Stanford CS 155 - Access Control and Operating System Security

Access Control and Operating System Security
John Mitchell

Outline (may not finish in one lecture)
- Access Control Concepts
  - Matrix, ACL, Capabilities
  - Multi-level security (MLS)
- OS Mechanisms
  - Multics: Ring structure
  - Amoeba: Distributed capabilities
  - Unix: File system, Setuid
  - Windows: File system, Tokens, EFS
  - SE Linux: Role-based, Domain type enforcement
- Secure OS
  - Methods for resisting stronger attacks
- Assurance
  - Orange Book, TCSEC
  - Common Criteria
  - Windows 2000 certification
- Some Limitations
  - Information flow
  - Covert channels

Access control
- Access control matrix [Lampson]
  - Subjects (rows): User 1, User 2, User 3, ..., User m
  - Objects (columns): File 1, File 2, File 3, ..., File n
  - Cell entries as recovered from the slide, in row order:
    User 1: read, write, read
    User 2: write, write, write
    User 3: read, read, write, read, write, read
    User m: read
- Common Assumption
  - System knows who the user is
    - User has entered a name and password, or other info
  - Access requests pass through gatekeeper
    - OS must be designed so monitor cannot be bypassed
- Reference monitor: User process -> Reference monitor -> Resource
  - Decide whether user can apply operation to resource

Two implementation concepts
- Access control list (ACL)
  - Store column of matrix with the resource
- Capability
  - User holds a "ticket" for each resource
  - Two variations
    - store row of matrix with user
    - unforgeable ticket in user space
  - Example (File 1, File 2 columns of the matrix): User 1: read, write; User 2: write, write; User 3: read, write, write; User m: read
- Access control lists are widely used, often with groups
- Some aspects of capability concept are used in Kerberos, ...

Capabilities
- Operating system concept
  - "Of the future and always will be ..."
- Examples
  - Dennis and van Horn, MIT PDP-1 Timesharing
  - Hydra, StarOS, Intel iAPX 432, Eros, ...
  - Amoeba: distributed, unforgeable tickets
- References
  - Henry Levy, Capability-based Computer Systems, http://www.cs.washington.edu/homes/levy/capabook/
  - Tanenbaum, Amoeba papers

ACL vs Capabilities
- Access control list
  - Associate list with each object
  - Check user/group against list
  - Relies on authentication: need to know user
- Capabilities
  - Capability is unforgeable ticket
    - Random bit sequence, or managed by OS
    - Can be passed from one process to another
  - Reference monitor checks ticket
    - Does not need to know identity of user/process

ACL vs Capabilities
- Delegation
  - Cap: Process can pass capability at run time
- Revocation
  - ACL: Remove user or group from list
  - Cap: Try to get capability back from process
    - Possible in some systems if appropriate bookkeeping
      - OS knows what data is capability
      - If capability is used for multiple resources, have to revoke all or none
- [Figure: delegation. User U runs processes P, Q and R; Process P holds capabilities c and d and passes capability c to Process Q and to Process R]

Other details
- Groups for resources, rights
  - Permission = <right, resource>
- Permission hierarchies
  - If user has right r, and r > s, then user has right s
  - If user has read access to directory, user has read access to every file in directory

Roles (also called Groups)
- Role = set of users
  - Administrator, PowerUser, User, Guest
- Assign permissions to roles; each user gets permission
- Role hierarchy
  - Partial order of roles
  - Each role gets permissions of roles below
  - List only new permissions given to each role
  - Administrator, PowerUser, User, Guest (from top to bottom)
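The "Two implementation concepts" and "ACL vs Capabilities" slides above describe the same matrix stored two ways, and then contrast what each reference monitor needs to know and how delegation and revocation differ. The following is an added example, not code from the slides: it builds a small constructed matrix, derives the ACL (column) and capability (row) views, and implements both kinds of reference monitor. Tickets are 128-bit random strings, and the capability monitor keeps the bookkeeping the slide mentions so that a ticket covering several resources is revoked all-or-none. All names (user1, file1, the class and function names) are constructed for the example.

```python
"""Access control matrix with ACL and capability views, reference monitors, delegation, revocation."""
import secrets

# Constructed sample in the shape of the slide's matrix: subject -> object -> rights.
MATRIX = {
    "user1": {"file1": {"read"}, "file2": {"write"}, "file3": {"read"}},
    "user2": {"file1": {"write"}, "file2": {"write"}, "file3": {"write"}},
    "user3": {"file1": {"read"}, "file2": {"read", "write"}, "file3": {"read"}},
}


def acl(obj):
    """ACL view: one column of the matrix, stored with the resource."""
    return {subj: set(row[obj]) for subj, row in MATRIX.items() if obj in row}


def capability_list(subj):
    """Capability view: one row of the matrix, held by the subject."""
    return {obj: set(rights) for obj, rights in MATRIX[subj].items()}


class AclMonitor:
    """Reference monitor over ACLs. It relies on authentication: the caller must
    already have established WHO the subject is before the check is made."""

    def __init__(self):
        objects = {obj for row in MATRIX.values() for obj in row}
        self.acls = {obj: acl(obj) for obj in objects}

    def check(self, subject, op, obj):
        return op in self.acls.get(obj, {}).get(subject, set())

    def revoke(self, subject, obj):
        # Revocation is local: drop the user from the object's list.
        self.acls.get(obj, {}).pop(subject, None)


class CapabilityMonitor:
    """Reference monitor over capabilities. A capability is an unforgeable ticket
    (here a random bit sequence); the monitor checks the ticket and never needs
    the identity of the presenting process. It keeps the bookkeeping the slide
    mentions (the OS knows which data is a capability) so tickets can be revoked."""

    def __init__(self):
        self.issued = {}  # ticket -> (frozenset of objects, frozenset of rights)

    def issue(self, objects, rights):
        ticket = secrets.token_hex(16)  # 128 random bits: unguessable, hence unforgeable
        self.issued[ticket] = (frozenset(objects), frozenset(rights))
        return ticket

    def check(self, ticket, op, obj):
        entry = self.issued.get(ticket)  # an unknown or forged ticket is simply not found
        return entry is not None and obj in entry[0] and op in entry[1]

    def revoke(self, ticket):
        # A ticket covering several resources is revoked for all of them or none.
        self.issued.pop(ticket, None)


def delegate(ticket):
    """Delegation: the holder passes its ticket to another process at run time.
    No monitor call is involved, which is exactly why revocation is the hard part."""
    return ticket
```

The ACL monitor's `check` takes a subject name because the list is keyed by identity; the capability monitor's `check` takes only the ticket. Revoking an ACL entry affects one subject on one object, while revoking a ticket that was issued for two files removes access to both at once.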
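The "Other details" and "Roles" slides above describe three partial orders that all work the same way: a right implies weaker rights, a right on a directory implies the right on its contents, and a role inherits the permissions of the roles below it, so only new permissions need to be listed per role. The block below is an added example, not code from the slides: one reflexive-transitive-closure helper serves all three orders. The role chain (Administrator, PowerUser, User, Guest) is the slide's; the per-role permissions, the `write > read` ordering, and the directory tree are constructed for the example, and the example generalizes the slide's read-on-directory rule to any right (an assumption).

```python
"""Role hierarchy and permission hierarchies as partial orders with a shared closure helper."""
from collections import deque


def below(node, edges):
    """All nodes reachable from `node` (including itself): reflexive, transitive closure."""
    seen, todo = {node}, deque([node])
    while todo:
        for nxt in edges.get(todo.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


# Partial order of roles: role -> roles directly below it (order from the slide).
ROLE_BELOW = {
    "Administrator": {"PowerUser"},
    "PowerUser": {"User"},
    "User": {"Guest"},
    "Guest": set(),
}

# Only the permissions NEW to each role are listed (constructed sample values).
NEW_PERMS = {
    "Guest": {("read", "/public")},
    "User": {("read", "/docs")},
    "PowerUser": {("write", "/docs")},
    "Administrator": {("read", "/etc"), ("write", "/etc")},
}

# Partial order of rights (assumption for the example: write > read).
RIGHT_BELOW = {"write": {"read"}, "read": set()}

# Resource containment: directory -> entries directly inside it (constructed tree).
CONTAINS = {
    "/docs": {"/docs/plan.txt", "/docs/old"},
    "/docs/old": {"/docs/old/v1.txt"},
    "/public": {"/public/index.html"},
    "/etc": {"/etc/passwd"},
}


def effective_permissions(role):
    """Union of new permissions over the role and every role below it, with each
    <right, resource> expanded through the right and resource hierarchies."""
    perms = set()
    for r in below(role, ROLE_BELOW):
        for right, resource in NEW_PERMS.get(r, ()):
            for weaker in below(right, RIGHT_BELOW):          # r > s gives s
                for res in below(resource, CONTAINS):         # directory gives its files
                    perms.add((weaker, res))
    return perms


def has_permission(role, right, resource):
    return (right, resource) in effective_permissions(role)
```

Because `effective_permissions` recomputes the closure on every call, a real system would cache it or materialize it at policy-load time; the point here is that the three "hierarchy" rules on the slides reduce to one graph traversal.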
Multi-Level Security (MLS) Concepts
- Military security policy
  - Classification involves sensitivity levels, compartments
  - Do not let classified information leak to unclassified files
- Group individuals and resources
  - Use some form of hierarchy to organize policy
- Other policy concepts
  - Separation of duty
  - Chinese Wall Policy

Big problem in access control
- Complex mechanisms require complex input
- Difficult to configure and maintain
- Roles, other organizing ideas try to simplify problem

Military security policy
- Sensitivity levels: Top Secret, Secret, Confidential, Restricted, Unclassified
- Compartments: Satellite data, Afghanistan, Middle East, Israel
- Classification of personnel and data
  - Class = <rank, compartment>
  - Dominance relation: D1 <= D2 iff rank1 <= rank2 and compartment1 ⊆ compartment2
  - Example: <Restricted, Israel> <= <Secret, Middle East>
  - Applies to: Subjects (users or processes); Objects (documents or resources)
- Commercial version
  - Levels: Internal, Proprietary, Public
  - Product specifications: Discontinued, In production, OEM

Bell-LaPadula Confidentiality Model
- When is it OK to release information?
- Two Properties (with silly names)
  - Simple security property: A subject S may read object O only if C(O) <= C(S)
  - *-Property: A subject S with read access to O may write object P only if C(O) <= C(P)
- In words: You may only read below your classification and only write above your classification

Picture: Confidentiality
- Read below, write above
- [Figure: subject S at level Proprietary; arrows show reads going to levels below S and writes going to levels above S]

Biba Integrity Model
- Rules that preserve integrity of information
- Two Properties (with silly names)
  - Simple integrity property: A subject S may write object O only if C(S) >= C(O)
    - Only trust S to modify O if S has higher rank ...
  - *-Property: A subject S with read access to O may write object P only if C(O) >= C(P)
    - Only move info from O to P if O is more trusted than P
- In words: You may only write below your classification and only read above your classification

Picture: Integrity
- Read above, write below
- [Figure: subject S at level Proprietary; arrows show reads going to levels above S and writes going to levels below S]

Problem: Models are contradictory
- Bell-LaPadula Confidentiality: Read down, write up
- Biba Integrity: Read up, write down
- Want both confidentiality and integrity
  - May use Bell-LaPadula for some classification of personnel and data, Biba for another
  - Otherwise, only way to satisfy both models is only allow read and write at same classification
- In reality: Bell-LaPadula used more than Biba model
  - Example: Common Criteria

Other policy concepts
- Separation of duty
  - If amount is over 10,000, check is only valid if signed by two authorized people
  - Two people must be different
  - Policy involves role membership and != (inequality)
- Chinese Wall Policy
  - Lawyers L1, L2 in Firm F are experts in banking
  - If bank B1 sues bank B2, L1 and L2 can each work for either B1 or B2, but no lawyer can work for opposite sides in any case
  - Permission depends on use of other permissions
- These policies cannot be represented using access matrix

Example OS Mechanisms
- Multics
- Amoeba
- Unix
- Windows
- SE Linux (briefly)

Multics
- Multics time period
  - Timesharing was new concept
  - Serve Boston area with one 386-based PC (!)
  - F. J. Corbato, MIT Project MAC, Bell Labs, GE
- Operating System
  - Designed 1964-1967
  - At peak, 100 Multics sites
  - Last system: Canadian Department of Defense, Nova Scotia, shut down October 2000
- Extensive Security Mechanisms
  - Influenced many subsequent systems
  - http://www.multicians.org/security.html
  - E. I. Organick, The Multics System: An Examination of Its Structure, MIT Press, 1972

Multics Innovations
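The "Military security policy", "Bell-LaPadula", "Biba" and "Problem: Models are contradictory" slides above define a classification label as <rank, compartment>, the dominance relation over labels, and the two models' read and write rules. The following is an added example, not code from the slides, that encodes those rules directly in the slides' own terms (C(O) <= C(S) for BLP simple security, C(S) >= C(O) for Biba simple integrity, and the two *-properties) and then applies both models at once to show that read and write together survive only at equal labels. The sensitivity levels are the slide's; the compartment sets are constructed, and treating the "Middle East" compartment as including Israel (so that the slide's <Restricted, Israel> <= <Secret, Middle East> example holds as a set inclusion) is an assumption of the example.

```python
"""Classification labels, the dominance relation, Bell-LaPadula and Biba checks."""
from dataclasses import dataclass

# Sensitivity levels from the slide, lowest to highest.
RANKS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK_ORDER = {name: i for i, name in enumerate(RANKS)}


@dataclass(frozen=True)
class Label:
    """Class = <rank, compartments>; compartments are modelled as a set of names."""
    rank: str
    compartments: frozenset


def dominates(d2, d1):
    """D1 <= D2 iff rank1 <= rank2 and compartment1 ⊆ compartment2."""
    return (RANK_ORDER[d1.rank] <= RANK_ORDER[d2.rank]
            and d1.compartments <= d2.compartments)


# Bell-LaPadula (confidentiality): read below, write above.
def blp_can_read(subject, obj):
    """Simple security property: S may read O only if C(O) <= C(S)."""
    return dominates(subject, obj)


def blp_can_write(read_from, target):
    """*-property: S with read access to O may write P only if C(O) <= C(P)."""
    return dominates(target, read_from)


# Biba (integrity): write below, read above.
def biba_can_write(subject, obj):
    """Simple integrity property: S may write O only if C(S) >= C(O)."""
    return dominates(subject, obj)


def biba_can_read(subject, obj):
    """'Only read above your classification': S may read O only if C(O) >= C(S)."""
    return dominates(obj, subject)


def biba_star(read_from, target):
    """*-property: S with read access to O may write P only if C(O) >= C(P)."""
    return dominates(read_from, target)


def both_models_allow(subject, obj):
    """Apply BLP and Biba together. Read needs C(O) <= C(S) and C(O) >= C(S);
    write needs C(S) <= C(O) and C(S) >= C(O). Both hold only for equal labels,
    which is the contradiction the slide points out."""
    can_read = blp_can_read(subject, obj) and biba_can_read(subject, obj)
    can_write = blp_can_write(subject, obj) and biba_can_write(subject, obj)
    return can_read, can_write


# Constructed labels. "Middle East" is assumed to include Israel so that the
# slide's example <Restricted, Israel> <= <Secret, Middle East> is a set inclusion.
RESTRICTED_ISRAEL = Label("Restricted", frozenset({"Israel"}))
SECRET_MIDDLE_EAST = Label("Secret", frozenset({"Middle East", "Israel"}))
TS_SATELLITE = Label("Top Secret", frozenset({"Satellite data"}))
```

Note that dominance is a partial order, not a total one: `TS_SATELLITE` neither dominates nor is dominated by `RESTRICTED_ISRAEL` because the compartments are disjoint, so under Bell-LaPadula a Top Secret subject cleared only for satellite data cannot read a Restricted Israel document, rank notwithstanding.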
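The "Other policy concepts" slide above gives two policies that an access matrix cannot express, because the answer depends on state rather than on a fixed <subject, object> cell: separation of duty (a large check needs two different authorized signers) and the Chinese Wall (a lawyer who has worked for one side of a case may not work for the other). The block below is an added example, not code from the slides. It implements both checks; the signer names, the authorized-signer role membership and the second case (B2 v B3, added to show the rule generalizes beyond the slide's single case) are constructed for the example.

```python
"""Separation of duty and Chinese Wall: policies whose decisions depend on state."""

# Constructed: people holding the 'authorized signer' role.
AUTHORIZED_SIGNERS = {"alice", "bob", "carol"}
DUAL_SIGNATURE_THRESHOLD = 10_000


def check_is_valid(amount, signers):
    """Separation of duty: over the threshold, two DIFFERENT authorized people must sign.
    Role membership is the set intersection; the != requirement falls out of set
    semantics, since the same person signing twice still counts once."""
    authorized = set(signers) & AUTHORIZED_SIGNERS
    if amount > DUAL_SIGNATURE_THRESHOLD:
        return len(authorized) >= 2
    return len(authorized) >= 1


class ChineseWall:
    """Permission depends on use of other permissions: once a lawyer has worked
    for one party to a case, every opposing party in that case becomes off-limits."""

    def __init__(self, cases):
        self.cases = cases      # case name -> set of parties on opposite sides
        self.history = {}       # lawyer -> set of clients the lawyer has worked for

    def opponents(self, client):
        """Every party that faces `client` in some case."""
        return {party
                for parties in self.cases.values() if client in parties
                for party in parties if party != client}

    def request(self, lawyer, client):
        """Decide, and if granted record the engagement, because granting it
        changes what this lawyer may be granted later."""
        worked_for = self.history.setdefault(lawyer, set())
        if worked_for & self.opponents(client):
            return False        # would put the lawyer on opposite sides of a case
        worked_for.add(client)
        return True


# Constructed scenario in the slide's terms: B1 sues B2; a second case B2 v B3 is added.
CASES = {"B1 v B2": {"B1", "B2"}, "B2 v B3": {"B2", "B3"}}
```

The same `request` with the same arguments can return True one moment and False the next, which is exactly the property a static matrix lacks; a reference monitor enforcing either policy has to keep history alongside the policy.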