Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 482/582: Computer Security

Published byEleanore Hubbard Modified over 7 years ago

Similar presentations

Presentation on theme: "CSC 482/582: Computer Security"— Presentation transcript:

1 CSC 482/582: Computer Security
Access Control CSC 482/582: Computer Security

2 Topics What is Access Control? Access Control Matrix Model
Protection State Transitions Special Rights Principle of Attenuation of Privilege <<Access Control Matrix Activity>> Groups and Roles Implementation of the Access Control Matrix Access Control Lists: by column (object). Capabilities: by row (subject). UNIX, Windows NT, and SQL ACLs. Hardware Protection CSC 482/582: Computer Security

3 Why study Access Control?
Center of gravity of computer security Why do we authenticate users? What security features do OSes provide? What’s the purpose of cryptography? Access Control is pervasive. Access Control is where Computer Science meets Security Engineering. We’ll start with theory (computer science) Then examine implementations (engineering) CSC 482/582: Computer Security

4 Access Control is Pervasive
Application Middleware Operating System Hardware CSC 482/582: Computer Security

5 Access Control is Pervasive
Application Complex, custom security policy. Ex: Amazon account: wish list, reviews, CC Middleware Database, system libraries, 3rd party software Ex: Credit card authorization center Operating System File ACLs, IPC Hardware Memory management, hardware device access. CSC 482/582: Computer Security

6 Access Control Matrix Precisely describes protection state of system.
Q Sets of system states: P: Set of all possible states. Q: Set of allowed states, according to security policy. P-Q: Set of disallowed states. ACM describes the set of states Q. Set of possible protection states P Set of secure states Q System insecure if in current state in P-Q Policy: characterizing states in Q Mechanism: preventing system from entering a state in P-Q CSC 482/582: Computer Security

7 Access Control Matrix As system changes, state changes.
State transitions. Only concerned with protection state. ACM must be enforced by a mechanism that limits state transitions to those that go from one element of Q to another. CSC 482/582: Computer Security

8 ACM Description Objects O = { o1,…,om } Subjects S = { s1,…,sn }
All protected entities. Subjects S = { s1,…,sn } Active entities, S  O Rights R = { r1,…,rk } Entries A[si, oj]  R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects (entities) subjects s1 s2 sn o1 … om s1 … sn Subjects=active entities, e.g. processes, users Objects=protected entities, e.g. files, network ports, database tables/rows CSC 482/582: Computer Security

9 Example: File/Process
Processes p, q Files f, g Rights r, w, x, a, o f g p q p rwo r rwxo w q a ro r rwxo o=own, ability to modify rights for other subjects r=read (abstract: what does it mean to read a process—send message or read status?) CSC 482/582: Computer Security

10 Copy Right Allows possessor to give rights to another
Often attached to a right, so only applies to that right r is read right that cannot be copied rc is read right that can be copied Is copy flag copied when giving r rights? Depends on model, instantiation of model Also called “grant right.” Granter may lose rights given, depending on model. Ex: “P” (change permission) right in WINNT CSC 482/582: Computer Security

11 Ownership Right Usually allows possessor to change entries in ACM column So owner of object can add, delete rights for others May depend on what system allows Can’t give rights to specific (set of) users Can’t pass copy flag to specific (set of) users Ex: chown, chgrp CSC 482/582: Computer Security

12 Attenuation of Privilege
Principle: Subject may not give rights it does not possess to another. Restricts addition of rights within a system Usually ignored for owner Why? Owner gives herself rights, gives them to others, deletes her rights. chmod 077 /tmp/file_i_cannot_read CSC 482/582: Computer Security

13 How can we implement the ACM?
Problem: scale Thousands of subjects. Millions of objects. Yet most entries are blank or default. Solutions Group subjects together as a single entities Groups and Roles Implement by row: Capabilities Implement by column: Access Control Lists The ACM is too large, so we use several techniques to express its meaning w/o implementing the ACM as an ordinary matrix. CSC 482/582: Computer Security

14 Groups and Roles Collect subjects together to express:
Need to share objects. Security categories (e.g., admin, faculty, student, guest) role: group that ties membership to function Problem: loss of granularity. Historically UNIX group system was static, relying on newgrp command, but modern UNIX group system is dynamic. CSC 482/582: Computer Security

15 Capabilities Implement ACM by row.
Access Control associated with subject. Example: UNIX file descriptors System checks ACL on file open, returns fd. Process subsequently uses fd to read and write file. If ACL changes, process still has access via fd. User ls homedir rootdir james rx rw r Examples: OS/400, public key certificates CSC 482/582: Computer Security

16 Capability Questions How to prevent user from modifying capabilities?
How to prevent user from copying capabilities? How to revoke rights to an object? CSC 482/582: Computer Security

17 How to prevent user from modifying?
Memory protection Capabilities are readable, but not writable. Indirection Capability is pointer to per-process table whose access control prevents user from touching. Cryptography Cryptographically secure checksum associated with capability and checked before usage. CSC 482/582: Computer Security

18 How to prevent user from copying?
Copying capabilities allows users to grant rights to others. Solution: Use indirection or cryptographic techniques from prev slide to prevent direct access. Add copy flag to capability, as a specific right given to copy capabilities in order to give rights to other users. CSC 482/582: Computer Security

19 How to revoke rights to an object?
Direct solution Check capabilities of every process. Remove those that grant access to object. Computationally expensive. Alternative solution Create a global object table. Capabilities reference objects indirectly via their entries in the global object table. Invalidate entry in global object table to revoke. CSC 482/582: Computer Security

20 Access Control Lists (ACLs)
Implement ACM by column. Access control by object. Example: UNIX ACLs Short “rwx” user/group/other. Long POSIX ACLs. User audit data root rw james r joe Allows users to easily manage access control to their own data. What can you do with ACLs if an employee is terminated? Usually need to go to authentication—revoke their password, but what if they still have active logins? Examples: UNIX, Windows NT CSC 482/582: Computer Security

21 ACL Questions Which subjects can modify an object’s ACL?
Do ACLs apply to privileged users? Do ACLs support groups and wildcards? How are ACL conflicts resolved? What are default permissions? How can a subject’s rights be revoked? CSC 482/582: Computer Security

22 Which subjects can modify an ACL?
Create an own right for an ACL. Only subjects with own right can modify ACL. Creating an object also creates object’s ACL. Usually creator given own right at this time. Other default rights may be set at creation too. Some systems allow anyone with access to object to modify ACL. What are the security implications of sharing access to a file on such a system? CSC 482/582: Computer Security

23 Do ACLs apply to privileged users?
Many systems have privileged users. UNIX: root. Windows NT: administrator. Should ACLs apply to privileged users? Need read access to all objects for backups. What security problems are produced by ignoring ACLs for privileged users? CSC 482/582: Computer Security

24 How are ACL conflicts resolved?
What happens when multiple ACL entries give different permissions to same subject? First entry wins. Last entry wins. Deny wins over allow. CSC 482/582: Computer Security

25 What are the default permissions?
Interaction of ACLs with base permissions. POSIX ACLs modify UNIX base permissions. How are default ACLs determined? Subject Subject sets default permissions, like UNIX umask. Inheritance Objects in hierarchical system inherit ACLs of parent object. Subjects inherit sets of default permissions from their parent subjects. CSC 482/582: Computer Security

26 How are rights revoked? Removal of subject’s rights to object.
Delete entries for subject from ACL. If ownership doesn’t control granting rights, matters can be complex: If A has granted rights to B, what should happen to B’s rights if you remove A’s rights? Removal of subject’s rights to all objects. Very expensive (millions of objects.) Most systems don’t support. Why isn’t disabling subject’s account sufficient? CSC 482/582: Computer Security

27 ACLs vs Capabilities Capabilities
Slow: OS has to read ACL for each object accessed. Easy to find/change rights on a particular object. Difficult to revoke privileges for a specific subject. Capabilities Fast: OS always knows subject identity. Easy to find/change rights on a particular subject. Difficult to revoke privileges to a subject object. Examples: OS/400, public key certificates CSC 482/582: Computer Security

28 UNIX Access Control Model
UID integer user ID UID=0 is root GID integer group ID Users can belong to multiple groups Objects have both a user + group owner. System compares object UID with EUID. EUID identical except after su or SETUID. Maximum number of groups varies per system. groups command will list your groups. CSC 482/582: Computer Security

29 UNIX File Permissions Three sets of permissions:
User owner Group owner Other (everyone else) Three permissions per group read write execute UID 0 can access regardless of permissions. Files: directories, devices (disks, printers), IPC File permissions apply to all types of objects, including directories, devices, named pipes, and UNIX domain sockets that are represented as files on UNIX systems. CSC 482/582: Computer Security

30 UNIX File Permissions Best-match policy Directories
OS applies permission set that most closely matches. You can be denied access by best match even if you match another set. Directories read = listing of directory execute = traversal of directory write = add or remove files from directory CSC 482/582: Computer Security

31 Special File Permissions
Each object has set of special permission bits sticky On a directory, means users can only delete files that they own setuid Execute program with EUID = owner’s UID setgid Execute program with EGID = owner’s GID On directories, causes default group owner to be that of directory owner’s GID. CSC 482/582: Computer Security

32 Changing Permissions: chmod
# remove other access chmod o-rwx *.c # add group r/w access chmod g+rw *.c # allow only you access chmod u=rwx * Set specifiers u = user g = group o = other Permissions r = read w = write x = execute ls –l (ls –lg on Solaris) CSC 482/582: Computer Security

33 Octal Permission Notation
Each set (u,g,o) is represented by an octal digit. Each permission (r,w,x) is one bit within a digit. ex: chmod 0644 file u: rw, g: r, o: r ex: chmod 0711 bin u: rwx, g: x, o: x 4 read setuid 2 write setgid 1 execute sticky CSC 482/582: Computer Security

34 Changing Ownership newgrp chgrp chown
Group owner of files is your default group. Changes default group to another group to which you belong. chgrp Changes group owner of existing file. chown Changes owner of existing file. Only root can use this command. CSC 482/582: Computer Security

35 Default Permissions: umask
Determines permissions given to newly created files Three-digit octal number Programs default to 0666 Umask modifies to: 0666 & ~umask ex: umask=022 => file has mode 0644 ex: umask=066 => file has mode 0600 CSC 482/582: Computer Security

36 setuid/setgid Solution to UNIX ACLs inability to directly handle (user, program, file) triplets. Process runs with EUID/EGID of file, not of user who spawned the process. Follow principle of least privilege create special user/groups for most purposes Follow principle of separation of privilege keep setuid functions/programs small drop privileges when unnecessary Implementing 3-dimensional matrix (user, program, file) with 2- or 1-dimensional mechanisms causes mistakes to be common, especially when developers use setuid 0 programs to bypass understanding what access control is necessary. find / \( -perm o -perm \) -type f -print CSC 482/582: Computer Security

37 Limitations of Classic ACLs
ACL control list only contains 3 entries Limited to one user. Limited to one group. Root (UID 0) can do anything. CSC 482/582: Computer Security

38 POSIX Extended ACLs getfacl setfacl
Supported by most UNIX/Linux systems. Slight syntax differences may exist. getfacl setfacl chmod 600 file setfacl -m user:gdoor:r-- file File unreadable by other, but ACL allows gdoor Supported on most Linux (kernel 2.4+, earlier with patches), FreeBSD (5.0+), and Solaris filesystems. Samba and Windows/UNIX ACL translation issues? CSC 482/582: Computer Security

39 Immutable Files Immutable Files on Linux Immutable Files on FreeBSD
chattr +i Cannot delete, rename, write to, link to Applies to root too Only root can remove immutable flag Immutable Files on FreeBSD chflags +noschg Cannot be removed by root in securelevel >0 Root can change securelevel in single user mode. CSC 482/582: Computer Security

40 Host-based Access Control
/etc/hosts.allow and /etc/hosts.deny used by tcpd, sshd, other servers Identify subjects by hostname IP address network address/mask Allow before Deny use last rule in /etc/hosts.deny to deny all CSC 482/582: Computer Security

41 Windows NT Access Control
Security IDs (SIDs) users groups hosts Token: user SID + group SIDs for a subject ACLs on files and directories registry keys many other objects: printers, IPC, etc. File ACLs exist on NTFS and SMB filesystems, but not FAT/FAT32. CSC 482/582: Computer Security

42 Standard NT Permissions
Read: read file or contents of a directory Write: create or write files and directories Read & Execute: read file and directory attributes, view directory contents, and read files within directory. List Folder Contents: RX, but not inherited by files within a folder. Modify: delete, write, read, and execute. Full Control: all, including taking ownership and changing permissions Files/directories inherit permissions from parent directory by default. CSC 482/582: Computer Security

43 Windows NT Conflict Resolution
If user not present in ACL and not a member of any group in ACL, access is denied. If ACL explicitly denies user access, access is denied. Otherwise, if user named in ACL, user has union of set of rights from each ACL entry in which user is named. CSC 482/582: Computer Security

44 Special NT Permissions
Traverse Folder/Execute File List Folder/Read Data Read Attributes Read Extended Attributes Create Files/Write Data Create Folders/Append Data Write Attributes Write Extended Attributes Delete Subfolders and Files Delete Read Permissions Change Permissions Take Ownership More granular than UNIX r,w,x permissions with differing file/directory interpretations. CSC 482/582: Computer Security

45 SQL Access Control Subjects Objects Rights Users. Roles.
create role faculty grant faculty to james Objects Databases, tables, table columns. Rights Select, insert, update, delete, references, grant. CSC 482/582: Computer Security

46 SQL Access Control The grant command gives access to a user
grant select on students to james or a role: grant select, insert, update on grades to faculty and includes power to grant options: grant insert on students to registrar with grant option The revoke command removes access remove insert on grades from faculty CSC 482/582: Computer Security

47 Hardware Protection Confidentiality Integrity Availability
Processes cannot read memory space of kernel or of other processes without permission. Integrity Processes cannot write to memory space of kernel or of other processes without permission. Availability One process cannot deny access to CPU or other resources to kernel or other processes. CSC 482/582: Computer Security

48 Hardware Mechanisms: VM
Each process has its own address space. Prevents processes from accessing memory of kernel or other processes. Attempted violations produce page fault exceptions. Implemented using a page table. Page table entries contain access control info. Read Write Execute (not separate on Intel CPUs) Supervisor (only accessible in supervisor mode) CSC 482/582: Computer Security

49 VM Address Translation
CSC 482/582: Computer Security

50 Hardware Mechanisms: Rings
Protection Rings. Lower number rings have more rights. Intel CPUs have 4 rings Ring 0 is supervisor mode. Ring 3 is user mode. Most OSes do not use other rings. Multics used 64 protection rings. Different parts of OS ran in different rings. Procedures of same program could have different access rights. CSC 482/582: Computer Security

51 Hardware: Privileged Instructions
Only can be used in supervisor mode. Setting address space MOV CR3 Enable/disable interrupts CLI, STI Reading/writing to hardware IN, OUT Switch from user to supervisor mode on interrupt. CSC 482/582: Computer Security

52 Hardware: System Timer
Processes can voluntarily give up control to OS via system calls to request OS services. SYSENTER, INT 2e Timer interrupt Programmable Interval Timer chip. Happens every OS, depending on OS. Transfers control from process to OS. Ensures no process can deny availability of machine to kernel or other processes. CSC 482/582: Computer Security

53 Why is Access Control hard?
Complex Objects Identifying objects of interest. Is your choice of objects too coarse or fine-grained? Hierarchical structure like filesystem or XML Subjects are Complex Identifying subjects of interest. What are the relationships between subjects? Access Control states change. Security objectives often unclear. CSC 482/582: Computer Security

54 Key Points Center of gravity of security; pervasive.
Access Control Matrix simplest abstraction mechanism for representing protection state. ACM is too big, so real systems use either: ACLs: columns (objects) of ACM. Capabilities: rows (subjects) of ACM. Access Control in Practice: UNIX. Access control rests on hardware foundation. Virtual memory, rings, privileged instructions. CSC 482/582: Computer Security

55 References Anderson, Ross, Security Engineering, 2nd edition, Wiley, 2008. Bishop, Matt, Introduction to Computer Security, Addison-Wesley, 2005. Bovet, Daniel and Cesati, Marco, Understanding the Linux Kernel, 2nd edition, O’Reilly, 2003. Silberschatz, et. al., Database System Concepts, 4th edition, McGraw-Hill, 2002. Silberschatz, et. al., Operating System Concepts, 7th edition, Wiley, 2005. Viega, John, and McGraw, Gary, Building Secure Software, Addison-Wesley, 2002. CSC 482/582: Computer Security

Download ppt "CSC 482/582: Computer Security"

Similar presentations

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
Sharing Files Richard Newman based on Smith “Elementary Information Security”

Sharing Files Richard Newman based on Smith “Elementary Information Security”
G22.3250-001 Robert Grimm New York University Protection and the Control of Information Sharing in Multics.

G Robert Grimm New York University Protection and the Control of Information Sharing in Multics.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.

Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.
Operating System Security CS460 Cyber Security Spring 2010.

Operating System Security CS460 Cyber Security Spring 2010.
Systems Security & Audit Operating Systems security.

Systems Security & Audit Operating Systems security.
ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.

ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
14.1 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 14: Protection Goals of Protection Principles of Protection Domain of Protection.

14.1 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 14: Protection Goals of Protection Principles of Protection Domain of Protection.

Similar presentations

Ads by Google