Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Theory => Practice Nicolas T. Courtois - University College London.

Published byBerenice Cathleen Cain Modified over 8 years ago

Similar presentations

Presentation on theme: "Access Control Theory => Practice Nicolas T. Courtois - University College London."— Presentation transcript:

1 Access Control Theory => Practice Nicolas T. Courtois - University College London

2 CompSec COMPGA01 Nicolas T. Courtois, January 2009 2 Roadmap Policies and Mechanisms Set models, Maths: Relations, Bounds, Lattices Reference Monitor model DAC, Matrix model DAC in practical OS (slides part 04)

3 Reading Nicolas T. Courtois, January 2009 3 Home reading Security Policies: Section 2.2.1 discussed in the context of management! Partial orderings, Lattices: Section 5.8 Reference Monitor: Section 5.2. + page 88 –Deeper study outside of scope of this course: pages 89-90. DAC, ownership, matrices, basic rights; Sections 5.3. – 5.5.

4 CompSec COMPGA01 Nicolas T. Courtois, January 2009 4 Preface

5 CompSec COMPGA01 Nicolas T. Courtois, January 2009 5 Can We Help? insecure rubbish! Science vs.

6 CompSec COMPGA01 Nicolas T. Courtois, January 2009 6 History There is a substantial amount of theory about access control. –When UNIX systems were developed, more or less at the same time, researchers have tried to formalize what access control should be doing… –Influence of pure mathematicians on the topic… Designers of OS, HTTP servers, database systems etc. have developed highly complex systems, learning from this research, and/or from hacker attacks, Trojans etc. Windows NT and now commercial security/firewall packages (with lots of detailed controls), and Vista etc. were developed much later. –and with additional complexity that does not exist in Unix.

7 CompSec COMPGA01 Nicolas T. Courtois, January 2009 7 Is There a Need For Access Control ? The problem of access control remains largely unsolved. And seems almost unsolvable, –OS+add-on security all-in-one security packages will either decide everything for you, or leave the customer with choices that nobody understands

8 CompSec COMPGA01 Nicolas T. Courtois, January 2009 8 Policies

9 CompSec COMPGA01 Nicolas T. Courtois, January 2009 9 Security Policy: Meaning we want to use: Policy, is what we want. How things should be.

10 CompSec COMPGA01 Nicolas T. Courtois, January 2009 10 A Security Policy: Short, succinct statement. High-level. Describes what is and what is not allowed. Security and protection requirements, rules, and goals. It defines what it means to be “secure” for a system or organisation/entity. Here, it usually means a set of requirements. Here, it means usually a set of behaviour rules to obey.

11 CompSec COMPGA01 Nicolas T. Courtois, January 2009 11 W7 has a “Local Security Policy” Can be edited

12 CompSec COMPGA01 Nicolas T. Courtois, January 2009 12 Mechanisms

13 CompSec COMPGA01 Nicolas T. Courtois, January 2009 13 Policies and Mechanisms Mechanisms are there to enforce policies. various sorts of mechanisms, HW, SW, crypto, and combinations… A policy can be implemented in several different ways, relying on different mechanisms.

14 CompSec COMPGA01 Nicolas T. Courtois, January 2009 14 Formalization: Sets

15 CompSec COMPGA01 Nicolas T. Courtois, January 2009 15 A Security Policy – Abstract view Describes what is and what is not allowed. Can be mathematically formalized as follows: All possible “states of the world” P in a system are partitioned into allowed states Q  P and non-allowed states P-Q  P. Beware: in this formulation, these are not merely states of a PC. They need to encompass the user and all the entities in involved. Example: user A is reading the file f at 10h should define a distinct subset of the universe of possible outcomes. A S ecurity Mechanism => May restrict the system to a subset of states R  P.

16 CompSec COMPGA01 Nicolas T. Courtois, January 2009 16 Secure vs. Precise vs. Broad States allowed by the policy Q  P. States allowed by the mechanism R  P. Def. [Bishop] A mechanism is secure iff R  Q. All that ever happens is acceptable, but certain things could be forbidden for no reason. A mechanism is precise iff R = Q. All that can ever happen is exactly what is allowed. A mechanism is broad iff R  Q – (could be called insecure) Allowing of unwanted or “insecure” states.

17 CompSec COMPGA01 Nicolas T. Courtois, January 2009 17 More Maths

18 CompSec COMPGA01 Nicolas T. Courtois, January 2009 18 Relations Let A be a set. We call relation any subset R  AxA. We write things such as: a R b which reads a is “in relation R” to b set of all ordered pairs a_1,a2

19 CompSec COMPGA01 Nicolas T. Courtois, January 2009 19 Example of a Relation Let a,b  NI Definition: a | b iff  x  NI such that ax=b.

20 CompSec COMPGA01 Nicolas T. Courtois, January 2009 20 Relations Sub-categories: equivalence relations, order relations (orderings), etc.

21 CompSec COMPGA01 Nicolas T. Courtois, January 2009 21 Order Relations Order: 1.Reflexive: a  a 2.Antisymmetric: if a  b and b  a then a = b. 3.Transitive a  b and b  c implies a  c. Partial ordering: For any couple a,b we have either a  b or b  a or neither – when we say that “ a and b are unrelated ”. Total ordering (= linear order = simple order = chain): 4. For any couple a,b we have either a  b or b  a. all pairs are related = mutually comparable

22 CompSec COMPGA01 Nicolas T. Courtois, January 2009 22 POSET = Partially Ordered Set A set A and an order relation . Poset is the couple (A,  ). Maths view: we write formulas on the board and we use axioms 123 on the last slide to prove theorems. Pragmatic computational functional view of a relation: we have objects a  A data type A 2-ary function called  : AxA  {True, False}.

23 CompSec COMPGA01 Nicolas T. Courtois, January 2009 23 Example of a POSET Let a,b  NI Definition: a | b means  x such that ax=b. (NI, |) is a poset Reflexive: a | a Antisymmetric: if a | b and b | a then a = b. Transitive a | b and b | c implies a | c. Proof: But not a total order: Prove it:

24 CompSec COMPGA01 Nicolas T. Courtois, January 2009 24 Example 2 of a POSET Let  be an alphabet Let  * be the set of all strings over . Define Prefix(a,b) formally

25 CompSec COMPGA01 Nicolas T. Courtois, January 2009 25 Example 2 of a POSET Let  be an alphabet Let  * be the set of all strings over . Def: Prefix(a,b) iff  c s.t. a||c=b Theorem: (  *, Prefix) is a poset. Proof?

26 CompSec COMPGA01 Nicolas T. Courtois, January 2009 26 Example 2 of a POSET Let  be an alphabet Let  * be the set of all strings over . Def: Prefix(a,b) iff  c in  * s.t. a||c=b Theorem: (  *, Prefix) is a poset. Relation Prefix is a partial ordering.

27 CompSec COMPGA01 Nicolas T. Courtois, January 2009 27 Example 2 of a POSET Let  be an alphabet Let  * be the set of all strings over . Def: Prefix(a,b) iff  c in  *s.t. a||c=b Theorem: (  *, Prefix) is a poset. Relation Prefix is a partial ordering. R A T

28 CompSec COMPGA01 Nicolas T. Courtois, January 2009 28 Example 2 of a POSET Let  be an alphabet Let  * be the set of all strings over . Def: Prefix(a,b) iff  c in  * s.t. a||c=b Theorem: (  *, Prefix) is a poset. Relation Prefix is a partial ordering. Reflexive: a is a prefix of a Anti-symmetric: if a is a prefix of b and b is a prefix of a then a = b. Transitive a is a prefix of b and b is a prefix of c, it implies a is a prefix of c. But not a total order if there are at least 2 symbols: Prove it.

29 CompSec COMPGA01 Nicolas T. Courtois, January 2009 29 Applications Order relations are useful in formalising and analysing security …

30 CompSec COMPGA01 Nicolas T. Courtois, January 2009 30 Bounds Exist for both total and partial orders. Total orders are simple in sense they are “ one- dimensional ”. Like a straight line … Partial orders describe much more complex situations …

31 CompSec COMPGA01 Nicolas T. Courtois, January 2009 31 Bounds Definition: u is an upper bound for a and b iff a  u and b  u. Definition: v is an lower bound for a and b iff v  a and v  b. a b u v

32 CompSec COMPGA01 Nicolas T. Courtois, January 2009 32 LUB = Least Upper Bound = Supremum = Sup = Join a b x y u

33 CompSec COMPGA01 Nicolas T. Courtois, January 2009 33 LUB = Least Upper Bound = Supremum = Sup = Join a  b and we have the dual concept: GLB = Greatest Lower Bound = Infimum = Inf = Meet a  b

34 CompSec COMPGA01 Nicolas T. Courtois, January 2009 34 LUB = Least Upper Bound = Supremum = Sup = Join a  b and we have the dual concept: GLB = Greatest Lower Bound = Infimum = Inf = Meet a  b defined in the same way … BTW. we say “ greatest lower bound for a and b ” or “ a Wedge b ” In LaTeX \wedge

35 CompSec COMPGA01 Nicolas T. Courtois, January 2009 35 Funny Example Claim 1: NI,  is a total ordering. Proof: check 123+total Claim 2: 1 is the biggest element of NI. Proof: Let u be the biggest integer. #: Assume u>1 (which definition means u  1 AND u  1). It follows that u 2 >u. It follows that u 2 is even bigger, so u is not the biggest integer. So our Assumption # was wrong. So u  1. So u=1 (0 is smaller and must be excluded).

36 CompSec COMPGA01 Nicolas T. Courtois, January 2009 36 Important Bounds do NOT have to exist. Least upper bounds don ’ t have to exist either.

37 CompSec COMPGA01 Nicolas T. Courtois, January 2009 37

38 CompSec COMPGA01 Nicolas T. Courtois, January 2009 38 Lattices Definition: An ordered set S,  Is called a lattice if:  a, b the LUB a  b exists.  a, b the GLB a  b exists. More about lattices later in part 02c!!!!!!!

39 CompSec COMPGA01 Nicolas T. Courtois, January 2009 39 Example: “ Hasse Diagram ” Top Secret, {army, nuclear} Top Secret, {army} Top Secret, {nuclear} Secret, {army, nuclear} Top Secret, {} Secret, {army} Secret, {nuclear} Secret, {}

40 CompSec COMPGA01 Nicolas T. Courtois, January 2009 40 File Access Control

41 CompSec COMPGA01 Nicolas T. Courtois, January 2009 41 Example of a Security Policy No user should be able to access other user’s files. Benefits: Accountability Trace-ability Confidentiality, Privacy Two methods to implement this, can be combined: 1.Follow the people: authentication, authorization. 2.Follow the data: information flow control.

42 CompSec COMPGA01 Nicolas T. Courtois, January 2009 42 Users, Subjects, Principals Me process running as me create through authentication and authorization ownership User, Principal Subject our book says principals == uniquely and reliably identified human users HOWEVER… can make a distinction:

43 CompSec COMPGA01 Nicolas T. Courtois, January 2009 43 Distinction Users vs. Principals One to Many. Me process running as login2 create through authentication and authorization ownership User login2 login1 Principal = def: Unit of Access Control and Authorization Subject similar in Java Principal == human readable name

44 CompSec COMPGA01 Nicolas T. Courtois, January 2009 44 Subjects and Objects Me process running as me/login2 access through authorization access control occurs at 2 moments! User, Principal, Subject Object resource ? policy reference monitor In Unix processes are both subjects and objects, we can execute operations on processes: kill, suspend, resume.. process2

45 CompSec COMPGA01 Nicolas T. Courtois, January 2009 45 Reference Monitor resource user process reference monitor access request policy ?

46 CompSec COMPGA01 Nicolas T. Courtois, January 2009 46 Reference Monitor Must be: 1.tamperproof, 2.always-invoked = non-bypassable = a.k.a. complete mediation 3.economical, simple –small enough to be build in a rigorous way, and fully tested and analysed Windows: exists since Windows NT.

47 CompSec COMPGA01 Nicolas T. Courtois, January 2009 47 **Optional Reading: At which level/place to implement the Reference Monitor? – Section 6.1.1. More than reference monitor: TCB = Trusted Computing Base or Security Kernel (very closely related concepts): –like all the protections inside the computer combined together… –combination of hardware and software –fundamental “low layers” of a secure OS…

48 CompSec COMPGA01 Nicolas T. Courtois, January 2009 48 Technical Difficulties Residue Channels –Inadvertent or built-in duplication/storage of information. need to actively clean disk sectors, memory, CPU cache etc. Covert Channels –information is leaking intentional or not (side channels).

49 CompSec COMPGA01 Nicolas T. Courtois, January 2009 49 Access Control Models Formally and mathematically define the access control method. It should be: Complete –Encompass all our security desiderata. Consistent. –Free of contradictions.

50 CompSec COMPGA01 Nicolas T. Courtois, January 2009 50 Access Control Models Benefits: We can formally prove security properties of a system. Derived from basic premises. Nice split between conceptual and practical security: Prove that model is “secure”. And that the implementation is correct. Allows to claim that security is achieved. And if it isn’t, we should be able to blame EITHER the model OR the implementation, without any ambiguity.

51 CompSec COMPGA01 Nicolas T. Courtois, January 2009 51 3 Main Paradigms of Access Control Discretionary Access Control (DAC) Owners decide about rules, at their discretion, can pass rights on others Mandatory Access Control (MAC) System-wide policy, possibly denying users full control over the access to resources they created Role-Based Access Control (RBAC) frequently combined

52 CompSec COMPGA01 Nicolas T. Courtois, January 2009 52 Two levels In most policies, except in pure Mandatory AC policies. Two main levels: Access Control Policy. –who can access the resources? Administrative Policy. –who can specify rules and authorizations? And big problem: things change. Ownership can be changed. Permissions can be changed.

53 CompSec COMPGA01 Nicolas T. Courtois, January 2009 53 Discretionary Access Control

54 CompSec COMPGA01 Nicolas T. Courtois, January 2009 54 What is DAC? DAC policies are a family of access control policies. 1.They enforce the access to files on the basis of identity of the requestors explicit access rules: 2.In addition, files have owners “Discretionary” means: the owner can grant/revoke rights for others

55 CompSec COMPGA01 Nicolas T. Courtois, January 2009 55 Matrix Paradigm [Lampson,Graham-Denning, Harrison-Ruzzo-Ullmann] A way to describe mathematically access conditions A set S of Subjects (Principals). A set O of Objects (e.g. files). A set A of Operations. Example: A={read,append,write}. An access control matrix. M=(M so ) s  S o  O Where each entry M so  A.

56 CompSec COMPGA01 Nicolas T. Courtois, January 2009 56 Matrix - Example Example: S={System,Admin,Bob}. O={exe,doc}. A={read,write,exec,delete}. M= m.exea.doc System{x,r,w,d} {r,w,d} Admin{x,w,d}{w,r,d} Bob{x}{r,w} rights Objects SubjectsSubjects

57 CompSec COMPGA01 Nicolas T. Courtois, January 2009 57 Examples: Standard File Systems

58 CompSec COMPGA01 Nicolas T. Courtois, January 2009 58 Simple Example - Unix S={Process1;User1}. O={file2; directory3; process5; device6}. A={r, w, exe}. ls -l=>-rwx-r-x—- the famous “9 bits”: user group other

59 CompSec COMPGA01 Nicolas T. Courtois, January 2009 59 Windows NT In comparison - excessively complex, more recent. Required: NTFS, the Microsoft file system designed to work in multi-user environments. Win NT/XP and later.

60 CompSec COMPGA01 Nicolas T. Courtois, January 2009 60 DAC in Practice

61 CompSec COMPGA01 Nicolas T. Courtois, January 2009 61 Matrices - Implementation Matrix storage: waste of space, not very practical. Authorization table – sparse matrix kind Capabilities - rows Access Control Lists (ACL) - columns

62 CompSec COMPGA01 Nicolas T. Courtois, January 2009 62 Matrices - Authorization Tables Authorization tables, –Commonly used in relational DBMS –Store table of non-null triples (s,o,a).

63 CompSec COMPGA01 Nicolas T. Courtois, January 2009 63 Matrices – ACLs and Capabilities Access Control Lists (ACL) –store M by columns, –together with each object, Capabilities –store M by rows. –for each user store his capabilities, most popular, Unix, Win

64 CompSec COMPGA01 Nicolas T. Courtois, January 2009 64 In theory… ACLs are widely used (Linux, Windows, etc.) In theory, Access Control Lists (ACLs) and capabilities represent the same thing. So if we implement ACLs, no need for capabilities. In practice however, they lead to very different systems.

65 CompSec COMPGA01 Nicolas T. Courtois, January 2009 65 Managing Permissions With ACLs, the power to edit the authorities (permissions) is aggregated by resource. naturally compatible with Discretionary Access Control, owners With capabilities it will be rather aggregated by Subjects.

66 CompSec COMPGA01 Nicolas T. Courtois, January 2009 66 Authentication ACL's: –store rights together with each object, –requires a form of authentication of subjects at the moment of access Capabilities: –for each user store his capabilities, –does not require authentication of subjects: capabilities are explicit rights in a form of a token, that represents the user’s capabilities. –but require some form of unforgeability + maybe some form control of propagation of capabilities… token: –now the hacker may try to copy this token from one user to another. So it should be cryptographically signed, and depend on the user’s ID! (some people encrypt capabilities too).

67 CompSec COMPGA01 Nicolas T. Courtois, January 2009 67 Fast Access, Review, revocation ACL's provide faster access, review and revocation on a per-object basis but if we want to revoke permissions for a particular user, we have to search a whole hard drive… capabilities provide faster access and review and revocation on a per-subject basis

68 CompSec COMPGA01 Nicolas T. Courtois, January 2009 68 Least Privilege capabilities are better in this respect, especially for dynamic short-lived subjects created for specific tasks

69 CompSec COMPGA01 Nicolas T. Courtois, January 2009 69 Ambient Authority = def = Making a request that only specifies the names of the object(s) involved and the operation to be performed on them, is enough for a permitted action to succeed.  dominant method today (POSIX ACLs, Windows as well). With capability-based security programs receive also permissions as they might receive data. –this allows programs to determine where the permissions came from.

70 CompSec COMPGA01 Nicolas T. Courtois, January 2009 70 The Confused Deputy Problem Definition: The confused deputy problem occurs when one process tricks another process to do an action he doesn’t have permissions to do. Example 1: A compiler is given a permission to write in a directory. The user compiles a program and specifies some very special filename for the output log. So he can overwrite some files he should not have access to.

71 CompSec COMPGA01 Nicolas T. Courtois, January 2009 71 Composition of Policies

72 CompSec COMPGA01 Nicolas T. Courtois, January 2009 72 Composition of Policies Combine all the benefits of DAC and MAC? Windows and Unix do it. The simplest method: (works like a logical AND) –allow an operation only if all policies implemented allow it.

73 CompSec COMPGA01 Nicolas T. Courtois, January 2009 73 Quiz

74 CompSec COMPGA01 Nicolas T. Courtois, January 2009 74 Quiz What is a A security policy for an organisation? For a system? A “broad” security mechanism? opposite of it? An order relation (RAT) Give an example of a totally ordered set. Give an example of an order that is NOT a total order. GLB? The dual notion? Lattice?

Download ppt "Access Control Theory => Practice Nicolas T. Courtois - University College London."

Similar presentations

Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Operating System Security

Operating System Security
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
SE571 Security in Computing

SE571 Security in Computing
User Domain Policies.

User Domain Policies.
Distributed Computer Security 8.2 Discretionary Access Control Models - Liang Zhao.

Distributed Computer Security 8.2 Discretionary Access Control Models - Liang Zhao.
Lecture 7 Access Control

Lecture 7 Access Control
Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.

Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.
Present by Napasakorn Sukjay Poom Samaharn

Present by Napasakorn Sukjay Poom Samaharn
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
CS426Fall 2010/Lecture 191 Computer Security CS 426 Lecture 19 Discretionary Access Control.

CS426Fall 2010/Lecture 191 Computer Security CS 426 Lecture 19 Discretionary Access Control.
Protection.

Protection.

Similar presentations

Ads by Google