U of I CS 498 - Security Policies
Slide #4-1
Security Policies
CS498SH - Information Assurance Fall 2006
Susan Hinrichs
Based on slides provided by Matt Bishop for use with Computer Security: Art and Science

Slide #4-2 Readings
• Chapter 4 through 4.5
  – English policies will be discussed later

Slide #4-3 Outline
• Policy overview
• Policies versus mechanisms
• High Level Policies
  – E.g., DTEL
• Low Level Policies
  – E.g., xhost
• English policies
  – E.g. UC Davis computer use policies

Slide #4-4 Security Policy
• Policy partitions system states into:
  – Authorized (secure)
    • These are states the system can enter
  – Unauthorized (nonsecure)
    • If the system enters any of these states, it's a security violation
• Secure system
  – Starts in authorized state
  – Never enters unauthorized state

Slide #4-5 Authorized System States
[Figure: system states S1, S2, S3, S4]

Slide #4-6 Components of Security Addressed in Policy
• Basic Security Components
  – Confidentiality
  – Integrity
  – Availability

Slide #4-7 Policy Models
• Abstract description of a policy or class of policies
• Types of policies
  – Military (governmental) security policy
    • Policy primarily protecting confidentiality
  – Commercial security policy
    • Policy primarily protecting integrity
  – Confidentiality policy
    • Policy protecting only confidentiality
  – Integrity policy
    • Policy protecting only integrity
  – Service Level Agreements
    • Availability agreements

Slide #4-8 Question
• Policy disallows cheating
  – Includes copying homework, with or without permission
• CS class has students do homework on computer
• Anne forgets to read-protect her homework file
• Bill copies it
• Who cheated?
  – Anne, Bill, or both?

Slide #4-9 Answer Part 1
• Bill cheated
  – Policy forbids copying homework assignment
  – Bill did it
  – System entered unauthorized state (Bill having a copy of Anne's assignment)
• If not explicit in computer security policy, certainly implicit
  – Not credible that a unit of the university allows something that the university as a whole forbids, unless the unit explicitly says so

Slide #4-10 Answer Part 2
• Anne didn't protect her homework
  – Not required by security policy
• She didn't breach security
• If policy said students had to read-protect homework files, then Anne did breach security
  – She didn't do this

Slide #4-11 Mechanisms
• Entity or procedure that enforces some part of the security policy
  – Access controls (like bits to prevent someone from reading a homework file)
  – Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems

Slide #4-12 Policy Languages
• Express security policies in a precise way
• A continuum of policy languages
  – English Policies
    • May be legally precise. Used as basis for legal action.
    • May be written imprecisely just to give real users a sense of the policy
    • More in later lecture
  – High-level languages
    • Policy constraints expressed abstractly
  – Low-level languages
    • Policy constraints expressed in terms of program options, input, or specific characteristics of entities on system

Slide #4-13 High-Level Policy Languages
• Constraints expressed independent of enforcement mechanism
• Constraints restrict entities, actions
• Constraints expressed unambiguously
  – Requires a precise language, usually a mathematical, logical, or programming-like language
• Examples
  – Java constraint language – described in CS:A&S
  – DTEL type enforcement language
  – SAML http://xml.coverpages.org/saml.html
  – IETF Policy models ftp://ftp.rfc-editor.org/in-notes/rfc3585.txt

Slide #4-14 DTEL – Domain Type Enforcement Language
• Basis: access can be constrained by types
• Combines elements of low-level, high-level policy languages
  – Implementation-level constructs express constraints in terms of language types
  – Constructs do not express arguments or inputs to specific system commands
• Used in Sidewinder firewalls
• Details of DTEL in http://citeseer.ist.psu.edu/cache/papers/cs/16179/http:zSzzSzwww.cs.ubc.cazSzspiderzSzabrodskyzSzdosezSzbadger.95.pdf/badger96domain.pdf
• Type enforcement policies resurfacing in SE Linux
Boebert, Kain 85

Slide #4-15 Example
• Goal: users cannot write to system binaries
• Subjects in administrative domain can
  – User must authenticate to enter that domain
• Subjects belong to domains:
  – d_user      ordinary users
  – d_admin     administrative users
  – d_login     for login
  – d_daemon    system daemons

Slide #4-16 Types
• Object types:
  – t_sysbin    executable system files
  – t_readable  readable files
  – t_writable  writable files
  – t_dte       data used by enforcement mechanisms
  – t_generic   data generated from user processes
• For example, treat these as partitions
  – In practice, files can be readable and writable; ignore this for the example

Slide #4-17 Domain Representation
• Sequence
  – First component is list of programs that start in the domain
  – Other components describe rights subject in domain has over objects of a type
    (crwd->t_writable)
    means subject can create, read, write, and list (search) any object of type t_writable

Slide #4-18 d_daemon Domain
domain d_daemon = (/sbin/init),
                  (crwd->t_writable),
                  (rd->t_generic, t_readable, t_dte),
                  (rxd->t_sysbin),
                  (auto->d_login);
• Compromising subject in d_daemon domain does not enable attacker to alter system files
  – Subjects here have no write access to those files
• When /sbin/init invokes login program, login program transitions into d_login domain

Slide #4-19 d_admin Domain
domain d_admin = (/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh),
                 (crwxd->t_generic),
                 (crwxd->t_readable, t_writable, t_dte, t_sysbin),
                 (sigtstp->d_daemon);
• sigtstp allows subjects to suspend processes in d_daemon domain
• Admin users use a standard command interpreter

Slide #4-20 d_user Domain
domain d_user = (/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh),
                (crwxd->t_generic),
                (rxd->t_sysbin),
                (crwd->t_writable),
                (rd->t_readable, t_dte);
• No auto component as no user commands transition out of it
• Users cannot write to system binaries

Slide #4-21 d_login Domain
domain d_login = (/usr/bin/login),
                 (crwd->t_writable),
                 (rd->t_readable, t_generic, t_dte),
                 setauth,
                 (exec->d_user, d_admin);
• Cannot execute anything except the transition
  – Only /usr/bin/login in this domain
• setauth enables subject to change UID
• exec access to d_user, d_admin domains

Slide #4-22 Set Up
initial_domain = d_daemon;
  – System starts in d_daemon domain
assign -r t_generic
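To check the slides' goal ("users cannot write to system binaries") mechanically, here is an added example, not the lecture's or DTEL's own code, that parses the four domain definitions from slides 4-18 to 4-21 and answers access and transition questions against them. The parser, the helper names (`can_access`, `can_transition`, `domains_that_can`) and the treatment of each right as a single letter are assumptions of this example.

```python
import re  # added example: a tiny evaluator for the DTEL domains above, not the slides' code
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    entry_programs: tuple = ()                      # programs that start in this domain
    rights: dict = field(default_factory=dict)      # object type -> set of right letters
    domain_ops: dict = field(default_factory=dict)  # auto/exec/sigtstp -> target domains
    setauth: bool = False                           # subject may change UID

def parse_domain(spec: str) -> Domain:
    head, body = spec.split("=", 1)                 # 'domain NAME' = components
    dom = Domain(name=head.replace("domain", "", 1).strip())
    # components are '(...)' groups plus the bare keyword setauth
    comps = [g or w for g, w in re.findall(r"\(([^)]*)\)|\b(setauth)\b", body)]
    dom.entry_programs = tuple(p.strip() for p in comps[0].split(","))
    for comp in comps[1:]:
        lhs, _, rhs = comp.partition("->")
        lhs, targets = lhs.strip(), [t.strip() for t in rhs.split(",") if t.strip()]
        if lhs == "setauth":
            dom.setauth = True
        elif lhs in ("auto", "exec", "sigtstp"):    # entries that name other domains
            dom.domain_ops[lhs] = set(targets)
        else:                                       # access-right letters over object types
            for t in targets:
                dom.rights.setdefault(t, set()).update(lhs)
    return dom

def parse_policy(text: str) -> dict:
    specs = [s for s in text.split(";") if "domain" in s]
    return {d.name: d for d in map(parse_domain, specs)}

def can_access(policy, domain, right, obj_type) -> bool:
    return right in policy[domain].rights.get(obj_type, set())
def can_transition(policy, src, dst) -> bool:       # only auto and exec change domain
    return any(dst in policy[src].domain_ops.get(k, ()) for k in ("auto", "exec"))
def domains_that_can(policy, right, obj_type) -> list:
    return sorted(d for d in policy if can_access(policy, d, right, obj_type))

POLICY = parse_policy("""
domain d_daemon = (/sbin/init), (crwd->t_writable),
  (rd->t_generic, t_readable, t_dte), (rxd->t_sysbin), (auto->d_login);
domain d_admin = (/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh), (crwxd->t_generic),
  (crwxd->t_readable, t_writable, t_dte, t_sysbin), (sigtstp->d_daemon);
domain d_user = (/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh), (crwxd->t_generic),
  (rxd->t_sysbin), (crwd->t_writable), (rd->t_readable, t_dte);
domain d_login = (/usr/bin/login), (crwd->t_writable),
  (rd->t_readable, t_generic, t_dte), setauth, (exec->d_user, d_admin);
""")  # the four domains exactly as written on slides 4-18 to 4-21
```

`domains_that_can(POLICY, "w", "t_sysbin")` returns only `d_admin`, which is the slides' goal restated as a query; the same helpers show that d_user has no exec or auto entry, so it cannot reach d_admin without going back through login.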