Access Control Mechanisms and Security Models - PowerPoint PPT Presentation

1 / 45
About This Presentation
Title:

Access Control Mechanisms and Security Models

Description:

EROS essays on capabilities (instead of access lists) http://www.eros-os.org/essays/00Essays.html ... Sharing system resources requires operating system to ... – PowerPoint PPT presentation

Number of Views:1846
Avg rating:3.0/5.0
Slides: 46
Provided by: joanneh5
Category:

less

Transcript and Presenter's Notes

Title: Access Control Mechanisms and Security Models


1
Access Control Mechanisms and Security Models
  • How does the computer enforce access policy?

2
Readings
  • EROS essays on capabilities (instead of access
    lists)
  • http//www.eros-os.org/essays/00Essays.html
  • Computer Security paper by Kemmerer

3
Access Control Mechanisms and Models
  • Dual mode operation
  • Access Matrix
  • ACLs and Capabilities
  • Multilevel and Multilateral Security
  • Access Models
  • Bell-LaPadula
  • Biba

4
Operating System Protection
  • Sharing system resources requires operating
    system to ensure that an incorrect program cannot
    interfere with other programs.
  • Most computers provide hardware support to
    differentiate between at least two modes of
    operations (dual mode).
  • 1. User mode execution done on behalf of a
    user.
  • 2. Monitor mode (also kernel mode or system mode)
    execution done on behalf of operating system.

5
O.S. Protection
  • All I/O instructions are privileged instructions.
  • Must ensure that a user program could never gain
    control of the computer in monitor mode (i.e., a
    user program cannot alter OS program
    instructions).
  • Must provide memory protection for the OS kernel
    and one user program from accessing memory
    allocated to another.

6
  • Associate with every process, two registers that
    determine the range of legal addresses
  • Base register holds the smallest legal physical
    memory address.
  • Limit register contains the size of the range
  • Memory outside the defined range cannot be
    accessed.
  • In monitor mode, the operating system has
    unrestricted access to both monitor and users
    memory.
  • The load instructions for the base and limit
    registers are privileged instructions.

7
Protecting Other Objects
  • Operating system consists of a collection of
    objects (hardware and software) buffers,
    registers, memory regions, PCBs, files,
    directories, etc.
  • Each object has a unique name and can be accessed
    through a well-defined set of operations. For
    files those operations are read, write, execute.
  • Protection problem - ensure that each object is
    accessed correctly and only by those processes
    that are allowed to do so.

8
Subjects and Objects
  • Subject
  • Active entity in a computer system
  • User, process, thread
  • We will assume that a subject is synonymous with
    a user
  • Object
  • Passive entity or resource in a computer system
  • Files, directories, printers

9
Assign Subjects to Domains
  • Domains are entities that might want to access
    the objects processes, programs, users, roles.
  • Domain granularity
  • There may be just 2 domains in the system users
    and the superuser
  • There may be a domain for each user
  • There may be several domains per user user
    surfing web, user compiling programs, user
    changing his password, etc.

10
Access Operations
  • An access is an interaction between an object and
    a subject
  • A subject may observe (read) an object
  • Information flows from object to subject
  • A subject may alter (write to) an object
  • Information flows from subject to object

11
Read and Write Access
  • In a multi-user OS users open files to get access
  • Files are opened for read or for write access so
    that the OS can avoid conflicts like two users
    simultaneously writing to the same file
  • Write access mode is usually implemented as
    read/write mode
  • A user editing a file should not be asked to open
    it twice
  • The append (or blind write or write-only)
    access mode allows users to alter an object
    without observing its contents
  • Rarely useful (audit log files being the main
    exception)
  • Implemented in Multics

12
Execute Access
  • Sometimes an object can be used without opening
    it in read or write mode
  • Directories
  • Binary executable files
  • Cryptographic keys
  • UNIX includes the execute access operation
  • This may mean different things in different
    contexts and in different systems

13
Access Operations in Unix
  • File access
  • Read (r)
  • Write (w)
  • Execute (x)
  • Directory access
  • Read (list directory contents)
  • Write (create or rename files in directory)
  • Execute (search directory)

14
Unix ls command
15
Access Matrix
  • The protection problem can be viewed as a matrix
    (access matrix)
  • Rows represent domains
  • Columns represent objects
  • Access(i, j) is the set of operations that a
    process executing in Domaini can invoke on Objectj

16
Access Matrix
17
Access Matrix
  • Access matrix is the mechanism for enforcing
    security policy.
  • Policy
  • Who can access what object and in what mode.
  • Mechanism
  • Operating system provides access-matrix rules.
  • It ensures that the matrix is only manipulated by
    authorized agents and that rules are strictly
    enforced.

18
Access Control Mechanism
  • A request can be regarded as a triple (s,o,a)
  • s is a subject
  • o is an object
  • a is an access operation
  • A request is granted if
  • a belongs to the access matrix entry
    corresponding to subject s and object o

19
Implementation of Access Matrix
  • Sparse matrix (list of access right/domain pairs)
    or Access control lists or Capability lists
  • Each column Access-control list for one object.
    Defines who can perform what operation. Domain
    1 Read, Write Domain 2 Read Domain 3 Read
  • Each Row Capability List (like a key). For each
    domain, what operations allowed on what objects.
  • Object 1 Read
  • Object 4 Read, Write, Execute
  • Object 5 Read, Write, Delete, Copy

20
Access Control Lists (ACL)
  • Access control lists focus on the objects
  • Typically implemented at operating system level
  • Windows NT uses ACLs
  • Disadvantage
  • How can we check the access rights of a
    particular subject efficiently (before-the-act
    per-subject review)?

21
Capability Lists
  • Capability lists focus on the subjects
  • Typically implemented in services and application
    software
  • Database applications often use capability lists
    to implement fine-grained access to tables and
    queries
  • Renewed interest in capability-based access
    control for distributed systems
  • Disdavantage
  • How can we check which subjects can access a
    given object (before-the-act per-object review)?

22
Administrative Tasks
  • Tasks include
  • Creation of new objects and subjects
  • Deletion of objects and subjects
  • Changing entries in access control matrix
    (changing entries in ACLs and capability lists)
  • The administration of access control structures
    is extremely time-consuming, complicated and
    error-prone

23
Administering Access Control
  • Access control structures that aggregate subjects
    and objects are used to simplify the
    administrative burden
  • User groups and roles aggregate subjects
    (student, faculty, staff)
  • Data types aggregate objects (account files,
    binary executables)

24
(No Transcript)
25
ACLs or Capability Lists?
  • Theoretically these implementations are the same
    any protection state that can be represented in
    one can be represented in the other. In
    practice, some actions are just impractical in
    one implementation or the other.
  • Removing a user (because he left the company) is
    more efficient in capability lists.
  • Changing a file to read-only for everyone
    (february-sales is made read-only when February
    is over) is easier in ACLs.

26
Implementation Considerations
  • In a given implementation, new lists can be
    created or changed easily, whereas the items in
    the lists must be well-defined and unchanging.
  • Creating a new domain or splitting a current one
    is easy in capability lists. domainB as
    manager and domainB as payroll person.
  • The result is that capability list systems create
    fine-grained domains. This makes it easy to
    enforce the principle of least privilege a
    fundamental principle in computer security.

27
Example ACL Systems
  • In ACL systems, the password program and many
    system utilities, like compilers, run as root
    since the available domains are limited.
  • Suppose you discover that the password file is
    kept in /x/y/z (or the IDS logs showing that you
    tried to break into the system). You invoke the
    compiler and specify that it should write the
    output to /x/y/z !!!
  • This (and many other problems) can be patched in
    ACL systems, but it never exists as a problem in
    capability list systems.

28
Example Capability Lists
  • Capability lists
  • Password-program /x/y/z, read, write
  • Compiler /usr/bin/prog, read
  • Jholliday /usrs/faculty/jholliday, read, write,
    owner
  • A new domain is created
  • Compiler-jholliday /user/bin/prog, read
    /usrs/faculty/jholliday, write
  • Note this domain does not have the capability to
    write to /x/y/z
  • UNIX, an ACL system, handles this type of problem
    with the setuid bit but this has lead to many
    security problems.
  • Each file has associated with it a domain bit
    (setuid bit).
  • When file is executed and setuid on, then
    user-id is set to owner of the file being
    executed. When execution completes user-id is
    reset.

29
Multilevel and Multilateral Security
  • Multilevel Security levels are like user and
    super-user or secret and top-secret. The higher
    level (super-user, top-secret) includes all of
    the privileges of the lower level(s).
  • Multilateral security is concerned with security
    between domains at the same level (different user
    accounts should not interfere with each other).

30
Where to Place Security Mechanisms?
31
Security Mechanisms Security Layers are Best
  • Visualize security mechanisms as concentric
    protection rings, with hardware mechanisms in the
    center and application mechanisms at the outside.

Hardware/ physical
Mechanisms towards the center tend to be more
generic while mechanisms at the outside are more
likely to address individual user requirements.
O.S.
application
32
Protection Rings
  • Often, the location of a security mechanism on
    the protection ring is related to its complexity.
    Generic mechanisms (inner rings) are simple,
    applications (outer rings) clamour for
    feature-rich security functions.
  • Do you prefer simplicity - and higher assurance -
    to a feature-rich security environment?
  • Fundamental dilemma simple generic mechanisms
    may not match specific security requirements. To
    choose the right features from a rich menu, you
    have to be a security expert. Security unaware
    users are in a no-win situation.

33
Blocking Access to the Layer Below
  • Attackers try to bypass protection mechanisms.
    The parts of the system that can disable the
    mechanism lie within the current layer or the
    layer below (or within). The parts of the system
    that can malfunction without compromising the
    mechanism lie outside.
  • How do you stop an attacker from getting access
    to a layer below your protection mechanism?

34
The Layer Below Examples
  • Recovery tools, like Norton Utilities, restore
    the data by reading memory directly and then
    restoring the file structure. Such a tool can be
    used to circumvent logical access control as it
    does not care for the logical memory structure
  • Unix treats I/O devices and physical memory
    devices like files. If access permissions are
    defined badly, e.g. if read access is given to a
    disk containing read protected files, then an
    attacker can read the disk contents and
    reconstruct the files.

35
Examples
  • Backup whoever has access to a backup tape has
    access to all the data on it. Logical access
    control is of no help and backup tapes have to be
    locked away safely to protect the data.

36
Security Models
  • A security model is a formal description of a
    security policy
  • Models are used in high assurance security
    evaluations
  • Models are important historic milestones in
    computer security (e.g. Bell-LaPadula)
  • The models presented today are not recipes for
    security but can be a starting point when you
    have to define a model yourself.

37
Basic Security Theorem
  • To design a secure system with the help of state
    machine models,
  • define state set so that it captures security
  • check that all state transitions starting in a
    secure state yield a secure state
  • check that initial state of the system is
    secure
  • Security is then preserved by all state
    transitions. The system will always be secure.

38
Bell LaPadula (BLP) Model
  • Early state machine approach
  • an access operation is described by a tuple
  • (s,o,a), s ? S, o ? O, a ? A
  • E.g. (Alice, fun.com, read)
  • Well studied and formalized. Used in government
    Orange Book and Common Criteria
  • Considers only multi-level security needs, thus
    describes confidentiality requirements.

39
Bell LaPadula (BLP) Model
  • Subjects and objects are labeled with security
    levels that form a partial ordering
  • The policy No information flow from high
    security levels down to low security level
    (confidentiality)
  • BLP only considers information flows that occur
    when a subject observes or alters an object

40
BLP Information Flow
Top Secret
Read down
Secret
Write up
Confidential
Prevents subjects from acting as channels by
reading one memory object and transferring
information to another memory object
41
BLP Model
  • C(s) is the confidentiality level of subject s.
  • C(o) is the level of object o.
  • Subject s can read object o if C(s) ? C(o)
  • Subject s can write to object o if C(o) ? C(s)
  • property that prevents information leakage if
    s has read o, then he can write to p only if C(p)
    ? C(o)

42
Biba Model
  • BLP applies to secrecy of information
    (confidentiality), but not integrity. Biba model
    identifies inappropriate modification of data.
  • State machine model similar to BLP for integrity
    policies that regulate modification of objects
  • Integrity levels (such as trustworthy,
    untrusted or corrupted) are assigned to
    subjects and objects
  • The Biba model has policies for an invoke
    operation whereby one subject can access (invoke)
    another subject
  • The policies for static integrity levels are the
    dual of the BLP confidentiality levels

43
Biba Model
  • Subjects and objects are ordered by integrity
    levels
  • I(s) is the integrity of subject s
  • I(o) is the integrity of object o
  • Subject s can modify o only if I(s) ? I(o)
  • Integrity property If s has read access to
    object o with integrity level I(o), then s can
    have write access to p only if I(o) ? I(p)
    (anti-pollution property)

44
Biba Dynamic Integrity Levels
  • Subject Low Watermark Policy Subject s can read
    (observe) an object o at any integrity level. The
    new integrity level of s is g.l.b.(IS(s),IO(o))
  • Object Low Watermark Policy Subject s can modify
    (alter) an object o at any integrity level. The
    new integrity level of o is g.l.b.(IS(s),IO(o))

45
For Further Study
  • Other security models
  • Changing access rights Harrison-Ruzo-Ullman,
    Chinese Wall
  • Integrity Clark-Wilson
  • Computer Security, Dieter Gollmann, Wiley, 1999
Write a Comment
User Comments (0)
About PowerShow.com