Authorization and Policy. Is principal P permitted to perform action A on object O? – Authorization system will provide yes/no answer Authorization.


Authorization and Policy

Authorization

Is principal P permitted to perform action A on object O?
– The authorization system provides a yes/no answer

Access Control

Who is permitted to perform which actions on what objects?
Access Control Matrix (ACM)
– Columns indexed by principal
– Rows indexed by object
– Elements are arrays of permissions indexed by action
In practice, ACMs are abstract objects
– Huge and sparse
– Possibly distributed

Example ACM

File/User     Tom                      Dick    Harry
Readme.txt    read                     read    read, write
passwords                                      write
Term.exe      read, write, execute

Instantiations of ACMs

Access Control Lists (ACLs)
– For each object, list the principals and the actions permitted on that object
– Corresponds to rows of the ACM

File          ACL
Readme.txt    Tom: read, Dick: read, Harry: read, write
passwords     Harry: write
Term.exe      Tom: read, write, execute

Instantiations of ACMs

Capabilities
– For each principal, list the objects and the actions permitted for that principal
– Corresponds to columns of the ACM
The Unix file system is an example of…?

User     Capabilities
Tom      Readme.txt: read, Term.exe: read, write, execute
Dick     Readme.txt: read
Harry    Readme.txt: read, write; passwords: write
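The two instantiations above are just two ways of slicing the same matrix. The following is an added example (not code from the slides) that stores the example ACM, answers the yes/no authorization question, and derives the ACL (row) and capability (column) views from it:

```python
# Added example (not from the slides): the example ACM from the slides as a
# sparse matrix, the two instantiations derived from it, and the yes/no
# authorization query "is principal P permitted to perform action A on O?".
from collections import defaultdict

# Columns = principals, rows = objects, cells = set of permitted actions.
# Same data as the "Example ACM" slide; empty cells are simply absent.
ACM = {
    "Readme.txt": {"Tom": {"read"}, "Dick": {"read"}, "Harry": {"read", "write"}},
    "passwords":  {"Harry": {"write"}},
    "Term.exe":   {"Tom": {"read", "write", "execute"}},
}

def is_permitted(principal, action, obj, acm=ACM):
    """The authorization question; an unknown object or principal is a 'no', never an error."""
    return action in acm.get(obj, {}).get(principal, set())

def acl_for(obj, acm=ACM):
    """ACL view: one row of the matrix, stored with the object."""
    return {p: sorted(a) for p, a in acm.get(obj, {}).items()}

def capabilities_for(principal, acm=ACM):
    """Capability view: one column of the matrix, stored with the principal."""
    caps = {}
    for obj, row in acm.items():
        if principal in row:
            caps[obj] = sorted(row[principal])
    return caps

def acls_to_acm(acls):
    """Rebuild the (sparse) matrix from per-object ACLs; the same data round-trips."""
    acm = defaultdict(dict)
    for obj, entries in acls.items():
        for principal, actions in entries.items():
            acm[obj][principal] = set(actions)
    return dict(acm)
```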

Types of Access Control

– Discretionary
– Mandatory
– Rule-based
– Role-based
– Originator-controlled

Discretionary Access Control

Owners control access to objects
Access permissions are based on the identity of the subject/object
E.g., access to health information

Mandatory Access Control

Rules are set by the system and cannot be overridden by owners
Each object has a classification and each subject has a clearance (unclassified, classified, secret, top-secret)
Rules speak about how to match categories and classifications
– Access is granted on a match

Role-Based Access Control

Ability to access objects depends on one's role in the organization
Roles of a user can change
– Restrictions may limit holding multiple roles simultaneously, within a session, or over longer periods
– Supports separation of roles
Maps to the organization structure
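An added example (not from the slides) of the RBAC model just described: permissions attach to roles, users are assigned roles, and a constraint stops two conflicting roles from being active in the same session. The roles, users and objects are constructed for illustration.

```python
# Added example (not from the slides): minimal RBAC with per-session role
# activation and a "may not hold both roles in one session" constraint.
ROLE_PERMISSIONS = {   # constructed sample roles: role -> {(object, action)}
    "clerk":    {("ledger", "read"), ("invoice", "create")},
    "approver": {("invoice", "approve")},
    "auditor":  {("ledger", "read"), ("invoice", "read")},
}
USER_ROLES = {"ann": {"clerk", "approver"}, "ben": {"auditor"}}
# Role pairs that must not be active together in one session (separation of duties)
EXCLUSIVE_ROLES = {frozenset({"clerk", "approver"})}

class Session:
    """A user's session; permissions come only from the roles activated in it."""
    def __init__(self, user):
        self.user = user
        self.active = set()

    def activate(self, role):
        if role not in USER_ROLES.get(self.user, set()):
            raise PermissionError(f"{self.user} is not assigned role {role}")
        for pair in EXCLUSIVE_ROLES:
            if role in pair and (pair - {role}) & self.active:
                raise PermissionError(f"{role} conflicts with a role already active")
        self.active.add(role)

    def permitted(self, obj, action):
        return any((obj, action) in ROLE_PERMISSIONS[r] for r in self.active)
```

Ann may use each of her roles in separate sessions, but creating and approving the same invoice in one session is blocked by the constraint.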

Authorization

The final goal of security
– Determine whether to allow an operation
Depends upon
– Policy
– Authentication

Policy

Policy defines what is allowed and how the system and security mechanisms should act
Policy is enforced by a mechanism which interprets it, e.g.
– Firewalls
– IDS
– Access control lists
Implemented as
– Software (which must be implemented correctly and without vulnerabilities)

Policy models: Bell-LaPadula

Focuses on controlled access to classified information and on confidentiality
– No concern about integrity
The model is a formal state transition model of computer security policy
– Describes a set of access control rules which use security classifications on objects and clearances for subjects
To determine if a subject can access an object
– Combine mandatory and discretionary AC (ACM)
– Compare the object's classification with the subject's clearance (Top Secret, Secret, Confid., Unclass.)
– Allow access if the ACM and the level check both say it's OK

Policy models: Bell-LaPadula

Mandatory access control rules:
– A subject at a given clearance may not read an object at a higher classification (no read-up)
– A subject at a given clearance must not write to any object at a lower classification (no write-down)
Trusted subjects – the "no write-down" rule does not apply to them
– Transfer info from high clearance to low clearance
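The two slides above describe one decision procedure: the ACM check and the level check must both pass, and trusted subjects are exempt only from no-write-down. An added example (not from the slides) with constructed subjects, objects and clearances:

```python
# Added example (not from the slides): Bell-LaPadula decision combining the
# discretionary ACM with the mandatory level comparison. Levels, subjects,
# objects and the ACM below are constructed sample data.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

CLEARANCE = {"alice": "Top Secret", "bob": "Confidential", "downgrader": "Top Secret"}
CLASSIFICATION = {"war_plan": "Top Secret", "cafeteria_menu": "Unclassified"}
ACM = {   # discretionary part: object -> principal -> actions
    "war_plan":       {"alice": {"read", "write"}, "bob": {"read", "write"}, "downgrader": {"read"}},
    "cafeteria_menu": {"alice": {"read", "write"}, "bob": {"read", "write"}, "downgrader": {"write"}},
}
TRUSTED_SUBJECTS = {"downgrader"}   # exempt from no-write-down only

def mandatory_ok(subject, action, obj):
    s = LEVELS[CLEARANCE[subject]]
    o = LEVELS[CLASSIFICATION[obj]]
    if action == "read":             # simple security property: no read-up
        return s >= o
    if action == "write":            # *-property: no write-down (trusted subjects excepted)
        return o >= s or subject in TRUSTED_SUBJECTS
    return False                     # unknown action: deny

def discretionary_ok(subject, action, obj):
    return action in ACM.get(obj, {}).get(subject, set())

def blp_permitted(subject, action, obj):
    """Allow only if both the ACM and the level check say it's OK."""
    return discretionary_ok(subject, action, obj) and mandatory_ok(subject, action, obj)
```

Note that the ACM still binds a trusted subject: the exemption removes the level check on writes, not the discretionary check.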

Intrusions

Disclaimer

Some techniques and tools mentioned in this class could be:
– Illegal to use
– Dangerous for others – they can crash machines and clog the network
– Dangerous for you – by downloading the attack code you provide the attacker with info about your machine
Don't use any such tools in real networks
– Especially not on the USC network
– You can only use them in a controlled environment, e.g. the DeterLab testbed
Dangerous

Intrusions

I thought that this was a security course. Why are we learning about attacks?
Why do people break into computers?
– Fame, profit, politics
What type of people usually breaks into computers?
– Used to be young hackers
– Today mostly organized criminals

Intrusion Scenario

– Reconnaissance
– Scanning
– Gaining access at OS, application or network level
– Maintaining access
– Covering tracks

Phase 1: Reconnaissance

Get a lot of information about the intended target:
– Learn how its network is organized
– Learn any specifics about the OS and applications running

Low Tech Reconnaissance

Social engineering
– Instruct the employees not to divulge sensitive information on the phone
Physical break-in
– Insist on using badges for access, everyone must have a badge, lock sensitive equipment
– How about wireless access?
Dumpster diving
– Shred important documents

Web Reconnaissance

Search the organization's web site
– Make sure not to post anything sensitive
Search information on various mailing list archives and interest groups
– Instruct your employees what info should not be posted
– Find out what is posted about you
Search the Web to find all documents mentioning this company
– Find out what is posted about you

Whois and ARIN Databases

When an organization acquires a domain name it provides information to a registrar
Public registrar files contain:
– Registered domain names
– Domain name servers
– Contact people names, phone numbers, addresses
ARIN database
– Range of IP addresses

Domain Name System

What does DNS do?
How does DNS work?
Types of information an attacker can gather:
– Range of addresses used
– Address of a mail server
– Address of a web server
– OS information
– Comments

Interrogating DNS – Zone Transfer

$ nslookup
Default server: evil.attacker.com
Address:
> server dns.victimsite.com
Default server: dns.victimsite.com
Address:
> set type=any
> ls -d victimsite.com
system1    1D IN A
           1D IN HINFO  "Solaris 2.6 Mailserver"
           1D IN MX     10 mail1
web1       1D IN A
           1D IN HINFO  "NT4www"
Dangerous

Protecting DNS

Provide only necessary information
– No OS info and no comments
Restrict zone transfers
– Allow only a few necessary hosts
Use split-horizon DNS
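A defender can audit their own zone for the first point above before an attacker does. An added example (not from the slides) that parses a listing in the `ls -d` style shown on the previous slide and flags the HINFO and TXT records that leak OS details or comments; the zone data and addresses are constructed.

```python
# Added example (not from the slides): flag records in a zone listing that
# leak information the "Protecting DNS" slide says to remove (HINFO with
# OS/hardware details, free-text TXT comments).
import re

# Constructed zone listing in nslookup "ls -d" style; a blank owner name
# means "same owner as the previous record". Addresses are documentation-range.
ZONE_LISTING = """\
system1   1D IN A     192.0.2.10
          1D IN HINFO "Solaris 2.6" "Mailserver"
          1D IN MX    10 mail1
web1      1D IN A     192.0.2.20
          1D IN HINFO "NT4" "www"
          1D IN TXT   "spare box, see ops wiki for login details"
mail1     1D IN A     192.0.2.11
"""

LEAKY_TYPES = {"HINFO": "advertises OS/hardware", "TXT": "free-text comment"}
RECORD_RE = re.compile(r"^(\S*)\s+(\S+)\s+IN\s+(\S+)\s+(.*)$")

def parse_listing(text):
    """Yield (owner, type, rdata) triples, filling in blank owner names."""
    owner = None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue                     # skip non-record lines (prompts, banners)
        name, _ttl, rtype, rdata = m.groups()
        owner = name or owner
        yield owner, rtype.upper(), rdata.strip()

def find_leaks(text):
    """Return [(owner, type, rdata, reason)] for records that leak information."""
    return [(o, t, r, LEAKY_TYPES[t]) for o, t, r in parse_listing(text) if t in LEAKY_TYPES]
```

The same check is equally valid against a zone file exported from the server, which is where a defender would normally run it.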

Split-horizon DNS

Show a different DNS view to external and internal users
(Diagram: employees query the internal DNS, external users query the external DNS; hosts shown: web server, mail server, internal DB)