CIT 380: Securing Computer Systems

CIT 380: Securing Computer Systems Slide #1

Access Control

UNIX Access Control Model• UID

– integer user ID – UID=0 is root

• GID– integer group ID– Users can belong to multiple groups

UNIX File PermissionsThree sets of permissions:

– User owner

– Group owner

– Other (everyone else)

Three permissions per group– read

– write

– execute

• UID 0 can access regardless of permissions.• Files: directories, devices (disks, printers), IPC

UNIX File PermissionsBest-match policy

– OS applies permission set that most closely matches.

– You can be denied access by best match even if you match another set.

Directories– read = listing of directory– execute = traversal of directory– write = add or remove files from directory

Octal Permission NotationEach set (u,g,o) is represented by an octal digit.

Each permission (r,w,x) is one bit within a digit.

ex: chmod 0644 fileu: rw, g: r, o: r

ex: chmod 0711 binu: rwx, g: x, o: x

4 read setuid

2 write setgid

1 execute sticky

Changing Ownershipnewgrp

– Group owner of files is your default group.– Changes default group to another group to

which you belong.chgrp

– Changes group owner of existing file.chmod

– Changes owner of existing file.– Only root can use this command.

Default Permissions: umask• Determines access permissions given to

newly created files

• Three-digit octal number– Programs default to 0666– Umask modifies to: 0666 & ~umask– ex: umask=022 => file has mode 0644– ex: umask=066 => file has mode 0600

Access Control• What is Access Control?• Access Control Matrix Model

– Protection State Transitions– Special Rights– Principle of Attenuation of Privilege

• Groups and Roles• Implementation of the Access Control Matrix

– Access Control Lists: by column (object).– Capabilities: by row (subject).– UNIX

• Hardware Protection

Why study Access Control?• Center of gravity of computer security

– Why do we authorize users?– What security features do OSes provide?– What’s the purpose of cryptography?– Access Control is pervasive.

• Access Control is where Computer Science meets Security Engineering.– We’ll start with theory (computer science)– Then examine implementations (engineering)

Access Control is Pervasive

Application

Middleware

Operating System

Hardware

Access Control is Pervasive1. Application

• Complex, custom security policy.• Ex: Amazon account: wish list, reviews, purchases

2. Middleware• Database, system libraries, 3rd party software• Ex: Credit card authorization center

3. Operating System• File ACLs, account permissions

4. Hardware• Memory management, hardware device access.

Access Control Matrix• Precisely describes protection state of system.

• Sets of system states:– P: Set of all possible states.

– Q: Set of allowed states, according to security policy.

– P-Q: Set of disallowed states.

• ACM describes the set of states Q.

Access Control Matrix• As system changes, state changes.

– State transitions.– Only concerned with protection state.

• ACM must be enforced by a mechanism that limits state transitions to those that go from one element of Q to another.

Access Control Matrix

objects (entities)

o1 … om s1 … sn

• Objects O = { o1,…,om }– All protected entities.

• Subjects S = { s1,…,sn }– Active entities, S

• Rights R = { r1,…,rk }

• Entries A[si, oj] R

• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj

Access Control Matrix• Subjects

– Users– Processes (Programs)

• Objects– Processes (Programs)– Files

Access Control Matrix• Rights

– Read (r)– Write (w)– Execute (x)– Append (a)– Owner (o)– Copy Rights (c)

Example: File/Process• Processes p, q

• Files f, g

• Rights r, w, x, a, o

f g p q

p rwo r rwxo w

q a ro r rwxo

Copy Right• Allows possessor to give rights to another

• Often attached to a right, so only applies to that right– r is read right that cannot be copied– rc is read right that can be copied

• Is copy flag copied when giving r rights?– Depends on model, instantiation of model

Ownership Right Usually allows possessor to change entries

in ACM column– So owner of object can add, delete rights for

others– May depend on what system allows

• Can’t give rights to specific (set of) users

• Can’t pass copy flag to specific (set of) users

Attenuation of Privilege Principle: Subject may not give rights it

does not possess to another.– Restricts addition of rights within a system– Usually ignored for owner

• Why? Owner gives herself rights, gives them to others, deletes her rights.

How can we implement the ACM?

Problem: scale– Thousands of subjects.– Millions of objects.– Yet most entries are blank or default.

Solutions– Group subjects together as a single entities

• Groups and Roles

– Implement by row: Capabilities– Implement by column: Access Control Lists

Groups and Roles• Collect subjects together to express:

– Need to share objects.– Security categories (e.g., admin, faculty,

student, guest)

• role: group that ties membership to function

• Problem: loss of granularity.

Capabilities• Implement ACM by row.• Access Control associated with subject.• Example: UNIX file descriptors

– System checks ACL on file open, returns fd.– Process subsequently uses fd to read and write file. – If ACL changes, process still has access via fd.

User ls homedir rootdir

james rx rw r

Capability QuestionsHow to revoke rights to an object?

• Direct solution– Check capabilities of every process.– Remove those that grant access to object.– Computationally expensive.

Access Control Lists (ACLs)• Implement ACM by column.• Access control by object.• Example: UNIX ACLs

– Short “rwx” user/group/other.

– Long POSIX ACLs.

User audit data

root rw

james r

ACL Questions1. Which subjects can modify an object’s

2. Do ACLs apply to privileged users?

3. Do ACLs support groups and wildcards?

4. How are ACL conflicts resolved?

5. What are default permissions?

6. How can a subject’s rights be revoked?

Which subjects can modify an ACL?

• Create an own right for an ACL.– Only subjects with own right can modify ACL.

• Creating an object also creates object’s ACL.– Usually creator given own right at this time.– Other default rights may be set at creation too.

Which subjects can modify an ACL?

• Some systems allow anyone with access to object to modify ACL.– What are the security implications of sharing

access to a file on such a system?

Do ACLs apply to privileged users?

• Many systems have privileged users.– UNIX: root.– Windows NT: administrator.

• Should ACLs apply to privileged users?– Need read access to all objects for backups.– What security problems are produced by

ignoring ACLs for privileged users?

What are the default permissions?

• Interaction of ACLs with base permissions.– POSIX ACLs modify UNIX base permissions.

What are the default permissions?

• How are default ACLs determined?– Subject

• Subject sets default permissions, like UNIX umask.

– Inheritance• Objects in hierarchical system inherit ACLs of

parent object.

• Subjects inherit sets of default permissions from their parent subjects.

How are rights revoked?Removal of subject’s rights to object.

– Delete entries for subject from ACL.– If ownership doesn’t control granting rights,

matters can be complex:• If A has granted rights to B, what should happen to

B’s rights if you remove A’s rights?

Removal of subject’s rights to all objects.– Very expensive (millions of objects.)– Most systems don’t support.– Why isn’t disabling subject’s account sufficient?

ACLs vs CapabilitiesACLs

• Slow: OS has to read ACL for each object accessed.

• Easy to find/change rights on a particular object.

• Difficult to revoke privileges for a specific subject.

Capabilities

• Fast: OS always knows subject identity.

• Easy to find/change rights on a particular subject.

• Difficult to revoke privileges to a subject object.

Limitations of Classic ACLsACL control list only contains 3 entries

– Limited to one user.– Limited to one group.

Root (UID 0) can do anything.

POSIX Extended ACLsSupported by most UNIX/Linux systems.

– Slight syntax differences may exist.

getfaclsetfacl

– chmod 600 file– setfacl -m user:gdoor:r-- file– File unreadable by other, but ACL allows gdoor

Host-based Access Control• /etc/hosts.allow and /etc/hosts.deny

• used by tcpd, sshd, other servers

• Identify subjects by– hostname– IP address– network address/mask

• Allow before Deny– use last rule in /etc/hosts.deny to deny all

Hardware ProtectionConfidentiality

– Processes cannot read memory space of kernel or of other processes without permission.

Integrity– Processes cannot write to memory space of

kernel or of other processes without permission.

Hardware ProtectionAvailability

– One process cannot deny access to CPU or other resources to kernel or other processes.

Hardware Mechanisms: VM• Each process has its own address space.

– Prevents processes from accessing memory of kernel or other processes.

• Attempted violations produce page fault exceptions.

Hardware Mechanisms: VM• Each process has its own address space.

– Implemented using a page table.– Page table entries contain access control info.

• Read

• Write

• Execute (not separate on Intel CPUs)

• Supervisor (only accessible in supervisor mode)

VM Address Translation

Hardware Mechanisms: RingsProtection Rings.

– Lower number rings have more rights.– Intel CPUs have 4 rings

• Ring 0 is supervisor mode.

• Ring 3 is user mode.

• Most OSes do not use other rings.

– Multics used 64 protection rings.• Different parts of OS ran in different rings.

• Procedures of same program could have different access rights.

Hardware Mechanisms: System Timer

• Timer interrupt– Programmable Interval Timer chip.– Happens every 1-100 OS, depending on OS.– Transfers control from process to OS.– Ensures no process can deny availability of

machine to kernel or other processes.

Why is Access Control hard?• Complex Objects

– Identifying objects of interest.• Is your choice of objects too coarse or fine-grained?

– Hierarchical structure like filesystem or XML

• Subjects are Complex– Identifying subjects of interest.– What are the relationships between subjects?

Why is Access Control hard?• Access Control states change.

• Security objectives often unclear.

References1. Anderson, Ross, Security Engineering, Wiley,

2001.2. Bishop, Matt, Introduction to Computer Security,

Addison-Wesley, 2005.3. Bovet, Daniel and Cesati, Marco, Understanding

the Linux Kernel, 2nd edition, O’Reilly, 2003.4. Silberschatz, et. al., Database System Concepts,

4th edition, McGraw-Hill, 2002.5. Silberschatz, et. al., Operating System Concepts,

7th edition, Wiley, 2005.6. Viega, John, and McGraw, Gary, Building Secure

Software, Addison-Wesley, 2002.

CIT 380: Securing Computer Systems

Documents

CIT 480: Securing Computer Systemswaldenj/classes/2014/fall/... · 2019. 8. 25. · CIT 480: Securing Computer Systems Biometrics are not infallible What are False Accept and Reject

· Samar Calba o Cit Catbalo an Cit Maasin Cit Ormoc Cit Tacloban Cit Ba ba Cit Boron an Cit Others Bukidnon Cami uin Lanao del Norte Misamis Oriental Misamis Occidental Ca a an

CIT 480: Securing Computer Systemswaldenj/classes/2016/spring/cit480/... · wireless network packets destined for other hosts. ... – If network location unsatisfactory, ARP spoofing

drinkltg.jpn.org/kanbee/wp-content/uploads/2019/01/drink.pdfSOFT DRINK 380 380 380 380 380 380 380 380 380 烏龍茶緑茶コーラジンジャエールオレンジジュース

NEW JURISDICTION OF THE PR. CIT/CIT CHARGE; …office.incometaxindia.gov.in/kanpur/Documents/...NEW JURISDICTION OF THE PR. CIT/CIT CHARGE; ADDL. CIT/ JT. CIT RANGES & ASSESSING OFFICERS

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Introduction

CIT 480: Securing Computer Systemswaldenj/classes/2015/fall/cit480/... · Initialization vector (IV) ... •Small space of initialization vectors guarantees reuse of the same key

Certificate in Translation (CIT) CIT-02

6025 380 380 380 380 - filest.edunet.net · 6025 380 380 380 380 . Created Date: 10/28/2019 8:14:04 PM

CIT 480: Securing Computer Systems

Policies CIT 380: Securing Computer SystemsSlide #1

ED 380 381 SO 024 739 AUTHOR Ruth, Amy, Ed. …ED 380 381 AUTHOR TITLE INSTITUTION REPORT NO PUB DATE NOTE AVAILABLE FROM PUB TYPE JOURNAL CIT EDRS PRICE DESCRIPTORS IDENTIFIERS ABSTRACT

Certificate in Translation (CIT) CIT-03

CIT 380: Securing Computer Systems Security Solutions

CIT 380: Securing Computer Systemswaldenj/classes/2014/fall/... · 2019. 8. 25. · – Based on MD5, SHA-1, or SHA-2, key based on master secret. 4. Pseudorandom Function – Used

CIT 380: Securing Computer Systemswaldenj/classes/2015/spring/cit480/...CIT 480: Securing Computer Systems Slide #22 nmap OS fingerprint examples > sudo nmap -O scanme.nmap.org Device

CIT 380: Securing Computer Systemswaldenj/classes/2013/...– Use username/password on first request. – Use session IDs on subsequent queries. Slide #32. CIT 380: Securing Computer

010 - Cit Traim - Cit Putem Trai

CIT - Cork Institute of Technology - CIT

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Access Control