Lecture 3 Page 1 CS 136, Fall 2010 Security Mechanisms CS 136 Computer Security Peter Reiher September 30, 2010.

Slides:



Advertisements
Similar presentations
Configuration management
Advertisements

Lecture 10 Sharing Resources. Basics of File Sharing The core component of any server is its ability to share files. In fact, the Server service in all.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
SE571 Security in Computing
Lecture 7 Access Control
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 4 Page 1 CS 236 Online Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 17 Page 1 CS 111 Spring 2015 Operating System Security CS 111 Operating Systems Peter Reiher.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Presented by Amlan B Dey.  Access control is the traditional center of gravity of computer security.  It is where security engineering meets computer.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.
G53SEC 1 Access Control principals, objects and their operations.
CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
Security CS Introduction to Operating Systems.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
Lecture 13 Page 1 CS 236 Online Principles for Secure Software Following these doesn’t guarantee security But they touch on the most commonly seen security.
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
Trusted Operating Systems
Access Control Lesson Introduction ●Understand the importance of access control ●Explore ways in which access control can be implemented ●Understand how.
Lecture 17 Page 1 CS 111 Fall 2015 Operating System Security CS 111 Operating Systems Peter Reiher.
Secure Operating Systems Lesson F: Capability Based Systems.
Lecture 16 Page 1 CS 188,Winter 2015 Security in Distributed Systems CS 188 Distributed Systems March 5, 2015.
Lecture 14 Page 1 CS 111 Summer 2013 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.
Lecture 3 Page 1 CS 136, Winter 2010 Security Mechanisms CS 136 Computer Security Peter Reiher January 12, 2010.
Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
Lecture 2 Page 1 CS 136, Spring 2016 Security Principles, Policies, and Tools CS 136 Computer Security Peter Reiher March 31, 2016.
Access Controls Mandatory Access Control by Sean Dalton December 5 th 2008.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Lecture 2 Page 1 CS 136, Fall 2011 Security Principles, Policies, and Tools CS 136 Computer Security Peter Reiher September 27, 2011.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Outline Security design principles Security policies Basic concepts
Access Control Model SAM-5.
Capabilities Each subject keeps a set of data items that specify his allowable accesses Essentially, a set of tickets Possession of the capability for.
Outline Basic concepts in computer security
Security+ All-In-One Edition Chapter 1 – General Security Concepts
Android Access Control
Chapter 14: System Protection
Outline What does the OS protect? Authentication for operating systems
Outline Security design principles Security policies Basic concepts
Outline What does the OS protect? Authentication for operating systems
Chapter 14: Protection.
CE Operating Systems Lecture 21
Outline Security tools Access control. Security Mechanisms CS 136 Computer Security Peter Reiher April 7, 2009.
Chapter 14: Protection.
PLANNING A SECURE BASELINE INSTALLATION
16. Account Monitoring and Control
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Access Control What’s New?
Access Control Dr. X Parenthesis: before we dive deeper into crypto, we will explore and old but still valid security principle, access controls.
Android Access Control
Presentation transcript:

Lecture 3 Page 1 CS 136, Fall 2010 Security Mechanisms CS 136 Computer Security Peter Reiher September 30, 2010

Lecture 3 Page 2 CS 136, Fall 2010 Outline Security tools Access control

Lecture 3 Page 3 CS 136, Fall 2010 Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense

Lecture 3 Page 4 CS 136, Fall 2010 Physical Security Lock up your computer –Actually, sometimes a good answer But what about networking? –Networks poke a hole in the locked door In any case, lack of physical security often makes other measures pointless

Lecture 3 Page 5 CS 136, Fall 2010 Access Controls Only let authorized parties access the system A lot trickier than it sounds Particularly in a network environment Once data is outside your system, how can you continue to control it? –Again, of concern in network environments

Lecture 3 Page 6 CS 136, Fall 2010 Encryption Algorithms to hide the content of data or communications Only those knowing a secret can decrypt the protection One of the most important tools in computer security –But not a panacea Covered in more detail later in class

Lecture 3 Page 7 CS 136, Fall 2010 Authentication Methods of ensuring that someone is who they say they are Vital for access control But also vital for many other purposes Often (but not always) based on encryption

Lecture 3 Page 8 CS 136, Fall 2010 Encapsulation Methods of allowing outsiders limited access to your resources Let them use or access some things –But not everything Simple, in concept Extremely challenging, in practice

Lecture 3 Page 9 CS 136, Fall 2010 Intrusion Detection All security methods sometimes fail When they do, notice that something is wrong And take steps to correct the problem Reactive, not preventative –But unrealistic to believe any prevention is certain Must be automatic to be really useful

Lecture 3 Page 10 CS 136, Fall 2010 Common Sense A lot of problems arise because people don’t like to think The best security tools generally fail if people use them badly If the easiest way in is to fool people, that’s what attackers will do

Lecture 3 Page 11 CS 136, Fall 2010 Access Control Security could be easy –If we didn’t want anyone to get access to anything The trick is giving access to only the right people –And at the right time and circumstances How do we ensure that a given resource can only be accessed when it should be?

Lecture 3 Page 12 CS 136, Fall 2010 Goals for Access Control Complete mediation Least privilege Useful in a networked environment Scalability Acceptable cost and usability

Lecture 3 Page 13 CS 136, Fall 2010 Access Control Mechanisms Access control lists Capabilities Access control matrices

Lecture 3 Page 14 CS 136, Fall 2010 The Language of Access Control Subjects are active entities that want to gain access to something –E.g., users or programs Objects represent things that can be accessed –E.g., files, devices, database records Access is any form of interaction with an object An entity can be both subject and object

Lecture 3 Page 15 CS 136, Fall 2010 Mandatory vs. Discretionary Access Control Mandatory access control is dictated by the underlying system –Individual users can’t override it –Even for their own data Discretionary access control is under command of the user –System enforces what they choose –More common than mandatory

Lecture 3 Page 16 CS 136, Fall 2010 Access Control Lists For each protected resource, maintain a single list Each list entry specifies a user who can access the resource –And the allowable modes of access When a user requests access to a resource, check the access control list (ACL)

Lecture 3 Page 17 CS 136, Fall 2010 ACL Objects and Subjects In ACL terminology, the resources being protected are objects The entities attempting to access them are subjects –Allowing finer granularity of control than per-user

Lecture 3 Page 18 CS 136, Fall 2010 ACL Example An operating system example: –Using ACLs to protect a file User (Subject) A is allowed to read and write to the file User (Subject) B may only read from it User (Subject) C may not access it

Lecture 3 Page 19 CS 136, Fall 2010 write An ACL Protecting a File File X ACL for file X A read write B C none Subject ASubject BSubject C read denied

Lecture 3 Page 20 CS 136, Fall 2010 Issues for Access Control Lists How do you know that the requestor is who he says he is? How do you protect the access control list from modification? How do you determine what resources a user can access? Generally issues for OS design

Lecture 3 Page 21 CS 136, Fall 2010 ACLs in Practice Unix file permissions are a limited form of an ACL –Only owner, group, and all can have ACL entries –Only read/write/execute controls are available Other systems (modern Windows, Linux, Solaris) have more general ACL mechanisms

Lecture 3 Page 22 CS 136, Fall 2010 ACLs and Wildcards Can specify a whole range of subjects who share same access rights to object E.g., “all members of the software development team can read this file” Shortens the lists But leads to questions of conflicts

Lecture 3 Page 23 CS 136, Fall 2010 Conflicts in ACLs Accounts receivable Bob Fred Nancy Accountants BobRW AccountantsR Can Bob write this file? What happens if a subject matches more than one ACL entry?

Lecture 3 Page 24 CS 136, Fall 2010 How To Handle ACL Conflicts Give most liberal rights Give most restrictive rights Deal with list in order –Giving first rights found –Or last rights found Any of these solutions might be best in particular circumstances

Lecture 3 Page 25 CS 136, Fall 2010 Handling Conflicts in an Example System In standard Unix file access permissions, determine identity –Owner, group member, other Test only rights for the highest group If I own the file, test owner rights –Even if I’m in the group and group rights are more liberal

Lecture 3 Page 26 CS 136, Fall 2010 Pros and Cons of ACLs +Easy to figure out who can access a resource +Easy to revoke or change access permissions –Hard to figure out what a subject can access –Changing access rights requires getting to the object

Lecture 3 Page 27 CS 136, Fall 2010 Capabilities Each subject keeps a set of data items that specify his allowable accesses Essentially, a set of tickets Possession of the capability for an object implies that access is allowed

Lecture 3 Page 28 CS 136, Fall 2010 Properties of Capabilities Must be unforgeable –In single machine, keep under control of OS –What about in a networked system? In most systems, some capabilities allow creation of other capabilities –Process can pass restricted set of capabilities to a subprocess

Lecture 3 Page 29 CS 136, Fall 2010 Capabilities and Domains The set of objects a subject can access at a given moment is its domain –The subject has a capability for each object in its domain Domains can be expanded by obtaining new capabilities New domains can be created for subprocesses

Lecture 3 Page 30 CS 136, Fall 2010 Capabilities Protecting a File Read X Subject BSubject C Capabilities for C Capabilities for A File X Read, Write Capabilities for B File X Read File X Subject A Capability Checking File X Read, Write read File X Read, Write Check validity of capability OK!

Lecture 3 Page 31 CS 136, Fall 2010 write denied Capabilities Denying Access write User B User C Capabilities for C Capabilities for A File X Read, Write Capabilities for B File X Read File X User A Capability Checking Check validity of capability No Capability Provided!

Lecture 3 Page 32 CS 136, Fall 2010 How Will This Work in a Network? Subject B Subject C Capabilities for C Capabilities for B File X Read Capabilities for A File X Read, Write Subject A Capability Checking File X File X Read, Write Subject A Subject B File X Read Subject C File X Read, Write How can we tell if it’s a good capability?

Lecture 3 Page 33 CS 136, Fall 2010 Revoking Capabilities Fred Nancy Accounts receivable How do we take away Fred’s capability? Without taking away Nancy’s?

Lecture 3 Page 34 CS 136, Fall 2010 Revocation By Destroying the Capability Fred Nancy Accounts receivable How can you be sure you’ve destroyed all copies everywhere?

Lecture 3 Page 35 CS 136, Fall 2010 Revocation By Invalidation on Use Fred Nancy Accounts receivable Fred Read Accounts Receivable Accounts receivable capability revocation list Ted Ned Costs time to check revocation list Especially if list gets long Also requires secure identification of the requestor

Lecture 3 Page 36 CS 136, Fall 2010 Revocation By Generation Numbers Fred Nancy Accounts receivable If generation numbers match, the capability is still valid To invalidate capability, increase generation number 4 Requires some control of capabilities Selective revocation is hard Can replace generation number with some other software token

Lecture 3 Page 37 CS 136, Fall 2010 Pros and Cons of Capabilities +Easy to determine what a subject can access +Potentially faster than ACLs (in some circumstances) +Easy model for transfer of privileges –Hard to determine who can access an object –Requires extra mechanism to allow revocation –In network environment, need cryptographic methods to prevent forgery

Lecture 3 Page 38 CS 136, Fall 2010 ACLs, Capabilities, Complete Mediation, & Performance Ideally, every data access should have access control independently applied Practicality of doing so depends on the performance costs

Lecture 3 Page 39 CS 136, Fall 2010 Access Control Without Complete Mediation What if access control status changed between last check and current access? Common case is this doesn’t happen What if it does? –Actually check changeable data structure on each access –Give process something cheap and revocable that allows access –Live with non-complete mediation

Lecture 3 Page 40 CS 136, Fall 2010 Access Control in the Distributed World ACLs still work OK –Provided you have a global namespace for subjects –And no one can masquerade Capabilities are more problematic –Their security relies on unforgeability

Lecture 3 Page 41 CS 136, Fall 2010 Using Cryptographic Capabilities Can cryptography make capabilities unforgeable? It can make it impossible to create them from nothing –And only usable by their owner But it can’t make them uncopyable So cryptographic capability systems must assume they can be freely copied

Lecture 3 Page 42 CS 136, Fall 2010 Access Control Matrices A very general access control concept In principle, ACLs are a 1-D list of who is permitted to access one object And capabilities are a 1-D list of what one subject can access Access control matrices are a 2-D description of access rights More conceptual than practical

Lecture 3 Page 43 CS 136, Fall 2010 Access Control Matrix Example Subjects Objects File AFile BNetworkPrinter User 1 User 2 Sysadmin Guest rwr r w sr rw configure w sr User 2’s Capabilities File B’s ACL

Lecture 3 Page 44 CS 136, Fall 2010 Role Based Access Control Not really an alternative to ACLs, capabilities, access control matrix Rather, a more complex way of looking at access control subjects Commonly used in systems that care about security –Available in Solaris, SE Linux, modern Windows systems

Lecture 3 Page 45 CS 136, Fall 2010 The Idea Behind Role Based Access Control Each user has certain roles he can take while using the system At any given time, the user is performing a certain role Give the user access to only those things that are required to fulfill that role

Lecture 3 Page 46 CS 136, Fall 2010 A Simple Example Fred is a system administrator But Fred is a also a normal user To:Fred From: Dick Subject: Fun URL Hi, Fred. I found this neat URL... Fred should operate under one role while doing system administration And another role while doing normal stuff

Lecture 3 Page 47 CS 136, Fall 2010 Continuing With Our Example Fred logs on as “fred” To:Fred From: Dick Subject: Fun URL Hi, Fred. I found this neat URL... He reads his To:Fred From: Dick Subject: Fun URL Hi, Fred. I found this neat URL... To:Fred From: Dick Subject: Fun URL Hi, Fred. I found this neat URL... To:Fred From: Dick Subject: Fun URL Hi, Fred. I found this neat URL... He decides to upgrade the C++ compiler So he changes his role to “sysadmin” Then he has the privileges to upgrade the compiler

Lecture 3 Page 48 CS 136, Fall 2010 What Has Been Gained? While reading mail and surfing the web, Fred isn’t able to upgrade the C++ compiler –He doesn’t have the access rights So if he accidentally downloads malicious code, it can’t “upgrade” the compiler

Lecture 3 Page 49 CS 136, Fall 2010 Changing Roles Role based access control only helps if changing roles isn’t trivial –Otherwise, the malicious code merely changes roles before doing anything else Typically requires providing some secure form of authentication –Which proves you have the right to change roles –Usually passwords, but other methods possible

Lecture 3 Page 50 CS 136, Fall 2010 Practical Limitations on Role Based Access Control Number of roles per user Problems of disjoint role privileges System administration overheads

Lecture 3 Page 51 CS 136, Fall 2010 Number of Roles Per User Each new role requires new authentication Less secure if the authentication is the same for each role –E.g., Unix sudo, which only requires your basic password How many passwords will people remember? –And how often will they be happy to type them?

Lecture 3 Page 52 CS 136, Fall 2010 Problems of Disjoint Roles Each role should have disjoint privileges –More secure if roles aren’t supersets of other roles May cause difficulties if certain operations require privileges from different roles

Lecture 3 Page 53 CS 136, Fall 2010 Problems of System Administration Access control is only useful if the permissions are set correctly for each subject and object The more subjects there are, the more work system administrators must do –Since each subject needs to get only the proper privileges

Lecture 3 Page 54 CS 136, Fall 2010 RBAC in Real Systems Windows has provided an RBAC API since Windows Server 2003 –Authorization Manager Most Linux systems have RBAC add-ons –SELinux includes RBAC –Some other Linux distributions do, too Also lots of special tools to build RBAC systems under Windows

Lecture 3 Page 55 CS 136, Fall 2010 Android Access Control Android is a software development environment for mobile devices –Especially phones An open platform that allows adding arbitrary applications –Written by many different parties What’s the appropriate access control model?

Lecture 3 Page 56 CS 136, Fall 2010 The Android Access Control Model Linux ACLs at the bottom –If that were all, apps would run with permissions of user who ran them Above that, access control specific for Android Each application runs as its own Linux user –But how to handle interactions between apps? Access to other apps’ components handled by Intercomponent Communications (ICC) controls

Lecture 3 Page 57 CS 136, Fall 2010 ICC Access Control Built into Android stack –So Android apps use it, but no regular app does ICC reference monitor provides a form of mandatory access control Android apps built of components –Each app component has an access label Developers assign apps sets of access labels –Some for components in their own app –Some for components of other apps –Set defines an application’s access domain

Lecture 3 Page 58 CS 136, Fall 2010 What Does This Mean? Application developer limits what his application can do –Even if compromised, it can’t do more –Permissions settable only at app installation Developer can also limit who else can use his components –Preventing data leakage, for example

Lecture 3 Page 59 CS 136, Fall 2010 Some Advantages of This Approach Limits power of applications Allows those installing applications to know what they can access Centralizes information about access permissions –Extensions limit that somewhat

Lecture 3 Page 60 CS 136, Fall 2010 Reference Monitors Whatever form it takes, access control must be instantiated in actual code –That checks if a given attempt to reference an object should be allowed That code is called a reference monitor Obviously, good reference monitors are critical for system security

Lecture 3 Page 61 CS 136, Fall 2010 Desirable Properties of Reference Monitors Correctness Proper placement Efficiency Simplicity Flexibility

Lecture 3 Page 62 CS 136, Fall 2010 An Example Reference Monitor The Linux code that mediates file access Applied on relatively few of the file system calls –Open, execute, directory traversal, a few others –Not on read and write

Lecture 3 Page 63 CS 136, Fall 2010 Conclusion Much of security relates to allowing some people access to some resources While preventing the same access to others Without some method of determining who should access what... You can’t do that

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.