Post on 27-Dec-2015
ACL: Default Permission and Abbreviations
Subject not in ACL has no rights over the file
If many subjects have similar rights, may use groups or wildcards in ACL to ‘merge’ identical columns
Example: UNICOS entries are (user, group, rights); if user is in group, has rights over file
  (holly, bant, r)
  ‘*’ is wildcard for user, group
  (holly, *, r): holly can read file regardless of her group
  (*, fleep, w): anyone in group fleep can write file
ACL: Default Permission and Abbreviations
Example: UNIX has three classes of users: owner, group, all others
ACL Abbreviations
Augment abbreviated lists with ACLs
Intent is to shorten ACL without losing the granularity
Example: IBM AIX; ACL overrides base permission; denial takes precedence
Permissions in IBM AIX
attributes:
base (traditional UNIX) permissions
  owner(bishop): rw-
  group(sys): r--
  others: ---
extended permissions enabled
  specify rw- u:holly [override]
  permit -w- u:heidi, g=sys [add]
  permit rw- u:matt
  deny -w- u:holly, g=faculty [remove right]
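An added Python example (not from the slides) that evaluates the AIX ACL above. The semantics it assumes are that specify overrides the base permissions, permit adds rights, deny removes them and is applied last, and an entry applies only when all of its u:/g: conditions hold:

```python
# Added example (not from the slides): evaluating an IBM AIX-style ACL where
# extended entries modify the base UNIX permissions and denial takes precedence.
# Assumed semantics: "specify" overrides the base permissions, "permit" adds
# rights, "deny" removes them, and an entry applies only if all its conditions hold.

def parse(mode):
    """Turn a mode string such as 'rw-' into the set {'r', 'w'}."""
    return {r for r, m in zip("rwx", mode) if m != "-"}

def applies(entry, user, groups):
    """entry = (kind, mode, conditions) with conditions like {'u': 'holly', 'g': 'faculty'}."""
    conds = entry[2]
    return conds.get("u", user) == user and conds.get("g") in (None, *groups)

def effective_rights(base, entries, user, groups):
    """base = {'owner': (name, mode), 'group': (name, mode), 'others': mode}.
    Returns the set of rights `user`, a member of `groups`, holds on the file."""
    owner, owner_mode = base["owner"]
    grp, grp_mode = base["group"]
    if user == owner:
        rights = parse(owner_mode)
    elif grp in groups:
        rights = parse(grp_mode)
    else:
        rights = parse(base["others"])
    applicable = [e for e in entries if applies(e, user, groups)]
    # Overrides first, additions next, denials last: a matching deny always wins.
    for kind, mode, _ in applicable:
        if kind == "specify":
            rights = parse(mode)
    for kind, mode, _ in applicable:
        if kind == "permit":
            rights |= parse(mode)
    for kind, mode, _ in applicable:
        if kind == "deny":
            rights -= parse(mode)
    return rights

# The slide's ACL, transcribed as constructed sample data.
BASE = {"owner": ("bishop", "rw-"), "group": ("sys", "r--"), "others": "---"}
ACL = [
    ("specify", "rw-", {"u": "holly"}),               # [override]
    ("permit", "-w-", {"u": "heidi", "g": "sys"}),    # [add]
    ("permit", "rw-", {"u": "matt"}),
    ("deny", "-w-", {"u": "holly", "g": "faculty"}),  # [remove right]
]
```

With these entries holly reads but cannot write while in group faculty, and keeps rw- in any other group.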
ACL Modification and Privileged Users
Who can modify ACL? Creator is given owner rights that allow this
System R provides a grant modifier (like a copy flag) allowing a right to be transferred, so ownership not needed
Do ACLs apply to privileged users (root)? In Solaris, abbreviations at root are ignored, but full-blown ACL entries still apply
Revocation Problems
How do you remove subject’s rights to a file?
Owner deletes rights from subject’s entry in ACL, or removes subject’s entry if there are no rights left
What if owner was not the provider? Depends on system
System R restores protection state to what it was before right was given
More complicated than it seems to be: suppose Alice gives Bob a right and Bob then gives it to Mallory, and now Alice revokes Bob’s right? Or suppose Charlie has also given Mallory his right?
Windows NT ACLs
Sets of rights
Basic: read, write, execute, delete, change permission, take ownership
Generic: no access, read (read/execute), change (read/write/execute/delete), full control (all), special access (assign any basic rights)
Directory: no access, read (read/execute files in directory), list, add, add and read, change (create, add, read, execute, write files; delete subdirectories), full control, special access
Windows NT ACLs (cont.)
User not in file’s ACL nor in any group named in file’s ACL: deny access
ACL entry denies user access: deny access
Take union of rights of all ACL entries giving user access: user has this set of rights over file
Semantics of Capability
Like a bus ticket: mere possession indicates rights that subject has over object
Object identified by capability (as part of the token); name may be a reference, location, or something else
The key challenge is to prevent process/user from altering capabilities; otherwise a subject can augment its capabilities at will
Implementation of Capability
Tagged architecture: bits protect individual words
Paging/segmentation protections: like tags, but put capabilities in a read-only segment or page
Cryptography: associate with each capability a cryptographic checksum enciphered using a key known to OS; when process presents capability, OS validates checksum
Revocation of Rights
Scan all C-lists, remove relevant capabilities: far too expensive! (return your tickets?)
Use indirection: each object has entry in a global object table; names in capabilities name the entry, not the object
To revoke, zap the entry in the table
Can have multiple entries for a single object to allow control of different sets of rights and/or groups of users for each object
Example: Amoeba: owner requests server change random number in server table; all capabilities for that object now invalid (re-issue tickets and invalidate old tickets)
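The cryptographic-checksum and indirection ideas from the last two slides combined, as an added Python example (not from the slides and not Amoeba's own code): each capability names a table entry and carries an HMAC over (entry, rights, check number) under a key only the OS holds, and revocation is replacing the entry's random check number. The class and method names are this example's own.

```python
# Added example (not from the slides or from Amoeba): capabilities carry a keyed
# checksum that only the OS can compute, and name a global object table entry
# rather than the object, so revocation is one table update (a new random check
# number, Amoeba-style). The token layout and the names below are assumptions.
import hashlib, hmac, secrets

class CapabilitySystem:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # checksum key, known only to the OS
        self._table = {}                      # entry id -> (object, check number)

    def register(self, obj):
        """Add an object to the global table; capabilities will name the entry."""
        entry = len(self._table)
        self._table[entry] = (obj, secrets.token_bytes(16))
        return entry

    def _tag(self, entry, rights, check):
        msg = b"%d|%s|%s" % (entry, ",".join(sorted(rights)).encode(), check)
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, entry, rights):
        """Mint a ticket (entry, rights, tag) bound to the entry's current check number."""
        _, check = self._table[entry]
        return (entry, frozenset(rights), self._tag(entry, rights, check))

    def validate(self, cap, right):
        """True only if the tag matches the live table entry and the ticket has `right`."""
        entry, rights, tag = cap
        row = self._table.get(entry)
        if row is None:
            return False                      # entry zapped or never existed
        if not hmac.compare_digest(tag, self._tag(entry, rights, row[1])):
            return False                      # rights altered, or stale check number
        return right in rights

    def revoke(self, entry):
        # New check number: every outstanding ticket for this entry now fails.
        obj, _ = self._table[entry]
        self._table[entry] = (obj, secrets.token_bytes(16))

def demo():
    os_ = CapabilitySystem()
    e = os_.register("payroll.db")            # constructed sample object
    cap = os_.issue(e, {"read"})
    forged = (cap[0], frozenset({"read", "write"}), cap[2])   # rights altered in the token
    before, tampered = os_.validate(cap, "read"), os_.validate(forged, "write")
    os_.revoke(e)
    after = os_.validate(cap, "read")
    renewed = os_.validate(os_.issue(e, {"read"}), "read")  # re-issued ticket works again
    return before, tampered, after, renewed
```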
ACLs vs. Capabilities
They are equivalent:
1. Given a subject, what objects can it access, and how?
2. Given an object, what subjects can access it, and how?
ACLs answer the second easily; C-Lists answer the first easily
The second question in the past was most used; thus ACL-based systems are more common
But today some operations need to answer the first question (e.g., in incident response)
Locks and Keys
Associate lock with object and key with subject
Key controls what the subject can access and how
Subject presents key; if it corresponds to any of the locks on the object, access is granted
This is flexible: can change either locks or keys
(Diagram comparing ACL, C-List and Locks/Keys)
Cryptographic Implementation
Enciphering key is lock; deciphering key is key
Encipher object o; store Ek(o)
Use subject’s key k to compute Dk(Ek(o))
Any of n can access o: store o′ = (E1(o), …, En(o))
Requires consent of all n to access o: store o′ = (E1(E2(…(En(o))…)))
Requirements & Concepts
Some basic requirements of access control:
  Avoid disclosing sensitive data to unauthorized users (confidentiality)
  Provide sensitive information to authorized users (availability)
  Reliable and dependable (integrity preserving)
  Scalable and expandable (long life)
Some key concepts in access control systems:
  Separation of duties
  Least privilege
  Need-to-know
  Need-to-share (a contemporary buzz-phrase)
  Handle with care
What to protect? Information classification
Based on risk of content released to mal-actors
Example: the US government classification: Unclassified, Confidential, Secret, Top Secret
Kinds of Access Control
Preventive: avoid unwanted actions/events by blocking the ability to do them
Detective: identify unwanted actions or events after they occur
Corrective: remedy circumstances that enabled the unwanted activity; return to state prior to it
Directive: dictated by higher authority: laws, regulations, or organization policy
Deterrent: prescribe punishment for noncompliance
Recovery: restore lost computing resources or capabilities
Compensating: reinforce or replace controls that are unavailable
3 Types of Access Control
Administrative: separation of duties, dual control, etc.
Physical: fences, alarms, badges, CCTV, etc.
Technical: antivirus, anti-spam, logs, etc.
Further examples in the ISC2 book show how controls map to access control types.
Steps in Accessing Systems
Authentication
  Use a unique identifier: user ID, account number, PIN
  3 main data used for authentication:
    Something the requester knows: passwords, pass-phrases
    Something the requester is: biometrics, physical characteristics
    Something the requester has: tokens (one-time passwords, time-synchronized token), smart cards, USB tokens
Authorization
Accounting
Using Tokens & Smartcards for Authentication
Asynchronous token: challenge/response
Synchronous: time- or event-based one-time password or hashed values; authentication server knows value from the token
Smart cards: contact or contactless
Using Biometrics for Authentication
Have false (rejection, acceptance) rates; crossover = they are equal; both tunable to need
Some static biometrics: fingerprint or palm print, hand geometry, retina
Some dynamic biometrics: face/gesture recognition, keystrokes, voice pattern
Identity Management
What is identity management? Set of technologies to manage user identity information.
When is it needed? For manual service provisioning; to manage sophisticated and complex environments; to comply with regulations
What are the major challenges? Reliability of user profiles; consistency of user profiles across different systems/devices; scalability by supporting data volumes and peaks
More details in the ISC2 book
Identity Management: benefits and technologies
Benefits: increase productivity; reduce head-count
Technologies: in systems that support identity management and manage data consistently and efficiently across systems within an organization
  Directories
  Web access management
  Password management
  Legacy single sign-ons
Single Sign-on
How they work: one user ID and password for multiple application servers through an authentication server
Benefits: efficient log-on process; users may create stronger passwords; no need for many passwords
Major drawback: a compromised password allows intruder into all resources of owner of that account
Single Sign-on: Kerberos
(Diagram: 1. Authenticate me / Give me a ticket; 3. Authorize me / Use the ticket for s)
Single Sign-on: Kerberos and SESAME
Kerberos Key Distribution Center serves two functions: Authentication Server (AS) and Ticket Granting Server (TGS)
Kerberos issues:
  Security depends on careful implementation and maintenance
  Lifetime for authentication credentials should be as short as feasible, using time stamps to minimize the threat of replayed credentials
  The KDC must be physically secured; it could be a single point of failure, so redundancy is recommended
  The KDC should be hardened and not allow any non-Kerberos activity
SESAME stands for Secure European System for Applications in a Multi-vendor Environment
  Developed to address some of the Kerberos weaknesses
  Supports SSO
  Improves key management by using both symmetric and asymmetric keys
Directory Service and Security Domains
Directory services: applications that provide a hierarchical means to organize and manage information about network users and resources, and to retrieve the information by name association
Security domains: set of objects that a subject in an information system is allowed to access; hierarchical domain relationship; equivalence classes of subjects
Access Control & Assurance
Mechanisms to assure that access control mechanisms are in place and in good standing:
  Audit trail analysis and monitoring: a record of system activities
  Assessment tools
Audit tools cover a wide spectrum of cost, complexity, etc. and must be tailored to the goals of the audit
Access control matrix
(Figure: matrix with subjects s1 … sn as rows and objects o1 … om, s1 … sn as columns)
Subjects S = { s1, …, sn }
Objects O = { o1, …, om }
Rights R = { r1, …, rk }
Entries A[si, oj] ⊆ R
A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
Describes protection state precisely
Matrix describing rights of subjects
State transitions change elements of matrix
ACM at 3AM and 10AM
At 3AM, time condition met; ACM is: (figure: matrix with a row for Alice and a column for paint)
At 10AM, time condition not met; ACM is: (figure: matrix with a row for Alice)
AC by History and Inference
Database:
name     position   age  salary
Alice    teacher    45   $40,000
Bob      aide       20   $20,000
Cathy    principal  37   $60,000
Dilbert  teacher    50   $50,000
Eve      teacher    33   $50,000
Queries:
1. sum(salary, “position = teacher”) = 140,000
2. sum(salary, “age > 40 & position = teacher”) should not be answered (can deduce Eve’s salary)
ACM of Database Queries
Oi = { objects referenced in query i }
f(oi) = permission set of query i
f(oi) = { read } for oj ∈ Oi, if |∩j=1,…,i Oj| < 2
f(oi) = ∅ for oj ∈ Oi, otherwise
1. O1 = { Alice, Dilbert, Eve } and no previous query set, so:
  A[asker, Alice] = f(Alice) = { read }
  A[asker, Dilbert] = f(Dilbert) = { read }
  A[asker, Eve] = f(Eve) = { read }
  and the query can be answered
But Query 2
f(oi) = { read } for oj ∈ Oi, if |∩j=1,…,i Oj| < 2
f(oi) = ∅ for oj ∈ Oi, otherwise
2. O2 = { Alice, Dilbert } but |O2 ∩ O1| = 2, so
  A[asker, Alice] = f(Alice) = ∅
  A[asker, Dilbert] = f(Dilbert) = ∅
  and the query cannot be answered
State Transitions
Change the protection state of system
Xi is a state of the ACM at time i; |– represents transition
Xi |– Xi+1: command moves system from state Xi to Xi+1
Xi |–* Xi+1: a sequence of commands moves system from state Xi to Xi+1
Commands often called transformation procedures, because they transform the state of the access control matrix
Primitive Operations
create subject s: creates new row, column in ACM
create object o: creates new column in ACM
destroy subject s: deletes row, column from ACM
destroy object o: deletes column from ACM
enter r into A[s, o]: adds r rights for subject s over object o
delete r from A[s, o]: removes r rights from subject s over object o
Access control requests
Transforms state of the ACM
Access control request can be precisely defined using pre-conditions and post-conditions
Use notation (from Z): pre-state without primes, post-state with primes
Example: pre-state A[alice, file1] is the permission set of Alice to file1 before a request, and A′[alice, file1] is the post-state
Create Subject: pre and post conditions
Pre-condition: s ∉ S
Primitive command: create subject s
Post-conditions:
  S′ = S ∪ { s }, O′ = O ∪ { s }
  (∀y ∈ O′)[a′[s, y] = ∅]
  (∀x ∈ S′)[a′[x, s] = ∅]
  (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]
Create Object
Precondition: o ∉ O
Primitive command: create object o
Post-conditions:
  S′ = S, O′ = O ∪ { o }
  (∀x ∈ S′)[a′[x, o] = ∅]
  (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]
Add Right
Precondition: s ∈ S, o ∈ O
Primitive command: enter r into a[s, o]
Post-conditions:
  S′ = S, O′ = O
  a′[s, o] = a[s, o] ∪ { r }
  (∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
  (∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]
Delete Right
Precondition: s ∈ S, o ∈ O
Primitive command: delete r from a[s, o]
Postconditions:
  S′ = S, O′ = O
  a′[s, o] = a[s, o] – { r }
  (∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
  (∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]
Destroy Subject
Precondition: s ∈ S
Primitive command: destroy subject s
Postconditions:
  S′ = S – { s }, O′ = O – { s }
  (∀y ∈ O′)[a′[s, y] = ∅], (∀x ∈ S′)[a′[x, s] = ∅]
  (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]
Destroy Object
Precondition: o ∈ O
Primitive command: destroy object o
Postconditions:
  S′ = S, O′ = O – { o }
  (∀x ∈ S′)[a′[x, o] = ∅]
  (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]
Creating File
Process p creates file f with r and w permission
command create•file(p, f)
  create object f;
  enter own into A[p, f];
  enter r into A[p, f];
  enter w into A[p, f];
end
Mono-Operational Commands
Make process p the owner of file g
command make•owner(p, g)
  enter own into A[p, g];
end
Mono-operational command: single primitive operation in this command
Conditional Commands
Let p give q r rights over f, if p owns f
command grant•read•file•1(p, f, q)
  if own in A[p, f]
  then
    enter r into A[q, f];
end
Mono-conditional command: single condition in this command
Multiple Conditions
Let p give q r and w rights over f, if p owns f and p has c rights over q
command grant•read•file•2(p, f, q)
  if own in A[p, f] and c in A[p, q]
  then
    enter r into A[q, f];
    enter w into A[q, f];
end
Copy Right
Allows possessor to give rights to another
Often attached to a right, so only applies to that right: r is read right that cannot be copied; rc is read right that can be copied
Is copy flag copied when giving r rights? Depends on the model and its instantiation
Own Right
Usually allows possessor to change entries in ACM column: owner of an object can add, delete rights for others
May depend on what system allows: can’t give rights to specific (set of) users; can’t pass copy flag to specific (set of) users
Attenuation of Privilege
You cannot give rights you do not possess; restricts addition of rights within a system
Usually ignored for owner. Why? Owner gives him/herself rights, gives them to others, deletes rights.
Main Points
ACM simple mechanism for representing protection states
Transitions alter protection state
Six primitive operations can alter the matrix
Transitions can be expressed as commands composed of these operations and, possibly, conditions