Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 480: Securing Computer Systems

Published byFrancine Angelica Moody Modified over 6 years ago

Similar presentations

Presentation on theme: "CIT 480: Securing Computer Systems"— Presentation transcript:

1 CIT 480: Securing Computer Systems
Access Control CIT 480: Securing Computer Systems

2 CIT 480: Securing Computer Systems
Topics Access Control Matrix ACLs and Capabilities Role-Based Access Control (RBAC) Discretionary Access Control (DAC) Examples: UNIX, Windows, Android, SQL Mandatory Access Control (MAC) Hardware Protection CIT 480: Securing Computer Systems

3 CIT 480: Securing Computer Systems
Access Control Access control is the selective restriction of access to an information, computational, or physical resource. CIT 480: Securing Computer Systems

4 Access Control is Pervasive
Application Middleware Operating System Hardware CIT 480: Securing Computer Systems

5 Access Control is Pervasive
Application Complex, custom security policy. Ex: Amazon account: wish list, reviews, CC Middleware Database, system libraries, 3rd party software Ex: Credit card authorization center Operating System File ACLs, IPC, Android permissions system, SELinux Hardware Memory management, hardware device access. CIT 480: Securing Computer Systems

6 Access Control Matrices
A table that defines permissions. Each row of this table is associated with a subject, which is a user, group, or system that can perform actions. Each column of the table is associated with an object, which is a file, directory, document, device, resource, or any other entity for which we want to define access rights. Each cell of the table is then filled with the access rights for the associated combination of subject and object. Access rights can include actions such as reading, writing, copying, executing, deleting, and annotating. An empty cell means that no access rights are granted. CIT 480: Securing Computer Systems

7 Example Access Control Matrix
CIT 480: Securing Computer Systems

8 Access Control Lists (ACLs)
An ACL defines, for each object, o, a list, L, called o’s access control list, which enumerates all the subjects that have access rights for o and, for each such subject, s, gives the access rights that s has for object o. /etc/passwd /usr/bin/ /u/roberto/ /admin/ root: r,w mike: r roberto: r backup: r root: r,w,x mike: r,x roberto: r,x backup: r,x root: r,w,x roberto: r,w,x backup: r,x root: r,w,x backup: r,x

9 Capabilities /etc/passwd: r,w,x; /usr/bin: r,w,x; /u/roberto: r,w,x; /admin/: r,w,x root Capabilities take a subject-centered approach to access control. It defines, for each subject s, the list of the objects for which s has nonempty access control rights, together with the specific rights for each such object. /usr/passwd: r; /usr/bin: r,x mike /usr/passwd: r; /usr/bin: r; /u/roberto: r,w,x roberto backup /etc/passwd: r,x; /usr/bin: r,x; /u/roberto: r,x; /admin/: r,x

10 Role-based Access Control
Define roles and then specify access control rights for these roles, rather than for subjects directly. Department Member Administrative Personnel Accountant Secretary Administrative Manager Faculty Lab Technician Lab Manager Student Undergraduate Student Graduate Student Department Chair Technical Personnel Backup Agent System Administrator Undergraduate TA Graduate TA CIT 480: Securing Computer Systems

11 Discretionary and Mandatory
Discretionary Access Control (DAC) Users set ACLs on objects OR Sysadmins set capabilities for each user. Consumer OS like Windows, Linux use DAC. Mandatory Access Control (MAC) Administrator configures access control matrix. Access cannot be altered while system is running. Examples: chattr, SElinux, Windows MIC CIT 480: Securing Computer Systems

12 UNIX Access Control Model
UID integer user ID UID=0 is root GID integer group ID Users can belong to multiple groups Objects have both a user + group owner. System compares object UID with EUID. EUID identical except after su or SETUID. Maximum number of groups varies per system. groups command will list your groups. CIT 480: Securing Computer Systems

13 CIT 480: Securing Computer Systems
UNIX File Permissions Three sets of permissions: User owner Group owner Other (everyone else) Three permissions per group read write execute UID 0 can access regardless of permissions. Files: directories, devices (disks, printers), IPC File permissions apply to all types of objects, including directories, devices, named pipes, and UNIX domain sockets that are represented as files on UNIX systems. CIT 480: Securing Computer Systems

14 CIT 480: Securing Computer Systems
UNIX File Permissions Best-match policy OS applies permission set that most closely matches. You can be denied access by best match even if you match another set. Directories read = listing of directory execute = traversal of directory write = add or remove files from directory CIT 480: Securing Computer Systems

15 Special File Permissions
Each object has set of special permission bits sticky On a directory, means users can only delete files that they own setuid Execute program with EUID = owner’s UID setgid Execute program with EGID = owner’s GID On directories, causes default group owner to be that of directory owner’s GID.

16 Changing Permissions: chmod
# remove other access chmod o-rwx *.c # add group r/w access chmod g+rw *.c # allow only you access chmod u=rwx * Set specifiers u = user g = group o = other Permissions r = read w = write x = execute ls –l (ls –lg on Solaris) CIT 480: Securing Computer Systems

17 Octal Permission Notation
Each set (u,g,o) is represented by an octal digit. Each permission (r,w,x) is one bit within a digit. ex: chmod 0644 file u: rw, g: r, o: r ex: chmod 0711 bin u: rwx, g: x, o: x 4 read setuid 2 write setgid 1 execute sticky CIT 480: Securing Computer Systems

18 CIT 480: Securing Computer Systems
Changing Ownership newgrp Group owner of files is your default group. Changes default group to another group to which you belong. chgrp Changes group owner of existing file. chown Changes owner of existing file. Only root can use this command. CIT 480: Securing Computer Systems

19 Default Permissions: umask
Determines permissions given to newly created files Three-digit octal number Programs default to 0666 Umask modifies to: 0666 & ~umask ex: umask=022 => file has mode 0644 ex: umask=066 => file has mode 0600 CIT 480: Securing Computer Systems

20 CIT 480: Securing Computer Systems
setuid/setgid Solution to UNIX ACLs inability to directly handle (user, program, file) triplets. Process runs with EUID/EGID of file, not of user who spawned the process. Follow principle of least privilege create special user/groups for most purposes Follow principle of separation of privilege keep setuid functions/programs small drop privileges when unnecessary Implementing 3-dimensional matrix (user, program, file) with 2- or 1-dimensional mechanisms causes mistakes to be common, especially when developers use setuid 0 programs to bypass understanding what access control is necessary. find / \( -perm o -perm \) -type f -print CIT 480: Securing Computer Systems

21 Limitations of Classic ACLs
ACL control list only contains 3 entries Limited to one user. Limited to one group. Root (UID 0) can do anything. CIT 480: Securing Computer Systems

22 CIT 480: Securing Computer Systems
POSIX Extended ACLs Supported by most UNIX/Linux systems. Slight syntax differences may exist. getfacl setfacl chmod 600 file setfacl -m user:gdoor:r-- file File unreadable by other, but ACL allows gdoor Supported on most Linux (kernel 2.4+, earlier with patches), FreeBSD (5.0+), and Solaris filesystems. Samba and Windows/UNIX ACL translation issues? CIT 480: Securing Computer Systems

23 Windows NT Access Control
Security IDs (SIDs) users groups hosts Token: user SID + group SIDs for a subject ACLs on files and directories registry keys many other objects: printers, IPC, etc. File ACLs exist on NTFS and SMB filesystems, but not FAT/FAT32. CIT 480: Securing Computer Systems

24 Standard NT Permissions
Read: read file or contents of a directory Write: create or write files and directories Read & Execute: read file and directory attributes, view directory contents, and read files within directory. List Folder Contents: RX, but not inherited by files within a folder. Modify: delete, write, read, and execute. Full Control: all, including taking ownership and changing permissions Files/directories inherit permissions from parent directory by default. CIT 480: Securing Computer Systems

25 CIT 480: Securing Computer Systems
Android: App Level DAC Android is a version of Linux for mobile devices. Each app runs with its own UID and GID. By default can only access files within its own directory. Android apps request permissions at install time. CIT 480: Securing Computer Systems

26 Database Access Control Models
DAC provided by SQL GRANT, REVOKE stmts. MAC provided by db-specific extensions. Subjects Users, Roles Objects Databases, tables, rows, columns, views. Rights Select, insert, update, delete, references, grant. CIT 480: Securing Computer Systems

27 SQL Access Control Examples
The grant command gives access to a user grant select on students to james or a role: grant select, insert, update on grades to faculty and includes power to grant options: grant insert on students to registrar with grant option The revoke command removes access remove insert on grades from faculty

28 Database App Security Models
One Big Application User Single user account for all accesses. DB sees no difference between app users. Vulnerability that compromises one app user can lead to exposure of data of all users. Application users are database users Each app user has a database user account too. Restrict users to accessing their own data even if there is a vulnerability in the application. CIT 480: Securing Computer Systems

29 CIT 480: Securing Computer Systems
Immutable Files Immutable Files on FreeBSD (MAC) chflags +noschg Cannot be removed by root in securelevel >0 Immutable Files on Linux (DAC) chattr +i Cannot delete, rename, write to, link to. Applies to root too, unlike normal permissions. Only root can remove immutable flag. Root can change securelevel in single user mode. CIT 480: Securing Computer Systems

30 CIT 480: Securing Computer Systems
SELinux SELinux is a fine-grained MAC system for Linux. Operates at process level. Files have security contexts. Process can access file only if allowed by policy. Policy can only be changed after reboot. CIT 480: Securing Computer Systems

31 CIT 480: Securing Computer Systems
SELinux Expansions SEPostgreSQL Enforces MAC on Postgres database tables. SECURITY LABEL SQL statement to label db objs. Uses system SELinux configuration. SEAndroid SELinux for Android platform + MAC for Android permissions and inter-component communication (ICC). CIT 480: Securing Computer Systems

32 CIT 480: Securing Computer Systems
Hardware Protection Confidentiality Processes cannot read memory space of kernel or of other processes without permission. Integrity Processes cannot write to memory space of kernel or of other processes without permission. Availability One process cannot deny access to CPU or other resources to kernel or other processes. CIT 480: Securing Computer Systems

33 Hardware Mechanisms: VM
Each process has its own address space. Prevents processes from accessing memory of kernel or other processes. Attempted violations produce page fault exceptions. Implemented using a page table. Page table entries contain access control info. Read Write Execute (not separate on Intel CPUs) Supervisor (only accessible in supervisor mode) CIT 480: Securing Computer Systems

34 VM Address Translation

35 Hardware Mechanisms: Rings
Protection Rings. Lower number rings have more rights. Intel CPUs have 4 rings Ring 0 is supervisor mode. Ring 3 is user mode. Most OSes do not use other rings. Multics used 64 protection rings. Different parts of OS ran in different rings. Procedures of same program could have different access rights. CIT 480: Securing Computer Systems

36 Hardware: Privileged Instructions
Only can be used in supervisor mode. Setting address space MOV CR3 Enable/disable interrupts CLI, STI Reading/writing to hardware IN, OUT Switch from user to supervisor mode on interrupt. CIT 480: Securing Computer Systems

37 Hardware: System Timer
Processes can voluntarily give up control to OS via system calls to request OS services. SYSENTER, INT 2e Timer interrupt Programmable Interval Timer chip. Happens every OS, depending on OS. Transfers control from process to OS. Ensures no process can deny availability of machine to kernel or other processes. CIT 480: Securing Computer Systems

38 Key Points Access Control models Types of Access Control UNIX ACLs
Access Control Matrix ACL implements ACM by column (object based) Capability implements ACM by row (subject based) Types of Access Control Mandatory (MAC) Discretionary (DAC) Role Based (RBAC) UNIX ACLs Chmod, umask, POSIX ACLs Hardware Access Controls Rings, VM, privileged instructions, system timer

39 CIT 480: Securing Computer Systems
References Anderson, Security Engineering 2nd Edition, Wiley, 2008. Bishop, Computer Security: Art and Science, Addison-Wesley, 2002. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011. CIT 480: Securing Computer Systems

Download ppt "CIT 480: Securing Computer Systems"

Similar presentations

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Linux File & Folder permissions. File Permissions In Ubuntu, files and folders can be set up so that only specific users can view, modify, or run them.

Linux File & Folder permissions. File Permissions In Ubuntu, files and folders can be set up so that only specific users can view, modify, or run them.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.
Sharing Files Richard Newman based on Smith “Elementary Information Security”

Sharing Files Richard Newman based on Smith “Elementary Information Security”
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Getting Started with Linux Linux System Administration Permissions.

Getting Started with Linux Linux System Administration Permissions.
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
File System Security 1. General Principles Files and folders are managed by the operating system Applications, including shells, access files through.

File System Security 1. General Principles Files and folders are managed by the operating system Applications, including shells, access files through.
Operating System Security CS460 Cyber Security Spring 2010.

Operating System Security CS460 Cyber Security Spring 2010.
Systems Security & Audit Operating Systems security.

Systems Security & Audit Operating Systems security.
File Permission and Access. Module 6 File Permission and Access ♦ Introduction Linux is a multi-user system where users can assign different access permission.

File Permission and Access. Module 6 File Permission and Access ♦ Introduction Linux is a multi-user system where users can assign different access permission.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Access Control.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Access Control.
G53SEC 1 Access Control principals, objects and their operations.

G53SEC 1 Access Control principals, objects and their operations.

Similar presentations

Ads by Google