ACCESS CONTROL - PowerPoint PPT Presentation

Slides: 58
Provided by: Nand151
Transcript and Presenter's Notes



1
ACCESS CONTROL & SECURITY MODELS (REVIEW)
  • Center of gravity of computer security

2
Fundamental Model of Access Control
  [Diagram: a subject issues an access request; the
  reference monitor mediates it and grants or denies
  access to the object]
3
Possible Access Control Mechanisms are
  • Control Matrix
  • Control lists
  • Groups and Roles
  • Extension to Distributed (file) Systems

4
Example Access Control Matrix for Bookkeeping
  (rows: subjects; columns: objects; cells: rights r/w/x, "-" = none)

                    Operating system  Accounts program  Accounting data  Audit trail
  Sam               rwx               rwx               r                r
  Alice             rx                x                 -                -
  Accounts program  rx                r                 rw               w
  Bob               rx                r                 r                r
  Srini             rx                r                 r                r
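As an added example (not part of the slides), a toy reference monitor that answers access requests from the bookkeeping matrix above and derives one object's access control list as a column of the matrix; the subject and object names are taken from the table, the rest is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Toy reference monitor over the bookkeeping matrix of slide 4.
 * Rights are the letters r, w, x; "-" means no rights at all. */
#define NSUBJ 5
#define NOBJ  4

static const char *subjects[NSUBJ] = {
    "Sam", "Alice", "Accounts program", "Bob", "Srini"
};
static const char *objects[NOBJ] = {
    "Operating system", "Accounts program", "Accounting data", "Audit trail"
};
/* matrix[subject][object] is the cell from the slide's table */
static const char *matrix[NSUBJ][NOBJ] = {
    { "rwx", "rwx", "r",  "r" },   /* Sam */
    { "rx",  "x",   "-",  "-" },   /* Alice */
    { "rx",  "r",   "rw", "w" },   /* Accounts program */
    { "rx",  "r",   "r",  "r" },   /* Bob */
    { "rx",  "r",   "r",  "r" },   /* Srini */
};

static int index_of(const char *name, const char *const *table, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(name, table[i]) == 0)
            return i;
    return -1;
}

/* The reference monitor's decision: 1 = grant, 0 = deny.
 * Unknown subjects, objects or rights are denied (fail closed). */
int check_access(const char *subject, const char *object, char right)
{
    int s = index_of(subject, subjects, NSUBJ);
    int o = index_of(object, objects, NOBJ);
    if (s < 0 || o < 0 || right == '\0' || right == '-')
        return 0;
    return strchr(matrix[s][o], right) != NULL;
}

/* Column view of the matrix: the access control list of one object
 * (slide 3's "control lists"). Fills out[] with "subject:rights"
 * entries and returns how many were written. */
int object_acl(const char *object, char out[][64], int max)
{
    int o = index_of(object, objects, NOBJ), n = 0;
    if (o < 0)
        return 0;
    for (int s = 0; s < NSUBJ && n < max; s++)
        if (strcmp(matrix[s][o], "-") != 0)
            snprintf(out[n++], 64, "%s:%s", subjects[s], matrix[s][o]);
    return n;
}

int main(void)
{
    char acl[NSUBJ][64];
    int n = object_acl("Accounting data", acl, NSUBJ);
    printf("Alice may run the accounts program: %d\n",
           check_access("Alice", "Accounts program", 'x'));
    printf("Alice may read accounting data:     %d\n",
           check_access("Alice", "Accounting data", 'r'));
    for (int i = 0; i < n; i++)
        printf("ACL(Accounting data): %s\n", acl[i]);
    return 0;
}
```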
5
Basic UNIX file security
  • -rw-rw-r-- 1 root sys 1344 Jul 2 2257 /etc/vfstab

  The mode string after the file-type character is three
  permission triples:

    - rwx rwx rwx
      |   |   +---- Other permissions
      |   +-------- Group permissions
      +------------ Owner permissions
6
SUID and SGID Security
  • The owner of a program can mark it set-uid (suid), so
    that whoever runs it does so with the owner's
    access-control attributes (effective uid), i.e. with
    special privileges
  • sgid does the same for groups
  • What is the security issue here?
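As an added example (not from the slides) of how the permission triples on slide 5 and the set-uid bit above interact: a model of the kernel's choice of exactly one triple for a process, and of the credentials a set-uid program runs with after exec. The uids and gids, the root shortcut and the set-uid program are constructed and simplified.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* How the kernel picks ONE of the owner/group/other triples from a mode
 * such as -rw-rw-r-- (slide 5), and what the set-uid bit changes at exec
 * time (slide 6). Mode bits come from <sys/stat.h>; the root shortcut is
 * a simplification of real kernels. Uids and gids are constructed. */
#define R_BIT 4
#define W_BIT 2
#define X_BIT 1

struct creds { uid_t euid; gid_t egid; };            /* effective ids of a process */
struct inode { mode_t mode; uid_t uid; gid_t gid; }; /* mode and owner of a file */

/* 1 if the process may access the file as requested (want = R|W|X bits).
 * Only the first matching triple counts: owner, then group, then other,
 * so an owner with mode 0077 is refused even though "other" would pass. */
int unix_access(const struct creds *p, const struct inode *f, int want)
{
    int triple;
    if (p->euid == 0)      /* root: read/write always; execute needs some x bit */
        return !(want & X_BIT) || (f->mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    if (p->euid == f->uid)
        triple = (f->mode & S_IRWXU) >> 6;
    else if (p->egid == f->gid)
        triple = (f->mode & S_IRWXG) >> 3;
    else
        triple = f->mode & S_IRWXO;
    return (triple & want) == want;
}

/* Credentials a process runs with after exec of 'prog'. With S_ISUID the
 * effective uid becomes the program owner's (the slide's "special
 * privileges"); S_ISGID does the same for the effective gid. */
struct creds creds_after_exec(const struct creds *caller, const struct inode *prog)
{
    struct creds c = *caller;
    if (prog->mode & S_ISUID) c.euid = prog->uid;
    if (prog->mode & S_ISGID) c.egid = prog->gid;
    return c;
}

int main(void)
{
    struct inode vfstab = { 0664, 0, 3 };                 /* -rw-rw-r-- root sys, as on slide 5 */
    struct inode setuid_prog = { S_ISUID | 0755, 0, 0 };  /* -rwsr-xr-x root root (constructed) */
    struct creds alice = { 1000, 1000 };
    struct creds after = creds_after_exec(&alice, &setuid_prog);

    printf("alice writes /etc/vfstab:        %d\n", unix_access(&alice, &vfstab, W_BIT));
    printf("alice after exec runs as uid:    %d\n", (int)after.euid);
    printf("...and now writes /etc/vfstab:   %d\n", unix_access(&after, &vfstab, W_BIT));
    return 0;
}
```

Every file that a set-uid root program can be tricked into touching is writable as root, which is why the following slides treat such programs as the prime target.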

7
SUID and SGID Security(cont.)
  • SUID root programs are particularly vulnerable to
    attack.
  • If it is possible to subvert the program in some
    way, then root access can be gained.
  • A very well known method of such subversion is
    the buffer overflow.
  • Buffer overflow vulnerability results from bad
    coding practices on the part of the original
    programmer of the SUID root program!

8
ACCESS CONTROL & SECURITY MODELS (2)
  • Center of gravity of computer security

9
Buffer Overflow
  • kill_sntsd.pl: There is a remotely exploitable buffer
    overflow in the simple network time sync daemon
    present on RedHat 6.1.
  • adredirasp.txt: Microsoft BackOffice component
    adredir.asp contains a buffer overflow.
  • dmail27q.txt: Netwin DSMTP Server v2.7q contains a
    remotely exploitable buffer overflow.
  • kdesud.txt: KDE kdesud present in Mandrake 7.02 (Air)
    has a buffer overflow allowing you to gain gid 0.
  • innd222over.txt: The news server innd 2.2.2 has a
    remotely exploitable buffer overflow.
  • cgatepro.txt: CommuniGatePro 3.1 for Windows NT
    contains a buffer overflow.
  • chkperm.txt: Solaris 2.x chkperm contains a buffer
    overflow.
  • winamp.txt: Nullsoft Winamp 2.10 contains a buffer
    overflow in its handling of playlist files allowing
    execution of arbitrary code. Exploit included.
  • icqover.txt: ICQ Version 99b 1.1.1.1 contains a
    buffer overflow.
  • qpop3.txt: Qpopper < 3.0beta29 contains a buffer
    overflow that allows authenticated users to execute
    arbitrary.
  • ex_sdtcm_convert.c: Sparc Solaris 7 sdtcm_convert
    buffer overflow exploit.
  • freebsdover.txt: Buffer overflows exist in fts, du,
    and find in FreeBSD 2.2.7/2.2.8.
  • netwaretts.txt: There is a buffer overflow in the
    Transaction Tracking System (TTS) built into Novell
    NetWare.
  • ex_lpset.c: Exploit for buffer overflow in Solaris
    x86 lpset.
  • ex_admintool.c: Exploit for buffer overflow in
    Solaris x86 admintool.
  • ex_dtprintinfo.c: Exploit for buffer overflow in
    Solaris x86 dtprintinfo.
  • netbuf.c: Exploit for TCP buffer overflow mbuf panic
    in FreeBSD-2.x and IRIX.
  • smbval.txt: The SMB authentication library smbvalid.a
    contains many buffer overflows.
  • iis4over.txt: Retina vs. IIS4, Round 2 - IIS4 SP3
    Option Pack 4 are vulnerable to remote buffer
    overflows. EXPLOIT INCLUDED.
  • ftpd.txt: Remote buffer overflows in various FTP
    servers lead to potential root compromise (ProFTPD
    1.2.0pre1 and Wuarchive ftpd (2.4.2-academBETA-18)).
  • slmail3.1.txt: SLMail 3.1 contains yet another buffer
    overflow.

Hundreds of buffer overflow vulnerabilities have
been documented in various versions of UNIX. The
problem is not restricted to UNIX: Windows and other
operating systems can also be vulnerable. Writing a
buffer overflow attack requires some knowledge of
the stack architecture of the particular hardware
(e.g. Intel stacks are implemented in a different
way from SPARC stacks).
10
Buffer Overflow: The problem

    #include <string.h>
    /* Copies str into a 16-byte stack buffer with no length check */
    void function(char *str)
    {
        char buffer[16];
        strcpy(buffer, str);   /* overflows buffer once strlen(str) >= 16 */
    }
    int main(void)
    {
        char string[256];
        int i;
        for (i = 0; i < 255; i++)
            string[i] = 'A';
        string[255] = '\0';    /* terminator (not on the slide) so strcpy copies exactly 255 'A's */
        function(string);
        return 0;
    }

11
Buffer Overflow
  (Same code as slide 10.) Calling function(string) first
  pushes the argument onto the stack:

    +----------------+
    | string         |   argument to function()
    +----------------+

  string pushed onto stack

12
Buffer Overflow
  (Same code as slide 10.) The call then pushes the return
  address, the place in main() where execution resumes
  after function() finishes:

    +----------------+
    | return address |
    +----------------+
    | string         |
    +----------------+

  return address pushed onto stack

13
Buffer Overflow
  (Same code as slide 10.) buffer[16] (local variable) is
  pushed onto the stack, below the return address:

    +----------------+
    | buffer[0]      |   strcpy() starts writing here ...
    | buffer[1]      |
    | ...            |
    | buffer[15]     |   ... and has only 16 bytes of room
    +----------------+
    | return address |
    +----------------+
    | string         |
    +----------------+

14
Buffer Overflow
  (Same code as slide 10.) strcpy() copies all 255 'A's, so
  after buffer[15] it keeps writing over the return address
  and whatever lies beyond it. When function() returns, the
  CPU jumps to an address made of 'A' bytes:

    +----------------+
    | A A A A ...    |   buffer[0..15]
    | A A A A        |   return address, overwritten
    | A A A A ...    |   string and the rest of the stack
    +----------------+

  Segmentation Fault
15
Buffer Overflow Attack
  • Instead of writing A past the allocated local
    buffer and into the rest of the stack, write data
    into the stack such that
  • The return address is replaced by an address
    which points to a bit of code written by the
    attacker (which can also be written onto the
    stack)
  • This code may, for example, spawn a shell.
  • If the original program was SUID root, this will
    be a root shell!

16
Buffer Overflow Attack
  • If no patch is available from O/S vendor to fix
    the vulnerability, then at least remove SUID root
    permissions from the program in question.
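The coding fix the previous slides call for, as an added example (not from the slides): the unsafe function() of slide 10 beside a hardened form that checks the length and reports an error instead of writing past the buffer. The function names and the error convention are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* The unsafe function() of slide 10 beside a hardened form. The fix is an
 * explicit length check with an error return, so the caller, not strcpy,
 * decides what happens to over-long input. */
#define BUFSZ 16

/* Unsafe: nothing relates the 16-byte buffer to strlen(str). Never call
 * this with untrusted input; it is here only for comparison. */
void function_unsafe(const char *str)
{
    char buffer[BUFSZ];
    strcpy(buffer, str);            /* writes strlen(str)+1 bytes whatever BUFSZ is */
    printf("%s\n", buffer);
}

/* Hardened: refuse input that does not fit, terminator included.
 * Returns 0 on success and -1 if the input was rejected. */
int function_safe(const char *str)
{
    char buffer[BUFSZ];
    const char *end = memchr(str, '\0', BUFSZ);    /* look for '\0' within 16 bytes only */
    if (end == NULL)
        return -1;                                  /* 16 or more bytes: would overflow */
    memcpy(buffer, str, (size_t)(end - str) + 1);   /* bounded copy, '\0' included */
    printf("%s\n", buffer);
    return 0;
}

/* The exact input main() on slide 10 builds: 255 'A's, then a terminator. */
int run_slide_input(void)
{
    char string[256];
    memset(string, 'A', 255);
    string[255] = '\0';
    return function_safe(string);   /* rejected (-1) instead of smashing the stack */
}

int main(void)
{
    printf("short input: %d\n", function_safe("hello"));
    printf("slide input: %d\n", run_slide_input());
    return 0;
}
```

Removing the set-uid bit, as the slide advises, limits what a successful overflow gains; only the length check removes the overflow itself.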

17
Authentication means
  • to establish the proof of identity.
  • Authentication techniques may vary depending on
    the kind of resource being accessed.
  • The various kinds of access can be classified
    into
  • user-to-host
  • host-to-host
  • user (or process) to user (or process)

18
Trusted hosts
  • UNIX allows hosts to trust one another.
  • If host A trusts host B, then a user who has the
    same user name on B and A can access resources on
    A from B without a password.
  • Implemented using .rhosts and /etc/hosts.equiv
  • rlogin, rsh, rcp

19
Trusted hosts - advantages
  • Password cannot be sniffed because it is not
    transmitted.
  • Users can log in once and then subsequently move
    to any machine in the trusted network.
  • Convenience.

20
Trusted hosts - disadvantages
  • If one host is compromised (e.g. boot B to single
    user mode, then change to any user you like), then
    the other host is also compromised: read that
    user's files on A.
  • Even if B cannot be booted to single user mode
    without a password, can physically replace B with
    another machine.
  • Trusted hosts uses IP address authentication.
  • Vulnerable to IP spoofing.

21
NFS
  • Network File System
  • Developed by Sun Microsystems
  • Supported by most UNIX systems
  • Allows remote access to local file systems

22
NFS example (Solaris)
  Host A (NFS server) exports /files over the network to
  host B, which mounts it; NFS calls flow from B's
  /mnt/files back to A's /files:

    On A (server):  share -F nfs -o rw=B,root=B /files
    On B (client):  mount -t nfs A:/files /mnt/files
23
NFS Security Considerations
  • Export only to trusted hosts
  • Export only those parts of the filesystem which
    require remote access
  • Export read-only unless writing absolutely
    required
  • Be very careful mapping root on the server to
    root on the client.
  • Remove group write permissions for exported files
    and directories.
  • Be careful exporting user home directories

24
NFS Security Considerations
  • Do not allow users to log into NFS server.
  • Do not accept incoming NFS call requests on
    non-privileged ports.
  • Use Secure NFS.
  • Don't use NFS! (Is it absolutely necessary?)

25
Threats to Availability
  • Denial of Service attacks
  • Probably more of a threat when carried out via
    the network than on the local machine alone.
  • Not UNIX specific

26
Windows accounts
  • Each user has an account
  • On a computer and/or an Active Directory domain
  • Non-human accounts are for system processes
  • Account typically has name and password
  • Authentication based on Kerberos or hashed
    password (for NT compatibility only)
  • OS supports password strength, aging policies
  • Certificates and smartcards are also supported
    (in 2000/XP, but not commonly used yet)
  • A user may belong to many groups
  • Has the union of the groups' rights at any time

27
Windows file systems (1/3)
  • FAT (for backward compatibility)
  • FAT supports no access control
  • NTFS (NT File System)
  • Access control based on user IDs and file
    permissions
  • Basic permissions are Read, Write, Execute,
    Delete, Change Permissions, Take Ownership
    (RWXDPO)
  • Standard permissions are basic ones combined
  • Different permissions to a file can be granted to
    individual users/groups using ACL
  • More fine-grained, flexible than UNIX

28
Windows file systems (2/3)
  • The following access permissions apply to files
  • NoAccess
  • Read(RX) read and execute
  • Change(RWXD) read,write,exe,delete
  • Full Control(all) RWXDPO
  • Special Access any combination of RWXDPO

29
Windows file systems (3/3)
  • File sharing using Common Internet File System
    (CIFS)
  • Shares are managed in directory (in common with
    domain management; more later)
  • Machine access to shares is based on computer
    account in domain and inter-domain trust
  • User access to shares is based on share passwords
    or standard ACLs
  • NT systems use hashed password SMB auth.
  • Windows 2000/XP use Kerberos authentication
  • Encrypting File System (EFS)
  • Files encryption using random secret keys, which
    are in turn encrypted with EFS public keys

30
Windows networking
  • Essentially similar tools
  • telnet, ftp with clear-text passwords
  • SSH, and augmented versions of telnet, ftp more
    secure
  • Integrated networking explained later
  • Server Message Block (SMB) based integrated
    domain authentication, file shares access

31
Windows security internals Architecture (1/2)
  • Windows (NT/2000/XP) have layered components on
    top of a kernel
  • Security Reference Monitor (SRM)
  • Part of the kernel
  • Handles core of access control checks
  • Protected security services include
  • Winlogon process
  • Local Security Authority (LSA) and policy
    database
  • Security Account Manager (SAM) and database
  • These services perform user authentication, and
    non-core part of access control

32
Windows security internals Architecture (2/2)
  • Security identifiers (SID)
  • Represent uniquely each user or group
  • Access control entry (ACE)
  • Contains permissions to an object explicitly
    denied or granted to a subject (SID)
  • Access control list (ACL)
  • List of ACEs for an object
  • Security descriptor of an object
  • Contains its owner SID, primary group SID, its
    ACL, and the applicable system ACL
  • Access token for a logged on user
  • Contains the users SID, primary group SID, etc.

33
Windows security internals Authentication
  • NT uses NTLM authentication
  • NT (MD4) and LM (DES-based) hashed password
  • Domain integration relies on sending hashed
    passwords through insecure SMB protocols
  • Inter-domain trusts are one-way, non-transitive
  • Windows 2000/XP in domains use Kerberos
  • NTLM supported for backward compatibility
  • Domains are managed by Active Directory
  • Integrated Kerberos auth. as domain controllers
    are KDCs
  • Enable hierarchical organisation and delegation
  • Inter-domain trusts are two-way, transitive
    thereby simplifying trust management
  • Logged on users run processes with their access
    tokens, basis for access control, impersonation

34
Windows security internals Access control
  • Discretionary access control
  • Based on subject SIDs and object ACLs
  • Each object has an ACL
  • A null ACL means no restrictions; an empty ACL
    means no access
  • Each process has an access token with owner SID
    and group SIDs
  • The access control check matches access tokens
    against ACLs
  • Administrators group can access everything
  • SRM performs core matching
  • Less discretionary access control
  • Some system-wide policies apply to subjects,
    regardless of individual objects' ACLs
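As an added example (not from the slides), a model of the SRM matching an access token against an object's ACL as this slide describes: ACEs are walked in order, an explicit deny wins, a null ACL grants everything and an empty ACL grants nothing. The integer SIDs, the rights bitmask and the payroll scenario are constructed; real Windows SIDs and access masks are richer than this.

```c
#include <stdio.h>
#include <stddef.h>

/* Model of the SRM matching an access token against an object's DACL
 * (slide 34). SIDs are plain integers and rights a bitmask; the walk
 * order and the null-vs-empty DACL rule follow the slide's wording. */
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u
#define RIGHT_EXEC  0x4u

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace  { enum ace_type type; int sid; unsigned mask; };
/* aces == NULL is a null DACL (no restrictions); count == 0 with a
 * non-null pointer is an empty DACL (no access at all). */
struct dacl { const struct ace *aces; int count; };
/* Access token: the user's SID plus the SIDs of the groups it belongs to. */
struct token { int user_sid; const int *group_sids; int ngroups; };

static int token_has_sid(const struct token *t, int sid)
{
    if (t->user_sid == sid) return 1;
    for (int i = 0; i < t->ngroups; i++)
        if (t->group_sids[i] == sid) return 1;
    return 0;
}

/* 1 if every bit of 'desired' is granted, else 0. ACEs are walked in
 * order: a DENY for one of the token's SIDs that covers any right still
 * outstanding ends the check; ALLOWs accumulate until nothing is left. */
int access_check(const struct token *t, const struct dacl *d, unsigned desired)
{
    if (d->aces == NULL) return 1;                 /* null DACL: everything allowed */
    unsigned remaining = desired;
    for (int i = 0; i < d->count && remaining; i++) {
        const struct ace *a = &d->aces[i];
        if (!token_has_sid(t, a->sid)) continue;
        if (a->type == ACE_DENY && (a->mask & remaining)) return 0;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;                         /* empty DACL: nothing granted */
}

/* Constructed scenario: SID 100 = Alice, 500 = Users group, 544 = Administrators. */
static const struct ace payroll_aces[] = {
    { ACE_DENY,  100, RIGHT_WRITE },                       /* explicit denies go first */
    { ACE_ALLOW, 500, RIGHT_READ },
    { ACE_ALLOW, 544, RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC },
};
static const struct dacl payroll    = { payroll_aces, 3 };
static const struct dacl null_dacl  = { NULL, 0 };
static const struct dacl empty_dacl = { payroll_aces, 0 };

int main(void)
{
    int alice_groups[] = { 500 };
    struct token alice = { 100, alice_groups, 1 };
    printf("Alice reads payroll:      %d\n", access_check(&alice, &payroll, RIGHT_READ));
    printf("Alice writes payroll:     %d  (explicit deny ACE)\n", access_check(&alice, &payroll, RIGHT_WRITE));
    printf("Alice, null DACL, write:  %d\n", access_check(&alice, &null_dacl, RIGHT_WRITE));
    printf("Alice, empty DACL, read:  %d\n", access_check(&alice, &empty_dacl, RIGHT_READ));
    return 0;
}
```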

35
Windows security internals Impersonation
  • No equivalence of UNIX suid, sgid or su, sudo
    programs
  • But processes frequently programmatically
    impersonate others
  • A thread takes on access token of another subject
  • This access token may be exact copy or variant of
    a primary access token
  • Thread gets security privileges of the
    impersonated subject
  • Impersonation is application-controlled, as
    opposed to administrator-controlled in UNIX

36
Windows security internals Logging auditing
  • The LSA and SRM create logs through the system
    event logger
  • The LSA logs mostly logon events based on its
    audit policy
  • The SRM logs access check events based on the
    system access control list (SACL)
  • Each object has an SACL
  • Logs are stored locally

37
UNIX and Windows security some evaluations
  • Windows security more complex, less mature
  • More susceptible to faults
  • Windows integrated Kerberos auth. more secure
    than hashed passwords
  • Windows access control more fine-grained
  • But Windows has more viruses?
  • Default security leaves programs writable
  • User education
  • Historically more UNIX buffer overflow attacks?
  • Longer lifetime, more accessible source code
  • Windows code inaccessible, but faults will show
    up eventually (obscurity is not good security)

38
Other Access Control methods
  • Sandboxing
  • Software that provides limited access rights to
    programs of unknown origins
  • Proof-carrying code
  • Programs to be executed must carry a proof that
    they don't do anything that contravenes the local
    security policy

39
Policies (1)
  • Historical considerations
  • The history of information systems and their
    automation is a history of compromise.
    Automation had to fit into existing schemes of
    information management. Similarly, the addition
    of security mechanisms has to fit into existing
    structures and systems. Highly secure systems
    are often a consequence of redesign and
    re-engineering of existing systems.
  • Mandatory Security Policies
  • A system wide policy decrees that all subjects
    and all objects are classified. Access classes
    are associated with every subject-object pair.
  • Access rights depend on the triple
    subject-object-access class, for all triplets
    <Sam, Production Log, Write>

40
Policies (2)
  • Discretionary Security Policies
  • Users are allowed to grant access to other users
    - often the OWNER of an object can grant access
    privileges to other users (at the owner's
    discretion)
  • Discretionary Policies may allow one user to pass
    data to another user without the authority of the
    creator of the data

41
Security Models Formal Methods
  • One benefit of using formal models is that
    mathematical (sometimes called formal) methods
    can be used to confirm that all transitions
    allowed by the model preserve the secure state of
    the system being modeled
  • For real systems, modeling is not easy

42
Access Control - Ranked Model (1)
  • Multi-level
  • Often called Lattice methods
  • Basis of military and commercial security
  • Set of ordered security levels, users assigned to
    a level
  • User subjects are privileged to access a rank
    and all lower ranks
  • Students do not need to master the notation used
    in Gollmann

43
Access Control - Ranked Model (2)
  • We are also concerned about need to know
  • Compartment the information to be secured
  • Granting access
  • A subject is cleared to access an object
  • only if rank(subject) > rank(object) AND
  • the set of all compartments that contain the
    object is contained within the set of
    compartments that the subject is cleared to
    access
  • (The personnel manager will not be allowed to
    access confidential production data)

44
Access Control - Ranked Model (3)
  • Companies often use the ranks
  • Public, Company Confidential, Executive-only
  • Deciding what lies in what compartment keeps
    security staff occupied

45
Bell - LaPadula (1)
  • Earliest formal model
  • Each user (subject) and information object has a
    fixed security class
  • Use the notation > to indicate dominance
  • Simple Security (ss) property: the no-read-up
    (NRU) property
  • A subject has read access to an object if the
    class of the subject C(s) is greater than or
    equal to the class of the object C(o)
  • need C(s) > C(o)

46
Bell - LaPadula (2)
  • *-property (star property): the no-write-down
    (NWD) property
  • While a subject has read access to object O, the
    subject can only write to object P if C(P) >
    C(O)
  • Leads to concentration of irrelevant detail at
    upper levels
  • Discretionary Security (ds) property: if
    discretionary policies are in place, accesses are
    further limited to this access matrix
  • Although all users in the personnel department
    can read all personnel documents, the personnel
    manager would expect to limit the readers of a
    document that dealt with redundancies in the
    personnel department!

47
Transitions
  • If a system starts in a secure state, and all
    transitions are secure, then the system remains
    in a secure state.
  • But what if we allow users to downgrade all
    objects, and then modify the access control
    matrix so all modes are allowed for each entry?
  • So we need to beware of transitions that change
    access rights

48
Tranquility
  • Gollmann p. 49; Pfleeger (3rd ed.) p. 305
  • Starting with a Bell-LaPadula model, with ranked
    classes of users
  • Say Executive, Company-confidential, Public
  • And segregated compartments,
  • Say Sales, Production
  • And all users assigned a rank,
  • And all files assigned a rank and a
    compartment: TRANQUILITY is when these
    assignments do not change or are not allowed to
    change

49
Tranquility in practice
  • Production program systems need to open and use
    work files, and open and use spool print files,
    class or subroutine libraries need to be
    accessed.
  • For systems with mandatory security, these
    entities all need labels and levels.
  • In practice assigning security levels to these
    sorts of entities is not easy.

50
Limitations of BLP model
  • Only deals with confidentiality aspect of
    security and not integrity
  • Not addressing the management of access control
  • Containing covert channels

51
Chinese Wall Model (1/2)
  • Suppose a consultancy has several airlines as
    clients
  • It is a conflict of interest if a consultant
    working with Qantas has access to confidential
    data on Gulf gathered from another assignment
  • Security policy builds on 3 levels of
    abstraction
  • Objects: the lowest level, e.g. files
  • Company groups: all objects concerning a
    particular company are grouped together
  • Conflict classes: at the highest level, all
    groups of objects for competing companies are
    clustered.
  • No information flow that causes a conflict of
    interest
  • For this model to work, a history of access
    rights has to be maintained
  • (Also, if confidential information is written
    across conflict classes, an effective conflict of
    interest is created)

52
Chinese Wall Model (2/2)
  • Simple security (ss) policy
  • Access is granted only if the object requested
    belongs to a company dataset already held by the
    user or to an entirely different conflict of
    interest class
  • *-property
  • A subject is granted write access to an object if
    no other object can be read which is in a
    different company dataset.
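The two Chinese Wall rules with the access history the previous slide requires, as an added example (not from the slides): the consultant name, the "Bank1" dataset and the conflict classes are constructed, and the *-property is simplified to the datasets already in the subject's history.

```c
#include <stdio.h>
#include <string.h>

/* Chinese Wall rules of slides 51-52 with the per-subject access history
 * the model needs. Datasets and conflict classes are constructed:
 * Qantas and Gulf compete in "airlines", Bank1 sits alone in "banks". */
#define MAX_HIST 16

struct dataset { const char *company; const char *conflict_class; };
static const struct dataset datasets[] = {
    { "Qantas", "airlines" }, { "Gulf", "airlines" }, { "Bank1", "banks" },
};
#define NDS 3

/* A consultant and the company datasets he or she has already read. */
struct subject { const char *name; const char *history[MAX_HIST]; int nhist; };

static const char *class_of(const char *company)
{
    for (int i = 0; i < NDS; i++)
        if (strcmp(datasets[i].company, company) == 0)
            return datasets[i].conflict_class;
    return NULL;
}

static int in_history(const struct subject *s, const char *company)
{
    for (int i = 0; i < s->nhist; i++)
        if (strcmp(s->history[i], company) == 0) return 1;
    return 0;
}

/* ss-policy: read allowed if the dataset is already held, or if nothing
 * already held lies in the same conflict of interest class. */
int cw_can_read(const struct subject *s, const char *company)
{
    const char *cls = class_of(company);
    if (cls == NULL) return 0;                        /* unknown: fail closed */
    if (in_history(s, company)) return 1;
    for (int i = 0; i < s->nhist; i++)
        if (strcmp(class_of(s->history[i]), cls) == 0) return 0;
    return 1;
}

/* Perform the read and record it, so that the wall is raised for later
 * requests. Returns 1 if granted, 0 if refused. */
int cw_read(struct subject *s, const char *company)
{
    if (!cw_can_read(s, company)) return 0;
    if (!in_history(s, company) && s->nhist < MAX_HIST)
        s->history[s->nhist++] = company;
    return 1;
}

/* *-property, simplified to the history: write to 'company' only if it is
 * readable and every dataset already read is that same company's. */
int cw_can_write(const struct subject *s, const char *company)
{
    if (!cw_can_read(s, company)) return 0;
    for (int i = 0; i < s->nhist; i++)
        if (strcmp(s->history[i], company) != 0) return 0;
    return 1;
}

int main(void)
{
    struct subject ann = { "Ann", {0}, 0 };
    printf("Ann reads Qantas:  %d\n", cw_read(&ann, "Qantas"));
    printf("Ann reads Gulf:    %d  (same conflict class as Qantas)\n", cw_read(&ann, "Gulf"));
    printf("Ann writes Qantas: %d\n", cw_can_write(&ann, "Qantas"));
    printf("Ann reads Bank1:   %d\n", cw_read(&ann, "Bank1"));
    printf("Ann writes Qantas: %d  (Bank1 data could leak into Qantas)\n", cw_can_write(&ann, "Qantas"));
    return 0;
}
```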

53
Biba
  • Concerned with integrity of information
  • We wish to prevent the spread of untrusted
    information
  • A Cold War issue: the intelligence services of
    the UK were known to have been compromised by the
    Soviets. How then could the USA ensure that USA
    intelligence data was not corrupted by possibly
    misleading data flowing from UK sources?
  • Simple integrity property
  • Subject s can only modify object o if I(s) >
    I(o) (no write up)
  • *-Integrity property: if s can read o, s can
    only write to p if I(o) > I(p)
  • So clean objects do not become contaminated
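One dominance relation serves the ranked model with compartments (slides 43-44), the Bell-LaPadula properties (slides 45-46) and, with the same labels read as integrity levels, the Biba properties above; this added example (not from the slides) implements it in C. The rank names and compartment bits are built from the slides' examples; the ">" of the slides is implemented as dominance, which includes equality.

```c
#include <stdio.h>

/* One dominance relation on (rank, compartment set) labels, used for the
 * ranked model with compartments (slides 43-44), for Bell-LaPadula
 * (slides 45-46) and, read as integrity levels, for Biba (slide 53).
 * The ranks and compartment bits are constructed from the slides' names. */
enum rank { PUBLIC = 0, COMPANY_CONFIDENTIAL = 1, EXECUTIVE = 2 };
#define SALES      0x1u
#define PRODUCTION 0x2u

struct label { enum rank rank; unsigned compartments; };

/* a dominates b (written a > b on the slides; it includes equality):
 * rank(a) >= rank(b) and every compartment of b is one a is cleared for. */
int dominates(struct label a, struct label b)
{
    return a.rank >= b.rank && (b.compartments & ~a.compartments) == 0;
}

/* BLP ss-property (no read up): s reads o only if C(s) > C(o). */
int blp_can_read(struct label s, struct label o) { return dominates(s, o); }

/* BLP *-property (no write down): having read O, write P only if C(P) > C(O). */
int blp_can_write(struct label o_read, struct label p) { return dominates(p, o_read); }

/* Biba simple integrity (no write up): s modifies o only if I(s) > I(o). */
int biba_can_write(struct label s, struct label o) { return dominates(s, o); }

/* Biba *-integrity: having read o, s may write p only if I(o) > I(p),
 * so low-integrity data never flows into a cleaner object. */
int biba_can_write_after_read(struct label o_read, struct label p) { return dominates(o_read, p); }

int main(void)
{
    struct label sales_clerk   = { COMPANY_CONFIDENTIAL, SALES };
    struct label personnel_mgr = { EXECUTIVE, SALES };
    struct label prod_report   = { COMPANY_CONFIDENTIAL, PRODUCTION };
    struct label exec_memo     = { EXECUTIVE, SALES | PRODUCTION };
    struct label press_release = { PUBLIC, 0 };

    printf("clerk reads production report:    %d (wrong compartment)\n",
           blp_can_read(sales_clerk, prod_report));
    printf("manager reads production report:  %d (rank ok, no need-to-know)\n",
           blp_can_read(personnel_mgr, prod_report));
    printf("read exec memo, write release:    %d (write-down refused)\n",
           blp_can_write(exec_memo, press_release));
    printf("Biba: public data into exec memo: %d (contamination refused)\n",
           biba_can_write_after_read(press_release, exec_memo));
    return 0;
}
```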

54
Biba (2/2)
  • Covers untrustworthy information in a natural
    way.
  • Suppose John is untruthful, all documents
    created/modified by John are untrustworthy
  • An untrusted subject who has write access to an
    object reduces the integrity of that object
  • Low integrity of source objects implies low
    integrity for any object based on the source
    object.

55
Clark-Wilson (1/3)
  • The security requirements of commercial
    transactions are about data integrity, and the
    prevention of error and fraud.
  • There is an established principle of separation
    of duties, which aims to ensure that users must
    collaborate to validly manipulate data, and hence
    users must collude to commit fraud.
  • Clark-Wilson aim to define well-formed
    transactions, so users cannot directly access
    data,
  • and specific data items can only be modified by
    defined programs.

56
Clark-Wilson (2/3)
  • Internal consistency of data items should be
    ensured by the system. Overall:
  • Subjects have to be identified and authenticated
  • Objects can be manipulated by a restricted set of
    programs
  • Subjects can execute only a restricted set of
    programs
  • A proper audit has to be maintained.
  • The system has to be certified to work properly.
  • An application oriented IT system model, a
    framework and guideline for security policy

57
Clark-Wilson (3/3)
  • Policy in terms of constrained data items(CDI)
  • CDIs are processed by transformation
    procedures(TP)
  • TP is like a monitor that performs only
    particular operations on specific data items
  • Access triples combine TP, one or more CDI and
    user ID who is authorised to operate on those
    CDIs by means of the TP.