1 / 63

CSC 382: Computer Security

CSC 382: Computer Security. Access Control. Access Control. What is Access Control? Access Control Matrix Model Protection State Transitions Special Rights Principle of Attenuation of Privilege Groups and Roles Implementation of the Access Control Matrix

finn-ayala
Download Presentation

CSC 382: Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CSC 382: Computer Security Access Control CSC 382: Computer Security

  2. Access Control • What is Access Control? • Access Control Matrix Model • Protection State Transitions • Special Rights • Principle of Attenuation of Privilege • Groups and Roles • Implementation of the Access Control Matrix • Access Control Lists: by column (object). • Capabilities: by row (subject). • UNIX, Windows NT, and SQL ACLs. • Hardware Protection CSC 382: Computer Security

  3. What is Access Control? “Its function is to control which principals (persons, processes, machines, …) have access to which resources in the system—which files they can read, which programs they can execute, how they share data with other principals, and so on.” • Ross Anderson, Security Engineering CSC 382: Computer Security

  4. Why study Access Control? • Center of gravity of computer security • Why do we authenticate users? • What security features do OSes provide? • What’s the purpose of cryptography? • Access Control is pervasive. • Access Control is where Computer Science meets Security Engineering. • We’ll start with theory (computer science) • Then examine implementations (engineering) CSC 382: Computer Security

  5. Access Control is Pervasive Application Middleware Operating System Hardware CSC 382: Computer Security

  6. Access Control is Pervasive • Application • Complex, custom security policy. • Ex: Amazon account: wish list, reviews, CC • Middleware • Database, system libraries, 3rd party software • Ex: Credit card authorization center • Operating System • File ACLs, IPC • Hardware • Memory management, hardware device access. CSC 382: Computer Security

  7. Access Control Matrix • Precisely describes protection state of system. P Q • Sets of system states: • P: Set of all possible states. • Q: Set of allowed states, according to security policy. • P-Q: Set of disallowed states. • ACM describes the set of states Q. CSC 382: Computer Security

  8. Access Control Matrix • As system changes, state changes. • State transitions. • Only concerned with protection state. • ACM must be enforced by a mechanism that limits state transitions to those that go from one element of Q to another. CSC 382: Computer Security

  9. Objects O = { o1,…,om } All protected entities. Subjects S = { s1,…,sn } Active entities, S  O Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects (entities) o1 … oms1 … sn s1 s2 … sn subjects ACM Description CSC 382: Computer Security

  10. Example: File/Process • Processes p, q • Files f, g • Rights r, w, x, a, o f g p q p rwo r rwxo w q a ro r rwxo CSC 382: Computer Security

  11. Example: Concurrency Control • Procedures inc_ctr, dec_ctr, manage • Variable counter • Rights +, –, call counterinc_ctr dec_ctr manage inc_ctr + dec_ctr – manage call call call CSC 382: Computer Security

  12. Copy Right • Allows possessor to give rights to another • Often attached to a right, so only applies to that right • r is read right that cannot be copied • rc is read right that can be copied • Is copy flag copied when giving r rights? • Depends on model, instantiation of model CSC 382: Computer Security

  13. Own Right Usually allows possessor to change entries in ACM column • So owner of object can add, delete rights for others • May depend on what system allows • Can’t give rights to specific (set of) users • Can’t pass copy flag to specific (set of) users CSC 382: Computer Security

  14. Attenuation of Privilege Principle: Subject may not give rights it does not possess to another. • Restricts addition of rights within a system • Usually ignored for owner • Why? Owner gives herself rights, gives them to others, deletes her rights. CSC 382: Computer Security

  15. How can we implement the ACM? • Problem: scale • Thousands of subjects. • Millions of objects. • Yet most entries are blank or default. • Solutions • Group subjects together as a single entities • Groups and Roles • Implement by row: Capabilities • Implement by column: Access Control Lists CSC 382: Computer Security

  16. Groups and Roles • Collect subjects together to express: • Need to share objects. • Security categories (e.g., admin, faculty, student, guest) • role: group that ties membership to function • Problem: loss of granularity. CSC 382: Computer Security

  17. Groups and Roles • Implementing groups: • static: groups are aliases for sets of subjects. • dynamic: user belongs to one group at a time; changes group to switch sets of rights. CSC 382: Computer Security

  18. Capabilities • Implement ACM by row. • Access Control associated with subject. • Example: UNIX file descriptors • System checks ACL on file open, returns fd. • Process subsequently uses fd to read and write file. • If ACL changes, process still has access via fd. CSC 382: Computer Security

  19. Capability Questions • How to prevent user from modifying capabilities? • How to prevent user from copying capabilities? • How to revoke rights to an object? CSC 382: Computer Security

  20. How to prevent user from modifying? • Memory protection • Capabilities are readable, but not writable. • Indirection • Capability is pointer to per-process table whose access control prevents user from touching. • Cryptography • Cryptographically secure checksum associated with capability and checked before usage. CSC 382: Computer Security

  21. How to prevent user from copying? • Copying capabilities allows users to grant rights to others. • Solution: • Use indirection or cryptographic techniques from prev slide to prevent direct access. • Add copy flag to capability, as a specific right given to copy capabilities in order to give rights to other users. CSC 382: Computer Security

  22. How to revoke rights to an object? • Direct solution • Check capabilities of every process. • Remove those that grant access to object. • Computationally expensive. • Alternative solution • Create a global object table. • Capabilities reference objects indirectly via their entries in the global object table. • Invalidate entry in global object table to revoke. CSC 382: Computer Security

  23. Access Control Lists (ACLs) • Implement ACM by column. • Access control by object. • Example: UNIX ACLs • Short “rwx” user/group/other. • Long POSIX ACLs. CSC 382: Computer Security

  24. Ethics Discussion A student discovers a flaw in a university computing system. To verify the existence of the flaw, the student exploits the flaw to gain additional privileges. These privileges allow the student to read any file on the system, including private files of other students and professors. • Did the student act ethically in exploiting the flaw? • Since the security mechanisms were insufficient to stop the student, was the action a violation of security or not? • When the student reports the problem, the university files charges against the student. Did the university act ethically? CSC 382: Computer Security

  25. ACL Questions • Which subjects can modify an object’s ACL? • Do ACLs apply to privileged users? • Do ACLs support groups and wildcards? • How are ACL conflicts resolved? • What are default permissions? • How can a subject’s rights be revoked? CSC 382: Computer Security

  26. Which subjects can modify an ACL? • Create an own right for an ACL. • Only subjects with own right can modify ACL. • Creating an object also creates object’s ACL. • Usually creator given own right at this time. • Other default rights may be set at creation too. • Some systems allow anyone with access to object to modify ACL. • What are the security implications of sharing access to a file on such a system? CSC 382: Computer Security

  27. Do ACLs apply to privileged users? • Many systems have privileged users. • UNIX: root. • Windows NT: administrator. • Should ACLs apply to privileged users? • Need read access to all objects for backups. • What security problems are produced by ignoring ACLs for privileged users? CSC 382: Computer Security

  28. Do ACLs support groups and *? • Easier to use ACLs when they support: • Groups • Wildcards CSC 382: Computer Security

  29. How are ACL conflicts resolved? • What happens when multiple ACL entries give different permissions to same subject? • First entry wins. • Last entry wins. • Deny wins over allow. CSC 382: Computer Security

  30. What are the default permissions? • Interaction of ACLs with base permissions. • POSIX ACLs modify UNIX base permissions. • How are default ACLs determined? • Subject • Subject sets default permissions, like UNIX umask. • Inheritance • Objects in hierarchical system inherit ACLs of parent object. • Subjects inherit sets of default permissions from their parent subjects. CSC 382: Computer Security

  31. How are rights revoked? • Removal of subject’s rights to object. • Delete entries for subject from ACL. • If ownership doesn’t control granting rights, matters can be complex: • If A has granted rights to B, what should happen to B’s rights if you remove A’s rights? • Removal of subject’s rights to all objects. • Very expensive (millions of objects.) • Most systems don’t support. • Why isn’t disabling subject’s account sufficient? CSC 382: Computer Security

  32. ACLs vs Capabilities ACLs • Slow: OS has to read ACL foreach object accessed. • Easy to find/change rights on a particular object. • Difficult to revoke privileges for a specific subject. Capabilities • Fast: OS always knows subject identity. • Easy to find/change rights on a particular subject. • Difficult to revoke privileges to a subject object. CSC 382: Computer Security

  33. UNIX Access Control Model • UID • integer user ID • UID=0 is root • GID • integer group ID • Users can belong to multiple groups • Objects have both a user + group owner CSC 382: Computer Security

  34. UNIX Access Control Model • OS checks EUID + EGID on object access • Usually: EUID=UID, EGID=GID • setuid/setgid programs run with different EUID/EGID, allowing you privileged access • ex: crontab, login, lp, passwd, su • Target for attackers wanting elevated privilege CSC 382: Computer Security

  35. UNIX File Permissions • Three sets of permissions: • User owner • Group owner • Other (everyone else) • Three permissions per group • read • write • Execute • UID 0 can access regardless of permissions • Files: directories, devices (disks, printers), IPC CSC 382: Computer Security

  36. UNIX File Permissions • Best-match policy • OS applies permission set that most closely matches. • You can be denied access by best match even if you match another set. • Directories • read = listing of directory • execute = traversal of directory • write = add or remove files from directory CSC 382: Computer Security

  37. Special File Permissions • Each object has set of special permission bits • sticky • On a directory, means users can only delete files that they own • setuid • Execute program with EUID = owner’s UID • setgid • Execute program with EGID = owner’s GID • On directories, causes default group owner to be that of directory owner’s GID. CSC 382: Computer Security

  38. Permission set specifiers u = user g = group o = other Permissions r = read w = write x = execute # remove other access chmod o-rwx *.c # add group r/w access chmod g+rw *.c # allow only you access chmod u=rwx * Changing Permissions: chmod CSC 382: Computer Security

  39. Octal Permission Notation • Each permissionset (u,g,o) is octal digit • Each permission (r,w,x) is one bit • ex: chmod 0644 file • u: rw, g: r, o: r • ex: chmod 0711 bin • u: rwx, g: x, o: x CSC 382: Computer Security

  40. Changing Ownership • newgrp • Group owner of files is your default group. • Changes default group to another group to which you belong. • chgrp • Changes group owner of existing file. • chmod • Changes owner of existing file. • Only root can use this command. CSC 382: Computer Security

  41. Default Permissions: umask • Determines access permissions given to newly created files • Three-digit octal number • Programs default to 0666 • Umask modifies to: 0666 & ~umask • ex: umask=022 => file has mode 0644 • ex: umask=066 => file has mode 0600 CSC 382: Computer Security

  42. setuid/setgid • Solution to UNIX ACLs inability to directly handle (user, program, file) triplets. • Process runs with EUID/EGID of file, not of user who spawned the process. • Follow principle of least privilege • create special user/groups for most purposes • Follow principle of separation of privilege • keep setuid functions/programs small • drop privileges when unnecessary CSC 382: Computer Security

  43. ACL Programming: fchmod #include <sys/types.h> #include <sys/stat.h> /* example: BSS, pp. 195-196 */ int set_perms_to_0600(FILE *f) { int fd = fileno(f); if( fchmod(fd, S_IRUSR | S_IWUSR) ) { perror(“set_perms_to_0600”); return -1; } return 0; } CSC 382: Computer Security

  44. ACL Programming: umask • Ensure that no one else can read files created by process: #include <sys/types.h> #include <sys/stat.h> mode_t set_safe_umask() { mode_t old_umask = umask(066); return old_umask; } CSC 382: Computer Security

  45. Limitations of Classic ACLs • ACL control list only contains 3 entries • Limited to one user. • Limited to one group. • Root (UID 0) can do anything. CSC 382: Computer Security

  46. POSIX Extended ACLs • Supported by most UNIX/Linux systems. • Slight syntax differences may exist. • getfacl • setfacl • chmod 600 file • setfacl -m user:gdoor:r-- file • File unreadable by other, but ACL allows gdoor CSC 382: Computer Security

  47. Immutable Files • Immutable Files on Linux • chattr +i • Cannot delete, rename, write to, link to • Applies to root too • Only root can remove immutable flag • Immutable Files on FreeBSD • chflags +noschg • Cannot be removed by root in securelevel >0 CSC 382: Computer Security

  48. Host-based Access Control • /etc/hosts.allow and /etc/hosts.deny • used by tcpd, sshd, other servers • Identify subjects by • hostname • IP address • network address/mask • Allow before Deny • use last rule in /etc/hosts.deny to deny all CSC 382: Computer Security

  49. Windows NT Access Control • Security IDs (SIDs) • users • groups • hosts • Token: user SID + group SIDs for a subject • ACLs on • files and directories • registry keys • many other objects: printers, IPC, etc. CSC 382: Computer Security

  50. Standard NT Permissions • Read: read file or contents of a directory • Write: create or write files and directories • Read & Execute: read file and directory attributes, view directory contents, and read files within directory. • List Folder Contents: RX, but not inherited by files within a folder. • Modify: delete, write, read, and execute. • Full Control: all, including taking ownership and changing permissions CSC 382: Computer Security

More Related