Page 1: ACCESS CONTROL

Access Control Concepts

SECURITY INNOVATION ©2003

Page 2: Access Control

What is access control?

Page 3: Access Control

• Provides limits on who can do what with objects on the computer
• Can’t happen without identification and authentication
• Is not the same as identification and authentication

Page 4: Access Control

Policy-Based Control of:

WHO has access to specific systems
WHAT they can do with them, and
WHEN they are allowed access

Page 5: Access Control Layers

Technical
Physical
Administrative

Page 6: Administrative Access Controls

• Security Policies & Procedures
• Security Awareness & Training
• Separation of Duties
• Hiring Procedures
• Employee Termination Policy
• Disaster Recovery & Contingency Plan
• User Registration for Computer Access

Page 7: Physical Access Controls

• Network Segregation
• Perimeter Security
• Security Guards
• Badge Systems
• Biometric Access Controls
• Closed Circuit TV Monitoring
• Sensors & Alarms

Page 8: Technical (Logical) Controls

• Administrative and physical access controls are based on traditional security threats and thus are well understood
• Technical or logical access controls mirror new software systems technology and the evolving threat model. For these reasons a discussion of technical controls is more complex, and we address access control within this context.

Page 9: Technical (Logical) Controls

In general technical controls involve….

• Access Control Software
• Passwords
• Smart Cards
• Encryption
• System Access
• Network Access

Page 10: Analogy of Organizational Security

• Multi-level security policies (MLS-policies)
• Different levels of security
  – E.g. top secret, secret, confidential, public
• Relating security levels
  – To subjects (persons) and objects (rooms or items)
• Control
  – Access right is only granted if the person has the appropriate authorization, i.e. security level

Page 11: Access Control

• Protection objects: system resources for which protection is desirable
  – Memory, file, directory, hardware resource, software resources, etc.
• Subjects: active entities requesting accesses to resources
  – User, owner, program, etc.
• Access mode: type of access
  – Read, write, execute

Page 12: Access Control Requirement

• Cannot be bypassed
• Enforce least-privilege and need-to-know restrictions
• Enforce organizational policy

Page 13: Access Control

• Access control: ensures that all direct accesses to an object are authorized
• Protects against accidental and malicious threats by regulating the reading, writing and execution of data and programs
• Need:
  – Proper user identification and authentication
  – Information specifying the access rights is protected from modification

Page 14: Access Control

• Access control components:
  – Access control policy: specifies the authorized accesses of a system
  – Access control mechanism: implements and enforces the policy
• Separation of components allows us to:
  – Define access requirements independently from implementation
  – Compare different policies
  – Implement mechanisms that can enforce a wide range of policies

Page 15: Closed vs. Open Systems

Closed system (minimum privilege): the rules list the allowed accesses.
  Access requirements → Exists rule? → yes: access permitted / no: access denied

Open system (maximum privilege): the rules list the disallowed accesses.
  Access requirements → Exists rule? → yes: access denied / no: access permitted
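The policy/mechanism split of the previous slide and the closed-versus-open decision of this one, as an added Python illustration (not code from the Security Innovation deck). The reference monitor is the mechanism and never changes; only the Policy object decides what a missing rule means. The subjects, objects, rules and the unanticipated "truncate" mode are constructed sample data.

```python
"""Reference monitor with a pluggable policy: closed (default deny) versus
open (default allow).  Added illustration; the subjects, objects and rules
are constructed sample data, not from the deck."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Policy: a set of (subject, object, mode) rules plus the meaning of a missing rule."""
    rules: set
    closed: bool   # True: rules list allowed accesses; False: rules list disallowed ones

    def allows(self, subject, obj, mode):
        rule_exists = (subject, obj, mode) in self.rules
        # Closed system (minimum privilege): permitted only if a rule exists.
        # Open system (maximum privilege): denied only if a rule exists.
        return rule_exists if self.closed else not rule_exists


@dataclass
class ReferenceMonitor:
    """Mechanism: every access request passes through here.  It only consults the
    policy, so the same monitor enforces a closed or an open policy unchanged."""
    policy: Policy
    audit_trail: list = field(default_factory=list)

    def request(self, subject, obj, mode):
        decision = self.policy.allows(subject, obj, mode)
        self.audit_trail.append((subject, obj, mode, "permitted" if decision else "denied"))
        return decision


# Constructed rules: Sam may read the production log and run the production program.
RULES = {("sam", "production.log", "read"), ("sam", "production.prog", "execute")}

# The same four requests, including one mode ("truncate") that the policy author
# never anticipated, evaluated under each kind of policy.
REQUESTS = [("sam", "production.log", "read"),
            ("sam", "production.log", "write"),
            ("bob", "production.log", "read"),
            ("bob", "production.log", "truncate")]


def decisions(closed):
    """Run REQUESTS through a monitor enforcing a closed or an open policy."""
    monitor = ReferenceMonitor(Policy(RULES, closed=closed))
    return [monitor.request(*req) for req in REQUESTS]


if __name__ == "__main__":
    print("closed:", decisions(True))    # [True, False, False, False]
    print("open:  ", decisions(False))   # [False, True, True, True]
```

The last request is the point of the "define things narrowly so that what you don't know doesn't become allowed" slide: under the open policy the unanticipated mode is permitted because no rule forbids it, under the closed policy it is denied because no rule grants it.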

Page 16: Access Control

• Active subjects:
  – e.g. processes, persons, groups ….
• Passive objects:
  – e.g. data, memory banks, ...

(Figure: Subjects → Access Control (Reference monitor) → Objects)

Page 17: How It Works

A. Subject – User or Process
B. Request for Access
C. Reference Monitor – Decides on the Access
D. Reference Monitor Grants or Denies Access Request
E. Object – File / Printer / Nodes on Network

(Figure: SUBJECT (A) → request (B) → REFERENCE MONITOR (C, D) → OBJECT (E))

Page 18: (Figure: User X runs a Program; Program Execution passes through the Monitor before reaching Memory, Network and Disk)

Page 19: Reference Monitor

• Makes access control work
• You can tell it
  – What a subject is allowed to do
  – What may be done with an object
• In order to specify these things, you need to know all the possibilities, or you need to define things narrowly so that what you don't know doesn’t become allowed

Page 20: Reference Monitors

• Single level
• Easy to implement….. BUT
• May become a bottle-neck…

IF the access-control monitor is defeated, THEN all accesses are vulnerable

Page 21: Ideal Reference Monitor

• Sees everything a program is about to do before it does it
• Can instantly and completely stop program execution (or prevent action)
• Has no other effect on the program or system

Can we build this? Probably not unless we can build a time machine...

(Slide annotations contrasting real monitors with the ideal: "Real", "most things", "limited")

Page 22: Protecting the Reference Monitor

• It must not be possible to circumvent the reference monitor by corrupting it
• Mechanisms
  – Type checking
  – Sandboxing: run processes in isolation
  – Software fault isolation: rewrite memory access instructions to perform bounds checking
  – User/Kernel modes
  – Segmentation of memory (OS resources aren’t part of virtual memory system)

Page 23: Example Reference Monitors

• Operating Systems
  – File system
  – Memory (virtual memory, separate address spaces)
• Firewalls
  – Regulate network access
• Java Virtual Machine
  – Regulates Java programs’ resource usage

Operate at different levels of abstraction
  – Interface (Subjects, Objects, Actions) varies

Page 24: Reference Monitors

• Cannot enforce all Security Policies
• Some policies depend on:
  – Knowing about the future
    • If the program charges the credit card, it must eventually ship the goods
  – Knowing about all possible executions
    • Information flow – can’t tell if a program reveals secret information without knowing about other possible executions

Page 25: Access Control

• You want to protect some of the files you create
  – Is confidentiality an issue?
• Operating systems are designed to protect users from each other
  – Is integrity an issue?
• Terminology
  – An active subject wishes to use an access operation on a passive object.
    • (Sam wishes to read the production log)
  – The same entity can sometimes be either subject or object
    • (Sam wishes to execute the production program – the production program wishes to read the production log)
  – We could specify what the subject is allowed to do, or what may be done with the object

Page 26: Access Control - Modes

• There is a lot of computing history behind the four access modes
  – Execute (usually includes Read capability)
  – Read
  – Append (blind write)
  – Write (which includes Read capability)
• Note that these modes do not directly allow for entities (say an active user) to create objects, and to grant access modes to that object
  – Sam needs to create a file for the latest production report, and needs all members of the production team to have read access to that file

Page 27: Basic Access Control

• 1 : Type of file.
• 2 – 4 : Owner’s permission.
• 5 – 7 : Group’s permission.
• 8 – 10 : Other’s permission.

PERMISSION      MEANING
- rwx rwx rwx   File. Everyone can read, write and execute this.
- rwx r-x r-x   File. Everyone can read and execute this but only the owner can write to it.
- r-- r-- ---   File. The owner and everyone in his group can only read this file, but the others have no access to it.
d rw- rw- rw-   Directory. Everyone can read and write. No one including the owner can traverse it.
l rwx r-x r-x   Link. The permissions for a link generally do not matter.

Page 28: Access Control List (UNIX)

• An access control list (ACL) is an ordered list of access control entries that define the protections that apply to an object and its properties
• An ACL entry contains
  – Attributes:
    • Defines special file modes
  – Base permissions:
    • Reflect the basic access rights
  – Extended permissions:
    • specify, permit, deny

Page 29: Access Control List

ACL ENTRIES                                DESCRIPTION
1. attributes: setuid,setgid,stickybit     Special file modes.
2. base permissions                        Standard Unix file permissions.
3. owner(owner_user): rwx                  owner and access rights
4. (owner_group): r-x                      group and access rights
5. others: r--                             other's rights
6. extended permissions                    Additional ACL entries.
7. enabled                                 enabled or disabled
8. permit --x u:some_user, g:some_group    Permits access to the specified user-group combination in a boolean AND manner.
9. deny rwx g:a_group                      Forbids access to the specified user-group combination in a boolean AND manner.
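The base permissions of the "Basic Access Control" slide and the extended permit/deny entries of this one, evaluated together for a subject, as an added Python illustration (not code from the deck or from any particular UNIX). The file, users and groups are constructed. The evaluation order used, base permissions for the owner/group/other class, plus matching permit entries, minus matching deny entries with deny winning, and the "boolean AND" reading of an entry that names both a user and a group, are assumptions drawn from the slide's wording rather than a specification of a real ACL implementation.

```python
"""UNIX mode string plus extended permit/deny ACL entries, evaluated for a
subject.  Added illustration; the file, users and groups are constructed and
the combination rule (base + permit - deny, deny wins) is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset


@dataclass
class FileACL:
    ftype: str       # '-' file, 'd' directory, 'l' link
    owner: str
    group: str
    base: str        # nine characters, e.g. "rwxr-x---"
    extended: list   # parsed permit/deny entries
    enabled: bool = True


def parse_mode(text):
    """'- rwx r-x r--' or '-rwxr-xr--' -> ('-', 'rwxr-xr--')."""
    s = text.replace(" ", "")
    if len(s) != 10 or s[0] not in "-dl" or any(c not in "rwx-" for c in s[1:]):
        raise ValueError(f"bad mode string: {text!r}")
    return s[0], s[1:]


def parse_extended(line):
    """'permit --x u:some_user, g:some_group' -> ('permit', {'x'}, {'u': ..., 'g': ...})."""
    kind, perms, who_text = line.split(None, 2)
    if kind not in ("permit", "deny"):
        raise ValueError(f"unsupported entry kind: {kind}")
    who = {}
    for token in who_text.split(","):
        key, _, name = token.strip().partition(":")
        if key not in ("u", "g") or not name:
            raise ValueError(f"bad identity: {token!r}")
        who[key] = name
    return kind, set(perms) - {"-"}, who


def base_rights(acl, subject):
    """Owner, then group, then others: the classic 9-bit lookup."""
    if subject.user == acl.owner:
        triple = acl.base[0:3]
    elif acl.group in subject.groups:
        triple = acl.base[3:6]
    else:
        triple = acl.base[6:9]
    return set(triple) - {"-"}


def entry_matches(who, subject):
    """Boolean AND: every identity listed in the entry must hold for the subject."""
    return all(name == subject.user if key == "u" else name in subject.groups
               for key, name in who.items())


def effective_rights(acl, subject):
    rights = base_rights(acl, subject)
    if not acl.enabled:                # extended entries switched off: base only
        return rights
    permitted, denied = set(), set()
    for kind, perms, who in acl.extended:
        if entry_matches(who, subject):
            (permitted if kind == "permit" else denied).update(perms)
    return (rights | permitted) - denied   # assumption: deny overrides permit


def can(acl, subject, mode):
    """mode is 'r', 'w' or 'x'; for a directory 'x' is the right to traverse it."""
    return mode in effective_rights(acl, subject)


# Constructed sample: the production report, owned by sam, group prod.
ftype, base = parse_mode("- rwx r-x r--")
REPORT = FileACL(ftype, "sam", "prod", base,
                 [parse_extended("permit --x u:alice, g:qa"),
                  parse_extended("deny rwx g:contractors")])
SAM = Subject("sam", frozenset({"prod"}))
ALICE = Subject("alice", frozenset({"qa"}))
CAROL = Subject("carol", frozenset({"qa"}))                  # same group, other user
DAVE = Subject("dave", frozenset({"prod", "contractors"}))   # group grant, but denied

if __name__ == "__main__":
    for s in (SAM, ALICE, CAROL, DAVE):
        print(s.user, sorted(effective_rights(REPORT, s)))
```

Carol shows the AND semantics: she is in the qa group but is not alice, so the permit entry does not apply to her. Dave shows why deny entries matter for review: his prod group membership grants r-x from the base permissions, yet his contractors membership removes everything.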

Page 30: Auditing

• Is a feature which provides accountability to all system activities from file access to network and database
• Each audit event such as user login is formatted into fields such as the event type, user id, file names and time
• Audit events
  Administrative event class
    • Security administrator events
    • System administrator events
    • Operator events
  Audit event class
    • Describes the operation of the audit system itself

Page 31: Audit Trail

• Record of both completed and attempted access and service: a chronological record of system activities
• Enables reconstruction and examination of the sequence of events and changes in audit event
• Monitoring system changes
  – File system permissions & checksums should be set, snapshots taken & made read-only
  – Snapshots are made regularly and compared with the original for changes
  – E.g.: tripwire, rdist utility, securemax (from Open Vision), ESM….
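The snapshot-and-compare procedure of this slide, as an added Python illustration (not code from the deck, nor from tripwire or any of the tools it names). It records the permission string, owner ids, size and SHA-256 of every file under a root, writes the baseline read-only, and reports what a later snapshot added, removed or changed. The sample tree and the changes made to it are constructed inside temporary directories so the script runs offline.

```python
"""Tripwire-style change detection: record permissions and SHA-256 of every
file under a root, store the baseline read-only, and diff later snapshots
against it.  Added illustration; the sample tree and the changes made to it
are constructed in temporary directories."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Permission string, owner ids, size and (for regular files) SHA-256."""
    st = os.lstat(path)
    rec = {"mode": stat.filemode(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec


def snapshot(root):
    """Map of path-relative-to-root -> record, for every file below root."""
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            records[os.path.relpath(full, root)] = file_record(full)
    return records


def compare(baseline, current):
    """Added, removed and changed paths; for changed ones, which fields moved."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        diff = {k: (before.get(k), after.get(k))
                for k in set(before) | set(after) if before.get(k) != after.get(k)}
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(records, path):
    """Write the baseline and make it read-only, as the slide recommends."""
    with open(path, "w") as fh:
        json.dump(records, fh, indent=1, sort_keys=True)
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Build a constructed tree, baseline it, alter it, and report the differences."""
    root = tempfile.mkdtemp(prefix="fim-root-")
    os.mkdir(os.path.join(root, "bin"))
    _write(os.path.join(root, "bin", "login"), "original binary\n", 0o755)
    _write(os.path.join(root, "passwd"), "root:x:0:0\n", 0o644)

    baseline_file = os.path.join(tempfile.mkdtemp(prefix="fim-base-"), "baseline.json")
    save_baseline(snapshot(root), baseline_file)

    # Constructed changes a later snapshot should flag: new content in a binary,
    # a loosened permission, and an unexpected new file.
    _write(os.path.join(root, "bin", "login"), "replaced binary\n", 0o755)
    os.chmod(os.path.join(root, "passwd"), 0o666)
    _write(os.path.join(root, "cron.tmp"), "x\n", 0o644)

    return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keeping the baseline on read-only or offline storage matters more than the hash algorithm: a snapshot that the monitored system can rewrite proves nothing about that system.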

Page 32: Windows 2000 File System

• Supports two file systems
  – FAT (File Allocation Table)
    • File system does not record security information such as owner or access permission of a file or directory
  – NTFS (New Technology File System)
    • Supports a variety of multi-user security models
• NTFS vs. FAT
  – Fault tolerance
  – Access Control by directory or file
  – Can compress individual files or directories
  – POSIX support

Page 33: Windows 2000 Auditing

• Windows 2000's object access is an important source of OS-level information about how users employ your network. This category can track the source, time, and method of access to files, folders, registry keys, and printers. It can gather specific details about the logon session under which an access attempt occurred or the application through which a user tried to open an object. Object-access events can be linked to corresponding logon or process-tracking events.

Page 34: Windows 2000 Access Control

• Each object has two Access Control Lists.
  – A discretionary Access Control List (DACL)
  – A system Access Control List (SACL)
• Windows 2000 auditing is able to track object access at both the system level and the object level. This is accomplished by first enabling the Audit object access category for success and failure events. Second, you need to enable auditing for each object you want to monitor.

Page 35: Discretionary Access Control List (DACL)

• The DACL controls who can access the object and how.

(Figure: the object's Access Control Settings dialog, which shows permissions for only one user or one group at a time)

Page 36: System Access Control List (SACL)

• The SACL defines the actions for which Windows 2000 audits an object. An object's SACL consists of access control entries (ACEs). An ACE defines exactly which types of access Windows 2000 records in the Security log when a specified user or group accesses the object.

(Figure: an auditing entry that audits the Everyone group's successful attempts to gain write access and failed attempts to gain read access.)

Page 37: Access Control List

• Data structure of an ACL
  – ACL Size: # of bytes of memory allocated
  – ACL Revision: revision # for the ACL’s data structure
  – ACE Count: # of ACEs in the ACL

Page 38: Access Control Entries

• Contains the following access control information
  – A security identifier (SID)
  – An access mask – specifies access rights
  – A set of bit flags that determines which child objects can inherit the ACE
  – A flag that indicates the type of ACE

Page 39: ACE Types

• 3 Generic types

TYPE             DESCRIPTION
Access-denied    Used in a DACL to deny access.
Access-allowed   Used in a DACL to allow access.
System-audit     Used in a SACL to log attempts to access.

• Object-Specific ACE types

TYPE                              DESCRIPTION
Access-denied, object-specific    Used in a DACL to deny access to a property or property set, or to limit inheritance to a specified type of child object.
Access-allowed, object-specific   Used in a DACL to allow access to a property or property set, or to limit inheritance to a specified type of child object.
System-audit, object-specific     Used in a SACL to log attempts to access a property or property set, or to limit inheritance to a specified type of child object.

Page 40: Access Rights

• Generic Access Rights
• Standard Access Rights
  – Other rights: SACL access rights, Object-specific access rights, user rights

Generic Access Rights
CONSTANT IN WIN32 API   MEANING
GENERIC_ALL             Read, write, and execute access
GENERIC_EXECUTE         Execute access
GENERIC_READ            Read access
GENERIC_WRITE           Write access

Standard Access Rights
CONSTANT IN WIN32 API   MEANING
DELETE                  The right to delete the object.
READ_CONTROL            The right to read the information in the object's security descriptor, not including the information in the SACL.
SYNCHRONIZE             The right to use the object for synchronization. Some object types do not support this access right.
WRITE_DAC               The right to modify the DACL in the object's security descriptor.
WRITE_OWNER             The right to change the owner in the object's security descriptor.

Page 41: Access Control: How does it Work? The Windows Model

Page 42: Access Checking & Audit Generation

• Function “AccessCheckAndAuditAlarm” determines whether the subject is allowed or denied access and then determines whether there is a need to generate an auditing entry in the security log.
• It considers the following
  – Subject’s access token
  – Subject’s desired access mask (a 32-bit data structure, each bit corresponding to a particular access right)
  – Object’s security descriptor
• After the access-checking is complete, this function returns a granted access mask (it is identical to the desired access mask except that all bits are initially turned off)


Auditing

• Here, we generate entries in the security log for successful or failed attempts to access an object

• After the access checking is over, the function tells us what needs to be logged:
– Subject's access token
– Desired access mask (from the subject)
– Granted access mask (from the access check)
– Object's SACL
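The following Python model is an added illustration of the two slides above; it is not code from the slides or from Windows. It takes an access token, a desired access mask and a security descriptor (DACL plus SACL), walks the DACL in ACE order to produce a granted access mask, and then consults the SACL to decide whether an audit entry is needed. The trustee names, the access-right bit values and the sample ACEs are constructed for the example, and the DACL walk is a simplified reading of the well-known order-dependent rule set (a deny ACE covering any still-unsatisfied bit denies the whole request; allow ACEs grant bits until none remain).

```python
"""Simplified model of access checking plus audit generation.

Added example, not code from the slides or from Windows. ACEs are examined in
list order: an access-denied ACE that covers any still-unsatisfied requested
bit denies the whole request, access-allowed ACEs grant bits until none remain,
and a request that reaches the end of the DACL with bits left over is denied.
The SACL decides whether an audit record is written. All SIDs (here plain
names), masks and ACEs are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed access-right bits (same idea as the 32-bit access mask)
READ, WRITE, EXECUTE, DELETE, WRITE_DAC, WRITE_OWNER = 1, 2, 4, 8, 16, 32


@dataclass
class Ace:
    kind: str                 # "allow" / "deny" (DACL) or "audit" (SACL)
    sid: str                  # trustee the ACE applies to
    mask: int                 # access bits covered by the ACE
    on_success: bool = False  # audit ACEs: record granted accesses
    on_failure: bool = False  # audit ACEs: record denied accesses


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]            # None = no DACL at all: everyone gets everything
    sacl: List[Ace] = field(default_factory=list)


@dataclass
class AccessToken:
    user: str
    groups: Set[str]


def access_check(token: AccessToken, sd: SecurityDescriptor, desired: int):
    """Return (allowed, granted_mask); granted_mask is zero when access is denied."""
    trustees = {token.user} | token.groups
    if sd.dacl is None:                  # absent DACL: unrestricted access
        return True, desired
    remaining, granted = desired, 0      # granted starts with all bits turned off
    for ace in sd.dacl:                  # ACE order is significant
        if remaining == 0:
            break
        if ace.sid not in trustees:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, 0              # explicit deny on an unsatisfied bit wins
        if ace.kind == "allow":
            newly = ace.mask & remaining
            granted |= newly
            remaining &= ~newly
    if remaining:                        # DACL exhausted (or empty) with bits unsatisfied
        return False, 0
    return True, granted


def audit_needed(token, sd, desired, allowed):
    """True when a SACL audit ACE matches the trustee, the requested bits and the outcome."""
    trustees = {token.user} | token.groups
    for ace in sd.sacl:
        if ace.kind != "audit" or ace.sid not in trustees or not ace.mask & desired:
            continue
        if (allowed and ace.on_success) or (not allowed and ace.on_failure):
            return True
    return False


def access_check_and_audit(token, sd, desired):
    """Combined decision: what is granted, and whether the security log gets an entry."""
    allowed, granted = access_check(token, sd, desired)
    return {"allowed": allowed, "granted": granted,
            "audit": audit_needed(token, sd, desired, allowed)}


# Constructed sample: Robert owns the file, Ivan is explicitly denied WRITE
# (deny ACEs placed first, as canonical ordering requires), everyone may READ,
# and the SACL records failed write attempts by anyone.
EVERYONE = "everyone"
SAMPLE_SD = SecurityDescriptor(
    owner="robert",
    dacl=[Ace("deny", "ivan", WRITE),
          Ace("allow", "robert", READ | WRITE | DELETE | WRITE_DAC | WRITE_OWNER),
          Ace("allow", EVERYONE, READ)],
    sacl=[Ace("audit", EVERYONE, WRITE, on_failure=True)],
)
ROBERT = AccessToken("robert", {EVERYONE})
IVAN = AccessToken("ivan", {EVERYONE})

if __name__ == "__main__":
    for who, mask in ((ROBERT, READ | WRITE), (IVAN, READ), (IVAN, READ | WRITE)):
        print(who.user, mask, access_check_and_audit(who, SAMPLE_SD, mask))
```

Two points worth noticing when running it: an empty DACL (a list with no ACEs) denies everything, whereas a missing DACL (`None`) allows everything, and an audit entry is produced for Ivan's failed write only because the SACL ACE's mask overlaps the bits he asked for.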


Access Control - Strategies

TYPES:

• Discretionary Access Control (DAC)
• Role-Based Access Control (RBAC)
• Mandatory Access Control (MAC)


Access Control - Strategies

• Discretionary access control:
– Owner principle: the owner decides about access control

• Role-based access control:
– Access rights depend on the roles of subjects

• Mandatory access control:
– System rules (MAC) decide about access
– System rules govern the owner principle
– Examples: SE-VMS, Trusted Solaris


Discretionary Access Control (DAC)

• Owner principle: the owner decides about access control

• Conditions:
– There is a subject
– There is an object
– There are other users

DAC: "The subject (a) decides who among the users (c) has what level of access on the object (b)"


Discretionary Access Control

• The owner of an object can arbitrarily grant access rights to other subjects

• Problem of how to limit propagation of rights
– Granted access rights can be granted again to other subjects

• Problem of Trojan horses


DAC and the Trojan Horse Scenario

[Figure: two objects, "Classified" (ACL: Robert: read, write) and "Non Classified" (ACL: Ivan: read, write). Ivan attempts "Read Classified" and the request is REJECTED: "Black is not allowed to access Classified".]


DAC and the Trojan Horse Scenario

[Figure: Robert's Classified file (ACL: Robert: read, write) and a shared Word Processor program (ACL: Ivan, Robert: read, write). Ivan inserts a Trojan horse (TH) into the shared program; Robert uses the shared program; the TH reads Classified and copies Classified to Ivan's directory.]


Discretionary Access Control

• DAC mechanisms have an inherent weakness.

• They are vulnerable to Trojan Horse attacks.
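To show where the weakness sits in the mechanism, here is an added Python model of DAC as an owner-managed access matrix; it is not code from the slides. It implements the owner principle (creating an object makes you its owner), right propagation (a holder of a "grant" right can pass rights on, so the reader set only grows), and an access check that consults nothing but the identity of the subject on whose behalf a program runs. That last point is the whole problem: a shared program executed by Robert is checked as Robert, so the accesses in the figure above all pass. The object and user names are the slides' own; the "grant" right, the `run_program` helper and the assumption that Robert may write into Ivan's directory are constructed for this example.

```python
"""Discretionary access control as an owner-managed access matrix.

Added example, not code from the slides. It shows the owner principle, right
propagation through a "grant" right, and why a DAC check alone cannot tell a
Trojan horse apart from its user: the check sees only the subject identity
under which a program executes. Names follow the slides' scenario; the GRANT
right, run_program and the write right on Ivan's directory are constructed.
"""
from collections import defaultdict

GRANT = "grant"   # assumed copy-flag right: may pass on the rights one holds


class AccessMatrix:
    def __init__(self):
        self.owner = {}                                        # object -> owner
        self.rights = defaultdict(lambda: defaultdict(set))    # object -> subject -> rights

    def create(self, owner, obj):
        """Owner principle: creating an object makes you its owner with full rights."""
        self.owner[obj] = owner
        self.rights[obj][owner] |= {"read", "write", GRANT}

    def check(self, subject, obj, right):
        """The DAC decision: does this subject hold this right on this object?"""
        return right in self.rights[obj][subject]

    def grant(self, granter, grantee, obj, rights):
        """Propagation: anyone holding GRANT can hand on rights they themselves hold."""
        if not self.check(granter, obj, GRANT):
            raise PermissionError(f"{granter} may not grant on {obj}")
        missing = set(rights) - self.rights[obj][granter]
        if missing:
            raise PermissionError(f"{granter} does not hold {missing} on {obj}")
        self.rights[obj][grantee] |= set(rights)

    def reachable_readers(self, obj):
        """Who can read obj now; with GRANT propagation this set only ever grows."""
        return {s for s, r in self.rights[obj].items() if "read" in r}


def run_program(matrix, user, reads, writes):
    """Run a program *as* user: every access is checked against user's rights only.
    Returns the (op, obj) pairs the DAC check allowed; the program's origin is never consulted."""
    allowed = []
    for obj in reads:
        if matrix.check(user, obj, "read"):
            allowed.append(("read", obj))
    for obj in writes:
        if matrix.check(user, obj, "write"):
            allowed.append(("write", obj))
    return allowed


def shared_program_scenario():
    """The slides' shared word processor scenario, evaluated under DAC only.
    Returns (can Ivan read Classified directly?, what a program run by Robert may do)."""
    m = AccessMatrix()
    m.create("robert", "classified")                           # Robert: read, write
    m.create("ivan", "ivans_dir")                              # Ivan's directory
    m.create("ivan", "wordproc")                               # shared program, written by Ivan
    m.grant("ivan", "robert", "wordproc", {"read", "write"})   # ...and shared with Robert
    m.grant("ivan", "robert", "ivans_dir", {"write"})          # assumed: Robert may drop files there
    direct = m.check("ivan", "classified", "read")             # DAC correctly refuses Ivan
    via_program = run_program(m, "robert", reads=["classified"], writes=["ivans_dir"])
    return direct, via_program


if __name__ == "__main__":
    print(shared_program_scenario())
```

The direct check for Ivan is refused, exactly as the first figure shows, while every access made by the program Robert runs is allowed, because the matrix has no notion of which program is asking. A mandatory policy closes this gap by labelling the information itself, which is where the later MAC slides pick up.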


DAC Weakness

• How great is the threat of malicious software?
• Consider the following points:
– How much software on your own system did you write?
– How much software on your system can you absolutely vouch for?
– More and more software is written overseas these days.
– It only takes one bad engineer in a group of a thousand good engineers to embed a Trojan Horse in a product.
– If you store information that is worth stealing, the Trojan Horse attack is very attractive.
– Are you running a browser that downloads and executes Java applets?


DAC Weakness

Want to know more?

A Guide to Understanding Discretionary Access Control in Trusted Systems, NCSC-TG-003


Role-Based Access Control (RBAC)

• Access Based on Organizational Roles or Functions

• Enforces Security Policies

• Reduces Complexity & Cost


RBAC Mechanism

• Users are associated with roles.
• Roles are associated with permissions.
• A user has a permission only if the user has an authorized role which is associated with that permission.


Role-Based Access Control

• The role-based security model is a tuple
– RBAC = (S, O, RL, P, sr, pr, session)

Such that:
S is a set of users of a system
O is a set of objects
RL is a set of roles
P is a set of access rights
sr (subject roles), pr (privileges), sess (sessions) are relations


RBAC Mechanism
Example: The Three Musketeers (User/Permission Association)

[Figure: direct user/permission association; users Athos, Porthos, Aramis and D'Artagnan; permissions palace, weapons and uniform.]


RBAC Mechanism

[Figure: two panels. Left: the role-based view, with the role Musketeer linked to the permissions palace, weapons and uniform and to the users Athos, Porthos and Aramis; D'Artagnan is listed separately. Right: the direct user/permission view, listing palace, weapons and uniform against Athos, Porthos, Aramis and D'Artagnan.]


RBAC Mechanism
Example: (D'Artagnan becomes a Musketeer)

[Figure: D'Artagnan is added to the role Musketeer, which carries palace, weapons and uniform, compared with granting D'Artagnan palace, weapons and uniform directly.]


Role-Based Access Control

• Roles (instead of persons) determine access rights

• Subjects may have different roles according to their tasks

• Example Trusted Solaris (root is divided into 4 roles)
– Security officer, system admin, ...

• Example Banking:
– teller, account executive, manager, V.P., customer


RBAC Model

• Role Hierarchies, e.g., teller inherits employee

• Conflict of Interest Constraints:
– Static Separation of Duty: a user cannot be authorized for both roles, e.g., teller and auditor
– Dynamic Separation of Duty: a user cannot act simultaneously in both roles, e.g., teller and account holder

• Role Cardinality: maximum number of users authorized for a role, e.g., branch manager


Banking Example: Hierarchy of Roles

[Figure: role hierarchy with the roles Employee, Teller, Account executive, Manager, V.P. and Customer.]
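The following Python is an added example, not code from the slides, that turns the RBAC tuple (S, O, RL, P, sr, pr, session) and the RBAC Model slide into a working policy engine: `sr` maps users to authorized roles, `pr` maps roles to permissions, a session holds the roles a user has activated, and the three constraints (role hierarchy, static and dynamic separation of duty, cardinality) are enforced at assignment or activation time. The banking hierarchy used here (Employee below Teller and Account executive, Manager above both, V.P. above Manager, Customer on its own) is one reading of the figure above, not something the slides state; the Auditor role, the permission names and the limit of one Manager are constructed for the illustration.

```python
"""Role-based access control with hierarchies, separation of duty and cardinality.

Added example, not code from the slides. sr: user -> authorized roles,
pr: role -> permissions, session: the roles a user has activated. The banking
hierarchy, permission names, Auditor role and the Manager cardinality limit
are constructed assumptions for this illustration.
"""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.sr = defaultdict(set)       # user -> authorized roles (sr)
        self.pr = defaultdict(set)       # role -> permissions (pr)
        self.parent = defaultdict(set)   # role -> roles it inherits from
        self.ssd = set()                 # static SoD: pairs a user may never hold together
        self.dsd = set()                 # dynamic SoD: pairs never active in one session
        self.cardinality = {}            # role -> maximum number of authorized users

    def inherits(self, role, *parents):
        self.parent[role].update(parents)

    def closure(self, roles):
        """All roles reachable upward through the hierarchy (a teller is also an employee)."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.parent[r])
        return seen

    def assign(self, user, role):
        """Authorize user for role, enforcing static SoD and cardinality."""
        for other in self.sr[user]:
            if frozenset((role, other)) in self.ssd:
                raise ValueError(f"static SoD: {user} cannot hold {role} and {other}")
        limit = self.cardinality.get(role)
        if limit is not None and sum(role in rs for rs in self.sr.values()) >= limit:
            raise ValueError(f"cardinality: {role} already has {limit} user(s)")
        self.sr[user].add(role)

    def session(self, user, active):
        """Activate a subset of the user's authorized roles, enforcing dynamic SoD."""
        active = set(active)
        if not active <= self.sr[user]:
            raise ValueError(f"{user} is not authorized for {active - self.sr[user]}")
        for a in active:
            for b in active:
                if a < b and frozenset((a, b)) in self.dsd:
                    raise ValueError(f"dynamic SoD: {a} and {b} cannot be active together")
        return Session(self, user, active)

    def permissions_of(self, roles):
        return set().union(*(self.pr[r] for r in self.closure(roles)))


class Session:
    def __init__(self, rbac, user, active):
        self.rbac, self.user, self.active = rbac, user, active

    def allowed(self, permission):
        """A user has a permission only through an active, authorized role."""
        return permission in self.rbac.permissions_of(self.active)


def bank():
    """Constructed banking policy using the roles named on the slides."""
    r = RBAC()
    r.pr["Employee"] |= {"read:branch_notices"}
    r.pr["Teller"] |= {"deposit", "withdraw"}
    r.pr["AccountExecutive"] |= {"open_account"}
    r.pr["Manager"] |= {"approve_loan"}
    r.pr["VP"] |= {"set_rates"}
    r.pr["Customer"] |= {"view_own_account"}
    r.pr["Auditor"] |= {"read:ledger"}
    r.inherits("Teller", "Employee")
    r.inherits("AccountExecutive", "Employee")
    r.inherits("Manager", "Teller", "AccountExecutive")
    r.inherits("VP", "Manager")
    r.ssd.add(frozenset(("Teller", "Auditor")))     # static SoD example from the slide
    r.dsd.add(frozenset(("Teller", "Customer")))    # dynamic SoD example from the slide
    r.cardinality["Manager"] = 1                    # assumed: a single branch manager
    return r


if __name__ == "__main__":
    r = bank()
    r.assign("alice", "Teller")
    r.assign("alice", "Customer")
    print(r.session("alice", {"Teller"}).allowed("deposit"))
```

Note the difference the two separation-of-duty forms make: Alice may be authorized for both Teller and Customer (only dynamic SoD applies to that pair), but a single session can never activate both, whereas Teller and Auditor can never be assigned to the same user at all.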


Role-Based Access Control Summary

• Express organizational policies
– Separation of duties
– Delegation of authority

• Flexible: easy to modify to meet new security requirements

• Supports
– Least privilege
– Separation of duties
– Data abstraction

RBAC is independent from DAC and MAC (they may coexist)


Mandatory Access Control (MAC)

• Why Do We Need a MAC Policy?
• We know that DAC policies inherently cannot prevent a malicious software (Trojan horse) attack. A policy is needed that can address the malicious software problem.


Mandatory Access Control (MAC)

• A Mandatory Access Control policy is a policy in which people do not have control over the authorization of people to information.

Note how this policy differs from a DAC policy.


Mandatory Policies are ...

• Global - the sensitivity of information does not change relative to its "location" in the system

• Persistent - the sensitivity of information does not change with respect to time. For example, the policy does not say that information is TS on MWF but only C the remaining days of the week


Mandatory Access Control Policy Definitions

• Access Class
– User - Clearance
– Information - Sensitivity
– Clearance and Sensitivity can be mapped to system attributes called Access Classes.

• Object
– Any passive entity that contains information. It may be helpful to consider this as a file.

• Subject
– Active entities operating on behalf of users. It may be helpful to consider this as being associated with a process.


MAC Policy Implementation

• Each subject has a label (or access class).

• Each object has a label (or access class).
– The ability of a subject to access an object is based upon a comparison of the subject's label and the object's label.
– Two labels are compared using the "dominance" operator "≥", i.e., if label A dominates label B, we write A ≥ B.

Object labels and subject labels are a requirement of MAC policy implementations.


MAC Policy Implementation Example

• As an example, consider the set of military classification levels

• {Top Secret, Secret, Confidential, Unclassified}.

• Where:
– Top Secret ≥ Secret
– Top Secret ≥ Confidential
– Top Secret ≥ Unclassified
– Secret ≥ Confidential, etc.

• Technically, Top Secret ≥ Top Secret, Secret ≥ Secret, etc.


Access Control is Defined by...

• Policies
• Access Control Methods
– Access Matrix, Capabilities, Access Control Lists (ACLs)
• Trusted Computing
• Operating System Certification


Security Models

• Security Models
– Bell-LaPadula
– Biba
– Chinese Walls
– Clark-Wilson


Bell and LaPadula Model (BLP)

• David Bell and Len LaPadula, 1973, on the initiative of the US Air Force

• The Bell and LaPadula Model is a mathematical description of a Security Policy
– A state machine model written at MITRE, Bedford MA, for the Multics operating system

• Has been the most influential model of security over the past ~30 years.
– The policy in the BLP model and some of the elements of the model are embedded within the TCSEC. It purports to implement the Department of Defense (DoD) security policy.


What is the TCSEC?

• The Trusted Computer System Evaluation Criteria
– AKA "The Orange Book"

• Written by the DoD to describe the security and assurance requirements necessary for government and military systems
– Defined several "rating classes", which were inclusive and increasing: C2, B1, B2, B3, A1
– Operating system centric

• Used for 17 years as the de facto standard for trusted systems

• Retired in 1999 in favor of new criteria and a methodology called the Common Criteria.


Bell and LaPadula Model

• The Bell and LaPadula Model specifies read and write access between a subject and an object based upon the dominance relationship between the subject's label (or access class) and the object's label (or access class).

• The core of the operating system is the reference monitor (security kernel) that checks all accesses


Bell and LaPadula Model

• The Bell and LaPadula Model is the most common model for MAC policies.
• Applies only to secrecy (not integrity) of information.
• It includes both discretionary and mandatory access rules
• Both checks are made upon request for access.
• We will only look at the MAC aspects of the model since we are using the model to demonstrate a MAC policy.


BLP Mandatory Access Control

• Let S be the set of all subjects in a system and O be the set of all objects in a system.

• For each subject s in S there exists a label or access class for s called C(s).

• For each object o in O there exists a label or access class for o called C(o).


Simple Security and Star Property

• The Simple Security Property:
– The normal "no read up" policy, where Secret users can read Secret, Confidential and Unclassified information (read down allowed) but
– Secret users cannot read Top Secret (no read up)

• Confinement property (the *-Property, pronounced 'Star Property')
– A subject has write access to an object only if the classification of the object dominates the clearance of the subject. This is required to prevent malicious software from writing down.

• Tranquility property
– The classification of an object does not change while the object is being processed by the system.

Information cannot flow downward!


Why the *-Property is needed

• Recall the shared word processor that contained a Trojan horse program. If a Secret user uses the program on a system that does not enforce the *-Property, the Trojan horse could read Secret files and write them to Unclassified files, where Ivan (the person who installed the Trojan and who is an Unclassified user) can read them.

• If, however, a system enforces the *-Property, a Trojan horse cannot write down.


Mandatory Access Control

• In a computer system, a mandatory policy can protect information in objects from unauthorized access even in the face of malicious software.


Summary of the BLP rules:

• No read up and no write down.
– The BLP Model is often described in terms of secure information flows. The figure below shows such a flow diagram. This is another way of saying that there is "no read up" and "no write down."

• As indicated by the diagram on the next slide, a subject can only both read and write an object if the object has the same access class value as the subject.


Bell and LaPadula Model

[Figure: information-flow diagram with subjects S1 and S2 and objects O1 to O5 placed on a High-to-Low axis, with Read and Write arrows between subjects and objects.]


Bell and LaPadula Example

• Consider the following objects and subjects:
– File1 has an access class value of Secret.
– File2 has an access class value of Confidential.
– File3 has an access class value of Top Secret.
– Subject1 has an access class value of Top Secret.
– Subject2 has an access class value of Confidential.


Bell and LaPadula Example

• Under the BLP Model the following accesses are allowed:
– Subject1 can read File1, File2 and File3.
– Subject1 can write only File3.
– Subject2 can read File2.
– Subject2 can write File1, File2 and File3.


Bell and LaPadula

• Can an Unclassified user blindly write to Secret?
– Yes. The model allows it, but most implementations prohibit arbitrary blind write-ups.


Mandatory Access Control Issues

• How does Alice, a Secret user, write information to an Unclassified file?
– Remember we can only write up

The Notion of Sessions


Mandatory Access Control Issues

• Systems that support MAC policies must also support the notion of a session level.
– When a user logs on they request a session level, which can be any level up to their clearance level.
• If Alice logs on and requests a session level of Secret, a Secret level subject is created on her behalf. This subject can read files at or below Secret and can write files at or above Secret.
• While Alice is logged in, she can re-negotiate a new session level to any other level that she is allowed to operate at. This means that if she needs to write an unclassified file, she must negotiate an unclassified session.
– Session negotiation should use the trusted path


Bell and LaPadula

• Where does data integrity fit into a Mandatory Access Control scheme that enforces the BLP Model?

Nowhere!


Integrity

• The term integrity is used in two ways in the context of computer security.

• Program or execution integrity refers to a system's ability to provide protected domains of execution.

• Data integrity refers to keeping data free from unauthorized modification


Secrecy versus Integrity

• Secrecy and data integrity concerns are distinct.

• Secrecy concerns the prevention of unauthorized disclosure of data or information.

[Figure: The Golden Triangle of COMPUSEC, with the vertices Secrecy, Integrity and Availability.]


Biba Integrity Model

• In addition to enforcing a policy for secrecy, we would like systems to enforce a mandatory policy for data integrity too.

• The Biba Integrity Model addresses the unauthorized modification problem by restricting read and write accesses.

• Uses integrity levels and integrity compartments much like sensitivity levels and sensitivity compartments


Biba Integrity ModelBiba Integrity Model

• Focus on integrityFocus on integrity• Assurance of integrity requires that data not Assurance of integrity requires that data not

flow from a receptacle of lower integrity to a flow from a receptacle of lower integrity to a receptacle of higher integrityreceptacle of higher integrity

• If a process can write above its security level, If a process can write above its security level, trustworthy data could be contaminated by the trustworthy data could be contaminated by the addition of less trustworthy dataaddition of less trustworthy data

• Biba rules:Biba rules:– No write up.No write up.– No read down.No read down.
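The two Biba rules as executable checks. This is an added example, not code from the Security Innovation slides: integrity labels carry a level and a set of compartments, exactly as sensitivity labels do in the secrecy lattice, and "no write up" / "no read down" become dominance comparisons. The level names (untrusted, user, system) and the compartment name are constructed for illustration.

```python
# Added example (not from the Security Innovation slides): a small Biba
# integrity checker. Labels carry an integrity level and a set of
# compartments; both Biba rules reduce to a dominance test.
# The level and compartment names below are constructed for illustration.
from dataclasses import dataclass, field
from typing import FrozenSet

# Integrity levels ordered from least to most trustworthy (assumed names).
LEVELS = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self is at least as trustworthy as other: its level is higher
        or equal and its compartments are a superset of other's."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple integrity rule, "no read down": a subject may only read
    objects whose integrity dominates its own."""
    return obj.dominates(subject)


def may_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property, "no write up": a subject may only write
    objects whose integrity it dominates."""
    return subject.dominates(obj)


def flow_allowed(src: Label, dst: Label) -> bool:
    """Data may flow from src into dst only if src is at least as
    trustworthy as dst; a less trustworthy source would contaminate dst."""
    return src.dominates(dst)


if __name__ == "__main__":
    kernel = Label("system", frozenset({"kernel"}))
    daemon = Label("system")
    shell = Label("user")
    download = Label("untrusted")
    # A user shell may read system binaries but not write them.
    print(may_read(shell, daemon), may_write(shell, daemon))     # True False
    # A system process must not read an untrusted download.
    print(may_read(daemon, download))                             # False
    # Even at the same level, a missing compartment blocks the write.
    print(may_write(daemon, kernel), may_read(daemon, kernel))    # False True
    # The flow rule is the same check viewed from the data's side.
    print(flow_allowed(download, shell))                          # False
```

Note that the compartment check is what keeps a system-level process without the "kernel" compartment from writing kernel-compartment objects even though the levels are equal; that is the "much like sensitivity compartments" point from the slide, with the direction of the lattice reversed.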

Chinese-Wall Model (Brewer-Nash)

• Drives commercial security policies and is oriented towards confidentiality.

• Previous actions of a subject determine (i.e. restrict) access rights, i.e. rights are continually decreasing

• Rights are usually read, write, execute

• Read-Access:
  – Only if no previous access to another object of the same conflict class but different company
  – Conflict class: a group of competing companies

• Write-Access:
  – Only if all previous read-accesses are concerned with objects of the same company.

• Protects against ‘leaking’ of information
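The two Chinese-Wall rules, tracked per subject as history accumulates. This is an added example and not code from the slides; the companies, conflict classes and analyst names are constructed sample data, and the write rule includes the usual Brewer-Nash precondition that the subject must also be allowed to read the object it writes.

```python
# Added example (not from the Security Innovation slides): Brewer-Nash
# "Chinese Wall" read and write rules as stated on the slide. A subject's
# rights shrink as its access history grows. All names are constructed.
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Obj:
    name: str
    company: str
    conflict_class: str   # the group of competing companies it belongs to


@dataclass
class Subject:
    name: str
    # Every object this subject has previously accessed (read or write).
    history: List[Obj] = field(default_factory=list)

    def can_read(self, o: Obj) -> bool:
        """Read allowed only if no previous access touched an object in the
        same conflict class that belongs to a different company."""
        return not any(prev.conflict_class == o.conflict_class
                       and prev.company != o.company
                       for prev in self.history)

    def can_write(self, o: Obj) -> bool:
        """Write allowed only if every previous access concerned objects of
        the same company (so data read elsewhere cannot leak into o).
        Assumed precondition: the subject could also read o."""
        if not self.can_read(o):
            return False
        return all(prev.company == o.company for prev in self.history)

    def access(self, o: Obj, mode: str) -> bool:
        """Mediate one access; record it in the history only if granted."""
        ok = self.can_read(o) if mode == "read" else self.can_write(o)
        if ok:
            self.history.append(o)
        return ok


if __name__ == "__main__":
    bank_a = Obj("a-ledger", "BankA", "banks")
    bank_b = Obj("b-ledger", "BankB", "banks")
    oil = Obj("oil-report", "OilCo", "oil")
    analyst = Subject("analyst")
    print(analyst.access(bank_a, "read"))   # True: first access
    print(analyst.access(oil, "read"))      # True: different conflict class
    print(analyst.access(bank_b, "read"))   # False: competitor of BankA
    print(analyst.access(bank_a, "write"))  # False: has read OilCo data
```

The last denial is the "leaking" case the slide guards against: the analyst has legitimately read OilCo material, so writing into BankA's objects would let that material cross company boundaries. A second subject who has only ever touched BankA objects can still write them.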

Clark-Wilson Model

• Earlier models emphasized the government approach of confidentiality.

• The commercial approach is more concerned with integrity

• As opposed to the subject/object pairs that earlier lattice models used, the C-W model uses subject/program/object triples

• Characterized by ‘well-formed’ transactions:
  – Exact order of known actions
  – Authentication of user performing actions

Clark-Wilson Model

• Addresses all 3 integrity goals
  – Prevents unauthorized users from making modifications
  – Maintains internal and external consistency
  – Prevents authorized users from making improper modifications

• Files cannot be tampered with while being changed

• All changes must be logged

• Integrity of data is consistent
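A toy enforcement kernel that ties the two Clark-Wilson slides together: constrained data items change only through registered transformation procedures, each use is authorized by a (user, program, object) triple, users must be authenticated, every change is logged, and an integrity verification procedure checks consistency. This is an added example, not code from the slides; the account names, the transfer procedure and the "money is conserved" consistency rule are constructed.

```python
# Added example (not from the Security Innovation slides): a toy
# Clark-Wilson kernel. Accounts are the constrained data items (CDIs),
# transfer() is a transformation procedure (TP), and (user, TP, CDI)
# triples say who may run which TP on which CDI. Names and the
# conservation rule in ivp() are constructed for illustration.
from typing import Callable, Dict, List, Set, Tuple


class ClarkWilson:
    def __init__(self, initial: Dict[str, int]) -> None:
        self.cdis: Dict[str, int] = dict(initial)
        self.total = sum(initial.values())        # external consistency: total is conserved
        self.tps: Dict[str, Callable[..., None]] = {}
        self.triples: Set[Tuple[str, str, str]] = set()
        self.authenticated: Set[str] = set()
        self.log: List[str] = []                  # every attempt, granted or not

    def authenticate(self, user: str) -> None:
        self.authenticated.add(user)

    def register_tp(self, name: str, fn: Callable[..., None]) -> None:
        self.tps[name] = fn

    def allow(self, user: str, tp: str, cdi: str) -> None:
        self.triples.add((user, tp, cdi))

    def run(self, user: str, tp: str, cdis: Tuple[str, ...], *args) -> bool:
        """Execute a well-formed transaction: authenticated user, registered
        TP, a triple for every CDI touched, all-or-nothing update, logged."""
        if (user not in self.authenticated or tp not in self.tps
                or any(c not in self.cdis for c in cdis)
                or any((user, tp, c) not in self.triples for c in cdis)):
            self.log.append(f"DENY {user} {tp} {cdis}")
            return False
        before = {c: self.cdis[c] for c in cdis}
        try:
            self.tps[tp](self.cdis, *cdis, *args)
        except ValueError as err:
            self.cdis.update(before)              # roll back a half-done change
            self.log.append(f"ABORT {user} {tp} {cdis} {err}")
            return False
        after = {c: self.cdis[c] for c in cdis}
        self.log.append(f"OK {user} {tp} {cdis} {before}->{after}")
        return True

    def ivp(self) -> bool:
        """Integrity verification procedure: internal consistency (no
        negative balance) and external consistency (total conserved)."""
        return (all(v >= 0 for v in self.cdis.values())
                and sum(self.cdis.values()) == self.total)


def transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> None:
    """A TP that preserves the invariants checked by ivp()."""
    if amount <= 0 or cdis[src] < amount:
        raise ValueError("insufficient funds")
    cdis[src] -= amount
    cdis[dst] += amount


if __name__ == "__main__":
    cw = ClarkWilson({"acct_alice": 100, "acct_bob": 50})
    cw.register_tp("transfer", transfer)
    cw.authenticate("teller")
    cw.allow("teller", "transfer", "acct_alice")
    cw.allow("teller", "transfer", "acct_bob")
    print(cw.run("teller", "transfer", ("acct_alice", "acct_bob"), 30))   # True
    print(cw.run("intern", "transfer", ("acct_alice", "acct_bob"), 1))    # False: no triple
    print(cw.ivp())                                                        # True
    cw.cdis["acct_bob"] += 1       # a change made outside any TP
    print(cw.ivp())                                                        # False
    print(*cw.log, sep="\n")
```

The final two lines show the point of the IVP: a modification that bypasses the transformation procedures is exactly the kind of improper change the model is meant to catch, and it is detectable because the well-formed transactions are the only way the invariant is supposed to be preserved.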

Mandatory Access Control Conclusions

• A MAC policy can prevent malicious software (e.g., Trojan horses) from directly leaking information from high to low.
  – Recall that we trust users to not give the store away, but we generally can’t say the same thing for software.
  – So we build systems that enforce a MAC policy on applications and we don’t have to worry about the application software.
  – For example, a subject running at Secret cannot write any information at a level below Secret.

Trojan horse can write between objects at the same level.

• For example, a Trojan horse can read one Secret file and copy it to another Secret file.
  – Is this a problem?

Mandatory Access Control and the Trojan Horse Scenario

• This scenario would require a bad guy (e.g., Ivan) to have a Secret clearance. (The reason why personnel security is important.)
  – He installs a Trojan horse into a shared word processor program.
  – Sue, a Secret user, uses the word processor and the Trojan horse copies her Secret files into John’s directory. But John is already cleared for Secret information so the Trojan horse does not get him any information he is not already cleared to see.
  – In general, systems that support a MAC policy also support a DAC policy to provide a convenient separation of users’ data.

A Potential Problem with the Mandatory Access Control Approach

• Covert channels can still leak information from high to low in spite of a MAC policy.

Covert Channels

• Covert channels are flows of information between access class levels counter to a MAC policy but which are allowed by an implementation.
  – Covert channels are a means of leaking information from high to low, one bit at a time.
  – If the rate of transmitting bits across the channel (the channel baud rate) is great, this threat is significant.

Covert Channels

• Covert channels involve two programs, of which one must be a Trojan horse.

• Covert channels are a little complicated to implement.

• However, if the information being stored is very valuable, the covert channel threat is real.

Covert Channels: Storage

• Covert storage channels exploit a resource common to both a high subject and a low subject.

• Automated flow analysis tools can identify every storage channel in a formal specification of a system’s interface.

Covert Channels: Timing

• Covert timing channels exploit a mechanism where a high subject can affect the timing of a low subject.

• No automatic means exist for identifying every existing timing channel at a system’s interface.

• Timing channels are identified by an examination of the interface.

Covert Channels: Example

The classic example of a covert storage channel is the disk exhaustion channel.

Step 1

• Ivan (a low user) introduces a Trojan horse program (e.g., a Star Trek game) into the system and somehow gets a high user to execute it.

• When the high user plays the Star Trek game a sub-program is spawned and goes to sleep. The sub-program contains the Trojan horse and wakes up and starts running at a time when activity on the system is low (e.g., at 0100).

Covert Channels: Step 2

• John starts another program (a low program) that will wake up at 0105 (5 minutes later than the high program). This allows the high program time to initialize the channel.

• The high program finds a high file to copy (fileA).

• The high program initializes the channel by repeatedly creating files until the "disk full" exception is returned.

• The two programs will synchronize with each other by reading a system clock. The high program will signal bits on every even millisecond and the low program will receive bits on every odd millisecond.

Covert Channels: Step 3

• The high program starts reading the bits out of fileA. The following steps are repeatedly performed until the high program is through reading the file.
  – The high program does (on even milliseconds):
    • If a bit is a 0, the high program deletes one file. (Creating room on the disk for a file to be created.)
    • If a bit is a 1, the high program does not delete a file. (So there is no room on the disk to create a file.)
  – The low program does (on odd milliseconds):
    • The low program always tries to create a file. If there is room on the disk, the create file call is successful.
    • If the call is successful, the low program writes a 0 into a destination file.
    • If there is no room on the disk, the create file call will fail with the "disk full" exception. If the call is unsuccessful, the low program writes a 1 into the destination file.

Storage Channel Example Conclusions:

• The channel baud rate of the previous example is 1 bit every 2 milliseconds.

• This is 500 bits per second, which is 30,000 bits per minute.
  – The timing scheme used in the example is very conservative. Much higher baud rates are generally attainable.

Covert Channels Countermeasure

• One way to close the disk exhaustion channel is to partition the disk into volumes and allocate each volume to a different security level. For example, volume 0 is for TS files, volume 1 is for S files and volume 2 is for C files.

• Under this partitioning scheme, a C subject cannot tell if the TS volume is full or not. Recall that in the covert channel scenario, the C subject determined if the disk was full by attempting to create a file. Under the partitioning scheme, C subjects create files on a separate volume from the TS subjects.
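An abstract model of the shared resource from the disk exhaustion example and of the partitioning countermeasure, checked the way a flow analysis tool (mentioned on the storage-channel slide) would check it: run a fixed low workload against two different high behaviours and ask whether the low subject's own return values differ. This is an added example, not code from the slides; the disk is an in-memory counter, and the capacities, volume names and the two high action sequences are constructed.

```python
# Added example (not from the Security Innovation slides): a model of the
# disk used in the disk-exhaustion scenario, with a noninterference check
# that asks whether a low subject's observations depend on high activity.
# The disk is an in-memory counter; capacities, volume names and the high
# action sequences are constructed for illustration.
from typing import Callable, Dict, List


class Disk:
    def __init__(self, capacity_per_volume: int, volumes: Dict[str, str]) -> None:
        # volumes maps a security level to a volume name. A shared disk maps
        # every level to one volume; the countermeasure gives each its own.
        self.capacity = capacity_per_volume
        self.volumes = volumes
        self.used: Dict[str, int] = {v: 0 for v in set(volumes.values())}

    def create(self, level: str) -> bool:
        """Create a file at the given level; False models "disk full"."""
        vol = self.volumes[level]
        if self.used[vol] >= self.capacity:
            return False
        self.used[vol] += 1
        return True

    def delete(self, level: str) -> bool:
        vol = self.volumes[level]
        if self.used[vol] == 0:
            return False
        self.used[vol] -= 1
        return True


def low_view(disk: Disk, high_actions: List[str]) -> List[bool]:
    """Interleave a high subject's actions (TS) with a fixed low workload
    (a C subject that keeps trying to create a file) and return only what
    the low subject can observe: the results of its own create() calls."""
    seen = []
    for act in high_actions:
        if act == "create":
            disk.create("TS")
        elif act == "delete":
            disk.delete("TS")
        # "idle" does nothing at the high level
        seen.append(disk.create("C"))
    return seen


def interferes(make_disk: Callable[[], Disk], high_a: List[str], high_b: List[str]) -> bool:
    """A storage channel exists through this resource if two different high
    behaviours give the low subject two different views."""
    return low_view(make_disk(), high_a) != low_view(make_disk(), high_b)


# Two constructed high behaviours that differ only after the disk fills.
HIGH_A = ["create", "create", "create", "delete", "idle", "delete"]
HIGH_B = ["create", "create", "create", "idle", "idle", "idle"]


def shared_disk() -> Disk:
    return Disk(3, {"TS": "vol0", "S": "vol0", "C": "vol0"})


def partitioned_disk() -> Disk:
    return Disk(3, {"TS": "vol0", "S": "vol1", "C": "vol2"})


if __name__ == "__main__":
    print("shared disk leaks:     ", interferes(shared_disk, HIGH_A, HIGH_B))        # True
    print("partitioned disk leaks:", interferes(partitioned_disk, HIGH_A, HIGH_B))   # False
```

On the shared disk the low subject's sequence of successes and failures tracks the high subject's deletes, which is the channel the three steps above describe. With one volume per level the low subject's results depend only on its own volume, so the two high behaviours are indistinguishable from below and the channel through this resource is closed. The same style of check can be applied to any other resource the two levels share.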

Covert Timing Channels

• Covert timing channels exploit a mechanism where a high subject can affect the timing of a low subject.
  – A potential timing channel, which exists on single processor systems, uses the fact that both the high subject and the low subject use the same physical processor.
    • To signal a 1, the high subject performs a lengthy operation (e.g., disk I/O) and signals a 0 by performing a short operation.
    • When the high subject finishes its operation, the low subject is scheduled to run.
    • When the low subject gets scheduled, it reads the system clock and determines how long the high subject operation took.