CIT 380: Securing Computer Systems: Access Control

Slide #2: Access Control Matrix
- As the system changes, its state changes (state transitions).
- The model is only concerned with the protection state.
- The ACM must be enforced by a mechanism that limits state transitions to those that go from one element of Q (the set of authorized protection states) to another.

Slide #3: Access Control Matrix
- Objects O = { o_1, ..., o_m }: all protected entities.
- Subjects S = { s_1, ..., s_n }: active entities, S ⊆ O.
- Rights R = { r_1, ..., r_k }.
- The matrix A has one row per subject and one column per object; since S ⊆ O, the subjects also appear as columns:

          o_1  ...  o_m   s_1  ...  s_n
    s_1
    ...
    s_n

- Entries A[s_i, o_j] ⊆ R. A[s_i, o_j] = { r_x, ..., r_y } means subject s_i has rights r_x, ..., r_y over object o_j.

Slide #4: Access Control Matrix
- Subjects
  - Users
  - Processes (programs)
- Objects
  - Processes (programs)
  - Files

Slide #5: Access Control Matrix
- Rights
  - Read (r)
  - Write (w)
  - Execute (x)
  - Append (a)
  - Owner (o)
  - Copy rights (c)

Slide #6: Example: File/Process
- Processes p, q
- Files f, g
- Rights r, w, x, a, o

          f      g      p       q
    p     rwo    r      rwxo    w
    q     a      ro     r       rwxo

Slide #7: Copy Right
- Allows the possessor to give rights to another subject.
- Often attached to a specific right, so it applies only to that right:
  - r is a read right that cannot be copied.
  - rc is a read right that can be copied.
- Is the copy flag itself copied when giving r rights?
  - Depends on the model and on the instantiation of the model.

Slide #8: Ownership Right
- Usually allows the possessor to change entries in the object's ACM column.
  - So the owner of an object can add and delete rights for others.
- The details may depend on what the system allows, e.g.:
  - Can't give rights to a specific (set of) users.
  - Can't pass the copy flag to a specific (set of) users.

Slide #9: Attenuation of Privilege
- Principle: a subject may not give rights it does not possess to another subject.
  - Restricts the addition of rights within a system.
  - Usually ignored for the owner. Why? The owner can give herself the rights, give them to others, then delete her own rights again.

Slide #10: How can we implement the ACM?
- Problem: scale
  - Thousands of subjects.
  - Millions of objects.
  - Yet most entries are blank or default.
- Solutions
  - Group subjects together as single entities: groups and roles.
  - Implement by row: capabilities.
  - Implement by column: access control lists.
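The following is an added example, not code from the CIT 380 slides: a small ACM class that stores the slide 6 matrix, derives the column view (an ACL for one object) and the row view (a capability list for one subject), and enforces the copy flag and attenuation of privilege from slides 7 to 9. The rule that the copy flag only travels with a right when explicitly requested is one model choice among several, as slide 7 notes.

```python
"""Access control matrix (ACM) with ACL and capability views, copy rights and
attenuation of privilege. Added example, not from the CIT 380 slides."""


class ACM:
    # rows: subject -> object -> set of rights. A right with a trailing 'c'
    # (e.g. "rc") carries the copy flag; plain "r" cannot be passed on.
    def __init__(self, rows):
        self.a = {s: {o: set(rs) for o, rs in row.items()} for s, row in rows.items()}

    def rights(self, subject, obj):
        return self.a.get(subject, {}).get(obj, set())

    def acl(self, obj):
        """Column view: who holds what on obj (what an ACL stores)."""
        return {s: sorted(row[obj]) for s, row in self.a.items() if row.get(obj)}

    def capabilities(self, subject):
        """Row view: what subject holds on each object (a capability list)."""
        return {o: sorted(rs) for o, rs in self.a.get(subject, {}).items() if rs}

    def grant(self, giver, receiver, obj, right, with_copy=False):
        """giver adds `right` on obj to receiver's entry.

        Attenuation of privilege: a non-owner may only give a right it holds
        with the copy flag. The owner of obj may add any right (the usual
        exemption from slide 9). Whether the copy flag travels with the right
        is a model choice; here it does only when with_copy is requested.
        """
        held = self.rights(giver, obj)
        if "o" not in held and right + "c" not in held:
            raise PermissionError(f"{giver} cannot give {right!r} on {obj!r}")
        self.a.setdefault(receiver, {}).setdefault(obj, set()).add(
            right + "c" if with_copy else right)

    def revoke(self, subject, obj, right):
        """Remove right (and its copyable form) from one ACM entry."""
        self.rights(subject, obj).discard(right)
        self.rights(subject, obj).discard(right + "c")


# The slide 6 matrix: subjects p and q are also objects (S is a subset of O).
EXAMPLE = {
    "p": {"f": {"r", "w", "o"}, "g": {"r"}, "p": {"r", "w", "x", "o"}, "q": {"w"}},
    "q": {"f": {"a"}, "g": {"r", "o"}, "p": {"r"}, "q": {"r", "w", "x", "o"}},
}


def demo():
    """Owner grant succeeds; non-owner grant of a right held without the copy flag fails."""
    m = ACM(EXAMPLE)
    m.grant("p", "q", "f", "r")          # p owns f: allowed by the owner exemption
    try:
        m.grant("q", "p", "p", "x")      # q holds only plain r on p and does not own p
        blocked = False
    except PermissionError:
        blocked = True
    return m.acl("f"), m.capabilities("q"), blocked


if __name__ == "__main__":
    acl_f, caps_q, blocked = demo()
    print("ACL of f:", acl_f)
    print("capabilities of q:", caps_q)
    print("attenuation blocked q's grant:", blocked)
```

The two views are the same data read in different directions, which is the whole point of slides 12 and 14: an ACL implementation makes `acl()` cheap and `capabilities()` a full scan, and a capability implementation the reverse.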

Slide #11: Groups and Roles
- Collect subjects together to express:
  - the need to share objects;
  - security categories (e.g., admin, faculty, student, guest).
- Role: a group that ties membership to function.
- Problem: loss of granularity.

Slide #12: Capabilities
- Implement the ACM by row: access control information is associated with the subject.
- Example: UNIX file descriptors
  - The system checks the ACL (permission bits) on file open and returns an fd.
  - The process subsequently uses the fd to read and write the file.
  - If the ACL changes, the process still has access via the fd.
- Capability list for one user:

    User     ls    homedir   rootdir
    james    rx    rw        r

Slide #13: Capability Questions
- How do we revoke rights to an object?
- Direct solution:
  - Check the capabilities of every process.
  - Remove those that grant access to the object.
  - Computationally expensive.
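The file descriptor behaviour described on slide 12, and the revocation problem of slide 13, can be seen directly on a UNIX system. The script below is an added example, not from the slides: it creates its own temporary file, opens it, removes every permission bit with chmod, and shows that the already-open descriptor keeps working while a fresh open is refused. It assumes a POSIX system and a non-root user; root ignores mode bits, so the fresh open succeeds for root, and the function reports that case.

```python
"""A UNIX file descriptor is a capability: the permission check happens at
open(2), and a later ACL (mode) change does not revoke the fd. Added example,
not from the slides; it uses a temporary file it creates itself."""
import os
import tempfile


def fd_survives_permission_change():
    """Return (bytes read through the old fd, whether a fresh open failed,
    whether we are root). Root ignores mode bits, so a fresh open succeeds
    for root even after chmod 000."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.txt")
    with open(path, "w") as f:
        f.write("top secret\n")

    fd = os.open(path, os.O_RDONLY)    # the ACL (mode bits) is checked here, once
    os.chmod(path, 0o000)              # the owner "revokes" all access
    try:
        via_old_fd = os.read(fd, 100)  # still works: the fd is the capability
        try:
            os.close(os.open(path, os.O_RDONLY))
            fresh_open_failed = False  # only root gets here
        except PermissionError:
            fresh_open_failed = True   # a new open consults the ACL and is refused
    finally:
        os.close(fd)
        os.chmod(path, 0o600)
        os.remove(path)
        os.rmdir(workdir)
    return via_old_fd, fresh_open_failed, os.geteuid() == 0


if __name__ == "__main__":
    data, refused, root = fd_survives_permission_change()
    print(f"read via old fd: {data!r}; fresh open refused: {refused}; running as root: {root}")
```

This is exactly the revocation problem of slide 13 in miniature: changing the object's ACL does not touch the capabilities already handed out, so the only complete revocation is to find and close every descriptor (or kill the processes holding them).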

Slide #14: Access Control Lists (ACLs)
- Implement the ACM by column: access control information is associated with the object.
- Example: UNIX ACLs
  - Short "rwx" user/group/other permission bits.
  - Long POSIX ACLs.
- ACL for one object:

    User     audit data
    root     rw
    james    r
    joe      (none)

Slide #15: ACL Questions
1. Which subjects can modify an object's ACL?
2. Do ACLs apply to privileged users?
3. Do ACLs support groups and wildcards?
4. How are ACL conflicts resolved?
5. What are the default permissions?
6. How can a subject's rights be revoked?

Slide #16: Which subjects can modify an ACL?
- Create an "own" right for an ACL.
  - Only subjects with the own right can modify the ACL.
- Creating an object also creates the object's ACL.
  - Usually the creator is given the own right at this time.
  - Other default rights may be set at creation too.

Slide #17: Which subjects can modify an ACL?
- Some systems allow anyone with access to an object to modify its ACL.
  - What are the security implications of sharing access to a file on such a system?

Slide #18: Do ACLs apply to privileged users?
- Many systems have privileged users.
  - UNIX: root.
  - Windows NT: Administrator.
- Should ACLs apply to privileged users?
  - Backups need read access to all objects.
  - What security problems are produced by ignoring ACLs for privileged users?

Slide #19: What are the default permissions?
- Interaction of ACLs with base permissions.
  - POSIX ACLs modify the UNIX base permissions.

Slide #20: What are the default permissions?
- How are default ACLs determined?
  - Subject: the subject sets its own default permissions, like the UNIX umask.
  - Inheritance: objects in a hierarchical system inherit the ACLs of their parent object; subjects inherit sets of default permissions from their parent subjects.

Slide #21: How are rights revoked?
- Removal of a subject's rights to one object.
  - Delete the entries for the subject from the ACL.
  - If ownership doesn't control the granting of rights, matters can be complex: if A has granted rights to B, what should happen to B's rights when you remove A's rights?
- Removal of a subject's rights to all objects.
  - Very expensive (millions of objects).
  - Most systems don't support it.
  - Why isn't disabling the subject's account sufficient?

Slide #22: ACLs vs Capabilities
- ACLs
  - Slow: the OS has to read the ACL of each object accessed.
  - Easy to find/change the rights on a particular object.
  - Difficult to revoke the privileges of a specific subject (every object's ACL must be searched).
- Capabilities
  - Fast: the OS always knows the subject's identity, so its capability list is at hand.
  - Easy to find/change the rights of a particular subject.
  - Difficult to revoke the privileges to a specific object (every subject's capability list must be searched).

Slide #23: Limitations of Classic ACLs
- The classic UNIX permission bits hold only three entries: owner, group, other.
  - Limited to one user.
  - Limited to one group.
- Root (UID 0) bypasses the checks entirely and can do anything.

Slide #24: POSIX Extended ACLs
- Supported by most UNIX/Linux systems.
  - Slight syntax differences may exist.
- Tools: getfacl, setfacl
- Example:
    chmod 600 file
    setfacl -m user:gdoor:r-- file
  - The file is unreadable by group and other, but the ACL entry allows gdoor to read it.
- Caveat: once an extended ACL exists, the group bits shown by ls -l are the ACL mask, and a later chmod rewrites that mask, which can silently cut down what named entries such as user:gdoor grant.
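To make the "POSIX ACLs modify UNIX base permissions" point of slide 19 and the gdoor example of slide 24 concrete, here is an added example (not from the slides) that parses getfacl-style output and evaluates it with the algorithm documented in acl(5): owner entry first, then named user, then owning group and named groups, then other, with the mask applied to everything but the owner and other entries. The getfacl output is constructed to show what the two commands on slide 24 produce; the chmod function models how chmod edits the mask of a file that already carries an extended ACL.

```python
"""Evaluate a POSIX extended ACL the way acl(5) describes, including the
mask and its interaction with chmod. Added example, not from the slides;
the getfacl output below is constructed, not captured from a real system."""

# What getfacl prints after: chmod 600 report.txt; setfacl -m user:gdoor:r-- report.txt
# setfacl recomputes the mask to cover the new entry, so the mask is r--.
GETFACL_OUTPUT = """\
# file: report.txt
# owner: james
# group: staff
user::rw-
user:gdoor:r--
group::---
mask::r--
other::---
"""

PERMS = (("r", 4), ("w", 2), ("x", 1))


def _perm_set(text):
    return {c for c in text if c in "rwx"}


def parse_getfacl(text):
    """Turn getfacl output into a dict of permission sets."""
    acl = {"named_user": {}, "named_group": {}, "mask": None}
    for line in text.splitlines():
        if line.startswith("# owner: "):
            acl["owner"] = line[len("# owner: "):]
        elif line.startswith("# group: "):
            acl["group"] = line[len("# group: "):]
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            p = _perm_set(perms)
            if tag == "user":
                if qualifier:
                    acl["named_user"][qualifier] = p
                else:
                    acl["user_obj"] = p
            elif tag == "group":
                if qualifier:
                    acl["named_group"][qualifier] = p
                else:
                    acl["group_obj"] = p
            elif tag == "mask":
                acl["mask"] = p
            elif tag == "other":
                acl["other"] = p
    return acl


def permitted(acl, user, groups, want):
    """Does `user` (a member of `groups`) get every permission in `want`?"""
    want = _perm_set(want)
    mask = acl["mask"]
    masked = (lambda p: p & mask) if mask is not None else (lambda p: p)
    if user == acl["owner"]:                         # 1. owner entry, never masked
        return want <= acl["user_obj"]
    if user in acl["named_user"]:                    # 2. named user, masked
        return want <= masked(acl["named_user"][user])
    group_entries = [p for g, p in acl["named_group"].items() if g in groups]
    if acl["group"] in groups:                       # 3. owning group and named groups:
        group_entries.append(acl["group_obj"])       #    any matching entry may grant
    if group_entries:
        return any(want <= masked(p) for p in group_entries)
    return want <= acl["other"]                      # 4. everyone else


def chmod(acl, mode):
    """Model chmod on a file that has an extended ACL: the group bits of the
    mode become the mask, not the owning-group entry (acl(5))."""
    bits = lambda n: {c for c, b in PERMS if n & b}
    acl["user_obj"] = bits((mode >> 6) & 7)
    if acl["mask"] is not None:
        acl["mask"] = bits((mode >> 3) & 7)
    else:
        acl["group_obj"] = bits((mode >> 3) & 7)
    acl["other"] = bits(mode & 7)
    return acl
```

The sting is in the last function: after the slide's two commands, a well-meaning `chmod 600 file` later on leaves `user:gdoor:r--` in the ACL but sets the mask to `---`, so gdoor can no longer read; `getfacl` marks such entries with `#effective:---`.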

Slide #25: Host-based Access Control
- /etc/hosts.allow and /etc/hosts.deny are used by tcpd, sshd and other servers (via TCP Wrappers).
- Subjects are identified by:
  - hostname
  - IP address
  - network address/mask
- Allow is checked before Deny: the first matching line in hosts.allow grants access; otherwise the first matching line in hosts.deny denies it; if neither file matches, access is granted.
  - So use "ALL: ALL" as the last rule in /etc/hosts.deny to deny everything not explicitly allowed.
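The allow-then-deny order on slide 25 is easy to get wrong, so here is an added example (not from the slides, and not the tcpd source) that replays the TCP Wrappers decision procedure over two constructed files. It handles the common client patterns (ALL, exact hostname or address, a leading-dot domain suffix, a trailing-dot address prefix, and network/mask) and ignores option fields; the daemon names and addresses are made up.

```python
"""Replay the TCP Wrappers decision procedure on constructed hosts.allow /
hosts.deny files. Added example, not from the slides or the tcpd sources."""
import ipaddress

# Constructed samples.
HOSTS_ALLOW = """\
# only the lab subnet and the admin box may reach sshd; anyone on localhost may reach any daemon
sshd: 10.0.0.0/255.255.255.0, admin.example.edu
ALL: 127.0.0.1
"""
HOSTS_DENY = """\
ALL: ALL
"""


def parse_rules(text):
    """Each line is 'daemon_list : client_list [: options]'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = {d.strip() for d in fields[0].split(",")}
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, host, ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:                                   # network/mask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):                          # .example.edu: domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                            # 10.0.: address prefix
        return ip.startswith(pattern)
    return pattern in (host, ip)                         # exact host or address


def _first_match(rules, daemon, host, ip):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(c, host, ip) for c in clients)
               for daemons, clients in rules)


def decide(daemon, host, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is searched first; a match grants. Then hosts.deny; a match
    denies. If neither file matches, access is granted, which is why
    hosts.deny should end with ALL: ALL."""
    if _first_match(parse_rules(allow_text), daemon, host, ip):
        return "allow"
    if _first_match(parse_rules(deny_text), daemon, host, ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for args in (("sshd", "box.lab", "10.0.0.7"), ("sshd", "attacker.example.net", "203.0.113.5")):
        print(args, "->", decide(*args))
    print("same attacker with an empty hosts.deny ->",
          decide("sshd", "attacker.example.net", "203.0.113.5", deny_text=""))
```

Note the last line of the usage: with an empty hosts.deny the unlisted attacker is admitted, which is the default-allow behaviour the slide's closing advice guards against.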

Slide #26: Hardware Protection
- Confidentiality: processes cannot read the memory space of the kernel or of other processes without permission.
- Integrity: processes cannot write to the memory space of the kernel or of other processes without permission.

Slide #27: Hardware Protection
- Availability: one process cannot deny access to the CPU or other resources to the kernel or to other processes.

Slide #28: Hardware Mechanisms: VM
- Each process has its own address space.
  - Prevents processes from accessing the memory of the kernel or of other processes.
- Attempted violations produce page fault exceptions.

Slide #29: Hardware Mechanisms: VM
- Each process has its own address space.
  - Implemented using a page table.
  - Page table entries contain access control information:
    - Read
    - Write
    - Execute (not a separate bit in classic 32-bit x86 page tables; the NX bit introduced with PAE and x86-64 page tables provides it)
    - Supervisor (only accessible in supervisor mode)

Slide #30: VM Address Translation (diagram; not reproduced in the transcript)

Slide #31: Hardware Mechanisms: Rings
- Protection rings.
  - Lower-numbered rings have more rights.
  - Intel CPUs have 4 rings: ring 0 is supervisor mode, ring 3 is user mode. Most OSes do not use the other two rings.
  - Multics was designed with 64 protection rings (its hardware implemented eight).
    - Different parts of the OS ran in different rings.
    - Procedures of the same program could have different access rights.

Slide #32: Hardware Mechanisms: System Timer
- Timer interrupt
  - Generated by the Programmable Interval Timer chip.
  - Fires periodically; the interval depends on the OS.
  - Transfers control from the running process to the OS.
  - Ensures that no process can deny availability of the machine to the kernel or to other processes.

Slide #33: Why is Access Control hard?
- Objects are complex.
  - Identifying the objects of interest: is your choice of objects too coarse- or fine-grained?
  - Hierarchical structures like a filesystem or XML.
- Subjects are complex.
  - Identifying the subjects of interest.
  - What are the relationships between subjects?

Slide #34: Why is Access Control hard?
- Access control states change.
- Security objectives are often unclear.
