IS 2150 / TEL 2810 Introduction to Security
James Joshi, Assistant Professor, SIS
Secure Design Principles; OS Security Overview
Lecture 1, September 2, 2008

Objectives
• Understand the basic principles of secure system design
• Learn about the basics of access control
• Understand access control in Unix and Windows environments

Some questions
• Should a system be secure by design, or can a system be made secure after it is built?
• In Unix, can you control the permissions associated with files when they are created?
• Can you specify that "user A, B and C can read, write and execute, respectively," your file: in Unix? in Windows?

Design Principles

Design Principles for Security
Principles:
• Least Privilege
• Fail-Safe Defaults
• Economy of Mechanism
• Complete Mediation
• Open Design
• Separation of Privilege
• Least Common Mechanism
• Psychological Acceptability

Overview
• Based on the ideas of simplicity and restriction
• Why simplicity?
• Why restriction?

Least Privilege
• A subject should be given only those privileges necessary to complete its task
• Assignment of privileges: function-based or identity-based?
• Based on "need to know", "relevance to situation", ...
• Examples?
• Confine processes to a "minimal protection domain"
• How can it be enforced? In Unix? In Windows?
• Challenge? [Complexity?]

Fail-Safe Defaults
• What should be the default action?
• If an action fails, how can we keep the system safe/secure?
• Transaction-based systems?
• When a file is created, what privileges are assigned to it? In Unix? In Windows?

Economy of Mechanism
• Design and implementation of security mechanisms: the KISS principle (Keep It Simple, Silly!)
• Simpler means?
• Careful design of interfaces and interactions

Complete Mediation
• No caching of information
• Mediate all accesses
• Why?
• How does the Unix read operation work?
• Any disadvantage of this principle?

Open Design
• Security should not depend on secrecy of design or implementation
• Should source code be public?
• "Security through obscurity"?
• Does not apply to certain "information": secrecy of keys vs. secrecy of the encryption algorithm?
• What about "proprietary software"?

Separation of Privilege
• Restrictive access: use multiple conditions to grant a privilege
• Equivalent to separation of duty
• Example? Changing to the root account in Berkeley-based Unix needs two conditions!

Least Common Mechanism
• Mechanisms should not be shared
• What is the problem with a shared resource? Covert channels?
• Isolation techniques: virtual machines, sandboxes

Psychological Acceptability
• Security mechanisms should not add to the difficulty of accessing a resource
• Hide the complexity introduced by security mechanisms
• Ease of installation, configuration and use
• Human factors are critical here
• Proper messages

Access Control - Introduction

ACM Background
• Access Control Matrix: captures the current protection state of a system
• Butler Lampson proposed the first Access Control Matrix model
• Refinements: by Graham and Denning; by Harrison, Ruzzo and Ullman, with some theoretical results

Protection System
• Subject (S: set of all subjects): active entities that carry out an action/operation on other entities; examples?
• Object (O: set of all objects): examples?
• Right (R: set of all rights): an action/operation that a subject is allowed/disallowed on objects
• Access matrix A: a[s, o] ⊆ R
• Set of protection states: (S, O, A)

Access Control Matrix Model
• Describes the protection state of a system
• Elements indicate the access rights that subjects have on objects
• It is an abstract model: what does it mean?
• ACM implementation: what is the disadvantage of maintaining a matrix? Two ways: capability based; access control list

Access Control Matrix
(Slide figure: an example matrix with subjects s1, s2, s3 and objects f1 to f6, shown three ways: as the access matrix, as per-object access control lists, and as per-subject capability lists. Legend: o = own, r = read, w = write.)

Access Control Matrix
Hosts as both subjects and objects:

  Hostnames   Telegraph   Nob                   Toadflax
  Telegraph   own         ftp                   ftp
  Nob                     ftp, nfs, mail, own   ftp, nfs, mail
  Toadflax                ftp, mail             ftp, nfs, mail, own

Procedures and a counter:

              Counter   Inc_ctr   Dcr_ctr   Manager
  Inc_ctr     +
  Dcr_ctr     -
  Manager               call      call      call

• telegraph is a PC with an ftp client but no server
• nob provides NFS but not to toadflax
• nob and toadflax can exchange mail

Unix Security Overview

Unix
• Developed at AT&T Bell Labs; slide diagram: MULTICS (60s) → Unix (69)
• Multi-user, multi-tasking; multilevel
• Kernel: I/O, load/run programs, filesystem, device drivers, ...
• Standard utility programs: /bin/ls, /bin/cp, /bin/sh
• System database files: e.g., /etc/passwd, /etc/group
• Security policy (shown in the slide diagram as interacting with these components)

Users and password
• Each user has a unique account identified by a username
• Each account has a secret password
• Standard: 1-8 characters, but varies
• Passwords could be the same: bad choice!
• /etc/passwd contains the username, identification information, real name and basic account information

Sample /etc/passwd entries from the slide:
  root:x:0:1:System Operator:/:/bin/ksh
  daemon:x:1:1::/tmp:
  uucp:x:4:4::/var/spool/uucppublic:/usr/lib/uucp/uucico
  rachel:x:181:100:Rachel Cohen:/u/rachel:/bin/ksh
  arlin:x.:182:100:Arlin Steinberg:/u/arlin:/bin/csh
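As an added example (not part of the slides), the passwd entries above parsed into their seven fields and audited for the account-level problems the lecture's questions point at; the sample is constructed from the slide's own lines and the finding labels are my own:

```python
from typing import Dict, List, Tuple

# Constructed sample copied from the slide; the 'arlin' line keeps the odd
# password field ("x.") exactly as printed there.
PASSWD_SAMPLE = """\
root:x:0:1:System Operator:/:/bin/ksh
daemon:x:1:1::/tmp:
uucp:x:4:4::/var/spool/uucppublic:/usr/lib/uucp/uucico
rachel:x:181:100:Rachel Cohen:/u/rachel:/bin/ksh
arlin:x.:182:100:Arlin Steinberg:/u/arlin:/bin/csh
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split every non-empty line into the seven colon-separated passwd fields."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        records.append(dict(zip(FIELDS, parts)))
    return records

def audit(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for entries an administrator should review."""
    findings, seen_names, seen_uids = [], set(), set()
    for r in records:
        if r["name"] in seen_names:
            findings.append((r["name"], "duplicate username"))
        if r["uid"] in seen_uids:
            findings.append((r["name"], "duplicate uid"))  # two accounts, one identity
        seen_names.add(r["name"])
        seen_uids.add(r["uid"])
        if r["uid"] == "0" and r["name"] != "root":
            findings.append((r["name"], "extra uid-0 account"))  # a second superuser
        if r["password"] == "":
            findings.append((r["name"], "empty password field"))  # login asks for none
        elif r["password"] not in ("x", "*"):  # 'x' = hash in /etc/shadow, '*' = locked
            findings.append((r["name"], "unexpected password field"))
        if r["shell"] == "":
            findings.append((r["name"], "empty shell field"))  # login falls back to /bin/sh
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_passwd(PASSWD_SAMPLE)):
        print(f"{name}: {finding}")
```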
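Returning to the Access Control Matrix section: the host matrix from the slide coded as the (S, O, A) protection state, with the two implementations the slide names (per-object access control lists and per-subject capability lists) derived from it and every access routed through one check. This is an added example, not code from the lecture; the grant command restricted to an object's owner is an assumption in the style of the HRU refinements the slide mentions.

```python
from typing import Dict, Set, Tuple

# Subjects and objects of the slide's host example; rights come from its table.
SUBJECTS = {"telegraph", "nob", "toadflax"}
OBJECTS = {"telegraph", "nob", "toadflax"}
# A[s, o] is the set of rights subject s holds over object o; absent cells are empty.
A: Dict[Tuple[str, str], Set[str]] = {
    ("telegraph", "telegraph"): {"own"},
    ("telegraph", "nob"): {"ftp"},
    ("telegraph", "toadflax"): {"ftp"},
    ("nob", "nob"): {"ftp", "nfs", "mail", "own"},
    ("nob", "toadflax"): {"ftp", "nfs", "mail"},
    ("toadflax", "nob"): {"ftp", "mail"},
    ("toadflax", "toadflax"): {"ftp", "nfs", "mail", "own"},
}

def rights(s: str, o: str) -> Set[str]:
    """a[s, o]; an absent cell means no rights (fail-safe default)."""
    return A.get((s, o), set())

def acl(o: str) -> Dict[str, Set[str]]:
    """Column view: the access control list stored with object o."""
    return {s: r for (s, obj), r in A.items() if obj == o and r}

def capabilities(s: str) -> Dict[str, Set[str]]:
    """Row view: the capability list carried by subject s."""
    return {o: r for (subj, o), r in A.items() if subj == s and r}

def check(s: str, o: str, right: str) -> bool:
    """Reference-monitor decision consulted on every access (complete mediation)."""
    return s in SUBJECTS and o in OBJECTS and right in rights(s, o)

def grant(granter: str, s: str, o: str, right: str) -> bool:
    """Enter a right into a[s, o]; assumed rule: only the object's owner may do so."""
    if not check(granter, o, "own") or s not in SUBJECTS:
        return False
    A.setdefault((s, o), set()).add(right)
    return True

if __name__ == "__main__":
    print("nob exports NFS to toadflax?", check("toadflax", "nob", "nfs"))  # False
    print("ACL of nob:", acl("nob"))
    print("capabilities of telegraph:", capabilities("telegraph"))
```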