OS Security Access Control & Authentication
Dec 29, 2015
Protection Mechanisms
• Concept of sharing resources– No Protection– Isolation– Share all or Share Nothing– Share via access limitation– Share via dynamic capabilities– Limit use of an object
Access Control• Permit or deny the use of an object by a
subject• Services– Identification– Authentication– Authorization– Accountability
• Access Control Techniques
Security Models
• A model is a simplified representation used to explain a real world system
• Security models are used to design a system to protect secrets
Discretionary Access Control(DAC)
• No precise definition• Widely used in modern operating systems• In most implementations it has the notion of
owner of an object• The owner controls other users’ accesses to
the object• Allows access rights to be propagated to other
subjects
Discretionary Access Control (DAC) Security Model
• The owner of an object controls who and what may access it. Access is at the owner’s discretion.– Example: shared file server where access
permissions are administered by the owners (users) of its contents.
Access Control Matrix
• Abstract ,formal security model used in computer systems
• Subjects• Objects• Rights
1) Access Control Matrix
U
V
F G
orw
orwr
subjects
objects (and subjects)
rights
o – own r – read w – write
User - Principals
• One to many mapping between user and principals
• System authenticates user in the context of principal
• Shared principals (accounts) are not good for accountability
user principals
Alice
Alice.Top-secret
Alice.Secret
Bob
Bob.Dean
Bob.Faculty
Bob.Super-user
Principal - Subjects• One to many mapping
between principal and subjects
• A subject is a program or application run on behalf of principal
• Subjects are often treated the same as principal if all subjects of a principal have the same rights
subjectsprincipal
Alice.Top-secret
Word
Database
Objects• An object is anything on which a subject can perform
operations (mediated by rights)
• Usually objects are passive, for example– File – Directory (or Folder)– Memory segment
• But, subjects can also be objects, with operations– Kill– Suspend – Resume
Rights
• A right specifies what kind of access a subject can perform on an object– Own– Read– Write– Execute– Create– Delete– Transfer
Implementation of Access Control Matrix
U
V
F G
orw
orwr
subjects
objects
rightsCapabilities
ACL (Access Control Lists)
2) Access Control List (ACL)• ACL – Each column of access control matrix is stored
with corresponding object
• ACL requires subjects to be authenticated before access to a particular object
U:o
U:r
U:w
V:r
V:o
V:r
V:w
F G File PointerSubj
Access right
F
G U
V
V
orw
r
orw
3) Capabilities
• Capabilities – Each row of access control matrix is stored with corresponding subject
• Capabilities do not require subjects to be authenticated but require– Capabilities are unforgeable – Propagation of capabilities are under control
F/o, F/r, F/w
F/r, G/o, G/r, G/w
U
V
Comparison of ACL and Capabilities• ACL– Access rights stored with
objects– Requires authentication
of subjects
– Provides access review on a per-object basis
– Most operating systems such as UNIX and Windows use ACL to protect files
• Capabilities– Access rights stored with
subjects– Requires unforgeability of
capabilities and propagation control of capabilities
– Provides revocation facilities on a per-subject basis
– Used in authentication systems such as Kerberos
Problems with DAC in OS• DAC cannot protect against
– Trojan horse– Malware– Software bugs– Malicious local users
• It cannot control information flow
Mandatory Access Control (MAC) Security Model
• System controls access to resources• When a subject requests access to
an object– The system examines the user’s identity and
access rights, and compares to access permissions of the object
• System then permits or denies the access– Example: shared file server where access
permissions are administered by an administrator
Mandatory Access Control (MAC) Security Model
• MAC specifies the access that subjects have to objects based on subjects and objects classification– Based on security labels attached to subjects and
objects• Security label to subject security clearance• Security label to object security classification
– Users have no control of security labels, but information flow is restricted to certain can-flow paths
• This type of security has also been referred to as multilevel security
Multi-level Security Model
• Several levels of security– Such as Confidential, Secret, Top Secret
• People have varying levels of security clearance– Such as Confidential, Secret, Top Secret
• System will control access to objects according to their level and the level of the persons accessing them
Security levels• A security level a category set• The security level is an element from a totally
ordered set - example{Top Secret (TS), Secret (S), Confidential (C),
Unclassified (U)} where TS > S > C >U
• The category set is a set of elements, dependent from the application area in which data are to be used – example
{Army, Navy, Air Force, Nuclear}
Hierarchical Structure
• Military security classes as security labels:Top secret
Secret
Confidential
Unclassified
High level
Low level
Can-flow
Security levels• The security level ,at a commercial site, you
might define the following corporate hierarchy: {CORPORATE ,BRANCH, DEPARTMENTS}• In a commercial environment, your categories
might correspond to company departments, product names, ad campaigns, or any other setup you wish to implement:– example
{ACCOUNTING, PR, MARKETING, SALES, R&D}
Bell LaPadula Security Model(1973)
• A formal MAC model
• State machine model that addresses the
confidentiality of information.
• Uses No Read Up & No Write Down
BLP Model • Simple-security
property( ss – property)
– Subject S can read object O only if • Information can flow
from label(O) to label(S)
• Star-property(*-property)
– Subject S can write object O only if • Information can flow
from label(S) to label(O)
Label(S)
Label(O)
Can-flow
Label(O)
Label(S)
Can-flow
Read down
Write up
Bell LaPadula Security Model (cont.)
• No Read Up (NRU)– A subject can read all documents at or below his
level of security, but cannot read any documents above his level of security
– Prevents learning secrets at a higher security level– E.g., an unclassified user cannot read a top-secret
document
Bell LaPadula Security Model (cont.)
• No Write Down (NWD)– A subject can write documents at or above his level
of security, but cannot write documents below his level
– Prevents leaks of secrets– E.g., cannot copy top secret file into secret file
Bell LaPadula Model Problem
• In Bell LaPadula– A subject at a lower security level
can overwrite and potentially destroy secret information at a higher level (even though they cannot see it)
– No Write Down and No Read Up don't prevent this "Write Up" operation
• Bell LaPadula protects confidentiality but not integrity
The Biba Integrity Model(1977)
• The first formal integrity model, by preventing modifications to data by unauthorized persons.
• A subject cannot read documents below his level (no read down, NRD)
• A subject cannot write documents above his level (no write up, NWU)
Biba Model
• To guarantee the integrity of the data, we need precisely the reverse properties. – The simple integrity principle: A process
running at security level k can write only objects at its level or lower (no write up). – The integrity * property: A process running
at security level k can read only objects at its level or higher (no read down).
Example: Military Orders• Write Down is allowed– A General may write orders to a Colonel, who
can issue these orders to a Major• Integrity is preserved– In this fashion, the General's original orders are
kept intact and the mission of the military is protected
• Write Up is forbidden– Conversely, a Private can never issue orders to
his Sergeant, who may never issue orders to a Lieutenant, also protecting the integrity of the mission
Comparing the Models
• If you need to protect secrets, use Bell-Lapadula– No Write Down– No Read Up
• If you need to stay on target, use Biba– No Write Up– No Read Down
• Both of these are designed for the military, to protect high-level secrets
Role-based Access Control (RBAC) Security Model
• An improvement over the mandatory access control (MAC) security model
• Access permissions are granted to “roles” instead of “persons.”– Example: "Managers" can write to the Personnel
folder, but "Help Desk Workers" cannot
Role-based Access Control (RBAC) Security Model (cont.)
• Simplifies management in a complex system with many users and objects, used for commercial applications
• Makes changes much easier, because they involve changes to roles instead of to individuals
Authentication
• Process of establishing whether a client is who or what it claims to be
• User identity can be confirmed by:• Something you have• Something you know• Something you are
“Something you know…”• Login procedures– Usually something you know
• Password leaks– Commonly used password– Explicitly told
• Voluntarily• Trojan horse
– Trial and error– Intercepted communication
• paper, camera, wiretap, file on disk, emanations• password sniffing on networks
• Passwords are inconvenient– In client/server environment, user doesn’t want to enter
password for every service she connects to
“Something you have”• Authentication using a physical object• Several subcategories• One of interest here are cryptographic smart
cards:– Store user’s digital certificate and/or private key– Used to prevent private keys from being “hacked”
from user’s computer– What happens if a smart card is stolen?
“Something you are…”
• Authentication using Biometrics– Enrollment– Identification
• Fingerprint recognition• Face recognition• Voice Authentication etc…
Official levels of Computer Security•United States Government Department of Defense (DoD)•Trusted Computer System Evaluation Criteria (TCSEC)- “Orange Book”•Requirements:
1. Specific security requirements2. Assurance requirements
TCSEC /Orange Book
• 4 divisions- A,B,C,D– Specifies evaluation classes (D, C1, C2, B1, B2, B3, A1)– Specifies functionality and assurance requirements
for each class
• Each class defines 4 requirements– Policy– Accountability– Assurance– Documentation
TCSEC Classes
• D – Minimal Protection• C1 – Discretionary Security Protection– Identification and authentication and DAC– users processing data at common sensitivity level, separates
users from data– Minimal Assurance, may be based on features, not
evaluation• C2 – Control led access protection– Adds object reuse and auditing– More testing requirements– Windows NT 3.5 evaluated C2
TCSEC Classes• B1 – Labelled Security Protection
– Adds MAC for some objects• Controlled objects “labeled”, access control based on these
– Stronger testing requirements. Information model of security policy. Bell-La Padula model.
– Trusted Unix tended to be B1
• B2 – Structured protection– MAC for all objects, including devices. – Design and implementation must enable thorough testing & review
• “well-defined largely independent modules”– Trusted Path. Least privilege.– Covert channel analysis, configuration management, more
documentation, formal model of security policy
TCSEC Classes• B3 – Security Domains
– Requirements on code modularity, layering, simplicity.– Argument (short of proof) that implementation meets design
specifications– Tamper-proof implementation– More stringent testing and documentation.– XTS-200/STOP
• A1 – Verified protection– Same functional requirements as B3– Five criteria
• Formal model of protection and proofs of consistency/adequacy• Formal specification for protection system• Demonstration that specification corresponds to model of
protection• “proof” that implementation is consistent with specification• Formal analysis of covert channel
– Existence proof : Honeywell’s SCOMP
Trusted Computing Base• Trusted Computing Base
– Hardware and software for enforcing security rules process• Reference monitor
– Part of TCB Reference– All system calls go throughreference monitor for security checking– Most OS not designed thisway
Security Breaches
• Interception• Interruption• Modification• FabricationSecurity Hole - Software & hardware vulnerability– Holes that allow DoS– Holes that allow Local users unauthorized access– Holes that allow Remote users unauthorized access
Threats
• Covert channel– Unauthorized, hidden channel of communications
that exists within a legitimate communications channel
– Includes timing attacks that leak data through changes in response times
– Difficult to detect– Examples: unused fields in packets, steganography
Threats (cont.)
• Side channel attack– Observation of the physical characteristics of
a system in order to make inferences on its operation – Examples: timing, power consumption, emanations
• State attacks– Time of check to time of use (TOCTTOU), also known
as a race condition– Data can be altered between the time of check and
the time of use ("winning the race")
Threats (cont.)
• Emanations– RF (radio frequency) emissions from CRTs
and equipment
• Maintenance hooks and back doors– Secret master password– Really happened in "Lock My PC" -- link Ch 9i
• Privileged programs– Artifacts of development, testing– Can be used to elevate privileges
Countermeasures
• Reduce the potential of a threat by reducing its probability of occurrence or its impact – Sniffers (bug detectors)– Source code reviews– Auditing tools
• Filesystem integrity, like Tripwire• Configuration checking like Windows Defender• Log analyzers
– Penetration testing– Application vulnerability testing