Access Control and Operating System Security
John Mitchell

Slide titles: Outline; Access control; Access control matrix [Lampson]; Two implementation concepts; Capabilities; Roles (also called Groups); Groups for resources, rights; Multi-level Security Concepts; Military security policy; Commercial version; Bell-LaPadula Confidentiality Model; Picture: Confidentiality; Biba Integrity Model; Picture: Integrity; Problem: Models are contradictory; Other policy concepts; Example OS Mechanisms; Multics; Multics time period; Multics Innovations; Multics Access Model; Unix file security; Question; Effective user id (EUID); Process Operations and IDs; Setid bits on executable Unix file; Example; Compare to stack inspection; Setuid programming; Unix summary; Access control in Windows (NTFS); Sample permission options; Permission Inheritance; Tokens; Security Descriptor; Example access request; Impersonation Tokens (setuid?); Encrypted File Systems (EFS, CFS); Q: Why use crypto file system?; SELinux Security Policy Abstractions; Secure Operating Systems; Sample Features of Trusted OS; Audit; Trusted path; Kernelized Design; SELinux; Why Linux?; Rainbow Series; Assurance methods; Orange Book Criteria (TCSEC); Levels B, A (continued); Orange Book Requirements (TCSEC); Common Criteria; Protection Profiles; Evaluation Assurance Levels 1 – 4; Evaluation Assurance Levels 5 – 7; Example: Windows 2000, EAL 4+; Is Windows “Secure”?; Limitations of Secure OS; Noninterference; Example: Smart Card; Covert Channels

Outline

Access Control
• Matrix, ACL, Capabilities
• Multi-level security (MLS)
OS Policies
• Multics
  – Ring structure
• Unix
  – File system, Setuid
• Windows
  – File system, Tokens, EFS
• SE Linux
  – Role-based
  – Domain type enforcement
Secure OS
• Methods for resisting stronger attacks
Assurance
• Orange Book, TCSEC
• Common Criteria
• Windows 2000 certification
Some Limitations
• Information flow
• Covert channels

Access control

Common Assumption
• System knows who the user is
  – User has entered a name and password, or other info
• Access requests pass through
gatekeeper (reference monitor)
  – Global property; OS must be designed so that this is true

[Figure: a user process sends a request to the reference monitor, which decides whether the user can apply the operation to the resource]

Access control matrix [Lampson]

            File 1   File 2   File 3   …      File n
  User 1    read     write    -        -      read
  User 2    write    write    write    -      -
  User 3    -        -        -        read   read
  …
  User m    read     write    read     write  read

Two implementation concepts

Access control list (ACL)
• Store column of matrix with the resource
Capability
• Allow user to hold a “ticket” for each resource
• Roughly: store row of matrix with the user

            File 1   File 2   …
  User 1    read     write    -
  User 2    write    write    -
  User 3    -        -        read
  …
  User m    read     write    write

Access control lists are widely used, often with groups
Some aspects of capability concept are used in Kerberos, …

Capabilities

Operating system concept
• “… of the future and always will be …”
Examples
• Dennis and van Horn, MIT PDP-1 Timesharing
• Hydra, StarOS, Intel iAPX 432, Amoeba, Eros, …
Reference
• Henry Levy, Capability-based Computer Systems
  http://www.cs.washington.edu/homes/levy/capabook/

Roles (also called Groups)

Role = set of users
• Administrator, PowerUser, User, Guest
• Assign permissions to roles; each user gets permission
Role hierarchy
• Partial order of roles
• Each role gets permissions of roles below
• List only new permissions given to each role

[Figure: role hierarchy diagram with the roles Administrator, PowerUser, User, Guest]

Groups for resources, rights

Permission = right, resource
Group related resources
Hierarchy for rights or resources
• If user has right r, and r > s, then user has right s
• If user has read access to directory, user has read access to every file in directory
Big problem in access control
• Complex mechanisms require complex input
• Difficult to configure and maintain
• Roles, other organizing ideas try to simplify problem

Multi-level Security Concepts

Military security policy
  – Classification involves sensitivity levels, compartments
  – Do not let classified information leak to unclassified files
Group individuals and resources
• Use some form of hierarchy to organize policy
Other concepts
• Separation of duty
• Chinese Wall
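The matrix, ACL and capability views, the role hierarchy and the right/resource hierarchy above can all be expressed in a few lines. The following is an added example, not code from the slides: the matrix rows, the role names, the directory paths and the right ordering admin > write > read are constructed for illustration.

```python
"""Added example (not from the slides): an access-control matrix with ACL and
capability views, plus the role and right hierarchies the slides describe."""
from collections import defaultdict

# Constructed matrix mirroring the slide: rows = users, columns = files.
# Each cell is the set of rights the user holds on that file.
MATRIX = {
    "User 1": {"File 1": {"read"}, "File 2": {"write"}, "File n": {"read"}},
    "User 2": {"File 1": {"write"}, "File 2": {"write"}, "File 3": {"write"}},
    "User 3": {"File n": {"read"}},
}


def acl_view(matrix):
    """Column-per-resource view: resource -> {user: rights}. This is what an ACL stores."""
    acls = defaultdict(dict)
    for user, row in matrix.items():
        for resource, rights in row.items():
            acls[resource][user] = set(rights)
    return dict(acls)


def capability_view(matrix):
    """Row-per-user view: user -> set of (resource, right) tickets the user holds."""
    return {user: {(res, r) for res, rights in row.items() for r in rights}
            for user, row in matrix.items()}


# Role hierarchy as a partial order: role -> roles directly below it (constructed).
ROLE_BELOW = {"Administrator": ["PowerUser"], "PowerUser": ["User"],
              "User": ["Guest"], "Guest": []}
# Only the permissions *new* to each role are listed, as the slide suggests.
ROLE_NEW_PERMS = {
    "Guest": {("read", "/pub")},
    "User": {("write", "/home")},
    "PowerUser": {("write", "/pub")},
    "Administrator": {("admin", "/")},
}
# Right hierarchy (assumed ordering): r > s means holding r implies holding s.
RIGHT_IMPLIES = {"admin": {"write"}, "write": {"read"}, "read": set()}


def effective_role_perms(role):
    """Union of the role's own permissions with those of every role below it."""
    perms, seen, stack = set(), set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= ROLE_NEW_PERMS.get(r, set())
        stack.extend(ROLE_BELOW.get(r, []))
    return perms


def closure_rights(right):
    """All rights implied by holding `right` under the r > s hierarchy (itself included)."""
    out, stack = set(), [right]
    while stack:
        r = stack.pop()
        if r in out:
            continue
        out.add(r)
        stack.extend(RIGHT_IMPLIES.get(r, set()))
    return out


def check(role, right, resource):
    """Is `right` on `resource` granted to `role`?  A permission on a directory
    covers every file below it (the slide's directory rule), and a stronger
    right covers the weaker rights it implies."""
    for held_right, held_res in effective_role_perms(role):
        covers_res = (resource == held_res
                      or resource.startswith(held_res.rstrip("/") + "/"))
        if covers_res and right in closure_rights(held_right):
            return True
    return False


if __name__ == "__main__":
    print(acl_view(MATRIX)["File 2"])          # who may touch File 2 (ACL)
    print(capability_view(MATRIX)["User 3"])   # tickets User 3 holds
    print(check("Guest", "read", "/pub/notes.txt"), check("Guest", "write", "/pub/notes.txt"))
```

`acl_view` and `capability_view` hold the same information; the difference is only which side (resource or user) stores it, which is exactly the ACL-versus-capability distinction on the slide. `check` shows why roles simplify configuration: only the four "new permission" entries are written down, and inheritance through the role, right and directory hierarchies does the rest.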
Policy

Military security policy

Sensitivity levels
  Top Secret
  Secret
  Confidential
  Restricted
  Unclassified
Compartments
  Satellite data
  Afghanistan
  Middle East
  Israel

Military security policy

Classification of personnel and data
• Class = rank, compartment
Dominance relation
• D1 D2 iff rank1 rank2 and compartment1 compartment2
• Example: Restricted, Israel  Secret, Middle East
Applies to
• Subjects – users or processes
• Objects – documents or resources

Commercial version

  Internal
  Proprietary
  Public

  Product specifications
  In production
  OEM
  Discontinued

Bell-LaPadula Confidentiality Model

When is it OK to release information?
Two Properties (with silly names)
• Simple security property
  – A subject S may read object O only if C(O) C(S)
• *-Property
  – A subject S with read access to O may write object P only if C(O) C(P)
In words,
• You may only read below your classification and only write above your classification

Picture: Confidentiality

[Figure: two panels, each showing subject S between the Proprietary and Public levels; left panel labelled “Read below, write above”, right panel labelled “Read above, write below”]

Biba Integrity Model

Rules that preserve integrity of information
Two Properties (with silly names)
• Simple integrity property
  – A subject S may write object O only if C(S) C(O) (Only trust S to modify O if S has higher rank …)
• *-Property
  – A subject S with read access to O may write object P only if C(O) C(P) (Only move info from O to P if O is more trusted than P)
In words,
• You may only write below your classification and only read above your classification

Picture: Integrity

[Figure: two panels, each showing subject S between the Proprietary and Public levels; left panel labelled “Read above, write below”, right panel labelled “Read below, write above”]

Problem: Models are contradictory

Bell-LaPadula Confidentiality
• Read down, write up
Biba Integrity
• Read up, write down
Want both confidentiality and integrity
• Only way to satisfy both models is only allow read and write at same classification
In reality: Bell-LaPadula used more than Biba model
Example: Common Criteria

Other policy concepts

Separation of duty
• If amount is over $10,000, check is only valid if signed by two authorized people
• Two people must be
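The dominance relation, the two Bell-LaPadula properties, the two Biba properties and the "contradiction" slide can be checked mechanically on a small lattice. The block below is an added example, not code from the slides; it assumes the standard definition of dominance (higher or equal rank and a superset of compartments) and constructs its own labels, including the (Restricted, Israel) and (Secret, Middle East) pair from the slide.

```python
"""Added example (not from the slides): lattice labels with a dominance relation,
Bell-LaPadula and Biba checks, and the combined rule the slides call contradictory."""
from dataclasses import dataclass

# Sensitivity levels from the slide, ordered low to high.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def dominates(a, b):
    """a dominates b iff rank(a) >= rank(b) and a's compartments include b's.
    Assumed standard definition of the dominance relation on (rank, compartment)."""
    return RANK[a.level] >= RANK[b.level] and a.compartments >= b.compartments


# Bell-LaPadula: C(S) = clearance of the subject, C(O) = classification of the object.
def blp_can_read(subject, obj):
    """Simple security property: read only if the object is at or below the subject."""
    return dominates(subject, obj)


def blp_can_transfer(src, dst):
    """*-property: a subject that read src may write dst only if dst is at or above src."""
    return dominates(dst, src)


# Biba: same lattice, but it ranks trust, so both directions flip.
def biba_can_write(subject, obj):
    """Simple integrity property: write only if the subject is at or above the object."""
    return dominates(subject, obj)


def biba_can_transfer(src, dst):
    """*-property: information may flow from src to dst only if src is at or above dst."""
    return dominates(src, dst)


def both_allow_transfer(src, dst):
    """Enforcing BLP and Biba on one lattice: a flow src->dst survives only when each
    label dominates the other, i.e. they are equal, as the slide observes."""
    return blp_can_transfer(src, dst) and biba_can_transfer(src, dst)


# Constructed demonstration labels.
RESTRICTED_ISRAEL = Label("Restricted", frozenset({"Israel"}))
SECRET_MIDEAST = Label("Secret", frozenset({"Middle East"}))
SECRET_BOTH = Label("Secret", frozenset({"Israel", "Middle East"}))

if __name__ == "__main__":
    # Higher rank alone is not enough: the compartment sets must also nest.
    print(dominates(SECRET_MIDEAST, RESTRICTED_ISRAEL))   # False: incomparable
    print(dominates(SECRET_BOTH, RESTRICTED_ISRAEL))      # True
    print(blp_can_transfer(RESTRICTED_ISRAEL, SECRET_BOTH),  # write up: allowed
          biba_can_transfer(RESTRICTED_ISRAEL, SECRET_BOTH))  # Biba forbids the same flow
    print(both_allow_transfer(SECRET_BOTH, RESTRICTED_ISRAEL))  # False under both models
```

The two `*-property` functions are the same `dominates` call with the arguments swapped, which is the whole content of "read down, write up" versus "read up, write down"; `both_allow_transfer` makes the slide's conclusion concrete, since the only pairs it accepts are labels that dominate each other, that is, identical ones.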
different
• Policy involves role membership and

Chinese Wall Policy
• Lawyers L1, L2 in Firm F are experts in banking
• If bank B1 sues bank B2,
  – L1 and L2 can each
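The separation-of-duty rule on the slide (two different authorized signers above $10,000, with authorization decided by role membership) is small enough to implement and test directly. This is an added example, not from the slides; the role table and signer names are constructed.

```python
"""Added example (not from the slides): dual-control check approval with a
separation-of-duty rule keyed on role membership."""

THRESHOLD = 10_000  # amount above which two signatures are required (from the slide)

# Constructed role membership: only members of "signer" may authorize a check.
ROLES = {"signer": {"alice", "bob", "carol"}, "clerk": {"dave"}}


def is_authorized(person):
    """Authorization is role membership, as the slide says the policy involves."""
    return person in ROLES["signer"]


def check_is_valid(amount, signers):
    """A check is valid if every signer is authorized and, above the threshold,
    at least two *different* authorized people have signed.  Duplicate
    signatures by one person count once, which enforces the separation."""
    if not signers or not all(is_authorized(s) for s in signers):
        return False  # an unauthorized (or missing) signature invalidates the check
    distinct = set(signers)
    required = 2 if amount > THRESHOLD else 1
    return len(distinct) >= required


if __name__ == "__main__":
    print(check_is_valid(15_000, ["alice", "alice"]))  # False: same person twice
    print(check_is_valid(15_000, ["alice", "bob"]))    # True: two distinct signers
```

The check on `distinct` rather than on the raw signature list is the part that matters: a policy that merely counts signatures is satisfied by one person signing twice, which is exactly what separation of duty is meant to rule out.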