CSC 382: Computer Security

Jan 19, 2016

CSC 382: Computer Security. Security Policies. Topics: What is a security policy? Types of Access Control: Discretionary (DAC), Mandatory (MAC), Originator-based (ORBAC). Types of Policies: Multilevel (Bell LaPadula), Clark Wilson, Chinese Wall. Policy Expression Languages. Security Policy. - PowerPoint PPT Presentation
Transcript
Page 1: CSC 382: Computer Security

CSC 382: Computer Security Slide #1

CSC 382: Computer Security

Security Policies

Page 2: CSC 382: Computer Security

Topics

1. What is a security policy?
2. Types of Access Control
   1. Discretionary (DAC)
   2. Mandatory (MAC)
   3. Originator-based (ORBAC)
3. Types of Policies
   1. Multilevel: Bell LaPadula
   2. Clark Wilson
   3. Chinese Wall
4. Policy Expression Languages

Page 3: CSC 382: Computer Security

Security Policy

Security policy partitions system states into:
– Authorized (secure)
  • These are states the system is allowed to enter.
– Unauthorized (nonsecure)
  • If the system enters any of these states, it’s a security violation.

Secure system
– Starts in authorized state.
– Never enters unauthorized state.

Page 4: CSC 382: Computer Security

Policy vs. Mechanism

Security Policy
– Statement that divides system into authorized and unauthorized states.

Mechanism
– Entity or procedure that enforces some part of a security policy.

Page 5: CSC 382: Computer Security

Dirty Politics

Republican Senate staffers gained access to Democrat computer files 2002-2003.
– Both parties share computer server.
– 2001 misconfiguration allowed access w/o pw.
– Defence: "The bottom line here is that the technology staff of the Democrats was negligent. They put these memos in a shared hard drive. It was like putting the memos on our desk.” – Manuel Miranda

Page 6: CSC 382: Computer Security

Types of Access Control

• Discretionary Access Control (DAC, IBAC)
– Individual user sets access control mechanism to allow or deny access to an object. UNIX and NT ACLs.
• Mandatory Access Control (MAC)
– System mechanism controls access to object, and individual cannot alter that access.
• Originator Controlled Access Control (ORCON)
– Originator (creator, not current owner of file) of information controls who can access information. DRM-controlled files.

Page 7: CSC 382: Computer Security

MAC Example: SELinux

• What is SELinux?
– Linux kernel modifications to provide MAC.
• What’s the problem with DAC?
– TCB large: Security depends on kernel, all privileged applications, and their configurations.
– Coarse-grained: Applications run with all user privileges, even for root user.
• Security of MAC depends on:
– kernel
– SELinux security policy configuration

Page 8: CSC 382: Computer Security

SELinux Advantages and Issues

• Advantages
– Fine-grained control by program, not by user.
– Protects system from flawed or malicious code.
• Security policy configuration is complex.
– Policy language resembles DTEL.
– Fine-grained: can control program accesses to individual files, signals, etc.
• Difficult to find security policies that work for everyone.
– Fedora Core 2’s strict policy caused many problems.
– Fedora Core 3 applies policies to known server and system processes, lets other programs run w/o restriction.

Page 9: CSC 382: Computer Security

SELinux Command Extensions

    > id -Z
    user_u:system_r:unconfined_t

    > ps -eZ | head
    LABEL                          PID TTY      TIME     CMD
    user_u:system_r:unconfined_t     1 ?        00:00:00 init
    user_u:system_r:unconfined_t    21 ?        00:00:00 kacpid
    user_u:system_r:syslogd_t     3826 ?        00:00:00 syslogd
    user_u:system_r:unconfined_t  3841 ?        00:00:00 irqbalance
    user_u:system_r:portmap_t     3852 ?        00:00:00 portmap
    user_u:system_r:ypbind_t      4024 ?        00:00:00 ypbind

    > ls -lZ /boot/vmlinuz-2.6.10-1.741_FC3smp
    -rw-r--r-- root root system_u:object_r:boot_t /boot/vmlinuz-2.6.10-1.741_FC3smp

Page 10: CSC 382: Computer Security

ORBAC Example: CSS

• Content Scrambling System (CSS)
– Used to encrypt DVDs.
– DVD reader needs CSS decryption key.
• CSS limits use of DVDs even though you control the OS (MAC) and filesystem ACLs.
– Region-coding.
– Unskippable commercials.

Page 11: CSC 382: Computer Security

Types of Security Policies

• Confidentiality
– Military/government policies.
• Integrity
– Commercial policies.
• Availability
– Quality of service agreements.

Page 12: CSC 382: Computer Security

Confidentiality

• X set of entities, I information.
• I has confidentiality property with respect to X if no x in X can obtain information from I.
• I can be disclosed to others.
• Example:
– X is the set of students.
– I is the final exam answer key.
– I is confidential with respect to X if students cannot obtain final exam answer key.

Page 13: CSC 382: Computer Security

Integrity

• X set of entities, I information.
• I has integrity property with respect to X if all x in X trust information in I.
• Types of integrity:
– trust I, its conveyance and protection (data integrity)
– I information about origin of something or an identity (origin integrity, authentication)
– I resource: means resource functions as it should (assurance)

Page 14: CSC 382: Computer Security

Availability

• X set of entities, I resource.
• I has availability property with respect to X if all x in X can access I.
• Types of availability:
– traditional: x gets access or not
– quality of service: promise specific level of access (e.g., a specific level of bandwidth)

Page 15: CSC 382: Computer Security

Multilevel Security Policies

Bell-LaPadula Model

Classifications
1. Top Secret
2. Secret
3. Confidential
4. Unclassified

Simple Security Property: No read up.
*-Property: No write down.
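The two Bell-LaPadula rules on this slide, worked through in code. This is an added example, not part of the course slides: the four classification levels are the slide's, while the subjects, objects and the request trace are constructed for illustration.

```python
"""Bell-LaPadula check: 'no read up' (simple security property) and
'no write down' (*-property) over the four classification levels on the
slide.  Added example, not from the course slides; subjects, objects and
their levels below are constructed."""

# Linear ordering of the slide's classifications: higher index = more sensitive.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """True when classification a is at least as high as b."""
    return RANK[a] >= RANK[b]


def can_read(subject_level: str, object_level: str) -> bool:
    """Simple security property: a subject may read an object only if the
    subject's clearance dominates the object's classification (no read up)."""
    return dominates(subject_level, object_level)


def can_write(subject_level: str, object_level: str) -> bool:
    """*-property: a subject may write an object only if the object's
    classification dominates the subject's level (no write down)."""
    return dominates(object_level, subject_level)


def check(op: str, subject_level: str, object_level: str) -> bool:
    """Decide a single access request; reject unknown operations or levels."""
    if subject_level not in RANK or object_level not in RANK:
        raise ValueError("unknown classification")
    if op == "read":
        return can_read(subject_level, object_level)
    if op == "write":
        return can_write(subject_level, object_level)
    raise ValueError(f"unknown operation {op!r}")


# Constructed sample principals (not from the slides).
SUBJECTS = {"analyst": "Secret", "intern": "Unclassified"}
OBJECTS = {"war_plan": "Top Secret", "memo": "Secret", "bulletin": "Unclassified"}

SAMPLE_TRACE = [
    ("analyst", "read", "memo"),       # Secret reads Secret: allowed
    ("analyst", "read", "war_plan"),   # Secret reads Top Secret: no read up
    ("analyst", "write", "bulletin"),  # Secret writes Unclassified: no write down
    ("analyst", "write", "war_plan"),  # Secret writes Top Secret: allowed (write up)
    ("intern", "read", "memo"),        # Unclassified reads Secret: denied
]


def run_trace(requests):
    """Evaluate (subject, op, object) requests against the constructed
    clearances/classifications, returning (subject, op, object, decision)."""
    return [(s, op, o, check(op, SUBJECTS[s], OBJECTS[o])) for s, op, o in requests]


if __name__ == "__main__":
    for s, op, o, ok in run_trace(SAMPLE_TRACE):
        print(f"{s:8} {op:5} {o:9} -> {'allow' if ok else 'deny'}")
```

Note that the *-property permits writing up (a Secret subject appending to a Top Secret object); the model forbids information flowing downward, not upward.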

Page 16: CSC 382: Computer Security

Multilateral Security Policies

Chinese Wall Model

CD: Company dataset
COI: Conflict of interest class

If you read one CD of a COI, you never can read any other CDs from that COI.

Figure: Bank COI Class (US Bank, PNC, Citibank); Oil COI Class (Shell, BP, Exxon, ARCO)
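The Chinese Wall read rule from this slide, implemented over the two conflict of interest classes in the figure. This is an added example and not the course's own code; the COI classes mirror the slide, while the subject name and the sequence of reads are constructed.

```python
"""Chinese Wall read rule from the slide: once a subject has read a company
dataset (CD) in a conflict of interest (COI) class, it may never read any
other CD in that COI class.  Added example, not the course's own code; the
COI classes mirror the slide's figure, the subjects and access history are
constructed."""

# COI class -> set of company datasets, as drawn on the slide.
COI_CLASSES = {
    "Bank": {"US Bank", "PNC", "Citibank"},
    "Oil": {"Shell", "BP", "Exxon", "ARCO"},
}
# Reverse index: company dataset -> its COI class.
COI_OF = {cd: coi for coi, cds in COI_CLASSES.items() for cd in cds}


class ChineseWall:
    def __init__(self):
        # Subject -> set of company datasets it has already read.
        self.history = {}

    def may_read(self, subject: str, cd: str) -> bool:
        """Allow if, within cd's COI class, the subject has read nothing
        or has only ever read cd itself."""
        if cd not in COI_OF:
            raise ValueError(f"unknown company dataset {cd!r}")
        seen = self.history.get(subject, set())
        same_coi = {x for x in seen if COI_OF[x] == COI_OF[cd]}
        return same_coi <= {cd}

    def read(self, subject: str, cd: str) -> bool:
        """Apply the rule and, on success, record the read so the wall
        moves with the subject's history.  Returns the decision."""
        if not self.may_read(subject, cd):
            return False
        self.history.setdefault(subject, set()).add(cd)
        return True

    def blocked_for(self, subject: str) -> set:
        """Datasets this subject can no longer read, given its history."""
        return {cd for cd in COI_OF if not self.may_read(subject, cd)}


def demo():
    """Constructed trace for one analyst: a first read in each COI class,
    then attempts on competitors in both classes."""
    wall = ChineseWall()
    decisions = [
        wall.read("alice", "PNC"),       # first Bank read: allowed
        wall.read("alice", "Shell"),     # first Oil read: allowed (different COI)
        wall.read("alice", "Citibank"),  # second Bank CD: denied by the wall
        wall.read("alice", "PNC"),       # re-reading the same CD: allowed
        wall.read("alice", "BP"),        # second Oil CD: denied
    ]
    return decisions, wall.blocked_for("alice")


if __name__ == "__main__":
    decisions, blocked = demo()
    print("decisions:", decisions)
    print("blocked for alice:", sorted(blocked))
```

The policy is history-dependent: the same request ("alice reads Citibank") is allowed for a fresh subject and denied after one read of PNC, which is why the enforcement point has to keep per-subject state rather than a static matrix.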

Page 17: CSC 382: Computer Security

Policy Languages

• Express security policies in a precise way.
• High-level languages
– Policy constraints expressed abstractly.
• Low-level languages
– Policy constraints expressed in terms of program options, input, or specific characteristics of entities on system.

Page 18: CSC 382: Computer Security

High-Level Policy Languages

• Constraints expressed independent of enforcement mechanism.
• Constraints restrict entities, actions.
• Constraints expressed unambiguously
– Requires a precise language, usually a mathematical, logical, or programming-like language.

Page 19: CSC 382: Computer Security

Example: Web Browser

• Goal: restrict actions of Java programs that are downloaded and executed under control of web browser.

• Policy language specific to Java programs.

• Expresses constraints as conditions restricting invocation of entities.

Page 20: CSC 382: Computer Security

Expressing Constraints

• Entities are classes, methods
– Class: set of objects that an access constraint constrains.
– Method: set of ways an operation can be invoked.
• Operations
– Instantiation: s creates instance of class c: s -| c
– Invocation: s1 executes object s2: s1 |-> s2
• Access constraints
– deny(s op x) when b
– While b is true, subject s cannot perform op on (subject or class) x; empty s means all subjects.

Page 21: CSC 382: Computer Security

Sample Constraints

• Downloaded program cannot access password database file on UNIX system
• Program’s class and methods for files:

    class File {
        public file(String name);
        public String getfilename();
        public char read();
    }

• Constraint:

    deny( |-> file.read) when (file.getfilename() == "/etc/passwd")

Page 22: CSC 382: Computer Security

Another Sample Constraint

• At most 100 network connections open.
• Socket class defines network interface
– Network.numconns method giving number of active network connections.
• Constraint:

    deny( -| Socket) when (Network.numconns >= 100)
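A small evaluator for constraints of the form deny(s op x) when b, with the two sample constraints from the preceding slides transcribed into it. This is an added example, not the course's or Bishop's code: the way subjects, targets and the condition b are represented is an assumption, and the request trace (a downloaded program called "applet", its file names and connection counts) is constructed.

```python
"""Evaluator for the slide's access constraints deny(s op x) when b, where
op is invocation (|->) or instantiation (-|).  Added example, not the
course's code; the representation of subjects, targets and conditions is
an assumption, and the environment values are constructed."""

from dataclasses import dataclass
from typing import Callable, Optional

INVOKE, INSTANTIATE = "|->", "-|"


@dataclass(frozen=True)
class Deny:
    subject: Optional[str]        # None plays the role of the empty s: all subjects
    op: str                       # INVOKE or INSTANTIATE
    target: str                   # method name ("File.read") or class name ("Socket")
    when: Callable[[dict], bool]  # condition b, evaluated over the current state

    def applies(self, subject: str, op: str, target: str, state: dict) -> bool:
        return ((self.subject is None or self.subject == subject)
                and self.op == op and self.target == target
                and self.when(state))


def decide(policy, subject: str, op: str, target: str, state: dict) -> bool:
    """Default allow: the request is permitted unless some deny constraint
    matches it while its condition b is true."""
    return not any(c.applies(subject, op, target, state) for c in policy)


# The two constraints from the slides, transcribed into this representation.
POLICY = [
    # deny( |-> file.read) when (file.getfilename() == "/etc/passwd")
    Deny(None, INVOKE, "File.read",
         lambda st: st.get("file.name") == "/etc/passwd"),
    # deny( -| Socket) when (Network.numconns >= 100)
    Deny(None, INSTANTIATE, "Socket",
         lambda st: st.get("Network.numconns", 0) >= 100),
]


def sample_requests():
    """Constructed requests from a downloaded program 'applet'."""
    return [
        ("applet", INVOKE, "File.read", {"file.name": "/home/user/notes.txt"}),
        ("applet", INVOKE, "File.read", {"file.name": "/etc/passwd"}),
        ("applet", INSTANTIATE, "Socket", {"Network.numconns": 7}),
        ("applet", INSTANTIATE, "Socket", {"Network.numconns": 100}),
        # instantiating File is not the denied operation; only read is
        ("applet", INSTANTIATE, "File", {"file.name": "/etc/passwd"}),
    ]


def evaluate_all(policy=POLICY):
    """Decisions for the constructed requests, in order."""
    return [decide(policy, s, op, x, st) for s, op, x, st in sample_requests()]


if __name__ == "__main__":
    for (s, op, x, st), ok in zip(sample_requests(), evaluate_all()):
        print(f"{s} {op} {x} {st} -> {'allow' if ok else 'deny'}")
```

The condition b is re-evaluated on every request against the current state, which is what makes the connection-limit constraint work: the same instantiation is allowed at 7 open connections and denied at 100.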

Page 23: CSC 382: Computer Security

Discussion: Buying HDs on Ebay

• 2 MIT grad students bought 158 used HDs.
– 28 (17%) had fully functioning operating systems.
– 57 (36%) were formatted, but recoverable.
– 29 (18%) didn’t work at all.
– In total, 117 (74%) had recoverable data.
• Recovered data included
– Personal and corporate financial records.
– Personal e-mail and credit cards.
• Is discarded data a security issue?

Page 24: CSC 382: Computer Security

Low-Level Policy Languages

• Set of inputs or arguments to commands.
– Check or set constraints on system.
• Low level of abstraction.
– Need details of system, commands.

Page 25: CSC 382: Computer Security

Example: X Window System

• UNIX X11 Windowing System.
• Access to X11 display controlled by list
– List says what hosts allowed, disallowed access

    xhost +groucho -chico

• Connections from host groucho allowed.
• Connections from host chico not allowed.

Page 26: CSC 382: Computer Security

Example: tripwire

File scanner that reports changes to file system and file attributes
– tw.config describes what may change

    /usr/mab/tripwire +gimnpsu012345678-a

• Check everything but time of last access (“-a”)
– database holds previous values of attributes

Page 27: CSC 382: Computer Security

Example Database Record

    /usr/mab/tripwire/README 0 ..../. 100600 45763 1 917 10 33242 .gtPvf .gtPvY .gtPvY 0 .ZD4cc0Wr8i21ZKaI..LUOr3 .0fwo5:hf4e4.8TAqd0V4ubv ?...... ...9b3 1M4GX01xbGIX0oVuGo1h15z3 ?:Y9jfa04rdzM1q:eqt1APgHk ?.Eb9yo.2zkEh1XKovX1:d0wF0kfAvC ?1M4GX01xbGIX2947jdyrior38h15z3 0

Fields: file name, version, bitmask for attributes, mode, inode number, number of links, UID, GID, size, times of creation, last modification, last access, cryptographic checksums

Page 28: CSC 382: Computer Security

Comments

• System administrators not expected to edit database to set attributes properly.
• Checking for changes with tripwire is easy.
– Just run once to create the database, run again to check.
• Checking for conformance to policy is harder.
– Need to either edit database file, or (better) set system up to conform to policy, then run tripwire to construct database.
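The tripwire workflow of the last three slides (a selection mask from tw.config, a database of attributes and checksums, a second run that reports differences), as an added example that is not tripwire's own code. The mask letters follow the slide's convention only loosely (p mode, i inode, n links, u uid, g gid, s size, m mtime, c ctime, a atime, digits select checksums); collapsing all digit positions into one SHA-256 checksum is an assumption, and the scanned directory and file are constructed in a temporary directory.

```python
"""Tripwire-style change detector: snapshot file attributes plus a checksum
into a database, then rescan and report which selected attributes changed.
Added example, not tripwire's code.  Mask letters (assumption, loosely after
the slide): p mode, i inode, n links, u uid, g gid, s size, m mtime,
c ctime, a atime; any digit selects the (single, SHA-256) checksum."""

import hashlib
import os
import tempfile
from typing import Optional

ATTR_LETTERS = {"p": "mode", "i": "inode", "n": "nlink", "u": "uid",
                "g": "gid", "s": "size", "m": "mtime", "c": "ctime", "a": "atime"}


def parse_mask(mask: str) -> set:
    """'+' switches the following letters on, '-' switches them off."""
    selected, on = set(), True
    for ch in mask:
        if ch == "+":
            on = True
        elif ch == "-":
            on = False
        elif ch.isdigit():
            (selected.add if on else selected.discard)("checksum")
        elif ch in ATTR_LETTERS:
            (selected.add if on else selected.discard)(ATTR_LETTERS[ch])
        else:
            raise ValueError(f"unknown mask character {ch!r}")
    return selected


def record(path: str) -> dict:
    """One database record: the attribute fields listed on the slide."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"mode": st.st_mode, "inode": st.st_ino, "nlink": st.st_nlink,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            "ctime": st.st_ctime_ns, "mtime": st.st_mtime_ns,
            "atime": st.st_atime_ns, "checksum": h.hexdigest()}


def snapshot(root: str) -> dict:
    """Walk root and build the database keyed by file path."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            db[p] = record(p)
    return db


def compare(old: dict, new: dict, mask: str) -> dict:
    """Return {path: [changed fields]} considering only fields the mask
    selects; a vanished file reports 'deleted', a new one 'added'."""
    fields = parse_mask(mask)
    report = {}
    for p in sorted(set(old) | set(new)):
        if p not in new:
            report[p] = ["deleted"]
        elif p not in old:
            report[p] = ["added"]
        else:
            changed = [f for f in sorted(fields) if old[p][f] != new[p][f]]
            if changed:
                report[p] = changed
    return report


def demo(root: Optional[str] = None) -> dict:
    """Constructed scenario: baseline scan, then one file is rewritten in
    place and the directory is rescanned with the slide's mask."""
    if root is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    target = os.path.join(root, "README")
    with open(target, "w") as f:
        f.write("original\n")
    baseline = snapshot(root)
    with open(target, "w") as f:
        f.write("tampered content\n")
    return compare(baseline, snapshot(root), "+gimnpsu012345678-a")


if __name__ == "__main__":
    print(demo())
```

Because the mask ends in -a, a mere read of the file (which only bumps atime) produces no report, while the in-place rewrite shows up through size and checksum even though the inode is unchanged; that separation of "what may change" from "what was observed" is the policy/database split the Comments slide describes.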

Page 29: CSC 382: Computer Security

Example: PAM

• Pluggable Authentication Modules
• Config: /etc/pam.conf or /etc/pam.d/prog

    login auth     required pam_unix.so
    login account  required pam_unix.so
    login password required pam_unix.so
    login session  required pam_unix.so

• Format: service modtype controlflag module

Page 30: CSC 382: Computer Security

Example: PAM (cont.)

• Module Types:
– Auth: authenticates user
– Account: non-auth access control (time, place)
– Password: updates auth token
– Session: user setup (including logging)
• Control Flags:
– required: must succeed for access, all entries checked
– requisite: required, but returns immediately on failure
– sufficient: access granted if this condition true
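A parser for the pam.conf format on the previous slide, with an evaluator that walks one service's stack and combines module results under the three control flags described here. This is an added example, not Linux-PAM code: module outcomes come from a constructed table instead of real modules, the two extra sshd entries use hypothetical module names, and the end-of-stack rule (fail unless some module succeeded and no required module failed) is a simplification stated as an assumption.

```python
"""Parser and evaluator for the pam.conf lines on the slide, simulating how
required, requisite and sufficient combine module results for one service
and module type.  Added example, not Linux-PAM code: module outcomes are a
constructed table, pam_securetty_check.so and pam_hw_token.so are
hypothetical names, and the end-of-stack rule is a simplification."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    service: str
    modtype: str   # auth | account | password | session
    control: str   # required | requisite | sufficient
    module: str


def parse_pam_conf(text: str):
    """Parse 'service modtype controlflag module' lines; blank lines and
    '#' comments are skipped, short lines are rejected."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(Entry(parts[0], parts[1].lower(), parts[2].lower(), parts[3]))
    return entries


def run_stack(entries, service, modtype, outcomes):
    """Walk the stack for one service/modtype; outcomes maps module name to
    True (success) or False (failure).  Returns (granted, trace)."""
    trace, required_failed, any_success = [], False, False
    for e in entries:
        if e.service != service or e.modtype != modtype:
            continue
        ok = outcomes.get(e.module, False)  # unknown module: treat as failure
        trace.append((e.module, e.control, ok))
        if ok:
            any_success = True
            if e.control == "sufficient" and not required_failed:
                return True, trace          # sufficient: grant immediately
        else:
            if e.control == "requisite":
                return False, trace         # requisite: fail immediately
            if e.control == "required":
                required_failed = True      # remember, but check all entries
            # a failed sufficient module is simply skipped
    # Assumption: end of stack grants only if something succeeded and no
    # required entry failed.
    return (any_success and not required_failed), trace


# Constructed config: the slide's login stack plus an sshd auth stack with
# mixed control flags (hypothetical module names).
SAMPLE_CONF = """
login auth     required pam_unix.so
login account  required pam_unix.so
login password required pam_unix.so
login session  required pam_unix.so
sshd  auth     requisite  pam_securetty_check.so   # hypothetical
sshd  auth     sufficient pam_hw_token.so          # hypothetical
sshd  auth     required   pam_unix.so
"""


def demo():
    """Decisions for several constructed outcome tables."""
    entries = parse_pam_conf(SAMPLE_CONF)
    unix_ok = {"pam_securetty_check.so": True, "pam_hw_token.so": False, "pam_unix.so": True}
    token_ok = {"pam_securetty_check.so": True, "pam_hw_token.so": True, "pam_unix.so": False}
    tty_bad = {"pam_securetty_check.so": False, "pam_hw_token.so": True, "pam_unix.so": True}
    return {
        "login/pw ok": run_stack(entries, "login", "auth", {"pam_unix.so": True})[0],
        "login/pw bad": run_stack(entries, "login", "auth", {"pam_unix.so": False})[0],
        "sshd/token": run_stack(entries, "sshd", "auth", token_ok)[0],   # sufficient short-circuits
        "sshd/tty bad": run_stack(entries, "sshd", "auth", tty_bad)[0],  # requisite stops the stack
        "sshd/pw only": run_stack(entries, "sshd", "auth", unix_ok)[0],  # required pam_unix decides
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14} -> {'granted' if v else 'denied'}")
```

The ordering matters as much as the flags: placing the sufficient entry after the requisite one means the token can never bypass the tty check, whereas the reverse order would grant access before the check ran.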

Page 31: CSC 382: Computer Security

Key Points

• Policies describe what is allowed.
• Mechanisms control how policies are enforced.
• Types of Access Control
– Discretionary (DAC)
– Mandatory (MAC)
– Originator Based (ORBAC)
• Trust underlies everything.
