CSC 382: Computer Security Slide #1
CSC 382: Computer Security
Security Policies
CSC 382: Computer Security Slide #2
Topics
1. What is a security policy?
2. Types of Access Control1. Discretionary (DAC)
2. Mandatory (MAC)
3. Originator-based (ORBAC)
3. Types of Policies1. Multilevel: Bell LaPadula
2. Clark Wilson
3. Chinese Wall
4. Policy Expression Languages
CSC 382: Computer Security Slide #3
Security Policy
Security policy partitions system states into:– Authorized (secure)
• These are states the system is allowed to enter.
– Unauthorized (nonsecure)• If the system enters any of these states, it’s a
security violation.
Secure system– Starts in authorized state.– Never enters unauthorized state.
CSC 382: Computer Security Slide #4
Policy vs. Mechanism
Security Policy– Statement that divides system into authorized
and unauthorized states.
Mechanism– Entity or procedure that enforces some part of a
security policy.
CSC 382: Computer Security Slide #5
Dirty Politics
Republican Senate staffers gained access to Democrat computer files 2002-2003.– Both parties share computer server.– 2001 misconfiguration allowed access w/o pw.– Defence: "The bottom line here is that the
technology staff of the Democrats was negligent. They put these memos in a shared hard drive. It was like putting the memos on our desk.” – Manuel Miranda
CSC 382: Computer Security Slide #6
Types of Access Control
• Discretionary Access Control (DAC, IBAC)– Individual user sets access control mechanism to allow
or deny access to an object. UNIX and NT ACLs.
• Mandatory Access Control (MAC)– System mechanism controls access to object, and
individual cannot alter that access.
• Originator Controlled Access Control (ORCON)– Originator (creator, not current owner of file) of
information controls who can access information. DRM-controlled files.
CSC 382: Computer Security Slide #7
MAC Example: SELinux
• What is SELinux?– Linux kernel modifications to provide MAC.
• What’s the problem with DAC?– TCB large: Security depends on kernel, all
privileged aplications, and their configurations.– Coarse-grained: Applications run with all user
privileges, even for root user.
• Security of MAC depends on:– kernel– SElinux security policy configuration
CSC 382: Computer Security Slide #8
SELinux Advantages and Issues• Advantages
– Fine-grained control by program, not by user.– Protects system from flawed or malicious code.
• Security policy configuration is complex.– Policy language resembles DTEL.– Fine-grained: can control program accesses to
individual files, signals, etc.• Difficult to find security policies that work for
everyone.– Fedora Core 2’s strict policy caused many problems.– Fedora Core 3 applies policies to known server and
system process, lets other programs run w/o restriction.
CSC 382: Computer Security Slide #9
SELinux Command Extensions> id -Zuser_u:system_r:unconfined_t
> ps -eZ |headLABEL PID TTY TIME CMDuser_u:system_r:unconfined_t 1 ? 00:00:00 inituser_u:system_r:unconfined_t 21 ? 00:00:00 kacpiduser_u:system_r:syslogd_t 3826 ? 00:00:00 syslogduser_u:system_r:unconfined_t 3841 ? 00:00:00 irqbalanceuser_u:system_r:portmap_t 3852 ? 00:00:00 portmapuser_u:system_r:ypbind_t 4024 ? 00:00:00 ypbind
> ls -lZ /boot/vmlinuz-2.6.10-1.741_FC3smp-rw-r--r-- root root system_u:object_r:boot_t
/boot/vmlinuz-2.6.10-1.741_FC3smp
CSC 382: Computer Security Slide #10
ORBAC Example: CSS
• Content Scrambling System (CSS)– Used to encrypt DVDs.– DVD reader needs CSS decryption key.
• CSS limits use of DVDs even though you control the OS (MAC) and filesystem ACLs.– Region-coding.– Unskippable commercials.
CSC 382: Computer Security Slide #11
Types of Security Policies
• Confidentiality– Military/government policies.
• Integrity– Commercial policies.
• Availability– Quality of service agreements.
CSC 382: Computer Security Slide #12
Confidentiality• X set of entities, I information.• I has confidentiality property with respect to X if
no x in X can obtain information from I.• I can be disclosed to others.• Example:
– X is the set of students.– I is the final exam answer key.– I is confidential with respect to X if students cannot
obtain final exam answer key.
CSC 382: Computer Security Slide #13
Integrity
• X set of entities, I information.• I has integrity property with respect to X if all x in
X trust information in I.• Types of integrity:
– trust I, its conveyance and protection (data integrity)
– I information about origin of something or an identity (origin integrity, authentication)
– I resource: means resource functions as it should (assurance)
CSC 382: Computer Security Slide #14
Availability
• X set of entities, I resource.
• I has availability property with respect to X if all x in X can access I.
• Types of availability:– traditional: x gets access or not– quality of service: promise specific level of
access (e.g., a specific level of bandwidth)
CSC 382: Computer Security Slide #15
Multilevel Security Policies
Bell-LaPadula Model
Classifications1. Top Secret
2. Secret
3. Confidential
4. Unclassified
Simple Security Property
No read up.
*-Property
No write down.
CSC 382: Computer Security Slide #16
Multilateral Security Policies
Chinese Wall Model
CD: Company dataset
COI: Conflict of interest class
If you read one CD of a COI, you never can read any other CDs from that COI.
Oil COI Class
US Bank
PNC Citibank
Bank COI Class
Shell
BP
Exxon
ARCO
CSC 382: Computer Security Slide #17
Policy Languages
• Express security policies in a precise way.
• High-level languages– Policy constraints expressed abstractly.
• Low-level languages– Policy constraints expressed in terms of
program options, input, or specific characteristics of entities on system.
CSC 382: Computer Security Slide #18
High-Level Policy Languages
• Constraints expressed independent of enforcement mechanism.
• Constraints restrict entities, actions.
• Constraints expressed unambiguously– Requires a precise language, usually a
mathematical, logical, or programming-like language.
CSC 382: Computer Security Slide #19
Example: Web Browser
• Goal: restrict actions of Java programs that are downloaded and executed under control of web browser.
• Policy language specific to Java programs.
• Expresses constraints as conditions restricting invocation of entities.
CSC 382: Computer Security Slide #20
Expressing Constraints• Entities are classes, methods
– Class: set of objects that an access constraint constrains.– Method: set of ways an operation can be invoked.
• Operations– Instantiation: s creates instance of class c: s -| c– Invocation: s1 executes object s2: s1 |-> s2
• Access constraints– deny(s op x) when b– While b is true, subject s cannot perform op on (subject
or class) x; empty s means all subjects.
CSC 382: Computer Security Slide #21
Sample Constraints
• Downloaded program cannot access password database file on UNIX system
• Program’s class and methods for files:class File {public file(String name);public String getfilename();public char read();
• Constraint:deny( |-> file.read) when
(file.getfilename() == /etc/passwd)
CSC 382: Computer Security Slide #22
Another Sample Constraint
• At most 100 network connections open.
• Socket class defines network interface– Network.numconns method giving number of
active network connections.
• Constraintdeny( -| Socket) when
(Network.numconns >= 100)
CSC 382: Computer Security Slide #23
Discussion: Buying HDs on Ebay
• 2 MIT grad students bought 158 used HDs.– 28 (17%) had fully functioning operating systems.– 57 (36%) were formatted, but recoverable.– 29 (18%) didn’t work at all.– In total, 117 (74%) had recoverable data.
• Recovered data included– Personal and corporate financial records.– Personal e-mail and credit cards.
• Is discarded data a security issue?
CSC 382: Computer Security Slide #24
Low-Level Policy Languages
• Set of inputs or arguments to commands.– Check or set constraints on system.
• Low level of abstraction.– Need details of system, commands.
CSC 382: Computer Security Slide #25
Example: X Window System
• UNIX X11 Windowing System.
• Access to X11 display controlled by list– List says what hosts allowed, disallowed access
xhost +groucho -chico
• Connections from host groucho allowed.
• Connections from host chico not allowed.
CSC 382: Computer Security Slide #26
Example: tripwire
File scanner that reports changes to file system and file attributes– tw.config describes what may change/usr/mab/tripwire +gimnpsu012345678-a
• Check everything but time of last access (“-a”)
– database holds previous values of attributes
CSC 382: Computer Security Slide #27
Example Database Record/usr/mab/tripwire/README 0 ..../. 100600 45763 1
917 10 33242 .gtPvf .gtPvY .gtPvY 0 .ZD4cc0Wr8i21ZKaI..LUOr3 .0fwo5:hf4e4.8TAqd0V4ubv ?...... ...9b3 1M4GX01xbGIX0oVuGo1h15z3 ?:Y9jfa04rdzM1q:eqt1APgHk ?.Eb9yo.2zkEh1XKovX1:d0wF0kfAvC ?1M4GX01xbGIX2947jdyrior38h15z3 0
file name, version, bitmask for attributes, mode, inode number, number of links, UID, GID, size, times of creation, last modification, last access, cryptographic checksums
CSC 382: Computer Security Slide #28
Comments
• System administrators not expected to edit database to set attributes properly.
• Checking for changes with tripwire is easy.– Just run once to create the database, run again to check.
• Checking for conformance to policy is harder.– Need to either edit database file, or (better) set system
up to conform to policy, then run tripwire to construct database.
CSC 382: Computer Security Slide #29
Example: PAM
• Pluggable Authentication Modules• Config: /etc/pam.conf or /etc/pam.d/prog
login auth required pam_unix.sologin account required pam_unix.sologin password required pam_unix.so login session required pam_unix.so• Format: service modtype controlflag module
CSC 382: Computer Security Slide #30
Example: PAM (cont.)
• Module Types:– Auth: authenticates user
– Account: non-auth access control (time, place)
– Password: updates auth token
– Session: user setup (including logging)
• Control Flags:– required: must succeed for access, all entries checked
– requisite: required, but returns immediately on failure
– sufficient: access granted if this condition true
CSC 382: Computer Security Slide #31
Key Points
• Policies describe what is allowed.
• Mechanisms control how policies are enforced.
• Types of Access Control– Discretionary (DAC)– Mandatory (MAC)– Originator Based (ORBAC)
• Trust underlies everything.
CSC 382: Computer Security Slide #32
References1. Anderson, Ross, Security Engineering, Wiley, 2001.2. David E. Bell and Leonard J. LaPadula, Secure Computer
System: Unified Exposition and MULTICS Interpretation, MTR-2997 Rev. 1, The MITRE Corporation, Bedford, MA 01730 (Mar. 1976) http://csrc.nist.gov/publications/history/bell76.pdf
3. Bishop, Matt, Introduction to Computer Security, Addison-Wesley, 2005.
4. Department of Defense, Trusted Computer System Evaluation Criteria, DoD 5200.28-STD (“Orange Book”), National Computer Security Center, Ft. Meade, MD 20755 (Dec. 1985) http://csrc.nist.gov/publications/history/dod85.pdf
5. Peter Loscocco and Stephen Smalley, “Integrating Flexible Support for Security Policies into the Linux Operating System,” Proceedings of the FREENIX Track of the 2001 USENIX Annual Technical Conference, 2001.