Computer System Security CSE 5339/7339

  1. Computer System Security CSE 5339/7339, Session 16, October 14, 2004

  2. Contents
     • A4 out
     • Midterm Key – Part-1 (Questions 5-8)
     • OS Security
     • Access Control
     • Krishan (Mehmet)’s presentation

  3. Midterm Question 5
     By Fermat’s theorem, what is the multiplicative inverse of 2 in the field of integers mod 11?
     The inverse of a is x such that a*x mod p = 1 (definition of inverse)
     a^(p-1) mod p = 1 (Fermat’s theorem)
     a*x mod p = a^(p-1) mod p
     x = a^(p-2) mod p

  4. Midterm Question 6
     For each of the following pairs of numbers determine whether or not they are relatively prime:
     • 89 and 934
     • 712 and 183

  5. Midterm Question 7
     Obtain the private and public keys in each of the following cases:
     • Merkle-Hellman scheme is used with the superincreasing knapsack = [2, 5, 8, 17]
     • RSA is used with p = 3 and q = 7

  6. Midterm Question 8
     Using the Merkle-Hellman scheme, decrypt the following ciphertext: 2 4 10 7 6
     Assume the following:
     • Public key = [2, 4, 10, 7]
     • Private key = [1, 2, 5, 9]
     • w = 2, n = 11
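As an added example (not part of the lecture slides), the arithmetic behind midterm questions 5, 7 and 8 in Python: the Fermat inverse formula from slide 3, the Merkle-Hellman public key derived from a private knapsack, and decryption of the slide-8 ciphertext with the slide's own w and n. The parameter check is my own addition; the function names are mine.

```python
# Added example (not from the slides): Fermat inverse (Q5) and Merkle-Hellman
# key generation and decryption (Q7, Q8) with the midterm's own values.
from math import gcd

def fermat_inverse(a, p):
    """Inverse of a mod prime p, via x = a^(p-2) mod p (slide 3)."""
    if a % p == 0:
        raise ValueError("a is 0 mod p and has no inverse")
    return pow(a, p - 2, p)

def is_superincreasing(seq):
    """Each element exceeds the sum of all elements before it."""
    total = 0
    for x in seq:
        if x <= total:
            return False
        total += x
    return True

def mh_params_ok(private, w, n):
    """Merkle-Hellman needs a superincreasing private knapsack, n larger than
    its sum, and w invertible mod n. Slide 8's values fail the middle test
    (1+2+5+9 = 17 > 11); decryption below still works for that ciphertext only
    because every plaintext block's subset sum stays below n."""
    return is_superincreasing(private) and n > sum(private) and gcd(w, n) == 1

def mh_public_key(private, w, n):
    """Public (hard) knapsack: each private element times w, mod n."""
    return [(w * x) % n for x in private]

def solve_superincreasing(target, private):
    """Greedy decomposition of target over a superincreasing knapsack;
    returns plaintext bits in the same order as the knapsack."""
    bits = []
    for x in reversed(private):
        if x <= target:
            bits.append(1)
            target -= x
        else:
            bits.append(0)
    if target != 0:
        raise ValueError("target is not a subset sum of the knapsack")
    return bits[::-1]

def mh_decrypt(cipher, private, w, n):
    """Multiply each block by w^-1 mod n, then solve the easy knapsack."""
    w_inv = pow(w, -1, n)          # Python 3.8+; extended Euclid for older
    return [solve_superincreasing((c * w_inv) % n, private) for c in cipher]
```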

  7. Trusted OS
     • Memory Protection
     • File Protection
     • User Authentication
     • General Object Access Control

  8. Access Control Policies
     • Specification of how each user is authorized to use each resource.
     • In practice, no computer applies a single policy to manage all of its resources.
     • Scheduling algorithms for CPU: SJF, RR
     • Storage: paging, segmentation

  9. Access Control Matrix (Butler Lampson)
     Every object to be protected is within one or more protection domains.
     (Figure: objects O1, O2, O3, O4 placed across Domain 1, Domain 2 and Domain 3.)

  10. Access Rights
     (Figure: each domain with its <object, rights> pairs.)
     Domain 1: <O1, {read,write}>, <O2, {execute}>
     Domain 2: <O2, {write}>, <O4, {print}>
     Domain 3: <O1, {execute}>, <O3, {read}>, <O4, {print}>

  11. What does that mean?
     • O1 can be read and written in domain 1 and executed in domain 3, O2 can be executed in domain 1 and written in domain 2, O3 can be read in domain 3, and O4 can be printed in domains 2 and 3.
     • At any given time, the domain in which a user is operating determines what actions are and are not permitted.
     • If Matthew is in domain 1, he is permitted to:
       • Read or write object 1
       • Execute object 2

  12. Access Control Matrix

  13. Access Control Matrix (cont.)
     • The matrix designates the protection policy. A mechanism is required to enforce the policy.
     • The OS stores the matrix in memory
     • Large and sparse matrix
     • Ordered triples instead

  14. List of Ordered Triples
     (Domain 1, Object 1, {read,write})
     (Domain 1, Object 2, {execute})
     (Domain 2, Object 2, {write})
     (Domain 2, Object 4, {print})
     (Domain 3, Object 1, {execute})
     (Domain 3, Object 3, {read})
     (Domain 3, Object 4, {print})

  15. List of Ordered Triples (Cont.)
     For each attempt by a user in Domain i to perform operation O on object j, the OS consults the list of triples. If it finds a triple (i, j, R) where O is a member of the access rights R, the operation is allowed to proceed; otherwise it is not.
     • The list must be protected from tampering by users
     • Could be very large
     • Search may become a problem
     • Does not take advantage of special grouping of objects

  16. Access lists
     Object 1: (<Domain 1, {read,write}>, <Domain 3, {execute}>)
     Object 2: (<Domain 1, {execute}>, <Domain 2, {write}>)
     Object 3: (<Domain 3, {read}>)
     Object 4: (<Domain 2, {print}>, <Domain 3, {print}>)
     An attempt by a user in Domain i to perform operation O on object j causes the OS to consult the entry of the access list for object j. Object j’s list is searched for Domain i’s entry, and the operation is permitted if there is an access right for O.

  17. Default
     Object 2: (<Default, {read}>, <Domain 1, {execute}>, <Domain 2, {write}>)

  18. Capability List
     (Object, rights): a capability
     Domain 1: (<Object 1, {read,write}>, <Object 2, {execute}>)
     Domain 2: (<Object 2, {write}>, <Object 4, {print}>)
     Domain 3: (<Object 1, {execute}>, <Object 3, {read}>, <Object 4, {print}>)
     Users are given a copy of the capability list for the domain in which they are operating.

  19. How does it work?
     Domain 1: (<Object 1, {read,write}>, <Object 2, {execute}>)
     Domain 2: (<Object 2, {write}>, <Object 4, {print}>)
     Domain 3: (<Object 1, {execute}>, <Object 3, {read}>, <Object 4, {print}>)
     When a user wants to perform some operation O on object j, it passes its capability for j as one of the parameters of O. For example, a user might request to write to Object 2 and pass its copy of <Object 2, {write}>. The OS verifies.
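As an added example (not part of the lecture slides), the slide-14 triples represented three ways in Python: as the dense matrix of slide 12, as the per-object access lists of slides 16 and 17 (including the Default entry), and as the per-domain capability lists of slides 18 and 19, each with the lookup the slides describe. The data is the slides' own; the function names are mine.

```python
# Added example (not from the slides): the slide-14 triples as an access control
# matrix, re-indexed as access lists (slide 16) and capability lists (slide 18),
# with the three lookup procedures the slides describe. Data is the slides' own.
from collections import defaultdict

TRIPLES = [                                   # (domain, object, rights), slide 14
    ("Domain 1", "Object 1", {"read", "write"}),
    ("Domain 1", "Object 2", {"execute"}),
    ("Domain 2", "Object 2", {"write"}),
    ("Domain 2", "Object 4", {"print"}),
    ("Domain 3", "Object 1", {"execute"}),
    ("Domain 3", "Object 3", {"read"}),
    ("Domain 3", "Object 4", {"print"}),
]

def build_matrix(triples):
    """Dense matrix M[domain][object] -> rights; the many empty cells are
    why the slides switch to a sparse list of triples."""
    domains = sorted({d for d, _, _ in triples})
    objects = sorted({o for _, o, _ in triples})
    m = {d: {o: set() for o in objects} for d in domains}
    for d, o, rights in triples:
        m[d][o] |= rights
    return m

def access_lists(triples):
    """Slide 16: indexed by object -> {domain: rights}."""
    acl = defaultdict(dict)
    for d, o, rights in triples:
        acl[o][d] = set(rights)
    return dict(acl)

def capability_lists(triples):
    """Slide 18: indexed by domain -> {object: rights}."""
    caps = defaultdict(dict)
    for d, o, rights in triples:
        caps[d][o] = set(rights)
    return dict(caps)

def allowed_by_triples(triples, domain, op, obj):
    """Slide 15: linear search for a triple (domain, obj, R) with op in R."""
    return any(d == domain and o == obj and op in r for d, o, r in triples)

def allowed_by_acl(acl, domain, op, obj):
    """Slides 16/17: consult obj's list; a 'Default' entry applies to every domain."""
    entries = acl.get(obj, {})
    return op in (entries.get(domain, set()) | entries.get("Default", set()))

def allowed_by_capability(caps, domain, op, obj):
    """Slide 19: the domain's own capability for obj must carry op."""
    return op in caps.get(domain, {}).get(obj, set())
```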

  20. Encrypting Capabilities
     • OS must ensure that users cannot create their own capabilities or alter capabilities they are given.
     • OS may encrypt capabilities using a secret key before giving them to users.
     • The OS decrypts and checks the capability each time it is used.
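As an added example (not part of the lecture slides), a capability that the OS issues under a secret key and re-checks on every use. Where the slide says "encrypt", this example uses an HMAC-SHA256 tag instead, which is what the check on use actually needs: a holder without the key can neither forge a capability nor alter one. The key, the JSON encoding and the function names are my own choices.

```python
# Added example (not from the slides): a capability the OS issues under a secret
# key and re-checks on every use (slide 20). The slide says "encrypt"; this
# example uses an HMAC-SHA256 tag instead, since what the check on use needs is
# that a user can neither forge nor alter a capability. Key and names are mine.
import hashlib
import hmac
import json

OS_SECRET = b"constructed demo key, never leaves the OS"

def issue_capability(domain, obj, rights, key=OS_SECRET):
    """OS side: serialize <domain, object, rights> and attach a keyed tag."""
    body = json.dumps({"domain": domain, "object": obj,
                       "rights": sorted(rights)}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag

def check_capability(cap, domain, op, obj, key=OS_SECRET):
    """OS side, on each use: is the tag valid, and does it authorize op?"""
    body, tag = cap
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False                      # forged or altered: reject
    c = json.loads(body)
    return c["domain"] == domain and c["object"] == obj and op in c["rights"]

def altered_copy(cap, new_rights):
    """Test fixture: a holder without the key edits the body and keeps the
    old tag. check_capability must reject the result."""
    body, tag = cap
    c = json.loads(body)
    c["rights"] = sorted(new_rights)
    return json.dumps(c, sort_keys=True).encode(), tag
```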

  21. Security Policy A security policy is a statement of the security we expect the system to enforce. A system can be trusted only in relation to its security policy, that is, to the security needs the system is expected to satisfy.

  22. Military Security Policy
     Sensitivity levels, in increasing order: Unclassified, Restricted, Confidential, Secret, Top Secret

  23. Access to Information
     Information access is limited by the need-to-know rule.
     Compartment: each piece of classified information may be associated with one or more projects called compartments.

  24. Compartments and Sensitivity Levels
     (Figure: the sensitivity levels Top Secret, Secret, Confidential, Restricted, Unclassified crossed with Compartment 1, Compartment 2, Compartment 3.)

  25. Classification & Clearance
     <rank; compartments>: class of a piece of information
     Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity.
     <rank; compartments>: clearance of a subject

  26. Dominance Relation
     We say that s dominates o (or o is dominated by s) if o <= s.
     For a subject s and an object o, o <= s if and only if rank(o) <= rank(s) and compartments(o) is a subset of compartments(s).
     A subject can read an object if the subject dominates the object.

  27. Example
     Information classified as <secret; {Sweden}>
     Which of the following subject clearances can read the above information?
     • <top secret; {Sweden}>
     • <secret; {Sweden, crypto}>
     • <top secret; {crypto}>
     • <confidential; {Sweden}>
     • <secret; {France}>

  28. Models of Security
     Security models are used to:
     • Test a particular policy for completeness and consistency
     • Document a policy
     • Help conceptualize and design an implementation
     • Check whether an implementation meets the requirements

  29. Lattice
     (Figure: a lattice of security classes with an upper bound and a lower bound marked.)

  30. Bell-La Padula Model
     • Formal description of the allowable paths of information flow in a secure system.
     • Set of subjects and another set of objects
     • Each subject s has a fixed security clearance C(s)
     • Each object o has a fixed security class C(o)

  31. Bell-La Padula Model (Cont.)
     Two properties characterize the secure flow of information:
     • A subject s may have read access to an object o only if C(o) <= C(s)
     • A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p).
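As an added example (not part of the lecture slides), the <rank; compartments> classes of slide 25, the dominance relation of slide 26, the lattice bounds of slide 29 and the two Bell-La Padula properties of slide 31 in Python, run against the slide-27 question. The rank ordering follows slide 22; the function names are mine.

```python
# Added example (not from the slides): <rank; compartments> classes (slide 25),
# the dominance relation (slide 26), lattice bounds (slide 29) and the two
# Bell-La Padula properties (slide 31), run against the slide-27 question.
RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]

def make_class(rank, compartments=()):
    """<rank; compartments> as (rank index, frozenset of compartments)."""
    return RANKS.index(rank), frozenset(compartments)

def dominates(s, o):
    """o <= s iff rank(o) <= rank(s) and compartments(o) is a subset of compartments(s)."""
    return o[0] <= s[0] and o[1] <= s[1]

def lub(a, b):
    """Least upper bound in the lattice: higher rank, union of compartments."""
    return max(a[0], b[0]), a[1] | b[1]

def glb(a, b):
    """Greatest lower bound: lower rank, compartments common to both."""
    return min(a[0], b[0]), a[1] & b[1]

def can_read(clearance, obj_class):
    """Simple security: s may read o only if C(o) <= C(s)."""
    return dominates(clearance, obj_class)

def can_write_after_read(read_class, write_class):
    """Slide 31's second property: having read o, s may write p only if
    C(o) <= C(p), so information never flows to a lower class."""
    return dominates(write_class, read_class)

INFO = make_class("secret", {"Sweden"})               # slide 27 information
CLEARANCES = [("top secret", {"Sweden"}), ("secret", {"Sweden", "crypto"}),
              ("top secret", {"crypto"}), ("confidential", {"Sweden"}),
              ("secret", {"France"})]

def readers(info, clearances):
    """The listed clearances that dominate info, i.e. may read it."""
    return [c for c in clearances if can_read(make_class(*c), info)]
```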

  32. Illustration
     (Figure: subjects s1, s2 and objects o1 to o5 arranged between Low and High.)

  33. Harrison, Ruzzo, and Ullman (HRU) Model

  34. HRU Model (cont.)
     HRU allows the state of the protection system to be changed by a well-defined set of commands:
     • Add subject s to M
     • Add object o to M
     • Delete subject s from M
     • Delete object o from M
     • Add right r to M[s,o]
     • Delete right r from M[s,o]
     The owner can change the rights of an object.

  35. Take Grant Model
     • Unlimited number of subjects and objects
     • States and state transitions
     • Directed graph
     • Four primitive operations:
       • take
       • create
       • grant
       • revoke

  36. Take Grant Model (Cont.)
     (Figure: directed graph with subjects S1, S2, S3 and objects O1, O2, O3; edges labelled read, write and execute.)

  37. Create
     (Figure: S creates O and receives rights to it.)

  38. Revoke
     (Figure: S’s rights to O, r1, r2, r3, become r1, r2 after the revoke.)

  39. Take
     (Figure: S1 has take to S2 and S2 has read to O; after the take, S1 also has read to O.)

  40. Grant
     (Figure: S1 has grant to S2 and read to O; after the grant, S2 also has read to O.)
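As an added example (not part of the lecture slides), a take-grant protection graph in Python with the four primitive operations of slide 35, so the rules drawn on slides 37 to 40 can be replayed: take and grant only fire when the required edge exists, and return False otherwise. The vertex names and right labels are the slides'; the class and helper are mine.

```python
# Added example (not from the slides): a take-grant protection graph with the
# four primitive operations of slide 35, replayed on the figures of slides
# 37-40. Vertex names and right labels are the slides'; the class is mine.
class TakeGrant:
    def __init__(self):
        self.subjects = set()
        self.edges = {}                  # (src, dst) -> set of rights

    def rights(self, x, y):
        return self.edges.get((x, y), set())

    def _add(self, x, y, rights):
        self.edges.setdefault((x, y), set()).update(rights)

    def create(self, s, new, rights):
        """Slide 37: subject s creates vertex 'new' and gets rights to it."""
        if s not in self.subjects:
            raise ValueError("only subjects act")
        self._add(s, new, rights)

    def revoke(self, s, y, rights):
        """Slide 38: s drops some of its own rights to y."""
        if (s, y) in self.edges:
            self.edges[(s, y)].difference_update(rights)

    def take(self, s, x, y, r):
        """Slide 39: if s has 'take' to x and x has r to y, s gains r to y."""
        if "take" not in self.rights(s, x) or r not in self.rights(x, y):
            return False
        self._add(s, y, {r})
        return True

    def grant(self, s, x, y, r):
        """Slide 40: if s has 'grant' to x and r to y, s gives x the right r to y."""
        if "grant" not in self.rights(s, x) or r not in self.rights(s, y):
            return False
        self._add(x, y, {r})
        return True

def figure(s1_to_s2, s1_to_o=(), s2_to_o=()):
    """Build the two-subject, one-object graph drawn on slides 39 and 40."""
    g = TakeGrant()
    g.subjects |= {"S1", "S2"}
    g._add("S1", "S2", set(s1_to_s2))
    g._add("S1", "O", set(s1_to_o))
    g._add("S2", "O", set(s2_to_o))
    return g
```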
