CSE509 System Security: Access Control
Nick Nikiforakis

Access Control: introduction
• How do we protect our confidential data from unauthorized usage?
• Two important cases:
  – An attacker has access to the raw bits representing the information
    • need for cryptographic techniques (not covered in this class)
  – There is a software layer between the attacker and the information => access control techniques

Access Control (Authorization)
• Limiting access to sensitive resources
  – Informally “Who can access what and in what way?”
[Figure: layer stack: Application, Middleware, Operating System, Hardware]

Access Control is Pervasive
1. Application
  • Complex, custom security policy.
  • Ex: Amazon account: wish list, reviews, CC
2. Middleware
  • Database, system libraries, 3rd party software
  • Ex: Credit card authorization center
3. Operating System
  • File ACLs, IPC
4. Hardware
  • Memory management, hardware device access.

Access Control Matrix
Precisely describes protection state of system.
[Figure: sets P and Q]
Sets of system states:
  – P: Set of all possible states.
  – Q: Set of allowed states, according to security policy.
  – P-Q: Set of disallowed states.
ACM describes the set of states Q.

Access Control Matrix
As system changes, state changes.
  – State transitions.
  – Only concerned with protection state.
ACM must be enforced by a mechanism that limits state transitions to those that go from one element of Q to another.

ACM Description
[Figure: matrix with subjects s1, s2, …, sn as rows and objects (entities) o1 … om, s1 … sn as columns]
• Objects O = { o1,…,om }
  – All protected entities.
• Subjects S = { s1,…,sn }
  – Active entities, S ⊆ O
• Rights R = { r1,…,rk }
• Entries A[si, oj] ⊆ R
• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj

Example: File/Process
Processes p, q
Files f, g
Rights r, w, x, a, o

      f     g     p     q
p     rwo   r     rwxo  w
q     a     ro    r     rwxo

Free text to ACM
• Alice, who owns file1, trusts Bob to read and write that particular file. Bob, on the other hand, is afraid that Alice will edit his files, so he only allows her to read file2, but nothing more. Steve, whom no one trusts, has made a program called prog1 that he wants others to execute, but not modify. Lastly, everyone but Bob can read Joe’s diary.

Ownership Right
Usually allows possessor to change entries in ACM column
  – So owner of object can add, delete rights for others
  – May depend on what system allows
    • Can’t give rights to specific (set of) users
    • Can’t pass copy flag to specific (set of) users

Attenuation of Privilege
Principle: Subject may not give rights it does not possess to another.
  – Restricts addition of rights within a system
  – Usually ignored for owner
    • Why? Owner gives herself rights, gives them to others, deletes her rights.

How can we implement the ACM?
Problem: scale
  – Thousands of subjects.
  – Millions of objects.
  – Yet most entries are blank or default.
Solutions
  – Implement by column: Access Control Lists
  – Implement by row: Capabilities
  – Group users together in a “flat” or hierarchical model
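
Added example (not part of the original slides): the File/Process matrix from the earlier slide stored sparsely in Python, sliced by column into ACLs and by row into capability lists, with a grant check that applies attenuation of privilege and its owner exception. All function names are illustrative assumptions.

```python
from collections import defaultdict

# File/Process matrix from the slide, stored sparsely: blank entries are absent.
ACM = {
    ("p", "f"): set("rwo"), ("p", "g"): set("r"),
    ("p", "p"): set("rwxo"), ("p", "q"): set("w"),
    ("q", "f"): set("a"), ("q", "g"): set("ro"),
    ("q", "p"): set("r"), ("q", "q"): set("rwxo"),
}

def fresh_acm():
    """Return an independent copy of the sample matrix."""
    return {key: set(rights) for key, rights in ACM.items()}

def by_column(acm):
    """ACL view: object -> {subject: rights}."""
    acls = defaultdict(dict)
    for (subject, obj), rights in acm.items():
        acls[obj][subject] = set(rights)
    return dict(acls)

def by_row(acm):
    """Capability view: subject -> {object: rights}."""
    caps = defaultdict(dict)
    for (subject, obj), rights in acm.items():
        caps[subject][obj] = set(rights)
    return dict(caps)

def grant(acm, giver, receiver, obj, right):
    """Attenuation of privilege: the giver must hold the right, unless it
    owns the object (right 'o'), the exception noted on the slide."""
    held = acm.get((giver, obj), set())
    if right not in held and "o" not in held:
        return False
    acm.setdefault((receiver, obj), set()).add(right)
    return True

def revoke_object_from_caps(caps, obj):
    """Direct revocation in the row view: every subject's capability list
    has to be scanned. Returns the number of lists scanned."""
    scanned = 0
    for objects in caps.values():
        scanned += 1
        objects.pop(obj, None)
    return scanned
```

In the column view the same revocation is a single deletion of the object's ACL, which is the asymmetry the later ACL and capability slides discuss.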

Access Control Lists (ACLs)
• Implement ACM by column.
  – Access control by object.
• Example: UNIX ACLs
  – Short “rwx” user/group/other.
  – Long POSIX ACLs.
• ACL is stored “close” to the object

User    audit data
root    rw
alice   r
bob

Some ACL Questions
1. Which subjects can modify an object’s ACL?
2. Do ACLs apply to privileged users?
3. How can a subject’s rights be revoked?
4. What are the default permissions?

Which subjects can modify an ACL?
Create an own right for an ACL.
  – Only subjects with own right can modify ACL.
Creating an object also creates object’s ACL.
  – Usually creator given own right at this time.
  – Other default rights may be set at creation too.

Do ACLs apply to privileged users?
Many systems have privileged users.
  – UNIX: root.
  – Windows NT: administrator.
Should ACLs apply to privileged users?
  – Need read access to all objects for backups.
  – What security problems are produced by ignoring ACLs for privileged users?

How are rights revoked?
Removal of subject’s rights to object.
  – Delete entries for subject from ACL.
  – If ownership doesn’t control granting rights, matters can be complex:
    • If A has granted rights to B, what should happen to B’s rights if you remove A’s rights?
Removal of subject’s rights to all objects.
  – Very expensive (millions of objects).
  – Why isn’t disabling subject’s account sufficient?

What are the default permissions?
Interaction of ACLs with base permissions.
  – POSIX ACLs modify UNIX base permissions.
How are default ACLs determined?
  – Subject
    • Subject sets default permissions, like UNIX umask.
  – Inheritance
    • Objects in hierarchical system inherit ACLs of parent object.
    • Subjects inherit sets of default permissions from their parent subjects.

Capabilities
• Implement ACM by row, instead of by column
• Access Control associated with subject.
Example: UNIX file descriptors
  – System checks ACL on file open, returns fd.
  – Process subsequently uses fd to read and write file.
  – If ACL changes, process still has access via fd.

User    ls    homedir    rootdir
alice   rx    rw         r
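
Added example (not part of the original slides): a POSIX-only Python demonstration of the file-descriptor behaviour described above. The file is opened, its mode is then set to 000, and a read through the already-held fd is compared with a fresh open that triggers a new permission check. The function names are assumptions; when run as root the fresh open also succeeds, because root bypasses the permission bits.

```python
import os
import tempfile

def running_as_root():
    """Privileged users are not bound by the file mode bits."""
    return os.geteuid() == 0

def fd_survives_acl_change():
    """Return (bytes read through the old fd, whether a fresh open was denied)."""
    fd, path = tempfile.mkstemp()         # opened read/write, mode 0600
    try:
        os.write(fd, b"audit data")       # constructed sample content
        os.chmod(path, 0o000)             # permissions now grant nothing
        os.lseek(fd, 0, os.SEEK_SET)
        via_fd = os.read(fd, 64)          # no permission check on read()
        try:
            os.close(os.open(path, os.O_RDONLY))   # new check against the mode
            reopen_denied = False
        except PermissionError:
            reopen_denied = True
        return via_fd, reopen_denied
    finally:
        os.close(fd)
        os.unlink(path)

if __name__ == "__main__":
    data, denied = fd_survives_acl_change()
    print("read via existing fd:", data)
    print("fresh open denied:", denied, "(root:", running_as_root(), ")")
```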

Some Capability Questions
1. How to prevent user from modifying capabilities?
2. How to prevent user from copying capabilities?
3. How to revoke rights to an object?

How to prevent user from modifying?
Memory protection
  – Capabilities are readable, but not writable.
Indirection
  – Capability is pointer to per-process table whose access control prevents user from touching.
Cryptography
  – Cryptographically secure checksum associated with capability and checked before usage.

How to prevent user from copying?
Copying capabilities allows users to grant rights to others.
Solution:
  – Use indirection or cryptographic techniques from previous slide to prevent direct access.
  – Add copy flag to capability, as a specific right given to copy capabilities in order to give rights to other users.

How to revoke rights to an object?
Direct solution
  – Check capabilities of every process.
  – Remove those that grant access to object.
  – Computationally expensive.
Alternative solution
  – Create a global object table.
  – Capabilities reference objects indirectly via their entries in the global object table.
  – Invalidate entry in global object table to revoke.
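
Added example (not part of the original slides): one way to combine the three ideas from the capability slides in Python. An HMAC serves as the cryptographically secure checksum, a copy flag gates delegation, and a global object table gives one-step revocation. The record layout, the letter "c" for the copy flag and the binding of each capability to a subject name are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)   # held only by the reference monitor
OBJECT_TABLE = {}               # global object table: entry id -> object

def register(obj):
    """Add an object to the global table and return its entry id."""
    entry = secrets.token_hex(8)
    OBJECT_TABLE[entry] = obj
    return entry

def _tag(subject, entry, rights):
    msg = "\x00".join((subject, entry, rights)).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def mint(subject, entry, rights):
    """Issue a capability; rights is a string of one-letter rights."""
    return {"subject": subject, "entry": entry, "rights": rights,
            "tag": _tag(subject, entry, rights)}

def check(cap, subject, right):
    """Return the object if the capability is unmodified, presented by the
    subject it was issued to, grants `right` and is not revoked; else None."""
    good = _tag(cap["subject"], cap["entry"], cap["rights"])
    if not hmac.compare_digest(good, cap["tag"]):
        return None
    if cap["subject"] != subject or right not in set(cap["rights"]):
        return None
    return OBJECT_TABLE.get(cap["entry"])

def delegate(cap, holder, new_subject, rights):
    """Copy flag: only a holder with 'c' may derive a capability for
    another subject, and only for rights the original already carries."""
    if check(cap, holder, "c") is None:
        return None
    if not set(rights) <= set(cap["rights"]):
        return None
    return mint(new_subject, cap["entry"], rights)

def revoke(entry):
    """Invalidate the table entry; every capability that references it dies."""
    OBJECT_TABLE.pop(entry, None)
```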

ACLs vs Capabilities
ACLs
• Slow: OS has to read ACL for each object accessed.
• Easy to find/change rights on a particular object.
• Difficult to revoke privileges for a specific subject.
Capabilities
• Fast: OS always knows subject identity.
• Easy to find/change rights on a particular subject.
• Difficult to revoke privileges to a specific object.

Discretionary Access Control
• Discretionary Access Control, or DAC, refers to a scheme where users are given the ability to determine the permissions governing access to their own files.
  – DAC typically features the concept of both users and groups, and allows users to set access-control measures in terms of these categories.
  – In addition, DAC schemes allow users to grant privileges on resources to other users on the same system.

Concept: Reference monitor
• Whichever system we use to represent the Access Control Matrix, we still need a piece of code that will read that representation and enforce it
• Reference monitor: the part of a system that enforces access control decisions
• 3 properties:
  – Complete mediation: must always be called
  – Tamper-proof: adversary cannot influence it
  – Small: easy to verify its correctness

Mandatory Access Control
• Mandatory access control is a more restrictive scheme that does not allow users to define permissions on files, regardless of ownership. Instead, security decisions are made by a central policy administrator.
  – Each security rule consists of a subject, which represents the party attempting to gain access, an object, referring to the resource being accessed, and a series of permissions that define the extent to which that resource can be accessed.

3 Formal MAC Examples
• Bell-LaPadula model for the confidentiality of data
• Biba model for the integrity of data
• Chinese wall model for protecting the confidentiality (and integrity) of data from conflict of interest

Bell-LaPadula Model: A MAC Model for Achieving Multi-level Security
• Introduced in 1973
• Air Force was concerned with security in time-sharing systems
  – Many OS bugs
  – Accidental misuse
• Main Objective:
  – Prevent read access to objects at a security classification higher than the subject’s clearance
  – Enable one to formally show that a computer system can securely process classified information

Security Goal of BLP
• There are security classifications or security levels
  – Users/principals/subjects have security clearances
  – Objects have security classifications
• Example
  – Top Secret
  – Secret
  – Confidential
  – Unclassified
• In this case Top Secret > Secret > Confidential > Unclassified
• Security goal (confidentiality): ensures that information does not flow to those not cleared for that level


Approach of BLP
• Use state-transition systems to describe computer systems
• Define a system as secure iff every reachable state satisfies 3 properties
  – simple-security property, *-property, discretionary-security property
• Prove a Basic Security Theorem (BST)
  – so that one can prove a system is secure by proving things about the system description

Preliminary rules
• L(S): Security clearance of subject S
• L(O): Security classification of object O
• E.g.
  – L(“Thomas”) = Top Secret
  – L(“Document1”) = Secret

Preliminary rules • Simple Security Property, preliminary version: S can read O, iff L(O)