ACCESS CONTROL & SECURITY MODELS (REVIEW) Center of gravity of computer security

ACCESS CONTROL & SECURITY MODELS (REVIEW)

Center of gravity of computer security

Access Control Srini & Nandita 2

CSE2500 System Security & Privacy

Fundamental Model of Access Control

subject Access request Reference

Monitorsobject



Possible Access Control Mechanisms are Control Matrix Control lists Groups and Roles Extension to Distributed (+file) Systems



Example Access Control Matrix for Bookkeeping

Operating system

Accounts Program

Accounting Data

Audit Trail

Sam rwx rwx r r

Alice rx x - -

Accounts program

rx r rw w

Bob rx r r r

Srini rx r r r



Basic UNIX file security-rw-rw-r-- 1 root sys 1344 Jul 2 22:57 /etc/vfstab

Owner

Group

-rwxrwxrwx Owner permissions

-rwxrwxrwx Group permissions

-rwxrwxrwx Other permissions

Others



SUID and SGID Security

Owner of a program can mark it as suid, enabling a user, special privileges of access control attributes

sgid for groups What is the security issue here?



SUID and SGID Security(cont.)

SUID root programs are particularly vulnerable to attack.

If it is possible to subvert the program in some way, then root access can be gained.

A very well known method of such subversion is the buffer overflow.

Buffer overflow vulnerability results from bad coding practices on the part of the original programmer of the SUID root program!

ACCESS CONTROL & SECURITY MODELS(2)

Center of gravity of computer security



Buffer OverflowHundreds of Buffer Overflow vulnerabilities have been documented in various versions of UNIX

Not restricted to UNIX, Windows and other operating systems can also be vulnerable.

Writing a buffer overflow attack requires some knowledge of the stack architecture for the particular hardware (e.g. Intel stacks implemented in a different way from SPARC stacks)



Buffer Overflow – The problem

void function(char *str) {char buffer[16];strcpy(buffer,str);}

void main(){char string[256];int i;for( i = 0; i < 255; i++)string[i] = 'A';function(string);}





Buffer Overflow

string

…

…

…

string pushed onto stack





Buffer Overflow

return address

string

…

…

return address pushed onto stack





Buffer Overflow

buffer[0]

buffer[1]

…

buffer[15]

return address

string

…

buffer[16] (local variable) pushed onto stack





Buffer Overflow

A

A

A

A

A

A

A

…

Segmentation Fault

Segmentation Fault

Segmentation Fault

Segmentation Fault

Segmentation Fault

Segmentation Fault



Buffer Overflow Attack Instead of writing ‘A’ past the allocated local buffer and

into the rest of the stack, write data into the stack such that:

– The return address is replaced by an address which points to a bit of code written by the attacker (which can also be written onto the stack)

– This code may, for example, spawn a shell.

– If the original program was SUID root, this will be a root shell!



Buffer Overflow Attack

If no patch is available from O/S vendor to fix the vulnerability, then at least remove SUID root permissions from the program in question.



Authentication means

to establish the proof of identity. Authentication techniques may vary

depending on the kind of resource being accessed.

The various kinds of access can be classified into– user-to-host– host-to-host– user(or process) –to – user (process)



Trusted hosts

UNIX allows hosts to trust another. If host A trusts host B, then a user who has

the same user name on B and A can access resources on A from B without a password.

Implemented using .rhosts and /etc/hosts.equiv

rlogin, rsh, rcp



Trusted hosts - advantages

Password cannot be sniffed because it is not transmitted.

Users can log in once and then subsequently move to any machine in the trusted network.

Convenience.



Trusted hosts - disadvantages

If one host is compromised (e.g. boot B to single user mode then change to any user you like), then the other host is also compromised – read that user’s files on A.

Even if B cannot be booted to single user mode without a password, can physically replace B with another machine.

Trusted hosts uses IP address authentication. Vulnerable to IP spoofing.



NFS

Network File System Developed by Sun Microsystems Supported by most UNIX systems Allows remote access to local file systems



NFS example (Solaris)

mount –t nfs A:/files /mnt/files

/files

Host ANFS Server

Host B

NetworkNetwork

share -F nfs -o rw=B,root=B /files

NFS calls

NFS calls



NFS Security Considerations Export only to trusted hosts Export only those parts of the filesystem which

require remote access Export read-only unless writing absolutely

required Be very careful mapping root on the server to root

on the client. Remove group write permissions for exported

files and directories. Be careful exporting user home directories



NFS Security Considerations

Do not allow users to log into NFS server. Do not accept incoming NFS call requests

on non-privileged ports. Use Secure NFS. Don’t use NFS! (Is it absolutely necessary?)



Threats to Availability

“Denial of Service” attacks Probably more of a threat when carried out

via the network than on the local machine alone.

Not UNIX specific



Windows accounts

Each user has an account– On a computer and/or an Active Directory domain– Non-human accounts are for system processes

Account typically has name and password– Authentication based on Kerberos or hashed password

(for NT compatibility only)– OS supports password strength, aging policies– Certificates and smartcards are also supported (in

2000/XP, but not commonly used yet) A user may belong to many groups

– Has the union of the groups’ rights at any time



Windows file systems (1/3) FAT (for backward compatibility)

– FAT supports no access control

NTFS (NT File System)– Access control based on user IDs and file permissions

– Basic permissions are Read, Write, Execute, Delete, Change Permissions, Take Ownership RWXDPO

– Standard permissions are basic ones combined

– Different permissions to a file can be granted to individual users/groups using ACL

– More fine-grained, flexible than UNIX



Windows file systems (2/3)

The following access permissions apply to files:

NoAccess Read(RX): read and execute Change(RWXD): read,write,exe,delete Full Control(all): RWXDPO Special Access: any combination of

RWXDPO



Windows file systems (2/3) Files sharing using Common Internet File System

(CIFS)– Shares are managed in directory (in common with

domain management – more later)– Machine access to shares is based on computer account

in domain and inter-domain trust– User access to shares is based on share passwords or

standard ACLs– NT systems use hashed password SMB auth.– Windows 2000/XP use Kerberos authentication

Encrypting File System (EFS)– Files encryption using random secret keys, which are in

turn encrypted with EFS public keys



Windows networking

Essentially similar tools– telnet, ftp with clear-text passwords– SSH, and augmented versions of telnet, ftp

more secure

Integrated networking explained later– Server Message Block (SMB) based integrated

domain authentication, file shares access



Windows security internals: Architecture (1/2)

Windows (NT/2000/XP) have layered components on top of a kernel

Security Reference Monitor (SRM)– Part of the kernel

– Handles core of access control checks

Protected security services include– Winlogon process

– Local Security Authority (LSA) and policy database

– Security Account Manager (SAM) and database

– These services perform user authentication, and non-core part of access control



Windows security internals: Architecture (2/2)

Security identifiers (SID)– Represent uniquely each user or group

Access control entry (ACE)– Contains permissions to an object explicitly denied or granted

to a subject (SID)

Access control list (ACL)– List of ACE’s for an object

Security descriptor of an object– Contains is owner SID, primary group SID, its ACL, the

applicable system ACL

Access token for a logged on user– Contains the user’s SID, primary group SID, etc.



Windows security internals: Authentication

NT uses NTLM authentication– NT (MD4) and LM (DES-based) hashed password– Domains integration relies on sending hashed passwords

through insecure SMB protocols– Inter-domain trusts are one-way, non-transitive

Windows 2000/XP in domains use Kerberos– NTLM supported for backward compatibility– Domains are managed by Active Directory– Integrated Kerberos auth. as domain controllers are KDCs– Enable hierarchical organisation and delegation– Inter-domain trusts are two-way, transitive thereby simplifying

trust management Logged on users run processes with their access tokens,

basis for access control, impersonation



Windows security internals: Access control

Discretionary access control– Based on subject SIDs and object ACLs

– Each object has an ACL• Null ACL or empty means no restrictions or no access

– Each process has access token with owner SID, group SIDs

– Access control check matches of access tokens against ACLs

– Administrators group can access everything

– SRM performs core matching

Less so discretionary access control– Some system-wide policies applying to subjects, regardless of

individual object’s ACL



Windows security internals: Impersonation

No equivalence of UNIX suid, sgid or “su”, “sudo” programs

But processes frequently programmatically impersonate others– A thread takes on access token of another subject

– This access token may be exact copy or variant of a primary access token

– Thread gets security privileges of the impersonated subject

Impersonation is application-controlled, as opposed to administrator-controlled in UNIX



Windows security internals: Logging & auditing

The LSA and SRM create logs through the system event logger

The LSA logs mostly logon events based on its audit policy

The SRM logs access check events based on the system access control list (SACL)– Each object has an SACL

Logs are stored locally



UNIX and Windows security: some evaluations Windows security more complex, less mature

– More susceptible to faults

Windows integrated Kerberos auth. more secure than hashed passwords

Windows access control more fine-grained But Windows has more viruses?

– Default security leaves programs writable

– Users education

Historically more UNIX buffer flow attacks?– Longer lifetime, more accessible source code

– Windows code inaccessible, but faults will show up eventually (obscurity not good security)



Other Access Control methods

Sandboxing– Software that provides limited access rights to

programs of unknown origins

Proof-carrying code– Programs to be executed must carry a proof that

it doesn’t do anything that contravenes the local security policy



Policies (1) Historical considerations

– The history of information systems and their automation is a history of compromise. Automation had to fit into existing schemes of information management. Similarly, the addition of security mechanisms has to fit into existing structures and systems. Highly secure systems are often a consequence of redesign and re-engineering of existing systems.

Mandatory Security Policies– A system wide policy decrees that all subjects and all objects

are classified. Access classes are associated with every subject-object pair.

– Access rights depend on the triple subject-object-access class for all triplets

<Sam, Production Log, Write>



Policies (2) Discretionary Security Policies

– Users are allowed to grant access to other users - often the OWNER of an object can grant access privileges to other users, (at the owners discretion )

Discretionary Policies may allow one user to pass data to another user without the authority of the creator of the data



Security Models Formal Methods

One benefit of using formal models is that mathematical (sometimes called formal) methods can be used to confirm that all transitions allowed by the model preserve the secure state of the system being modeled

For real systems, modeling is not easy



Access Control - Ranked Model (1)

Multi-level Often called Lattice methods Basis of military and commercial security Set of ordered security levels, users assigned to a

level User subjects are privileged to access a rank

and all lower ranks Students do not need to master the notation used

in ‘Gollman’



Access Control - Ranked Model (2)

We are also concerned about need to know

Compartment the information to be secured Granting access :

– A subject is cleared to access object – only if rank(subject) >= rank (object) AND– The set of all compartments that contain the object are

contained within the set of compartments that the subject is cleared to access

– (The personnel manager will not be allowed to access confidential production data)



Access Control - Ranked Model (3) Companies often use the ranks:

– Public, Company Confidential, Executive-only

Deciding what lies in what compartment keeps security staff occupied



Bell - LaPadula (1) Earliest formal model Each user subject and information object

has a fixed security class Use the notation >= to indicate dominance Simple Security (ss) property:

the no read-up (NRU) property– A subject has read access to an object if the – class of the subject C(s) is greater than or equal to the

class of the object C(o)– need C(s) >= C(o)



Bell - LaPadula (2) * property (star):

the no write-down (NRD) property

– While a subject has read access to object O, the subject can only write to object P ifC(P) >= C (O)

Leads to concentration of irrelevant detail at upper levels

Discretionary Security (ds) propertyIf discretionary policies are in place, accesses are further limited to this access matrix

– Although all users in the personnel department can read all [personnel] documents, the personnel manager would expect to limit the readers of a document that dealt with redundancies in the personnel department !



Transitions If a system starts in a secure state, and all

transitions are secure, then the system remains in a secure state.

But what if we allow users to downgrade all objects, and then modify the access control matrix so all modes are allowed for each entry

?

So we need to beware of transitions that change access rights



Tranquility Gollman p 49 Pfleeger (3ed) p 305 Starting with a Bell-LaPadula model, with ranked

classes of users– Say Executive, Company-confidential, Public

And segregated compartments, – Say Sales, Production

And all users assigned a rank, And all files assigned a rank and a compartment

TRANQUILITY is when these assignments do not change – or are not allowed to change



Tranquility in practice

Production program systems need to open and use work files, and open and use spool print files, class or subroutine libraries need to be accessed.

For systems with mandatory security, these entities all need labels and levels.

In practice assigning security levels to these sorts of entities is not easy.



Limitations of BLP model

Only deals with confidentiality aspect of security and not integrity

Not addressing the management of access control

Containing covert channels



Chinese Wall Model(1/2) Suppose a consultancy has several airlines as clients

– It is a conflict of interest if a consultant working with Quantas has access to confidential data on Gulf gathered from another assignment

– Security policy builds on 3 levels of abstraction:• Objects: lowest levels, eg. Files• Company groups : all objects concerning a particular company are

grouped together• Conflict classes: at the highest level, all groups of objects for

competing companies are clustered.

– No information flow that causes a conflict of interest• For this model to work, a history of access rights has to be

maintained

– (Also, if confidential information is written across conflict classes, an effective conflict of interest is created)



Chinese Wall Model(2/2)

Simple security(ss) policy:Access is granted only if the object requested

belongs to a company dataset already held by user or entirely different conflict of interest class

*-property:A subject is granted write access to an object

if no other object can be read which is in a different company dataset.



Biba Concerned with integrity of information We wish to prevent the spread of untrusted information A Cold war issue - the intelligence services of the UK

were known to have been compromised by the Soviets.

How then could the USA ensure that USA intelligence data was not ‘corrupted’ by possibly misleading data flowing from UK sources ?

Simple integrity property: Subject s can only modify object o

if I(s) >= I(o) ( no write up)

Integrity * propertyIf s can read o, s can only write to p if I(o) >= I(p)

So ‘clean’ objects do not become ‘contaminated’



Biba(1/2)

Covers untrustworthy information in a natural way.

Suppose John is untruthful, all documents created/modified by John are untrustworthy

An untrusted subject who has write access to an object reduces the integrity of that object

Low integrity of source objects implies low integrity for any object based on the source object.



Clark-Wilson (1/3) The security requirements of commercial transactions

are about data integrity, and the prevention of error and fraud.

There is an established principle of separation of duties, which aims to ensure that users must collaborate to validly manipulate data, and hence users must collude to commit fraud.

Clark-Wilson aim to define well-formed transactions, so users cannot directly access data,

and specific data items can only be modified by defined programs.



Clark-Wilson (2/3) Internal consistency of data items should be

ensured by the system Overall:– Subjects have to be identified and authenticated– Objects can be manipulated by a restricted set of

programs– Subjects can execute only a restricted set of

programs– A proper audit has to be maintained.– The system has to be certified to work properly.

An application oriented IT system model, a framework and guideline for security policy



Clark-Wilson (3/3)

Policy in terms of constrained data items(CDI)

CDIs are processed by transformation procedures(TP)

TP is like a monitor that performs only particular operations on specific data items

Access triples combine TP, one or more CDI and user ID who is authorised to operate on those CDIs by means of the TP.

Documents

ACCESS CONTROL & SECURITY MODELS (REVIEW) Center of gravity of computer security