Embed Size (px)
Citation preview
EE5552 Network Security and Encryption
block 3
Dr. T.J. Owens Cmath, FIMA, MIEEEDr T. Itagaki MIET, MIEEE, MAES
Block 3Access Control
Objectives (1)• To introduce Access Control• To explain basic concepts of operating system access
controls:– Access Control Matrices– Groups and Roles– Access Control Lists – Capabilities– Permission bits
Objectives (2)• To provide an overview of operating system
vulnerabilities: – Smashing the stack and other technical attacks – User interface failures – Remedies for buffer overflows
• To introduce the principle of least privilege
Access Control (1)Access control is described by Ross Anderson as the centre of
gravity of computer security.It controls which principals can access which system resources,
the files they can read, the programs they can execute, with which other principals they can share data, etc.
Access control works at a number of levels:– Application– Middleware– Operating system– Hardware
Access Control (2)At the application layer a user may see access controls
implementing a complex security policy which could assign them many roles.
Applications may be written on top of middleware which enforces a number of protection measures.
For example, – bookkeeping software may ensure a debit is always
matched by a credit.– parental control (lock) on digital TV– Smartcard lock for digital TV’s pay channels
Access Control (3)The middleware uses functions provided by the underlying
operating system. As this constructs resources such as files from lower level
components it acquires responsibility for providing ways to control access to them.
The operating system access controls usually rely on hardware features provided by the processor or memory management hardware. – These control the memory addresses a process can access.
Moving up from the hardware to the application layer the controls become more complicated and less reliable.
Access Control (4)Access control only makes sense in terms of protection goals
expressed in a security policy.In the following operating system access control mechanisms are
discussed, as their requirements usually drive the design of the hardware protection systems.
Operating system access controls (1)
The access controls provided with an operating system usually authenticate principals using a mechanism such as passwords or Kerberos and then mediate their access to files, communication ports, and other system resources.
The effect of operating system access controls can be modelled by an Access Control Matrix which is a matrix of access permissions with columns for resources and rows for principles.
Operating system access controls (2)
Let • R denote permission to read• W denote permission to write• E denote permission to execute a programThen the Access Control Matrix lists what users are allowed to
do with system resources: Data 1 Data 2 Program 1 Program 2 Alice RW E Bob R RW RWE Carol R E David RW R E RWE Eve R RE
Operating system access controls (3)
Then the Access Control Matrix lists what users are allowed to do with system resources:– Principals are active parties; they access– Resources are passive; they are accessed– When checking if access is allowed, both principal and resource must
be identified– Identities must be unique within their domain
Data 1 Data 2 Program 1 Program 2 Alice RW E Bob R RW RWE Carol R E David RW R E RWE Eve R RE
Operating system access controls (4)There are three ways to represent an access control matrix:• Access Control Lists
- registers per resource what rights the listed principals have to the resource
• Capability Lists- registers per principal what rights the principal has to the listed resources
• Permission bits- Explained by example later
Operating system access controls (5)
More formally,• Each row is a process (“subject”)• Each column is a file (“object”)• Each matrix entry is the access rights that subject has for that
object
Access Control Matrix Operations• System can transition from one ACM state to another• Primitive operations: create subject, create object; destroy
subject, destroy object; add access right; delete access right• Transitions are, of course, conditional
Access Control Lists (1)Simplify access rights management by storing the access control
matrix a column at a time along with the resource to which the column refers.
ACLs are widely used in environments where the users manage the security of their own files such as Unix systems.
Access Control Lists (2)Advantages:• Easy to understand• Easily answer the question "who has what kind of access to
this resource“• Work well in distributed systems; Rights stored together with
resources
Disadvantage:• May be inefficient. Determining rights may require searching
a long list
Groups and RolesStaff in large organizations usually fit into a small number of
categories, staff need to be assignable to a small number of groups or functional roles.
A group is a list of principals.
A role is a fixed set of access permissions that one or more principals may assume for a period of time. e.g. “root”, “super user”, “administrator”
Efficient use of ACLs (1)• Groups, to shorten lists• Rules if someone (through groups) appears twice in a list with
different rights• “Access: None” to create a temporary smaller group out of an
existing large one• Specific system manager rules
These points are demonstrated by example below. They can be extended to Role Based Access Control data bases which are discussed later.
Efficient use of ACLs (2)Groups in ACLs– Group1: Alice, Bob, Cynthia, David, Eve– Group2: Alice, Bob, Cynthia, David– Group3: Bob, Cynthia, David, Eve– File 1: Group 1, R; Group 3, RW
Suppose Eve wants to write to File 1• First relevant entry policy: Access denied• Any permission in list policy: Access allowed
Efficient use of ACLs (3)“First relevant entry” rule in ACL• Efficient (shorter searches on the average compared to “Any
permission”)• Order in ACL crucial• Effect of additions/deletions to list depends entirely on
previous/later items• Efficient use of already existing groups is possible
Efficient use of ACLs (4)“First relevant entry” effectsGroup1: Alice, Bob, Cynthia, David, RonGroup2: Alice, Bob, Cynthia, David, EveFile 1: Group1, R; Group2, R;………; Ron, RW
• The effect of “Remove Group2, R” is that everyone except Eve can still read the file
• Ron’s entry has no effect. He cannot write.• The only effect of “Remove Group1, R” is that Ron gets his
write permission!• Placing Ron’s entry first slows down list search
Efficient use of ACLs (5)“Any permission” rule in ACL• Longer search (always until a permission is found or list
exhausted)• Efficiency depends on order in ACL (frequent users should be
first in list)• Removal of one permission may be without effect
Efficient use of ACLs (6)“Any permission” effectsGroup1: Alice, Bob, Cynthia, David, RonGroup2: Alice, Bob, Cynthia, David, EveFile 1: Group1, R; Group2, R;………; Ron, RW
• Finding Ron’s write permission takes time• Remove “Group2, R”! and everyone except Eve can still read
the file
Efficient use of ACLs (7) “Access: None”
– Group1: Alice, Bob, Cynthia, David, Eve– Group2: Alice, Bob, Cynthia, David– File 1: Group1, RW– File 2: Group2, RW
is equivalent to– Group1: Alice, Bob, Cynthia, David, Eve– File 1: Group1, RW– File 2: Eve, None; Group1, RW
In this way Eve is denied access to File 2 without the need for a Group 2 to be explicitly defined.
Efficient use of ACLs (8)Unix Operating System Access Control Lists (1)In Unix, and its variant Linux, files are only allowed rwx attributes
for the resource owner, the group, and the world.The access control list as normally shown has a flag to show
whether the file is a directory, then r, w, x flags for the owner, group, and world. For a directory with all the flags set the ACL looks like:
drwxrwxrwx Alice Accounts
N.B. “d” indicates “directory” or “folder”
Efficient use of ACLs (9)Unix Operating System Access Control Lists (2)An example with an FTP client
Efficient use of ACLs (10)Unix Operating System Access Control Lists (3)The list-rw-r---- Alice Accountsstates the file is not a directory, the file owner Alice can read and
write to it, the members of the group Accounts can read it but not write to it, non-group members have no access to it.
N.B. -rwxrwxrwx owner, GROUP, others
Efficient use of ACLs (11)Unix Operating System Access Control Lists (4)an html file for www-rwxr-x-r-x index.htmlThe user can write/read and execute, but group members and
others can read and execute only.
an executable programme-rwx--x--x game.exe
N.B. drwxrwxrwx owner, GROUP, others
See also “http://en.wikipedia.org/wiki/Attrib”
Efficient use of ACLs (12)Unix Operating System Access Control Lists (5)While a directory for web materials are set to:drwx----- weband an html file under the directory is set to:-rwxr-xr-x index.html
Can a visitor to the site read the file?
<< hierarchical access control : “AND”, “OR”
Efficient use of ACLs (13)Unix Operating System Access Control Lists (6)Permission bits – modeIf you wish to set an html file “index.html” with-r-xr-xr-x index.htmlAccess control (= attribute), a command “chmod” is used.
chmod 555 index.html555 means 101(2) 101(2) 101(2)
Owner: rxGroup: rx Others: rx enabled.When the owner wants to make an amendment, you need to fire
“chmod 755 index.html” - 7 means 111(2) rwx enabled.
Efficient use of ACLs (14)Unix Operating System Access Control Lists (7)Permission bits – modeWindow XP
“Attributes”
Efficient use of ACLs (15)System administrator (1)• Usually the system administrator has default maximum
privilegeso This is the “root” in Unix where the root userid is usually made
available to the system administrator
• Often no checks are made for access as system administrator• Sometimes specific rights are given to the system
administrator in the ACL, meaning there are things on the system administrator only they can do
Efficient use of ACLs (16)System administrator (2)• System administrators can normally give themselves any
privilege they don’t already haveo This means it is difficult to implement an audit trail as a file the system
administrator cannot modifyo However, when a system administrator gives themselves a privilege
they were not assigned that event should be logged in non-erasable form
• The simplest and most common way to protect the system log file from being compromised by the system administrator is to keep it separate, this means sending it to another machine administered by someone else
Efficient use of ACLs (17)Owner• Usually the creator of an object has default maximum
privileges for the object• Granting access to others is one of those privileges• Sometimes only the owner and system administrator can ever
change the ACL for the object• Some systems allow ACLs to have ACLs
Capabilities and the full matrix (1)An access control matrix may be stored by rows called
capabilities.• A list is of course just the contents of a row of the access
control matrix• Tickets and attribute certificates are subsets of this.
o Tickets etc. do not reveal the subjects full permissions to the checking party
Capabilities and the full matrix (2)Capability listsThe strengths and weaknesses of capabilities are more or less
the opposite of ACLs.Capabilities were first presented as actual lists per subject.The main problem with capabilities is that changing a program’s
status, for example so no user may execute it, can be difficult because it can be hard to find out which users have permission to execute the program.
This equally applies to changing a files status and can be a problem when investigating an incident or preparing evidence of a crime.
Capabilities and the full matrix (3)Capability listsCapabilities are now commonly implemented in the form of
tickets or attribute certificates.Attribute certificates are closely related to public key certificates
which will be covered in detail later.Attribute certification in essence is a way of extending
authentication-oriented use of PKI to support tasks related to authorization. Attribute Certificates provide a solution to certify binding of attributes to a given subject.
Capabilities and the full matrix (4)Capability listsSome operating systems (e.g., KeyKOS, EROS, IBM AS/400, Mach) combine
the notion of an object’s name/reference that is given to a subject and the access rights that this subject obtains to this object into a single entity:
capability = (object-reference, rights)Capabilities can be implemented efficiently as an integer value that points to
an entry in a tamper-resistant capability table associated with each process (like a POSIX file descriptor).
Capabilities can include the right to be passed on to other subjects. This way, S1 can pass an access right for O to S2, without sharing any of its other rights. Problem: Revocation?
Temporal Access Control (1)• Permit access only at certain times• Model: time-locks on bank vaults• Obvious way to implement: add extra fields to ACL
Temporal Access Control (2)Problems and Attacks• Is your syntax powerful enough for concepts like holidays; on
what calendar?• What if the clock is wrong?• Can the enemy change the clock?• How is the clock set; by whom or what?
Temporal Access Control (3)Access Control at the Middleware Level (1)It is common for enterprises to have critical databases containing
highly sensitive information such as credit card numbers. As an operating system sees a database as a single large file all it
can do is identify legitimate users of the database and distinguish the database from the other applications running on the same machine.
Database products such as Oracle have their own access control mechanisms which, in general, being modelled on operating system access controls use a mixture of ACLs and capabilities.
Temporal Access Control (4)Access Control at the Middleware Level (2)Nevertheless, the architecture of database access controls is
usually more complicated than that of operating system access controls in the sense of their being more types of privileges.
This is because database access controls involve higher levels of abstraction that access controls applied to files or processes.
Temporal Access Control (5)Smashing the stackMany technical attacks on operating systems involve memory overwriting
attacks known as smashing the stack.Programmers are often careless about checking the size of arguments. A classic example was, a vulnerability in the Unix finger command. An implementation of this would accept an argument of any length but only
256 bytes had been allocated for the argument by the program. When an attacker used the command with an argument longer than 256
bytes the trailing bytes of the argument were executed by the CPU.
Temporal Access Control (6)Buffer OverflowTrying to write a segment of data over a memory location that does not have
enough space. i.e. data size > memory sizeA segmentation fault occurs when a program attempts to access a memory
location that it is not allowed to access, or attempts to access a memory location in a way that is not allowed (for example, attempting to write to a read-only location, or to overwrite part of the operating system).
If the overflow goes into the system memory area that controls the overall operation of the computer/system, it could cause more critical problems.
Temporal Access Control (7)Stack Overflow (1)Besides changing values of unrelated variables, buffer overflows
can often be used (exploited) by attackers to cause a running program to execute arbitrary supplied code.
The techniques available to an attacker to seek control over a process depend on the memory region where the buffer resides, for example the stack memory region, where data can be temporarily "pushed" onto the "top" of the stack, and later "popped" to read the value of the variable.
Temporal Access Control (8)Stack Overflow (2)Typically, when a function begins executing, temporary data
items (local variables) are pushed, which remain accessible only during the execution of that function.
The simplest and most significant method of exploiting a stack based buffer overflow is to overwrite the function return address with a pointer to attacker-controlled data (usually on the stack itself).
Temporal Access Control (9)Stack Overflow (3)
http://en.wikipedia.org/wiki/Stack_buffer_overflow
Temporal Access Control (10)Other technical attacks (1)SQL injection is a code injection technique. It commonly arises
when a web developer passes user input to a database without filtering it to see if it contains SQL code.
Temporal Access Control (11)Other technical attacks (2)Format string attacks arise from the use of unfiltered user input
as the format string parameter in certain C functions that perform formatting, such as printf().
o E.g. a programmer tries to print user supplied data and allows the print command printf() to interpret any formatting instructions, such as n%, contained in the user’s data.
o A malicious user could write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack.
Temporal Access Control (12)Other technical attacks (3)Race conditions are where a transaction is carried out in two or more stages
and it is possible for an attacker to alter it after the stage that involves verifying access rights.
For example, Unix command mkdir (make directory: mkdir <name>) used to work in two steps.
Firstly, storage was allocated and then ownership was transferred to the user. A user could initiate mkdir in the background and if this completed only the
first step before being suspended, a second process could be used to replace the newly created directory with a link to the password file.
Then the original process would resume and change the ownership of the password file to the user.
Temporal Access Control (13)Other technical attacks (4)A wide variety of bugs have enabled users to assume root status (system
administrator) and take over the system. Some Unix implementations had the feature that if a user tried to execute the
command su (super user login) when the maximum number of files were open, then su was unable to open the password file, and responded by giving the user root status.
There have been a number of bugs that allowed denial of service attacks.
Temporal Access Control (14)Other technical attacks (5)Until the late 1990s most implementations of the Internet protocols allocated
a fixed amount of buffer space to process SYN packets with which TCP/IP connections are initiated.
This led to SYN flooding attacks. By sending a large number of SYN packets, an attacker could exhaust the
available buffer space and prevent the machine accepting any new connections.
This is now fixed using syncookies.
Temporal Access Control (15)User interface failures (1)One of the earliest attacks was the Trojan Horse, a program the
administrator is invited to run that will cause harm if run. Attackers wrote games that checked occasionally if the player
was the system administrator, and if so would create another administrator account with a known password.
Perhaps the most serious example of user interface failure in terms of the number of systems at risk is in Windows NT.
Temporal Access Control (16)User interface failures (2)In this operating system, a user must be the system
administrator to install anything. This is useful in preventing staff from loading up viruses. However, in many working environments staff must be able to
install software to get their work done. In practice this has resulted in millions of people having
administrator privileges who should not need them. These people are vulnerable to attacks in which malicious code
pops up in a box telling them to do something.
Temporal Access Control (17)User interface failures (4)Microsoft’s solution is User Account Control. Introduced in Windows Vista and Windows Server 2008
operating systems, User Account Control limits the use of application software to standard user privileges until an administrator authorizes higher privileges.
Only applications trusted by the user can receive administrative privileges as the user has to request these privileges.
However, this requires care to implement properly.
Temporal Access Control (18)User interface failures (4)Furthermore, it provides no protection where applications such as
web servers must run as root, are visible to the outside work, and contain software bugs that allow them to be taken over.
To reduce the possibility of lower-privilege applications communicating with higher-privilege ones User Interface Privilege Isolation is used in conjunction with User Account Control to isolate these processes from each other. One prominent use of this is Internet Explorer 7's "Protected Mode".
Temporal Access Control (19)Remedies
See http://en.wikipedia.org/wiki/Buffer_overflow http://en.wikipedia.org/wiki/Stack-
smashing_protection
The principle of least privilege (1)From: http://hissa.nist.gov/rbac/paper/node5.html
The principle of least privilege requires that a user be given no more privilege
than necessary to perform a job.Ensuring least privilege requires identifying what the user's job is,
determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more.
By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges cannot be used to circumvent the organizational security policy.
The principle of least privilege (2)From: http://hissa.nist.gov/rbac/paper/node5.html Through the use of Role Based Access Control (RBAC), enforced minimum
privileges for general system users can be easily achieved.It can also be applied to processes on the computer; each system component
or process should have the least authority necessary to perform its duties. This helps reduce the "attack surface" of the computer by eliminating
unnecessary privileges that can result in network exploits and computer compromises.
The principle of least privilege (3)From: http://hissa.nist.gov/rbac/paper/node5.html In particular, programs should only have as much privilege as necessary. Software should be designed so that the default configuration, and in general,
the easiest way of doing something, is safe. The main function of access control in computer operating systems is to limit
the damage that can be done by particular, groups, users, and programs, whether through error or malice.
home work• Unix “chmod” command• DOS/OS 2 “attrib” command with /r /a /s /h• see also http://en.wikipedia.org/wiki/Chattr• Windows – file attribute
