Presentation is loading. Please wait.

Presentation is loading. Please wait.

June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #4-1 Chapter 4: Security Policies Overview The nature of policies –What they.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #4-1 Chapter 4: Security Policies Overview The nature of policies –What they."— Presentation transcript:

1 June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #4-1 Chapter 4: Security Policies Overview The nature of policies –What they cover –Policy languages The nature of mechanisms –Types –Secure vs. precise Underlying both –Trust

2 Computer Security: Art and Science ©2002-2004 Matt Bishop Overview Policies Trust Nature of Security Mechanisms Policy Expression Languages Limits on Secure and Precise Mechanisms

3 Computer Security: Art and Science ©2002-2004 Matt Bishop Policy Languages Express security policies in a precise way High-level languages –Policy constraints expressed abstractly Low-level languages –Policy constraints expressed in terms of program options, input, or specific characteristics of entities on system

4 Computer Security: Art and Science ©2002-2004 Matt Bishop High-Level Policy Languages Constraints expressed independent of enforcement mechanism Constraints restrict entities, actions Constraints expressed unambiguously –Requires a precise language, usually a mathematical, logical, or programming-like language

5 Computer Security: Art and Science ©2002-2004 Matt Bishop Example: Web Browser Goal: restrict actions of Java programs that are downloaded and executed under control of web browser Language specific to Java programs Expresses constraints as conditions restricting invocation of entities

6 Computer Security: Art and Science ©2002-2004 Matt Bishop Expressing Constraints Entities are classes, methods –Class: set of objects to which a particular access constraint is applied. –Method: set of ways an operation can be invoked Operations –Instantiation: s creates instance of class c: s –| c –Invocation: s 1 executes object s 2 : s 1 |  s 2 Access constraints –deny(s op x) when b –While b is true, subject s cannot perform op on (subject or class) x; empty s means all subjects

7 Computer Security: Art and Science ©2002-2004 Matt Bishop Sample Constraint At most 100 network connections open Socket class defines network interface –Network.numconns gives number of active network connections Constraint deny( -| Socket) when (Network.numconns >= 100)

8 Computer Security: Art and Science ©2002-2004 Matt Bishop Sample Constraints Downloaded program cannot access password database file on UNIX system Program’s class and methods for files: class File { public file(String name); public String getfilename(); public char read(); Constraint: deny( |-> file.read) when (file.getfilename() == ``/etc/passwd’’)

9 Computer Security: Art and Science ©2002-2004 Matt Bishop DTEL(Domain-type enforcement language) Basis: access can be constrained by types Each object is associated with a type Each subject is associated with a domain The constructs of the language constrain the actions that a member of a domain can perform on an object of a specific type. –A subject cannot execute a text file, but it can execute an object file.

10 Computer Security: Art and Science ©2002-2004 Matt Bishop Example Goal: users cannot write to system binaries Subjects in administrative domain can –User must authenticate to enter that domain Subjects belong to domains: –d_userordinary users –d_adminadministrative users –d_loginfor login –d_daemonsystem daemons login program (d_login domain) controls access between d_user and d_admin.

11 Computer Security: Art and Science ©2002-2004 Matt Bishop Types Object types: –t_sysbinexecutable system files –t_readablereadable files –t_writablewritable files –t_dtedata used by enforcement mechanisms –t_genericdata generated from user processes

12 Computer Security: Art and Science ©2002-2004 Matt Bishop Domain Representation Sequence –First component is list of programs that start in the domain –Other components describe rights subject in domain has over objects of a type (crwd->t_writable) means subject can create, read, write, and list (search) any object of type t_writable

13 Computer Security: Art and Science ©2002-2004 Matt Bishop d_daemon Domain When the init program begins, it starts in this domain. –It can create(c), read(r), write(w), and do a directory search(d) of any object of type t_writable. –It can read, search, and execute(x) any object of type t_sysbin –It can read and search anything of type t_generic, t_readable, or t_dte. –When the init program invokes the login program, the login program transitions to the d_login domain automatically.

14 Computer Security: Art and Science ©2002-2004 Matt Bishop d_daemon Domain domain d_daemon = (/sbin/init), (crwd->t_writable), (rd->t_generic, t_readable, t_dte), (rxd->t_sysbin), (auto->d_login);

15 Computer Security: Art and Science ©2002-2004 Matt Bishop d_admin Domain domain d_admin = (/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh), (c->t_generic), (crwxd->t_readable, t_writable, t_dte, t_sysbin), (sigtstp->d_daemon);

16 Computer Security: Art and Science ©2002-2004 Matt Bishop d_user Domain domain d_user = (/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh), (crd->t_generic), (rxd->t_sysbin), (crwd->t_writable), (rd->t_readable, t_dte); No auto component as no user commands transition out of it Users cannot write to system binaries

17 Computer Security: Art and Science ©2002-2004 Matt Bishop d_login Domain domain d_login = (/usr/bin/login), (crwd->t_writable), (rd->t_readable, t_generic, t_dte), (setauth->d_user), (exec->d_user, d_admin); Cannot execute anything except the transition –Only /usr/bin/login in this domain setauth enables subject to change UID exec access to d_user, d_admin domains

18 Computer Security: Art and Science ©2002-2004 Matt Bishop Set Up initial_domain = d_daemon; –System starts in d_daemon domain assign -r t_generic /; assign -r t_writable /usr/var, /dev, /tmp; assign -r t_readable /etc; assign -r -s dte_t /dte; assign -r -s t_sysbin /sbin, /bin, /usr/bin, /usr/sbin; –These assign initial types to objects ––r recursively assigns type ––s binds type to name of object (delete it, recreate it, still of given type)

19 Computer Security: Art and Science ©2002-2004 Matt Bishop Low-Level Policy Languages Set of inputs or arguments to commands –Check or set constraints on system Low level of abstraction –Need details of system, commands

20 Computer Security: Art and Science ©2002-2004 Matt Bishop Example: X Window System UNIX X11 Windowing System –Provides a language for controlling access to the console Access to X11 display controlled by list –List says what hosts allowed, disallowed access xhost +groucho -chico –Connections from host groucho allowed –Connections from host chico not allowed

21 Computer Security: Art and Science ©2002-2004 Matt Bishop Example: tripwire (ftp://ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire/) File scanner that reports changes to file system and file attributes –tw.config describes what may change /usr/mab/tripwire +gimnpsu012345678-a Check everything but time of last access (“-a”) –Database holds previous values of attributes Tripwire assumes a policy of constancy –Records an initial state and on subsequent runs reports files whose settings have changed.

22 Computer Security: Art and Science ©2002-2004 Matt Bishop Example Database Record /usr/mab/tripwire/README 0..../. 100600 45763 1 917 10 33242.gtPvf.gtPvY.gtPvY 0.ZD4cc0Wr8i21ZKaI..LUOr3.0fwo5:hf4e4.8TAqd0V4ubv ?.........9b3 1M4GX01xbGIX0oVuGo1h15z3 ?:Y9jfa04rdzM1q:eqt1APgHk ?.Eb9yo.2zkEh1XKovX1:d0wF0kfAvC ?1M4GX01xbGIX2947jdyrior38h15z3 0 file name, version, bitmask for attributes, mode, inode number, number of links, UID, GID, size, times of creation, last modification, last access, cryptographic checksums

23 Computer Security: Art and Science ©2002-2004 Matt Bishop Comments System administrators not expected to edit database to set attributes properly Checking for changes with tripwire is easy –Just run once to create the database, run again to check Checking for conformance to policy is harder –Need to either edit database file, or (better) set system up to conform to policy, then run tripwire to construct database

24 Example: The RIACS file system checker Emphasizes the ability to set policy and then check policy and then check for conformance. Uses a database file and records fixed attributes. –/etc/pac 0755 1 root root 16384 12 22341 Jan 12, 1999 at 12:47:54 After generating such a file, the analyst can change the values as appropriate. –The next run, file system state is compared with these values. Computer Security: Art and Science ©2002-2004 Matt Bishop

Download ppt "June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #4-1 Chapter 4: Security Policies Overview The nature of policies –What they."

Similar presentations

Operating System Security

Operating System Security
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science ©2002-2004 Matt Bishop.

Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.

1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #4-1 Chapter 4: Security Policies Overview The nature of policies –What they.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #4-1 Chapter 4: Security Policies Overview The nature of policies –What they.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Chapter 2 Data Models Database Systems: Design, Implementation, and Management, Seventh Edition, Rob and Coronel.

Chapter 2 Data Models Database Systems: Design, Implementation, and Management, Seventh Edition, Rob and Coronel.
Slides prepared by Rose Williams, Binghamton University Chapter 1 Getting Started 1.1 Introduction to Java.

Slides prepared by Rose Williams, Binghamton University Chapter 1 Getting Started 1.1 Introduction to Java.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
1 Security Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 15, 2004.

1 Security Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 15, 2004.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.

1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.
1 of 5 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.

1 of 5 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.
April 15, 2004ECS 235Slide #1 Policy Languages Express security policies in a precise way High-level languages –Policy constraints expressed abstractly.

April 15, 2004ECS 235Slide #1 Policy Languages Express security policies in a precise way High-level languages –Policy constraints expressed abstractly.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

Similar presentations

Ads by Google