e gov security_tut_session_11


Upload: mustafa-jarrar

Post on 19-Jun-2015


Page 1: E gov security_tut_session_11

PalGov © 2011

The Palestinian eGovernment Academy

www.egovacademy.ps

Security Tutorial

Sessions 11

About

This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps

Project Consortium:

University of Trento, Italy
University of Namur, Belgium
Vrije Universiteit Brussel, Belgium
TrueTrust, UK
Birzeit University, Palestine (Coordinator)
Palestine Polytechnic University, Palestine
Palestine Technical University, Palestine
Université de Savoie, France
Ministry of Local Government, Palestine
Ministry of Telecom and IT, Palestine
Ministry of Interior, Palestine

Coordinator:

Dr. Mustafa Jarrar
Birzeit University, P.O.Box 14- Birzeit, Palestine
Telfax: +972 2 2982935, [email protected]

© Copyright Notes

Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website), and the author of that part.

No part of this tutorial may be reproduced or modified in any form or by any means, without prior written permission from the project, who have the full copyrights on the material.

Attribution-NonCommercial-ShareAlike (CC-BY-NC-SA)

This license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.

Tutorial 5: Information Security

Session 11: Access Control

Session 11 Outline:

• Access Control
• Overview of Database Security

Tutorial 5: Session 11: Access Control

This session will contribute to the following ILOs:

• A: Knowledge and Understanding
  – a2: Defines security standards and policies.
• B: Intellectual Skills
  – b3: Design end-to-end secure and available systems.
• D: General and Transferable Skills
  – d2: Systems configurations.
  – d3: Analysis and identification skills.

Access Control

• "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner" [1]
• Central element of computer security
• Systems have users and groups, which
  – authenticate to the system
  – are assigned access rights to certain resources on the system
  – are logged and audited. Logging and auditing are very important (why? Access control only decides what is allowed; the audit trail is what lets you detect misuse of legitimately granted rights, reconstruct an incident and hold subjects accountable for their actions.)

1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.


Access Control Principles

Different Access Control Policies

• Discretionary access control (DAC):
  – access is decided from the identity of the requestor and access rules stating what requestors are allowed to do; an entity that holds access rights to a resource may, of its own volition, pass those rights on and permit another entity to access the resource.
• Mandatory access control (MAC):
  – access is decided by comparing security labels (how sensitive a resource is) with security clearances (which labels a subject is eligible to access); an entity that has access to a resource may not, by its own volition, enable another entity to access that resource.
• Role-based access control (RBAC):
  – access is based on the roles users hold in the system and on rules stating what access is allowed to users in given roles.
  – ARBAC: Administrative RBAC, using roles to manage the assignment of roles themselves (see the ARBAC97 model for role-based administration of roles for more details).
• Attribute-based access control (ABAC):
  – a generalisation of RBAC in which decisions may use any attributes of the subject, object or environment, not only roles.

Access Control Requirements

• Reliable input: the mechanism must be sure of the requester's identity and of the integrity of the request (authentication plus validation of the input it acts on)
• Support for fine-grained specifications (e.g. individual records or fields) as well as coarse-grained ones (e.g. whole tables or directories)
• Least privilege: each subject is granted only the rights it needs for its task, and nothing more
• Separation of duty between different entities, so that no single subject can complete a sensitive operation on its own
• Open and closed policies: default permit vs. default deny (closed policies are the norm for security-relevant resources)
• Administrative policies: who may define and change the access rules themselves

Access Control Elements

• A subject is an entity capable of accessing objects
  – typically a process acting on behalf of a user or application
  – e.g. the subject classes owner, group and world (others) in UNIX/Linux systems
• An object is an access-controlled resource
  – e.g. files, directories, records, programs, etc.
  – the number and type of objects depend on the environment
• An access right describes the way in which a subject may access an object
  – e.g. read, write, execute, delete, create, search, etc.

Discretionary Access Control

• Uses an access matrix
  – Rows: one per subject
  – Columns: one per object
  – The content of each cell specifies the access rights (actions) of that subject on that object
• In practice the matrix is sparse, so it is stored by column (an access control list, ACL, attached to each object) or by row (a capability list or capability tickets held by each subject)
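As an added example (not part of the original tutorial), the following Python implements the access matrix just described as a small DAC reference monitor: rights are granted into cells, a subject that owns an object may delegate a right to another subject of its own volition (the defining DAC property), and the same matrix is read back as per-object ACLs (columns) and per-subject capability lists (rows). Subjects, objects and rights are constructed sample data.

```python
# Added example (not from the tutorial): a discretionary access control (DAC)
# reference monitor built on the access matrix. Subjects, objects and rights
# below are constructed sample data.

RIGHTS = {"read", "write", "execute", "own"}


class AccessMatrix:
    """Rows are subjects, columns are objects, cells are sets of rights."""

    def __init__(self):
        self.cells = {}  # {subject: {object: set(rights)}}

    def grant(self, subject, obj, right):
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        self.cells.setdefault(subject, {}).setdefault(obj, set()).add(right)

    def revoke(self, subject, obj, right):
        self.cells.get(subject, {}).get(obj, set()).discard(right)

    def check(self, subject, obj, right):
        """The actual access decision: is the right present in the cell?"""
        return right in self.cells.get(subject, {}).get(obj, set())

    def delegate(self, grantor, grantee, obj, right):
        """DAC: only a subject holding 'own' on the object may, of its own
        volition, pass a right on to another subject. Anyone else is refused,
        so a mere reader cannot re-share what was shared with them."""
        if not self.check(grantor, obj, "own"):
            raise PermissionError(f"{grantor} does not own {obj}")
        self.grant(grantee, obj, right)

    def acl(self, obj):
        """Column view: the access control list stored with one object."""
        return {s: set(rs[obj]) for s, rs in self.cells.items() if rs.get(obj)}

    def capabilities(self, subject):
        """Row view: the capability list (tickets) held by one subject."""
        return {o: set(r) for o, r in self.cells.get(subject, {}).items() if r}


def build_demo():
    """Constructed scenario: alice owns payroll.db and shares read with bob."""
    m = AccessMatrix()
    for right in ("own", "read", "write"):
        m.grant("alice", "payroll.db", right)
    m.grant("bob", "report.pdf", "read")
    m.delegate("alice", "bob", "payroll.db", "read")  # discretionary sharing
    return m


if __name__ == "__main__":
    m = build_demo()
    print("ACL of payroll.db:", m.acl("payroll.db"))
    print("bob's capabilities:", m.capabilities("bob"))
```

The ACL and capability views are equivalent encodings of the same matrix; which one a system stores decides whether revocation is cheap (ACL: edit one object's list) or enumeration of a subject's rights is cheap (capabilities).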

Access Control Model

[Figure: Access Control Model, from [1]]

1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.


Different Functions of Access Control

Domains of Protection

• Each object can be associated with the set of access rights (actions) permitted on it
• In the access matrix view:
  – each row defines a protection domain: a set of objects together with the access rights to those objects
  – a domain is not necessarily a user; it may be a limited subset of a user's rights
  – such a reduced domain can be applied to a more restricted process, so that e.g. a service started by a user can reach only the files it needs rather than everything that user can reach

Example: UNIX Files

• UNIX files are administered using inodes
  – an inode is the control structure holding the key information on a file (owner, permission bits, size, location of data blocks)
  – the same inode may have several names (hard links)
  – an inode table / list covers all files on a disk
• Directories form a hierarchical tree
  – a directory may contain files or other directories
  – a directory is itself a file containing names and inode numbers

UNIX File Access Control (chmod command)

• chmod 742 file
• Resulting permission bits:

  rwx  r--  -w-
   U    G    O

  – r: read
  – w: write
  – x: execute
  – each octal digit encodes the three bits of one class: user/owner (7 = rwx), group (4 = r--), others (2 = -w-)

UNIX File Access Control: SetUID, SetGID and Sticky Bits

• Set-user-ID (SUID) and set-group-ID (SGID) bits
  – when set on an executable, the new process runs with the effective user (group) ID of the file's owner (group) instead of the user who ran it
  – this is how unprivileged users run privileged programs (e.g. passwd); a vulnerable SUID-root program is a classic path to privilege escalation
• UNIX super-user (root, UID 0)
  – the file permission checks do not apply to root
• Directory sticky bit
  – on a directory, only a file's owner (or the directory's owner, or root) may rename, move or delete that file, even when the directory itself is world-writable (e.g. /tmp)

UNIX Access Control Lists

• Modern UNIX systems support Access Control Lists (POSIX ACLs) in addition to the traditional owner/group/other bits
• An ACL can name any number of additional users and groups, each with its own permissions
• The group permission bits double as the ACL mask: the effective rights of every named user and group entry are capped by the mask, so a plain chmod g-w also silently removes write access from the named entries
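The following Python is an added example (not from the tutorial) that implements the decision logic of the last three slides: decoding an octal mode as ls -l shows it, the one-class-applies rule behind chmod (owner bits are used for the owner even when the group bits are more generous), the root bypass, SUID/SGID effective identities, the sticky-bit restriction on deleting from a shared directory, and a simplified POSIX ACL evaluation in which the mode's group bits act as the mask. All users, groups, modes and ACLs are constructed values; nothing touches the real file system.

```python
# Added example (not from the tutorial): UNIX permission algorithm for the
# chmod bits, SUID/SGID, super-user and sticky-bit rules, and the POSIX ACL
# mask. Users, groups, modes and ACLs are constructed sample values.
import stat

R, W, X = 4, 2, 1  # permission bits within one class (rwx)


def decode(mode):
    """Render permission bits the way ls -l does: 0o742 -> '-rwxr---w-'."""
    return stat.filemode(stat.S_IFREG | mode)


def class_bits(mode, uid, gids, f_uid, f_gid):
    """Exactly one class applies: owner, else group, else other. A more
    permissive group or other class never helps the owner."""
    if uid == f_uid:
        return (mode >> 6) & 7
    if f_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def allowed(mode, uid, gids, f_uid, f_gid, want):
    """want is an OR of R, W, X. Root (uid 0) bypasses read/write checks
    but may execute only if at least one x bit is set."""
    if uid == 0:
        return not (want & X) or bool(mode & 0o111)
    return class_bits(mode, uid, gids, f_uid, f_gid) & want == want


def effective_ids(mode, f_uid, f_gid, uid, gid):
    """SUID/SGID on an executable: the new process runs with the file
    owner's / group's identity instead of the caller's."""
    euid = f_uid if mode & stat.S_ISUID else uid
    egid = f_gid if mode & stat.S_ISGID else gid
    return euid, egid


def can_unlink(dir_mode, dir_uid, dir_gid, f_uid, uid, gids):
    """Deleting a file needs write+search on its directory; with the sticky
    bit set, only the file owner, the directory owner or root may delete."""
    if not allowed(dir_mode, uid, gids, dir_uid, dir_gid, W | X):
        return False
    if dir_mode & stat.S_ISVTX and uid not in (0, f_uid, dir_uid):
        return False
    return True


def acl_bits(mode, acl, uid, gids, f_uid, f_gid):
    """Simplified POSIX ACL evaluation. acl = {"user": {uid: bits},
    "group": {gid: bits}}. The mode's group bits are the ACL MASK: every
    named-user and group entry is ANDed with it, so a generous entry is
    silently capped (the owning-group entry is taken as equal to the mask)."""
    mask = (mode >> 3) & 7
    if uid == f_uid:
        return (mode >> 6) & 7
    if uid in acl.get("user", {}):
        return acl["user"][uid] & mask
    grp, matched = 0, False
    if f_gid in gids:
        grp, matched = grp | mask, True
    for g, bits in acl.get("group", {}).items():
        if g in gids:
            grp, matched = grp | (bits & mask), True
    return grp if matched else mode & 7


if __name__ == "__main__":
    print(decode(0o742))                                   # -rwxr---w-
    print(acl_bits(0o750, {"user": {1001: 7}}, 1001, {1001}, 1000, 100))
```

Two results worth noticing when you run it: with mode 742 the "others" class can write the file but not read it, and a named ACL user granted rwx ends up with only r-x when the group class (the mask) is r-x.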

Mandatory Access Control (MAC)

• Based on comparing security labels
  – the label of a resource reflects its sensitivity (classification)
  – the label of a subject is its security clearance
• A subject cleared for a resource may not, by its own choice, enable other entities to use or even reach that resource; only the system-wide rules decide
  – the classic motivation is military and intelligence data
  – also used for sensitive financial data

MAC Features and Attributes

• Appropriate for highly secure systems, e.g. e-government applications handling critical data
• MAC attributes:
  – security labels can be changed only by administrators, not by data owners
  – objects are assigned a security level that reflects their relative sensitivity, confidentiality and protection value
  – users can read objects at a classification lower than (or equal to) the one they are cleared for, but not higher (no read up)

MAC Features and Attributes (cont.)

• Users can write to objects at a classification higher than (or equal to) their own, but not lower (no write down), so sensitive data cannot leak to a less sensitive level
• Consequently users have both read and write access only to objects of their own classification
• Some systems additionally authorize or restrict access to objects based on further parameters, such as:
  – time of day, combined with the labeling on the resource and the user's credentials
  – security characteristics of the HTTP client (originating IP address or domain, etc.)

MS Windows Vista Example (MAC)

• Called Mandatory Integrity Control (MIC) in Windows Vista
• An integrity model: it protects integrity by controlling writes and deletions (it is not a confidentiality model)
• Label on subjects: when a user logs on, Windows Vista assigns an integrity SID to the user's access token. The integrity label carried in that SID determines the level of access the token (and thus the user) can achieve.

MS Windows Vista Example (MAC) (cont.)

• Label on objects: objects (files, pipes, processes, threads, registry keys, services, etc.) are also assigned an integrity SID, stored in the system access control list (SACL) of the object's security descriptor. The label in the SID specifies the integrity level of the object.
• Access control policy: to write to or delete an object, the integrity level of the subject must be equal to or greater than the object's level (by default reads are not restricted)
• Vista checks the MAC (integrity) rule first; only if it passes does it evaluate the DAC (the object's discretionary access control list)
• MAC provides a layer of access control in addition to DAC; it does not replace DAC

Windows Vista Integrity Levels

• Windows Vista defines six integrity levels (IL), from lowest to highest:
  – Untrusted: anonymous logons
  – Low: everyone (i.e. world), e.g. Protected Mode Internet Explorer
  – Medium: standard, authenticated users (the default)
  – High: elevated (administrator) users
  – System: system services (LocalSystem, LocalService, NetworkService)
  – Trusted Installer
• Usually child processes inherit the integrity level of their parents, unless the executable program running in the child process carries a lower integrity label, in which case the child runs at that lower level. For example, executables downloaded from the Internet are labeled Low when saved and therefore run at Low integrity.
• Default levels: objects that lack an integrity label are treated as Medium by the operating system. This prevents Low-integrity code from modifying unlabeled objects.
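The Python below is an added example (not from the tutorial or from Windows itself) that puts the rules of the MAC slides and of the Windows Vista MIC slides into one small reference monitor: confidentiality labels with levels and need-to-know compartments enforce read down / write up; integrity levels enforce that writes and deletes need a subject level at or above the object's, with unlabeled objects treated as Medium and a child process taking the lower of its parent's and its executable's level; and, as the Vista slides describe, the mandatory checks run first and the discretionary ACL is consulted only if they pass. Classification names, users, objects and ACL contents are constructed sample data.

```python
# Added example (not from the tutorial): reference monitor combining
# Bell-LaPadula style confidentiality rules (read down / write up), Windows
# style Mandatory Integrity Control (no write/delete up in integrity) and a
# DAC check that runs only after MAC passes. All data below is constructed.
from dataclasses import dataclass, field
from typing import Optional

CLASS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}
IL = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3,
      "System": 4, "TrustedInstaller": 5}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know categories

    def dominates(self, other):
        """Lattice order: level >= AND compartments are a superset."""
        return (CLASS[self.level] >= CLASS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label
    integrity: str = "Medium"


@dataclass
class Object:
    name: str
    label: Label
    integrity: Optional[str] = None          # None = unlabeled object
    acl: dict = field(default_factory=dict)  # DAC: {subject name: {rights}}


def blp_permits(s, o, op):
    """Simple security property: read only at/below clearance (no read up).
    *-property: write (or delete) only at/above clearance (no write down)."""
    if op == "read":
        return s.clearance.dominates(o.label)
    return o.label.dominates(s.clearance)


def mic_permits(s, o, op):
    """MIC restricts writes and deletes only; reads pass under the default
    policy. Unlabeled objects count as Medium."""
    if op == "read":
        return True
    return IL[s.integrity] >= IL[o.integrity or "Medium"]


def child_integrity(parent_il, exe_il):
    """A child process runs at the lower of the parent's level and the
    executable's label (so a Low-labeled download runs Low)."""
    return parent_il if IL[parent_il] <= IL[exe_il] else exe_il


def authorize(s, o, op):
    """Mandatory checks first; the discretionary ACL only if they pass."""
    if not blp_permits(s, o, op):
        return False, "MAC: confidentiality label"
    if not mic_permits(s, o, op):
        return False, "MAC: integrity level"
    if op not in o.acl.get(s.name, set()):
        return False, "DAC: not in ACL"
    return True, "allowed"


def demo():
    """Constructed subjects/objects exercising each rule."""
    ana = Subject("ana", Label("CONFIDENTIAL"))
    browser = Subject("browser", Label("RESTRICTED"), "Low")
    carol = Subject("carol", Label("SECRET", frozenset({"FINANCE"})), "High")
    budget = Object("budget.xlsx", Label("SECRET", frozenset({"FINANCE"})),
                    "Medium", {"ana": {"read", "write"}})
    memo = Object("memo.txt", Label("RESTRICTED"), None,
                  {"ana": {"read", "write"}, "browser": {"read", "write"}})
    return {
        "ana reads SECRET budget": authorize(ana, budget, "read"),
        "ana writes up to budget": authorize(ana, budget, "write"),
        "ana writes down to memo": authorize(ana, memo, "write"),
        "Low browser writes unlabeled memo": authorize(browser, memo, "write"),
        "Low browser reads memo": authorize(browser, memo, "read"),
        "cleared carol, not in ACL": authorize(carol, budget, "read"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Note the last case: carol's clearance and integrity both satisfy the mandatory rules, yet she is refused because the DAC list does not name her, which is the "MAC does not replace DAC" point of the slide.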


Role-Based Access Control

Role-Based Access Control

[Figure: two matrices. Top: user-to-role assignment, users U1 … Un against roles R1 … Rn, with an X where a user holds a role (some users hold several roles). Bottom: role-to-object access matrix, roles R1 … Rn against objects F1, F2, D1, D2, P1 …, with cell entries such as read, owner, control, write, stop, seek.]


Role-Based Access Control


NIST RBAC Model

Case Study: RBAC for your Organization

ABAC

• A more general model than RBAC: permissions are conditioned on predicates over any attributes of the subject, object or environment, not just a user's role, e.g.
  – If Age > 18 then grant access to the ID website
  – If Level of Assurance ≥ 2 then grant read access to the database
  – If Level of Assurance ≥ 3 then grant update access to the database
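As an added example (not from the tutorial), the Python below places the two models side by side: an RBAC engine with users, roles, a role hierarchy (as in the NIST model referenced on the earlier slide) and role permissions, and an ABAC engine that evaluates exactly the three attribute rules listed above as predicates, plus one rule showing that a role is just another attribute an ABAC policy may test. Role names, users, objects and the attribute names `age`, `loa` (level of assurance) and `roles` are constructed for the example.

```python
# Added example (not from the tutorial): RBAC with a role hierarchy next to
# ABAC predicates for the three rules on the slide. Users, roles, objects and
# attribute names (age, loa, roles) are constructed sample data.

ROLE_PERMS = {
    "citizen": {("id_website", "access")},
    "clerk":   {("db", "read")},
    "officer": {("db", "update")},
}
# Role hierarchy: a senior role inherits the permissions of its juniors.
ROLE_PARENTS = {"officer": {"clerk"}, "clerk": {"citizen"}}

USER_ROLES = {"u1": {"citizen"}, "u2": {"clerk"}, "u3": {"officer"}}


def expand_roles(roles):
    """Transitive closure over the hierarchy (iterative, cycle-safe)."""
    seen, todo = set(), list(roles)
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(ROLE_PARENTS.get(r, ()))
    return seen


def rbac_permits(user, obj, action):
    """RBAC decision: user -> roles (expanded) -> permissions."""
    roles = expand_roles(USER_ROLES.get(user, set()))
    return any((obj, action) in ROLE_PERMS.get(r, set()) for r in roles)


# ABAC: each rule is (object, action, predicate over the attribute dict).
ABAC_RULES = [
    ("id_website", "access", lambda a: a.get("age", 0) > 18),
    ("db", "read",   lambda a: a.get("loa", 0) >= 2),
    ("db", "update", lambda a: a.get("loa", 0) >= 3),
    # RBAC as a special case: the only attribute consulted is the role set.
    ("db", "read",   lambda a: "clerk" in expand_roles(a.get("roles", set()))),
]


def abac_permits(attrs, obj, action):
    """Permit if ANY applicable rule holds (permit-overrides); otherwise
    deny, i.e. a closed policy."""
    return any(pred(attrs) for o, act, pred in ABAC_RULES
               if o == obj and act == action)


if __name__ == "__main__":
    print("u3 can read db via role hierarchy:", rbac_permits("u3", "db", "read"))
    print("LoA 2 may update db:", abac_permits({"loa": 2}, "db", "update"))
```

The ABAC engine never needs to know who the user is, only which attributes the identity provider asserted about them, which is what makes it fit federated e-government logins where the level of assurance is itself an asserted attribute.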

Tutorial 5: Information Security

Session 11: Access Control

Session 11 Outline:

• Access Control
• Overview of Database Security


Overview of Database Security

Relational Databases

• Constructed from tables of data
• Multiple tables are linked by identifiers (keys)
• Use a query language (SQL) to access data items meeting specified criteria and to add, delete and change data


A Relational Database Example


Elements of Relational Databases

• Primary key

• Foreign key

• Tuple / row / record

• Relation / table / file

• Attribute / column / field

• View / virtual table

Structured Query Language (SQL)

• Standardized language to define, manipulate and query data in a relational database
• Originally developed by IBM in the mid-1970s

Database Access Control

• The DBMS provides access control for the database
• It assumes the user has already been authenticated (by the operating system or by the DBMS itself)
• The DBMS grants specific access rights to portions of the database (tables, views, rows, columns)
• It can support a range of policies:
  – centralized / decentralized administration
  – ownership-based administration

SQL Access Controls

• Two commands:
  – GRANT { privileges | role } [ON table] TO { user | role | PUBLIC } [IDENTIFIED BY password] [WITH GRANT OPTION]
    • e.g. GRANT SELECT ON ANY TABLE TO ricflair
  – REVOKE { privileges | role } [ON table] FROM { user | role | PUBLIC }
    • e.g. REVOKE SELECT ON ANY TABLE FROM ricflair
• Typical access rights are: SELECT, INSERT, UPDATE, DELETE, REFERENCES
• WITH GRANT OPTION lets the grantee pass the privilege on to others: this is the discretionary "own volition" delegation at the database level, and is why grants should be audited

Role-Based Access Control in the DBMS

• Role-based access control works well for a DBMS
• Categories of database users:
  – Administrator
  – Application owner
  – End user
• The DBMS must manage the roles and their members (e.g. roles in Microsoft SQL Server)


Inference Case

Statistical Databases

• Provide statistical data such as averages and counts rather than individual records
• Two types:
  – Pure statistical database
  – Ordinary database with statistical access: some users have normal access, others only statistical access
• The goal is to allow statistical results without allowing access to individual entries
• Inference, deducing an individual's data from a series of permitted statistical answers, is the security problem

Statistical Database Security

• A statistical query is a query that produces a value (count, sum, average, …) calculated over a query set
• The query set is selected by a characteristic formula C, a logical formula over the values of attributes
  – e.g. (Sex=male) AND ((Major=CS) OR (Major=EE))
• The query set X(C) of characteristic formula C is the set of records matching C

Statistical Database Example [1]

[Table/figure from [1]]

1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.


Solving Inference Problems
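The Python below is an added example (not from the tutorial or from [1]) of the inference problem on the preceding slides and of the first defence usually tried against it. A statistical front end over an in-memory SQLite table answers only SUM queries and refuses any query whose query set X(C) is smaller than K records or larger than N-K (query-set-size control). A characteristic formula that matches a single employee is therefore refused directly, yet the same value is recovered with a tracker T: sum(C) = sum(C OR T) + sum(C OR NOT T) - sum(T) - sum(NOT T), every term of which has a permitted size. The employee table, the target formula and the tracker are constructed sample data.

```python
# Added example (not from the tutorial): query-set-size control on a
# statistical database and a tracker attack that defeats it. The employee
# rows, target formula and tracker formula are constructed sample data.
import sqlite3

ROWS = [  # (name, sex, dept, salary) - constructed
    ("Adams", "M", "CS", 5000), ("Baker", "F", "EE", 8000),
    ("Cook",  "M", "EE", 4500), ("Dean",  "F", "CS", 6000),
    ("Evans", "M", "CS", 5200), ("Frost", "F", "CS", 6100),
    ("Gray",  "M", "EE", 4700), ("Hill",  "F", "CS", 5900),
    ("Irwin", "M", "CS", 5300), ("Jones", "F", "CS", 6200),
    ("King",  "M", "EE", 4800), ("Lee",   "M", "CS", 5100),
]
N = len(ROWS)
K = 3  # refuse query sets with fewer than K or more than N-K records


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE emp(name TEXT, sex TEXT, dept TEXT, salary INT)")
    con.executemany("INSERT INTO emp VALUES (?, ?, ?, ?)", ROWS)
    return con


class StatDB:
    """Statistical-access-only front end. The characteristic formula C is
    spliced into SQL here only because the analyst is the party we model as
    the attacker; a real deployment would parse C rather than trust it."""

    def __init__(self, con):
        self.con = con

    def size(self, C):
        return self.con.execute(f"SELECT COUNT(*) FROM emp WHERE {C}").fetchone()[0]

    def sum(self, C):
        n = self.size(C)
        if not K <= n <= N - K:
            raise PermissionError(f"query set of size {n} refused")
        return self.con.execute(f"SELECT SUM(salary) FROM emp WHERE {C}").fetchone()[0]


def tracker_attack(db, C, T):
    """Recover sum(C) for a C that is refused directly. T must satisfy
    K+1 <= |X(T)| <= N-K-1 so that all four terms are permitted."""
    not_T = f"NOT ({T})"
    return (db.sum(f"({C}) OR ({T})") + db.sum(f"({C}) OR {not_T}")
            - db.sum(T) - db.sum(not_T))


def demo():
    db = StatDB(make_db())
    C = "sex='F' AND dept='EE'"   # matches exactly one record (Baker)
    T = "dept='CS' AND sex='M'"   # tracker: 4 of 12 records, Baker not among them
    try:
        db.sum(C)
        refused = False
    except PermissionError:
        refused = True
    return refused, tracker_attack(db, C, T)


if __name__ == "__main__":
    refused, leaked = demo()
    print("direct query refused:", refused, "| Baker's salary via tracker:", leaked)
```

Size limits alone are therefore not a solution; the measures the next slide's figure surveys (perturbing results, auditing overlapping query sets, restricting the number of queries) attack the correlation between answers rather than the size of a single query set.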

Database Encryption

• Databases are valuable resources and can be protected by multiple layers of security:
  – firewalls
  – authentication
  – operating system access control
  – DBMS access control
  – and database encryption, which still protects the data when the layers above are bypassed (e.g. a stolen backup tape or disk)
• What can be encrypted:
  – the entire database
  – individual fields
  – records (rows) or columns (attributes)


Homomorphic Encryption (1)

• With conventional database encryption, data must be decrypted before anything can be computed on it; the servers that power a cloud can't do any useful work on the ciphertext as such
• With homomorphic encryption, a company could encrypt its entire database of e-mails and upload it to a cloud
  – the cloud can analyze the data without decrypting it
  – the key idea is to encrypt the data in such a way that performing a mathematical operation on the encrypted information and then decrypting the result produces the same answer as performing an analogous operation on the unencrypted data

Homomorphic Encryption (2)

• The correspondence between the operations on unencrypted data and the operations to be performed on encrypted data is known as a homomorphism.
  – "In principle," says Craig Gentry, an IBM researcher, "something like this could be used to secure operations over the Internet." [2]

[2] http://www.technologyreview.com/computing/37197/

Bibliography

1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.
2. Homomorphic Encryption: Making cloud computing more secure, Technology Review, http://www.technologyreview.com/computing/37197/, accessed 20/1/2012.

Summary

• In this session we discussed the following:
  – Access control principles: subjects, objects, access rights
  – Discretionary access control: access matrix, access control lists (ACLs), capability tickets
  – UNIX traditional permission bits and ACL mechanisms
  – Mandatory access control, with Windows Vista integrity control as an example
  – Role-based access control and ABAC
  – Overview of database security and access control, including inference in statistical databases and database encryption


Thanks

Radwan Tahboub