Access Control and Operating System Security
John Mitchell
CS 155, Spring 2006

Outline
- Access Control Concepts
  - Matrix, ACL, Capabilities
  - Multi-level security (MLS)
- OS Mechanisms
  - Multics: ring structure
  - Amoeba: distributed, capabilities
  - Unix: file system, setuid
  - Windows: file system, tokens, EFS
  - SE Linux: role-based, domain type enforcement
- Assurance, Limitations
  - Secure OS: methods for resisting stronger attacks
  - Assurance: Orange Book, TCSEC; Common Criteria; Windows 2000 certification
  - Some limitations: information flow; covert channels

Access control
- Assumptions
  - System knows who the user is: authentication via name and password, or other credential
  - Access requests pass through a gatekeeper: the system must not allow the monitor to be bypassed
- (Figure: a user process sends an access request to the reference monitor, which consults the policy before granting access to the resource.)

Access control matrix [Lampson]
Subjects (rows) versus objects (columns):

           File 1   File 2   File 3   ...   File n
  User 1   read     write    -        -     read
  User 2   write    write    write    -     -
  User 3   -        -        -        read  read
  ...
  User m   read     write    read     write read

Two implementation concepts
- Access control list (ACL): store a column of the matrix with the resource
- Capability: the user holds a "ticket" for each resource
  - Two variations: store a row of the matrix with the user, under OS control; or an unforgeable ticket in user space

           File 1   File 2   ...
  User 1   read     write    -
  User 2   write    write    -
  User 3   -        -        read
  ...
  User m   read     write    write

- Access control lists are widely used, often with groups
- Some aspects of the capability concept are used in Kerberos, ...

Capabilities
- Operating system concept: "... of the future and always will be ..."
- Examples
  - Dennis and van Horn, MIT PDP-1 Timesharing
  - Hydra, StarOS, Intel iAPX 432, Eros, ...
  - Amoeba: distributed, unforgeable tickets
- References
  - Henry Levy, Capability-based Computer Systems, http://www.cs.washington.edu/homes/levy/capabook/
  - Tanenbaum, Amoeba papers

ACL vs Capabilities
- Access control list
  - Associate a list with each object
  - Check user/group against the list
  - Relies on authentication: need to know the user
- Capabilities
  - A capability is an unforgeable ticket: a random bit sequence, or managed by the OS
  - Can be passed from one process to another
  - The reference monitor checks the ticket
  - Does not need to know the identity of the user/process

ACL vs Capabilities
- (Figure: under ACLs, processes P, Q and R all run as user U and are checked by identity; under capabilities, process P holds capabilities c and d while processes Q and R each hold capability c.)

ACL vs Capabilities
- Delegation
  - Cap: a process can pass a capability at run time
  - ACL: try to get the owner to add permission to the list? More common: let the other process act under the current user
- Revocation
  - ACL: remove the user or group from the list
  - Cap: try to get the capability back from the process? Possible in some systems if appropriate bookkeeping is done: the OS knows what data is a capability; if a capability is used for multiple resources, it must be revoked for all or none ...
- Other details ...

Roles (also called Groups)
- Role = set of users: Administrator, PowerUser, User, Guest
- Assign permissions to roles; each user gets the permissions of its roles
- Role hierarchy
  - Partial order of roles
  - Each role gets the permissions of the roles below it
  - List only the new permissions given to each role
- (Figure: Administrator above PowerUser above User above Guest.)

Role-Based Access Control
- (Figure: Individuals are assigned to Roles (engineering, marketing, human res), and Roles are granted access to Resources (Server 1, Server 2, Server 3).)
- Advantage: users change more frequently than roles

Groups for resources, rights
- Permission = <right, resource>
- Permission hierarchies
  - If a user has right r, and r > s, then the user has right s
  - If a user has read access to a directory, the user has read access to every file in the directory
- General problem in access control
  - Complex mechanisms require complex input
  - Difficult to configure and maintain
  - Roles and other organizing ideas try to simplify the problem

Multi-Level Security (MLS) Concepts
- Military security policy
  - Classification involves sensitivity levels and compartments
  - Do not let classified information leak to unclassified files
- Group individuals and resources: use some form of hierarchy to organize the policy
- Other policy concepts: separation of duty; "Chinese Wall" policy

Military security policy
- Sensitivity levels: Top Secret, Secret, Confidential, Restricted, Unclassified
- Compartments: Satellite data, Afghanistan, Middle East, Israel

Military security policy
- Classification of personnel and data: Class = <rank, compartment>
- Dominance relation: D1 D2 iff rank1 rank2 and compartment1 compartment2
- Example: <Restricted, Israel> <Secret, Middle East>
- Applies to
  - Subjects: users or processes
  - Objects: documents or resources

Commercial version
- Sensitivity levels: Internal, Proprietary, Public
- Compartments: Product specifications, In production, OEM, Discontinued

Bell-LaPadula Confidentiality Model
- When is it OK to release information?
- Two properties (with silly names)
  - Simple security property: a subject S may read object O only if C(O) C(S)
  - *-Property: a subject S with read access to O may write object P only if C(O) C(P)
- In words: you may only read below your classification and only write above your classification

Picture: Confidentiality
- (Figure: levels S, Proprietary and Public stacked from high to low; left panel labelled "Read below, write above", right panel labelled "Read above, write below".)

Biba Integrity Model
Rules that preserve integrity of
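The role hierarchy and permission hierarchy from the "Roles" and "Groups for resources, rights" slides, worked through as an added example (not code from the lecture). The Administrator > PowerUser > User > Guest chain is the slide's; the sample paths, the rule that "write" implies "read", and the directory-prefix rule are constructed assumptions.

```python
"""Role hierarchy with inherited permissions (added example, not from the slides)."""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # <right, resource>

# Partial order on roles: each role names the roles directly below it.
# Chain taken from the slide: Administrator > PowerUser > User > Guest.
ROLES_BELOW: Dict[str, Set[str]] = {
    "Administrator": {"PowerUser"},
    "PowerUser": {"User"},
    "User": {"Guest"},
    "Guest": set(),
}

# Only the permissions newly granted at each role are listed; the rest are
# inherited from roles below. Resources are constructed sample paths.
NEW_PERMISSIONS: Dict[str, Set[Permission]] = {
    "Guest": {("read", "/pub")},
    "User": {("write", "/home/alice")},
    "PowerUser": {("read", "/var/log")},
    "Administrator": {("write", "/etc")},
}

# Right hierarchy r > s: holding "write" implies "read" (constructed ordering).
IMPLIED_RIGHTS: Dict[str, Set[str]] = {"write": {"read"}, "read": set()}


def effective_permissions(role: str) -> Set[Permission]:
    """A role's own permissions plus those of every role reachable below it."""
    perms: Set[Permission] = set()
    seen: Set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= NEW_PERMISSIONS.get(r, set())
        stack.extend(ROLES_BELOW.get(r, set()))
    return perms


def allowed(role: str, right: str, resource: str) -> bool:
    """Decide <right, resource> for a role: a stronger right implies weaker
    ones, and a right on a directory extends to every file under it."""
    for held_right, held_res in effective_permissions(role):
        rights = {held_right} | IMPLIED_RIGHTS.get(held_right, set())
        inside = resource == held_res or resource.startswith(held_res.rstrip("/") + "/")
        if right in rights and inside:
            return True
    return False
```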
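The dominance relation and the two Bell-LaPadula properties from the MLS slides, as an added example (not the lecture's code). The comparison operators on ranks and compartments did not survive extraction on the slide, so the standard reading (less-or-equal on rank, subset on compartments) is assumed here; the level list is the slide's, and the compartment sets in the sample are constructed.

```python
"""Dominance relation and Bell-LaPadula checks for the MLS slides (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Sensitivity levels from the slide, lowest to highest.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Classification:
    rank: str
    compartments: FrozenSet[str]

    def dominated_by(self, other: "Classification") -> bool:
        """D1 <= D2 iff rank1 <= rank2 and compartments1 is a subset of
        compartments2. The <= and subset operators are assumed here; they did
        not survive extraction on the slide. Classes with incomparable
        compartments are neither above nor below each other (partial order)."""
        return (LEVELS.index(self.rank) <= LEVELS.index(other.rank)
                and self.compartments <= other.compartments)


def C(rank: str, *compartments: str) -> Classification:
    """Shorthand for a <rank, compartments> class, named after the slide's C(.)."""
    return Classification(rank, frozenset(compartments))


def may_read(subject: Classification, obj: Classification) -> bool:
    """Simple security property: S may read O only if C(O) <= C(S) ("read below")."""
    return obj.dominated_by(subject)


def may_write(objects_read: Iterable[Classification], target: Classification) -> bool:
    """*-property as stated on the slide: a subject that has read objects O may
    write object P only if C(O) <= C(P) for every such O ("write above"). This
    stops a subject from copying a Secret file into an Unclassified one."""
    return all(o.dominated_by(target) for o in objects_read)


if __name__ == "__main__":
    # Constructed instance of the slide's example: <Restricted, Israel> is
    # dominated by <Secret, Middle East + Israel>.
    low = C("Restricted", "Israel")
    high = C("Secret", "Middle East", "Israel")
    print(low.dominated_by(high), may_read(high, low), may_write([high], low))
```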