
ACCESS CONTROL & SECURITY MODELS

Center of gravity of computer security

Access Control Srini & Nandita 2

CSE2500 System Security & Privacy

Fundamental Model of Access Control

Figure: subject --(access request)--> reference monitor --> object


Controlling Access

Access control policy: what can be used to indicate who is allowed to do what to/with whom on the system.

Who is who? Subject is what we call the active entities (processes, users, other computers) that want to “do something”.

What the subject does with the object can be just about anything, and it may be multi-part. Typical manipulations include READ, MODIFY, CREATE, CHANGE, DELETE.


Access Control Policy

Access right or privilege:
– An indication that a SUBJECT may legitimately use a specific type of ACCESS or MANIPULATION with respect to a particular OBJECT or set of OBJECTS.

The underlying system itself determines which primitive (or bottom-level) access rights are available for which user/object combinations.


Levels of Access Control

Application
Middleware
Operating system
Hardware


Operating System Access Controls

Authenticate principals/users
– Passwords
– Kerberos

Mediate access
– Files
– Communication ports
– System resources


Models of Security

Need for a model
– High assurance security system

What is a model supposed to do?
– Express the security policy in a formal way
– Describe the entities governed by the policy
– State the rules that decide who gets access to your data

Scope and limitations of models


Security Models: Bell-LaPadula

– The Bell-LaPadula model is about information confidentiality, and this model formally represents the long tradition of attitudes to the flow of information concerning national secrets.

– Multi-level security (MLS)


Security Models: Chinese Wall

– Large consultancies can easily find there are conflicts of interest if individual consultants are given access to all information held by the consultancy. Chinese Wall models a particular way of restricting information flow.


Security Models: Biba (We need models – continued)

Based on the Cold War experiences, information integrity is also important, and the Biba model, complementary to Bell-LaPadula, is based on the flow of information where preserving integrity is critical.


Security Models: Clark-Wilson

In the commercial sphere, the need is to engage in well-formed transactions which can only be undertaken by authorised personnel, and the Clark-Wilson model is an attempt to formally model a policy based on well-formed transactions.


Possible Access Control Mechanisms are:
– Control Matrix
– Control lists
– Groups and Roles
– Extension to Distributed (+file) Systems


Access Control Matrix

Users \ Objects   Operating system   Accounts Program   Accounting Data   Audit Trail
Sam               rwx                rwx                rw                r
Alice             x                  x                  rw                -
Bob               rx                 r                  r                 r


Example Access Control Matrix for Bookkeeping

Users \ Objects     Operating system   Accounts Program   Accounting Data   Audit Trail
Sam                 rwx                rwx                r                 r
Alice               rx                 x                  -                 -
Accounts program    rx                 r                  rw                w
Bob                 rx                 r                  r                 r
Srini               rx                 r                  r                 r


Access Control Matrices

2/3 dimensions used to implement protection mechanisms and model them

Do not scale well
– A bank with 50,000 staff & 300 objects: 15 million entries
– Update and performance problem
– Prone to administrators’ mistakes

A more compact way is required


Groups and Roles

Group is a list of users/principals (categories)

Role is a fixed set of access permissions that one or more principals may assume

Group manager is a rank, while the role of acting manager can be taken up by an assistant accountant standing in while the manager, deputy manager and accountant are all sick


Let us look at the example once again

Users \ Objects     Operating system   Accounts Program   Accounting Data   Audit Trail
Sam                 rwx                rwx                r                 r
Alice               rx                 x                  -                 -
Accounts program    rx                 r                  w                 w
Bob                 rx                 r                  r                 r
Srini               rx                 r                  r                 r


ACLs per subject (Capabilities list)

User       OS    A/C Prgm   A/C Data   Audit trail
Sam        rwx   rwx        r          r
Alice      rx    x          -          -
Acc.pgm    rx    r          rw         w
Bob        rx    r          r          r
Srini      rx    r          r          r


Access Control Lists

User Accounting Data

Sam rw

Alice rw

Bob r

Srini r


Access Control Lists/Capabilities

How do you modify the entries in the lists?
– add a new entry
– delete an existing entry
– modify the access right to an object?
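The bookkeeping matrix from the earlier slides, stored once and projected into the two compact forms the slides contrast (ACLs kept per object, capability lists kept per subject), with a reference monitor and the add/delete/modify operations asked about above. This is an added example, not code from the slides; the object and subject names are the slides' own.

```python
# Added example (not from the lecture slides): the bookkeeping access control
# matrix, and its two compact projections: ACLs and capability lists.
OBJECTS = ("Operating system", "Accounts Program", "Accounting Data", "Audit Trail")

# Rows are subjects, columns are objects; "-" means no rights. Values copied
# from the "Example Access Control Matrix for Bookkeeping" slide.
MATRIX = {
    "Sam":              ("rwx", "rwx", "r",  "r"),
    "Alice":            ("rx",  "x",   "-",  "-"),
    "Accounts program": ("rx",  "r",   "rw", "w"),
    "Bob":              ("rx",  "r",   "r",  "r"),
    "Srini":            ("rx",  "r",   "r",  "r"),
}

def _rights(cell):
    """Turn a matrix cell such as 'rw' or '-' into a set of single-letter rights."""
    return set(cell) - {"-"}

def acls(matrix=MATRIX):
    """Per-object view: object -> {subject: rights}. This is what the OS keeps."""
    out = {obj: {} for obj in OBJECTS}
    for subject, row in matrix.items():
        for obj, cell in zip(OBJECTS, row):
            if _rights(cell):
                out[obj][subject] = _rights(cell)
    return out

def capabilities(matrix=MATRIX):
    """Per-subject view: subject -> {object: rights}. This is what the subject holds."""
    return {s: {o: _rights(c) for o, c in zip(OBJECTS, row) if _rights(c)}
            for s, row in matrix.items()}

def reference_monitor(acl, subject, obj, right):
    """Mediate one access request against the ACL of the object."""
    return right in acl.get(obj, {}).get(subject, set())

def grant(acl, subject, obj, right):
    """Add a new entry (or extend an existing one) on one object's list."""
    acl.setdefault(obj, {}).setdefault(subject, set()).add(right)

def revoke(acl, subject, obj, right):
    """Revocation is cheap with ACLs: only one object's list is touched."""
    rights = acl.get(obj, {}).get(subject)
    if rights:
        rights.discard(right)
        if not rights:
            del acl[obj][subject]

def everything_subject_can_reach(acl, subject):
    """The slides call this 'tedious' with ACLs: every object's list must be scanned."""
    return {obj: rights for obj, entries in acl.items()
            for s, rights in entries.items() if s == subject}
```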


Access Control Triples

Subject Object Access r, w, x, ?


Capabilities

While ACLs are kept by the O/S, capabilities are kept by the subject.

Capabilities give the possessor (of the token) certain rights to an object.

Capabilities do not require authentication of subjects, but do require that the token be unforgeable (encrypted or in inaccessible storage) and that the propagation of capabilities be controlled.


Access Control Lists (cont.)

Users manage their own file security (Unix)

Data-oriented protection, for centrally set access control policy

OS checks the ACL at each file access

Not efficient security checking at runtime, though simple to implement

Tedious to find all files to which a user has access, or to perform system-wide checks


Let us look at an example of ACL implementations: UNIX, NT


Unix Operating System Security

Superuser account on Unix is root – UID (user identifier) equal to ‘0’

The superuser can effectively do anything within the system

Superuser password is the most valuable password in the system

Don’t share the superuser password outside the administrative group.


Basic file security

-rw-rw-r-- 1 root sys 1344 Jul 2 22:57 /etc/vfstab

Owner: root    Group: sys    Others: everyone else

-rwxrwxrwx   Owner permissions (characters 2-4)
-rwxrwxrwx   Group permissions (characters 5-7)
-rwxrwxrwx   Other permissions (characters 8-10)


Basic file security

Important system files must have appropriate file permissions, e.g.:

-r--r--r--  1 root other /etc/passwd
-r--------  1 root sys   /etc/shadow
-rw-r--r--  1 root sys   /etc/profile
drwxr-xr-x 18 root sys   /usr

A finer granularity of file permissions can be achieved with access control lists (ACLs), e.g. AIX, HP-UX.
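Parsing the permission strings shown above into the owner/group/other triples, deciding the one class Unix applies to a caller, and auditing a listing against the rules the slides give (shadow readable by root only, no writable setuid-root programs). This is an added example, not from the slides; the `ls -l` lines are constructed, with the last two deliberately misconfigured, and the sizes and dates are made up.

```python
import re
from collections import namedtuple

# Constructed sample lines in `ls -l` form (not real system output). The first
# four mirror the permissions the slides give; the last two are deliberately bad.
SAMPLE_LS = """\
-r--r--r--  1 root other   1024 Jul  2 22:57 /etc/passwd
-r--------  1 root sys      512 Jul  2 22:57 /etc/shadow
-rw-r--r--  1 root sys      800 Jul  2 22:57 /etc/profile
drwxr-xr-x 18 root sys     4096 Jul  2 22:57 /usr
-rw-rw-rw-  1 root sys      512 Jul  2 22:57 /etc/badshadow
-rwsrwxrwx  1 root bin    20480 Jul  2 22:57 /usr/local/bin/badtool
"""

Entry = namedtuple("Entry", "path ftype owner group perms setuid setgid")
_LINE = re.compile(r"^([-dlcbps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)"
                   r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse_ls_line(line):
    """Split one `ls -l` line into type, mode triples, owner, group and path."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not an ls -l line: " + line)
    ftype, bits, owner, group, path = m.groups()
    # 's'/'S' in the owner or group execute slot encodes setuid/setgid.
    setuid = bits[2] in "sS"
    setgid = bits[5] in "sS"
    perms = []
    for triple in (bits[0:3], bits[3:6], bits[6:9]):
        rights = set()
        if triple[0] == "r":
            rights.add("r")
        if triple[1] == "w":
            rights.add("w")
        if triple[2] in "xst":          # lowercase s/t means x is also set
            rights.add("x")
        perms.append(frozenset(rights))
    return Entry(path, ftype, owner, group, tuple(perms), setuid, setgid)

def effective_rights(entry, user, groups, is_root=False):
    """Unix picks exactly one class: owner, else group, else other (no union).
    The superuser (UID 0) bypasses the r/w bits; execute still needs some x bit."""
    if is_root:
        rights = {"r", "w"}
        if any("x" in p for p in entry.perms):
            rights.add("x")
        return frozenset(rights)
    if user == entry.owner:
        return entry.perms[0]
    if entry.group in groups:
        return entry.perms[1]
    return entry.perms[2]

def audit(listing):
    """Return (path, reason) for entries that break the slides' hardening rules."""
    findings = []
    for line in listing.strip().splitlines():
        e = parse_ls_line(line)
        group, other = e.perms[1], e.perms[2]
        if e.path == "/etc/shadow" and (group | other):
            findings.append((e.path, "shadow readable beyond owner"))
        if e.setuid and e.owner == "root" and "w" in (group | other):
            findings.append((e.path, "setuid-root file writable by non-owner"))
        if e.ftype == "-" and "w" in other and e.path.startswith("/etc/"):
            findings.append((e.path, "world-writable system file"))
    return findings
```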


Unix Operating System Security (cont.)

A common defence against root compromise by hackers is to send the system log to a printer in a locked room or to another machine/server (e.g. Berkeley, FreeBSD)

ACLs have only names of users, not of programs

Indirect method => suid and sgid file attributes


SUID and SGID Security

The owner of a program can mark it as suid, so that a user running it gains the special privileges (access control attributes) of the owner while it runs

sgid does the same for groups

What is the security issue here?


SUID and SGID Security(cont.)

SUID root programs are particularly vulnerable to attack.

If it is possible to subvert the program in some way, then root access can be gained.

A very well known method of such subversion is the buffer overflow.

Buffer overflow vulnerability results from bad coding practices on the part of the original programmer of the SUID root program!


Authentication

Authentication means to establish the proof of identity. Authentication techniques may vary depending on the kind of resource being accessed.

The various kinds of access can be classified into
– user-to-host
– host-to-host
– user (or process)-to-user (process)


Trusted hosts

UNIX allows hosts to trust one another. If host A trusts host B, then a user who has the same user name on B and A can access resources on A from B without a password.

Implemented using .rhosts and /etc/hosts.equiv

rlogin, rsh, rcp


Trusted hosts - advantages

Password cannot be sniffed because it is not transmitted.

Users can log in once and then subsequently move to any machine in the trusted network.

Convenience.


Trusted hosts - disadvantages

If one host is compromised (e.g. boot B to single user mode then change to any user you like), then the other host is also compromised – read that user’s files on A.

Even if B cannot be booted to single user mode without a password, can physically replace B with another machine.

Trusted hosts use IP address authentication, which is vulnerable to IP spoofing.


NFS

Network File System
Developed by Sun Microsystems
Supported by most UNIX systems
Allows remote access to local file systems


NFS example (Solaris)

Figure: Host A (NFS server) exports /files; Host B mounts it across the network; NFS calls flow between the two hosts.

On host A (server):
share -F nfs -o rw=B,root=B /files

On host B (client):
mount -t nfs A:/files /mnt/files


NFS Security Considerations

Export only to trusted hosts
Export only those parts of the filesystem which require remote access
Export read-only unless writing is absolutely required
Be very careful mapping root on the server to root on the client.
Remove group write permissions for exported files and directories.
Be careful exporting user home directories


NFS Security Considerations

Do not allow users to log into the NFS server.
Do not accept incoming NFS call requests on non-privileged ports.
Use Secure NFS.
Don’t use NFS! (Is it absolutely necessary?)


Threats to Availability

“Denial of Service” attacks

Probably more of a threat when carried out via the network than on the local machine alone.

Not UNIX specific


Windows NT

Based on ACLs

Attributes to users & groups
– Read, Write, Execute
– Take ownership, change permissions, and delete

Multiple values to attributes instead of on/off
– AccessDenied, AccessAllowed, SystemAudit


Benefits

Less than full administrator privileges required for routine tasks, e.g. installing printers

Users and resources can be partitioned into domains with distinct administrators

Trust can be inherited between domains in one direction or both

Registry is the data structure used to hide the ACL details from the user interface


Problems

Not very suitable for large organisations

Naming issues

Domains scale badly when the number of principals increases

Complex interactions between local and global groups, due to the restriction that a user in another domain can’t be an administrator

Peculiarity: ‘everyone’ is a principal, and a resource can be locked quickly


Other Access Control methods

Sandboxing
– Software that provides limited access rights to programs of unknown origin

Proof-carrying code
– Programs to be executed must carry a proof that they do not do anything that contravenes the local security policy


Policies (1)

Historical considerations
– The history of information systems and their automation is a history of compromise. Automation had to fit into existing schemes of information management. Similarly, the addition of security mechanisms has to fit into existing structures and systems. Highly secure systems are often a consequence of redesign and re-engineering of existing systems.

Mandatory Security Policies
– A system-wide policy decrees that all subjects and all objects are classified. Access classes are associated with every subject-object pair.
– Access rights depend on the triple subject-object-access class, for all triplets, e.g. <Sam, Production Log, Write>


Policies (2)

Discretionary Security Policies
– Users are allowed to grant access to other users
– Often the OWNER of an object can grant access privileges to other users (at the owner’s discretion)

Discretionary policies may allow one user to pass data to another user without the authority of the creator of the data


Security Models Formal Methods

One benefit of using formal models is that mathematical (sometimes called formal) methods can be used to confirm that all transitions allowed by the model preserve the secure state of the system being modeled

For real systems, modeling is not easy


Access Control - Ranked Model (1)

Multi-level

Often called Lattice methods

Basis of military and commercial security

Set of ordered security levels, users assigned to a level

User subjects are privileged to access a rank and all lower ranks

Students do not need to master the notation used in ‘Gollman’


Access Control - Ranked Model (2)

We are also concerned about need to know

Compartment the information to be secured

Granting access:
– A subject is cleared to access an object only if rank(subject) >= rank(object) AND
– The set of all compartments that contain the object is contained within the set of compartments that the subject is cleared to access
– (The personnel manager will not be allowed to access confidential production data)


Access Control - Ranked Model (3)

Companies often use the ranks:
– Public, Company Confidential, Executive-only

Deciding what lies in what compartment keeps security staff occupied


Bell - LaPadula (1)

Earliest formal model

Each user subject and information object has a fixed security class

Use the notation >= to indicate dominance

Simple Security (ss) property: the no read-up (NRU) property
– A subject has read access to an object if the class of the subject C(s) is greater than or equal to the class of the object C(o)
– need C(s) >= C(o)


Bell - LaPadula (2)

* property (star): the no write-down (NWD) property
– While a subject has read access to object O, the subject can only write to object P if C(P) >= C(O)

Leads to concentration of irrelevant detail at upper levels

Discretionary Security (ds) property
If discretionary policies are in place, accesses are further limited to this access matrix
– Although all users in the personnel department can read all [personnel] documents, the personnel manager would expect to limit the readers of a document that dealt with redundancies in the personnel department!


Transitions

If a system starts in a secure state, and all transitions are secure, then the system remains in a secure state.

But what if we allow users to downgrade all objects, and then modify the access control matrix so all modes are allowed for each entry?

So we need to beware of transitions that change access rights


Tranquility

Gollman p 49; Pfleeger (3ed) p 305

Starting with a Bell-LaPadula model, with ranked classes of users
– Say Executive, Company-confidential, Public

And segregated compartments
– Say Sales, Production

And all users assigned a rank, and all files assigned a rank and a compartment

TRANQUILITY is when these assignments do not change – or are not allowed to change


Tranquility in practice

Production program systems need to open and use work files, and open and use spool print files, class or subroutine libraries need to be accessed.

For systems with mandatory security, these entities all need labels and levels.

In practice assigning security levels to these sorts of entities is not easy.


Chinese Wall Model

Suppose a consultancy has several airlines as clients
– It is a conflict of interest if a consultant working with Qantas has access to confidential data on Gulf gathered from another assignment
– Security policy builds on 3 levels of abstraction:
  • Objects: lowest level, e.g. files
  • Company groups: all objects concerning a particular company are grouped together
  • Conflict classes: at the highest level, all groups of objects for competing companies are clustered.
– No information flow that causes a conflict of interest
  • For this model to work, a history of access rights has to be maintained
– (Also, if confidential information is written across conflict classes, an effective conflict of interest is created)
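A small reference monitor for the three-level Chinese Wall structure above, keeping the per-consultant access history the slide says the model needs, and applying the write restriction the slide's last point alludes to. This is an added example, not from the slides; the object names, the company "BankX" and the conflict-class names are constructed, and sanitised (public) data is not modelled.

```python
# Added example (not from the lecture slides). Object, company and conflict
# class names are constructed for illustration.
COMPANY_OF = {                       # company groups: object -> company
    "qantas_routes.xls": "Qantas", "qantas_costs.doc": "Qantas",
    "gulf_fleet.doc": "Gulf", "bank_x_plan.doc": "BankX",
}
CONFLICT_CLASS = {"Qantas": "airlines", "Gulf": "airlines", "BankX": "banks"}

class ChineseWall:
    def __init__(self):
        # The access history the slide requires: consultant -> companies read so far.
        self.history = {}

    def companies_read(self, consultant):
        return self.history.get(consultant, set())

    def can_read(self, consultant, obj):
        """Allowed if the object belongs to a company the consultant already works
        with, or to no company in a conflict class they have already touched."""
        company = COMPANY_OF[obj]
        seen = self.companies_read(consultant)
        if company in seen:
            return True
        return all(CONFLICT_CLASS[c] != CONFLICT_CLASS[company] for c in seen)

    def read(self, consultant, obj):
        """Mediate and record a read; the record drives every later decision."""
        if not self.can_read(consultant, obj):
            return False
        self.history.setdefault(consultant, set()).add(COMPANY_OF[obj])
        return True

    def can_write(self, consultant, obj):
        """Writing needs read permission AND no other company's data already read,
        otherwise confidential data could be copied across a conflict class
        through the written object (sanitised data is not modelled here)."""
        if not self.can_read(consultant, obj):
            return False
        return self.companies_read(consultant) <= {COMPANY_OF[obj]}

def scenario():
    """Walk one consultant through the airline conflict the slide describes."""
    wall = ChineseWall()
    r = {}
    r["alice_qantas"] = wall.read("alice", "qantas_routes.xls")      # first airline
    r["alice_qantas_again"] = wall.read("alice", "qantas_costs.doc")  # same company
    r["alice_gulf"] = wall.read("alice", "gulf_fleet.doc")           # competitor
    r["alice_bank"] = wall.read("alice", "bank_x_plan.doc")          # other class
    r["alice_writes_bank"] = wall.can_write("alice", "bank_x_plan.doc")
    r["bob_gulf"] = wall.read("bob", "gulf_fleet.doc")
    r["bob_writes_gulf"] = wall.can_write("bob", "gulf_fleet.doc")
    return r
```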


Biba

Concerned with integrity of information

We wish to prevent the spread of untrusted information

A Cold War issue - the intelligence services of the UK were known to have been compromised by the Soviets. How then could the USA ensure that USA intelligence data was not ‘corrupted’ by possibly misleading data flowing from UK sources?

Subject s can only modify object o if I(s) >= I(o) (no write-up)

Integrity * property: if s can read o, s can only write to p if I(o) >= I(p)

So ‘clean’ objects do not become ‘contaminated’
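The lattice rules of the Ranked Model slides (rank plus compartment set), the Bell-LaPadula ss- and *-properties, and the two Biba rules just above, as one added example that is not from the slides. The confidentiality ranks and compartments are the ones named on the Tranquility slide; the integrity level names (Untrusted, Verified, Trusted) and the "Personnel" compartment are my assumptions.

```python
from dataclasses import dataclass

# Added example (not from the lecture slides). Ranks/compartments follow the
# Tranquility slide; the integrity level names are assumed, the slides give none.
RANKS = {"Public": 0, "Company-confidential": 1, "Executive": 2}
INTEGRITY = {"Untrusted": 0, "Verified": 1, "Trusted": 2}

@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order from Ranked Model (2): rank >= AND compartment superset."""
        return self.level >= other.level and self.compartments >= other.compartments

def conf(rank, *compartments):
    """Confidentiality label C(.) used by Bell-LaPadula."""
    return Label(RANKS[rank], frozenset(compartments))

def integ(level):
    """Integrity label I(.) used by Biba (compartments not needed here)."""
    return Label(INTEGRITY[level])

# Bell-LaPadula
def blp_can_read(c_s, c_o):
    """ss-property (no read-up): need C(s) >= C(o)."""
    return c_s.dominates(c_o)

def blp_can_write(c_p, open_for_read):
    """*-property (no write-down) as the slide states it: while reading objects O,
    a write to P is allowed only if C(P) >= C(O) for every such O."""
    return all(c_p.dominates(c_o) for c_o in open_for_read)

# Biba: the dual ordering, so that low-integrity data never flows upward
def biba_can_modify(i_s, i_o):
    """Subject s may modify o only if I(s) >= I(o) (no write-up)."""
    return i_s.dominates(i_o)

def biba_star_can_write(i_o_read, i_p):
    """Integrity *-property: having read o, s may write p only if I(o) >= I(p)."""
    return i_o_read.dominates(i_p)

def demo():
    # The slide's example: a personnel manager (cleared for the assumed Personnel
    # compartment only) must not reach confidential Production data.
    personnel_mgr = conf("Company-confidential", "Personnel")
    production_data = conf("Company-confidential", "Production")
    executive = conf("Executive", "Personnel", "Production", "Sales")
    return {
        "mgr_reads_production": blp_can_read(personnel_mgr, production_data),
        "exec_reads_production": blp_can_read(executive, production_data),
        # reading Executive/Sales data, then trying to write a Public memo
        "write_down": blp_can_write(conf("Public"), [conf("Executive", "Sales")]),
        "write_up": blp_can_write(conf("Executive", "Sales"), [conf("Public")]),
        # Biba: a trusted analyst has read an untrusted feed
        "contaminate_trusted": biba_star_can_write(integ("Untrusted"), integ("Trusted")),
        "write_untrusted": biba_star_can_write(integ("Untrusted"), integ("Untrusted")),
        "trusted_modifies_verified": biba_can_modify(integ("Trusted"), integ("Verified")),
        "verified_modifies_trusted": biba_can_modify(integ("Verified"), integ("Trusted")),
    }
```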


Clark-Wilson (1)

The security requirements of commercial transactions are about integrity, and the prevention of error and fraud.

There is an established principle of separation of duties, which aims to ensure that users must collaborate to validly manipulate data, and hence users must collude to commit fraud.

Clark-Wilson aims to define well-formed transactions, so that users cannot directly access data, and specific data items can only be modified by defined programs.


Clark-Wilson (2)

Internal consistency of data items should be ensured by the system

Overall:
– Subjects have to be identified and authenticated
– Objects can be manipulated by a restricted set of programs
– Subjects can execute only a restricted set of programs
– A proper audit has to be maintained.
– The system has to be certified to work properly.

An application-oriented IT system model, a framework and guideline for security policy
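The enforcement side of the list above in code: data items reachable only through certified programs, a restricted (user, program, item) relation that also carries the separation of duties from Clark-Wilson (1), an audit trail, and an integrity check. This is an added, constructed illustration, not the model's formal rules or code from the slides; the bookkeeping items, roles and the "books must balance" invariant are my assumptions.

```python
from dataclasses import dataclass, field

# Added example (not from the lecture slides); the bookkeeping scenario is constructed.
@dataclass
class ClarkWilson:
    cdis: dict                      # constrained data items: name -> value
    tps: dict                       # certified transformation procedures: name -> fn
    certified_for: dict             # tp -> set of CDIs it is certified to touch
    triples: set                    # allowed (user, tp, cdi) relations
    audit: list = field(default_factory=list)

    def run(self, user, tp, cdi, *args):
        """Every change goes through a TP; there is no direct write to a CDI."""
        if (user, tp, cdi) not in self.triples:
            self.audit.append((user, tp, cdi, "DENIED: no access triple"))
            return False
        if cdi not in self.certified_for.get(tp, set()):
            self.audit.append((user, tp, cdi, "DENIED: TP not certified for CDI"))
            return False
        self.cdis[cdi] = self.tps[tp](self.cdis[cdi], *args)
        self.audit.append((user, tp, cdi, "OK"))      # the audit trail
        return True

    def ivp(self):
        """Integrity verification: approved entries must sum to the running total."""
        books = self.cdis["books"]
        approved = sum(a for a, _, status in books["entries"] if status == "approved")
        return approved == books["total"]

def build():
    # Two well-formed transactions over one CDI ("books"). Each returns a new
    # value; neither can be invoked except through ClarkWilson.run().
    def post(books, amount, author):
        entries = books["entries"] + [(amount, author, "pending")]
        return {"entries": entries, "total": books["total"]}
    def approve(books, index):
        entries = list(books["entries"])
        amount, author, _ = entries[index]
        entries[index] = (amount, author, "approved")
        return {"entries": entries, "total": books["total"] + amount}
    # Separation of duties lives in the triples: clerks post, managers approve,
    # and no single user holds both relations.
    return ClarkWilson(
        cdis={"books": {"entries": [], "total": 0}},
        tps={"post": post, "approve": approve},
        certified_for={"post": {"books"}, "approve": {"books"}},
        triples={("clerk", "post", "books"), ("manager", "approve", "books")},
    )

def scenario():
    cw = build()
    r = {}
    r["clerk_posts"] = cw.run("clerk", "post", "books", 100, "clerk")
    r["clerk_approves"] = cw.run("clerk", "approve", "books", 0)      # denied
    r["manager_approves"] = cw.run("manager", "approve", "books", 0)
    r["manager_posts"] = cw.run("manager", "post", "books", 50, "manager")  # denied
    r["consistent"] = cw.ivp()
    r["audit_entries"] = len(cw.audit)
    return r
```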