October 18, 2005. Introduction to Computer Security, Lecture 6: Windows/Unix/Solaris 10; Design Principles. Two implementation concepts: access control list (ACL), which stores a column of the access matrix with the resource, and capability, where the user holds a "ticket" for each resource; two variations. (PowerPoint PPT presentation)
Transcript
IS2150/TEL2810: Introduction of Computer Security 1
October 18, 2005
Introduction to Computer Security
Windows XP
Improvement over Win 2000 Professional
  Personalized login: multiple users have secure profiles
  User switching: multiple users can be logged in at once
  Internet Connection Firewall (ICF): active packet filtering
  Blank password restriction (null sessions)
  Encrypting File System (EFS) using PKI
  Smart card support (uses X.509 certificate for authentication)
Active Directory
Core for the flexibility of Win2000
  Centralized management for clients, servers and user accounts
  Information about all objects
  Group policy and remote OS operations
  Replaces SAM database
AD is a trusted component of the LSA
Stores
  Access control information – authorization
  User credentials – authentication
Supports PKI, Kerberos and LDAP
Win 2003
Solaris 10
UNIX-based OS
  Access control is similar.
  Some new features have been added in Solaris 10:
    User Templates
    Authorizations
    Projects
    RBAC – only for administrative purposes
Design Principles
Design Principles for Security Mechanisms
Principles
  Least Privilege
  Fail-Safe Defaults
  Economy of Mechanism
  Complete Mediation
  Open Design
  Separation of Privilege
  Least Common Mechanism
  Psychological Acceptability
Based on the ideas of simplicity and restriction
Overview
Simplicity
  Less to go wrong
  Fewer possible inconsistencies
  Easy to understand
Restriction
  Minimize access power (need to know)
  Inhibit communication
Least Privilege
A subject should be given only those privileges necessary to complete its task
  Function, not identity, controls: RBAC!
  Rights added as needed, discarded after use
    Active sessions and dynamic separation of duty
  Minimal protection domain
A subject should not have a right if the task does not need it
Fail-Safe Defaults
Default action is to deny access
If an action fails, the system is as secure as when the action began
  Undo changes if actions do not complete
  Transactions (commit)
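Both halves of this slide, default deny and undo-on-failure, in one small in-memory ACL. This is an added example, not code from the lecture; the Acl class, its operation names and the subjects/objects are constructed for illustration.

```python
import copy

# Added example (not from the lecture slides): an in-memory ACL that denies
# unless a right was explicitly granted, and applies a batch of changes as a
# transaction that either commits fully or rolls back to the prior state.
class Acl:
    def __init__(self):
        self.entries = {}   # (subject, obj) -> set of rights

    def check(self, subject, obj, right):
        # Fail-safe default: no entry, or no such right, means "deny".
        return right in self.entries.get((subject, obj), set())

    def apply_transaction(self, changes):
        """changes: list of ("grant"|"revoke", subject, obj, right).
        Returns True on commit, False if rolled back (ACL unchanged)."""
        snapshot = copy.deepcopy(self.entries)   # state when the action began
        try:
            for op, subject, obj, right in changes:
                if op == "grant":
                    self.entries.setdefault((subject, obj), set()).add(right)
                elif op == "revoke":
                    # set.remove raises KeyError if the right (or entry) is absent
                    self.entries[(subject, obj)].remove(right)
                else:
                    raise ValueError("unknown operation %r" % op)
            return True                          # commit
        except (KeyError, ValueError):
            self.entries = snapshot              # undo: as secure as before
            return False

def run_demo():
    """Constructed scenario: the second batch fails part-way, so bob's grant
    from the same batch must not survive."""
    acl = Acl()
    first = acl.apply_transaction([("grant", "alice", "payroll.db", "read")])
    second = acl.apply_transaction([
        ("grant", "bob", "payroll.db", "write"),    # fine on its own ...
        ("revoke", "carol", "payroll.db", "read"),  # ... but carol has no entry
    ])
    return (first, second,
            acl.check("alice", "payroll.db", "read"),   # committed earlier
            acl.check("bob", "payroll.db", "write"),    # rolled back
            acl.check("dave", "payroll.db", "read"))    # never granted: deny

if __name__ == "__main__":
    print(run_demo())
```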
Economy of Mechanism
Keep the design and implementation as simple as possible
  KISS Principle (Keep It Simple, Silly!)
Simpler means less can go wrong
  And when errors occur, they are easier to understand and fix
Interfaces and interactions
Complete Mediation
Check every access to an object to ensure that access is allowed
Usually done once, on first action
  UNIX: access checked on open, not checked thereafter
  If permissions change afterwards, may get unauthorized access
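The UNIX behaviour the slide describes, run on a throwaway file: the access decision is made once at open(), so a descriptor obtained before the permission change keeps working, while a fresh open() is mediated again and refused. This is an added example, not from the lecture; it assumes a POSIX system (mode bits, os.geteuid) and notes that root is exempt from mode-bit checks.

```python
import os
import stat
import tempfile

# Added example (not from the lecture slides): open a file, revoke all
# permissions, and observe that only *new* access requests see the change.
def demonstrate_open_time_check():
    fd, path = tempfile.mkstemp()            # constructed sample file (mode 0600)
    os.write(fd, b"secret payroll data")     # constructed sample content
    os.close(fd)
    result = {"running_as_root": os.geteuid() == 0}

    # Mediation happens here, once, when the descriptor is created.
    f = open(path, "rb")
    os.chmod(path, 0)                        # owner now holds no rights at all
    # read() is not re-checked: the earlier decision is still honoured.
    result["read_via_open_fd"] = f.read()
    f.close()

    # A new open() is a new access request and is mediated afresh.
    try:
        open(path, "rb").close()
        result["new_open_denied"] = False    # only expected for root
    except PermissionError:
        result["new_open_denied"] = True

    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # restore before cleanup
    os.unlink(path)
    return result

if __name__ == "__main__":
    print(demonstrate_open_time_check())
```

The practical consequence: revoking a permission does not revoke access already in progress; a process holding an open descriptor must be terminated (or the descriptor closed) for the new policy to take effect.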
Open Design
Security should not depend on secrecy of design or implementation
  Popularly misunderstood to mean that source code should be public
  "Security through obscurity"
  Does not apply to information such as passwords or cryptographic keys
Separation of Privilege
Require multiple conditions to grant privilege
  Example: checks of $70000 must be signed by two people
  Separation of duty
Defense in depth
  Multiple levels of protection
Least Common Mechanism
Mechanisms should not be shared
  Information can flow along shared channels
  Covert channels
Isolation
  Virtual machines
  Sandboxes
Psychological Acceptability
Security mechanisms should not add to the difficulty of accessing a resource
  Hide complexity introduced by security mechanisms
  Ease of installation, configuration, use
  Human factors critical here