Presentation is loading. Please wait.

Presentation is loading. Please wait.

OS Security Access Control & Authentication. OS System vulnerabilities Operational fault Environmental fault Coding fault.

Published byPrimrose Lynch Modified over 8 years ago

Similar presentations

Presentation on theme: "OS Security Access Control & Authentication. OS System vulnerabilities Operational fault Environmental fault Coding fault."— Presentation transcript:

1 OS Security Access Control & Authentication

2 OS System vulnerabilities Operational fault Environmental fault Coding fault

3 Protection Mechanisms Concept of sharing resources – No Protection – Isolation – Share all or Share Nothing – Share via access limitation – Share via dynamic capabilities – Limit use of an object

4 Protection of Memory Protection based on an OS mode File sharing

5 Access Control Permit or deny the use of an object by a subject Services – Identification – Authentication – Authorization – Accountability Access Control Techniques

6 Security Models A model is a simplified representation used to explain a real world system Security models are used to design a system to protect secrets

7 Discretionary Access Control (DAC) No precise definition Widely used in modern operating systems In most implementations it has the notion of owner of an object The owner controls other users’ accesses to the object Allows access rights to be propagated to other subjects

8 Discretionary Access Control (DAC) Security Model The owner of an object controls who and what may access it. Access is at the owner’s discretion. – Example: shared file server where access permissions are administered by the owners (users) of its contents.

9 Access Control Matrix Abstract,formal security model used in computer systems Subjects Objects Rights

10 1) Access Control Matrix U V FG orw r subjects objects (and subjects) rights o – own r – read w – write

11 Subjects Are subjects users? user principals subjects

12 User - Principals One to many mapping between user and principals System authenticates user in the context of principal Shared principals (accounts) are not good for accountability userprincipals Alice Alice.Top-secret Alice.Secret Bob Bob.Dean Bob.Faculty Bob.Super-user

13 Principal - Subjects One to many mapping between principal and subjects A subject is a program or application run on behalf of principal Subjects are often treated the same as principal if all subjects of a principal have the same rights subjectsprincipal Alice.T op- secret Email Word Database

14 Objects An object is anything on which a subject can perform operations (mediated by rights) Usually objects are passive, for example – File – Directory (or Folder) – Memory segment But, subjects can also be objects, with operations – Kill – Suspend – Resume

15 Rights A right specifies what kind of access a subject can perform on an object – Own – Read – Write – Execute – Create – Delete – Transfer

16 Implementation of Access Control Matrix U V FG orw r subjects objects rights Capabilities ACL (Access Control Lists)

17 2) Access Control List (ACL) ACL – Each column of access control matrix is stored with corresponding object ACL requires subjects to be authenticated before access to a particular object U:o U:r U:w V:r V:o V:r V:w FG FilePointer Subj Access right F G U V V orw r

18 3) Capabilities Capabilities – Each row of access control matrix is stored with corresponding subject Capabilities do not require subjects to be authenticated but require – Capabilities are unforgeable – Propagation of capabilities are under control F/o, F/r, F/w F/r, G/o, G/r, G/w U V

19 Comparison of ACL and Capabilities ACL – Access rights stored with objects – Requires authentication of subjects – Provides access review on a per-object basis – Most operating systems such as UNIX and Windows use ACL to protect files Capabilities – Access rights stored with subjects – Requires unforgeability of capabilities and propagation control of capabilities – Provides revocation facilities on a per-subject basis – Used in authentication systems such as Kerberos

20 Problems with DAC in OS DAC cannot protect against – Trojan horse – Malware – Software bugs – Malicious local users It cannot control information flow

21 Mandatory Access Control (MAC) Security Model System controls access to resources When a subject requests access to an object – The system examines the user’s identity and access rights, and compares to access permissions of the object System then permits or denies the access – Example: shared file server where access permissions are administered by an administrator

22 Mandatory Access Control (MAC) Security Model MAC specifies the access that subjects have to objects based on subjects and objects classification – Based on security labels attached to subjects and objects Security label to subject  security clearance Security label to object  security classification – Users have no control of security labels, but information flow is restricted to certain can-flow paths This type of security has also been referred to as multilevel security

23 Multi-level Security Model Several levels of security – Such as Confidential, Secret, Top Secret People have varying levels of security clearance – Such as Confidential, Secret, Top Secret System will control access to objects according to their level and the level of the persons accessing them

24 Security levels A security level a category set The security level is an element from a totally ordered set - example {Top Secret (TS), Secret (S), Confidential (C), Unclassified (U)} where TS > S > C >U The category set is a set of elements, dependent from the application area in which data are to be used – example {Army, Navy, Air Force, Nuclear}

25 Hierarchical Structure Military security classes as security labels: Top secret Secret Confidential Unclassified High level Low level Can-flow

26 Security levels The security level,at a commercial site, you might define the following corporate hierarchy: {CORPORATE,BRANCH, DEPARTMENTS} In a commercial environment, your categories might correspond to company departments, product names, ad campaigns, or any other setup you wish to implement:– example {ACCOUNTING, PR, MARKETING, SALES, R&D}

27 Bell LaPadula Security Model (1973) A formal MAC model State machine model that addresses the confidentiality of information. Uses No Read Up & No Write Down

28 BLP Model Simple-security property ( ss – property) – Subject S can read object O only if Information can flow from label(O) to label(S) Star-property (*-property) – Subject S can write object O only if Information can flow from label(S) to label(O) Label(S ) Label(O) Can-flow Label(O) Label(S) Can-flow Read down Write up

29 Bell LaPadula Security Model (cont.) No Read Up (NRU ) – A subject can read all documents at or below his level of security, but cannot read any documents above his level of security – Prevents learning secrets at a higher security level – E.g., an unclassified user cannot read a top-secret document

30 Bell LaPadula Security Model (cont.) No Write Down (NWD) – A subject can write documents at or above his level of security, but cannot write documents below his level – Prevents leaks of secrets – E.g., cannot copy top secret file into secret file

31

32 Bell LaPadula Model Problem In Bell LaPadula – A subject at a lower security level can overwrite and potentially destroy secret information at a higher level (even though they cannot see it) – No Write Down and No Read Up don't prevent this "Write Up" operation Bell LaPadula protects confidentiality but not integrity

33 The Biba Integrity Model (1977) The first formal integrity model, by preventing modifications to data by unauthorized persons. A subject cannot read documents below his level (no read down, NRD) A subject cannot write documents above his level (no write up, NWU)

34 Biba Model To guarantee the integrity of the data, we need precisely the reverse properties. – The simple integrity principle: A process running at security level k can write only objects at its level or lower (no write up). – The integrity * property: A process running at security level k can read only objects at its level or higher (no read down).

35 Example: Military Orders Write Down is allowed – A General may write orders to a Colonel, who can issue these orders to a Major Integrity is preserved – In this fashion, the General's original orders are kept intact and the mission of the military is protected Write Up is forbidden – Conversely, a Private can never issue orders to his Sergeant, who may never issue orders to a Lieutenant, also protecting the integrity of the mission

36 Comparing the Models If you need to protect secrets, use Bell- Lapadula – No Write Down – No Read Up If you need to stay on target, use Biba – No Write Up – No Read Down Both of these are designed for the military, to protect high-level secrets

37 Role-based Access Control (RBAC) Security Model An improvement over the mandatory access control (MAC) security model Access permissions are granted to “roles” instead of “persons.” – Example: "Managers" can write to the Personnel folder, but "Help Desk Workers" cannot

38 Role-based Access Control (RBAC) Security Model (cont.) Simplifies management in a complex system with many users and objects, used for commercial applications Makes changes much easier, because they involve changes to roles instead of to individuals

39 Authentication Process of establishing whether a client is who or what it claims to be User identity can be confirmed by: Something you have Something you know Something you are

40 “Something you know…” Login procedures – Usually something you know Password leaks – Commonly used password – Explicitly told Voluntarily Trojan horse – Trial and error – Intercepted communication paper, camera, wiretap, file on disk, emanations password sniffing on networks Passwords are inconvenient – In client/server environment, user doesn’t want to enter password for every service she connects to

41 “Something you have” Authentication using a physical object Several subcategories One of interest here are cryptographic smart cards: – Store user’s digital certificate and/or private key – Used to prevent private keys from being “hacked” from user’s computer – What happens if a smart card is stolen?

42 “Something you are…” Authentication using Biometrics – Enrollment – Identification Fingerprint recognition Face recognition Voice Authentication etc…

43 “Something you are…” Biometrics

44 Official levels of Computer Security United States Government Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC)- “Orange Book” Requirements: 1.Specific security requirements 2.Assurance requirements

45 TCSEC /Orange Book 4 divisions- A,B,C,D – Specifies evaluation classes (D, C1, C2, B1, B2, B3, A1) – Specifies functionality and assurance requirements for each class Each class defines 4 requirements – Policy – Accountability – Assurance – Documentation

46 TCSEC Classes D – Minimal Protection C1 – Discretionary Security Protection – Identification and authentication and DAC – users processing data at common sensitivity level, separates users from data – Minimal Assurance, may be based on features, not evaluation C2 – Control led access protection – Adds object reuse and auditing – More testing requirements – Windows NT 3.5 evaluated C2

47 TCSEC Classes B1 – Labelled Security Protection – Adds MAC for some objects Controlled objects “labeled”, access control based on these – Stronger testing requirements. Information model of security policy. Bell-La Padula model. – Trusted Unix tended to be B1 B2 – Structured protection – MAC for all objects, including devices. – Design and implementation must enable thorough testing & review “well-defined largely independent modules” – Trusted Path. Least privilege. – Covert channel analysis, configuration management, more documentation, formal model of security policy

48 TCSEC Classes B3 – Security Domains – Requirements on code modularity, layering, simplicity. – Argument (short of proof) that implementation meets design specifications – Tamper-proof implementation – More stringent testing and documentation. – XTS-200/STOP A1 – Verified protection – Same functional requirements as B3 – Five criteria Formal model of protection and proofs of consistency/adequacy Formal specification for protection system Demonstration that specification corresponds to model of protection “proof” that implementation is consistent with specification Formal analysis of covert channel – Existence proof : Honeywell’s SCOMP

49 Trusted Computing Base – Hardware and software for enforcing security rules process Reference monitor – Part of TCB Reference – All system calls go through reference monitor for security checking – Most OS not designed this way

50

51

52 Security Breaches Interception Interruption Modification Fabrication Security Hole - Software & hardware vulnerability – Holes that allow DoS – Holes that allow Local users unauthorized access – Holes that allow Remote users unauthorized access

53 Other types: – FTP – Gopher – Telnet – Sendmail – ARP – Portmap

54 Threats Covert channel – Unauthorized, hidden channel of communications that exists within a legitimate communications channel – Includes timing attacks that leak data through changes in response times – Difficult to detect – Examples: unused fields in packets, steganography

55 Threats (cont.) Side channel attack – Observation of the physical characteristics of a system in order to make inferences on its operation – Examples: timing, power consumption, emanations State attacks – Time of check to time of use (TOCTTOU), also known as a race condition – Data can be altered between the time of check and the time of use ("winning the race")

56 Threats (cont.) Emanations – RF (radio frequency) emissions from CRTs and equipment Maintenance hooks and back doors – Secret master password – Really happened in "Lock My PC" -- link Ch 9i Privileged programs – Artifacts of development, testing – Can be used to elevate privileges

57 Countermeasures Reduce the potential of a threat by reducing its probability of occurrence or its impact – Sniffers (bug detectors) – Source code reviews – Auditing tools Filesystem integrity, like Tripwire Configuration checking like Windows Defender Log analyzers – Penetration testing – Application vulnerability testing

Download ppt "OS Security Access Control & Authentication. OS System vulnerabilities Operational fault Environmental fault Coding fault."

Similar presentations

Operating System Security

Operating System Security
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
CSE331: Introduction to Networks and Security Lecture 34 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 34 Fall 2002.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013

1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013
Access Control Methodologies

Access Control Methodologies
Database Security - Farkas 1 Database Security and Privacy.

Database Security - Farkas 1 Database Security and Privacy.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Secure Operating Systems Lesson 0x11h: Systems Assurance.

Secure Operating Systems Lesson 0x11h: Systems Assurance.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Information Systems Security Security Architecture Domain #5.

Information Systems Security Security Architecture Domain #5.
User Domain Policies.

User Domain Policies.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

Similar presentations

Ads by Google