ACL: Default Permission and Abbreviations
• Subject not in ACL has no rights over the file
• If many subjects have similar rights, may use groups or wildcards in ACL to "merge" identical columns
• Example: UNICOS entries are (user, group, rights)
  • If user is in group, has rights over file: (holly, bant, r)
  • '*' is wildcard for user, group
  • (holly, *, r): holly can read file regardless of her group
  • (*, fleep, w): anyone in group fleep can write file

ACL: Default Permission and Abbreviations (cont.)
• Example: UNIX
• Three classes of users: owner, group, all others

ACL Abbreviations
• Augment abbreviated lists with ACLs
• Intent is to shorten ACL without losing the granularity
• Example: IBM AIX
  • ACL overrides base permission
  • Denial takes precedence

Permissions in IBM AIX
attributes:
base permissions (traditional UNIX)
  owner(bishop): rw-
  group(sys): r--
  others: ---
extended permissions enabled
  specify rw- u:holly [override]
  permit -w- u:heidi, g=sys [add]
  permit rw- u:matt
  deny -w- u:holly, g=faculty [remove right]

ACL Modification and Privileged Users
• Who can modify ACL?
  • Creator is given owner rights that allow this
  • System R provides a grant modifier (like a copy flag) allowing a right to be transferred, so ownership not needed
• Do ACLs apply to privileged users (root)?
  • In Solaris, abbreviations at root are ignored, but full-blown ACL entries still apply

Revocation Problems
• How do you remove a subject's rights to a file?
  • Owner deletes rights from subject's entry in ACL, or removes subject's entry if there are no rights left
• What if owner was not the provider?
  • Depends on system
  • System R restores protection state to what it was before right was given
  • More complicated than it seems: suppose Alice gives Bob a right and Bob then gives it to Mallory, and now Alice revokes Bob's right? Or suppose Charlie has also given Mallory his right?
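The two revocation puzzles on the slide (Bob re-granting to Mallory; Charlie independently granting to Mallory) can be worked through with timestamped, cascading revocation, the approach the slide attributes to System R (Griffiths and Wade). The code below is an added example, not from the slides or from System R itself; the `GrantTable` class, the `system` pseudo-grantor that represents original ownership, and the `scenario` helper are my own constructions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    right: str
    time: int          # when the grant was made; ordering is what matters

class GrantTable:
    """Grants of rights with cascading, timestamped revocation in the style of
    System R.  An owner's original right is a grant from the pseudo-grantor
    "system" at time 0 (a modelling convention of this example)."""
    def __init__(self):
        self.grants = set()

    def holds(self, subject, right, at=None):
        """True if subject holds `right` through a grant made no later than `at`."""
        return any(g.grantee == subject and g.right == right
                   and (at is None or g.time <= at) for g in self.grants)

    def grant(self, grantor, grantee, right, time):
        # Attenuation of privilege: you cannot give a right you do not hold.
        if grantor != "system" and not self.holds(grantor, right, at=time):
            raise PermissionError(f"{grantor} does not hold {right}")
        self.grants.add(Grant(grantor, grantee, right, time))

    def revoke(self, grantor, grantee, right):
        """Remove grantor's grant to grantee, then cascade: any grant the grantee
        made that it could not have made without the revoked grant is removed too,
        so the state is what it would have been had the grant never happened."""
        self.grants = {g for g in self.grants if not (
            g.grantor == grantor and g.grantee == grantee and g.right == right)}
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                # A grant survives only if its grantor still held the right, via a
                # surviving grant, at the moment the grant was made.
                if g.grantor != "system" and not self.holds(g.grantor, g.right, at=g.time):
                    self.grants.discard(g)
                    changed = True

def scenario(extra_grants=()):
    """The slide's story: Alice (an owner) gives Bob read at t=1, Bob gives it to
    Mallory at t=2, optional extra grants of read happen, then Alice revokes Bob.
    Returns the set of subjects that still hold read afterwards."""
    t = GrantTable()
    t.grant("system", "alice", "read", 0)
    t.grant("system", "charlie", "read", 0)
    t.grant("alice", "bob", "read", 1)
    t.grant("bob", "mallory", "read", 2)
    for grantor, grantee, time in extra_grants:
        t.grant(grantor, grantee, "read", time)
    t.revoke("alice", "bob", "read")
    return {s for s in ("alice", "bob", "charlie", "mallory") if t.holds(s, "read")}
```

Three runs answer the slide's questions: with no extra grants Mallory loses read along with Bob; if Charlie also granted Mallory read, Mallory keeps it through Charlie; and if Charlie granted Bob read only after Bob had already passed it to Mallory, Bob keeps read but Mallory still loses it, because at t=2 Bob's only support was the revoked grant.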
Windows NT ACLs
• Sets of rights
  • Basic: read, write, execute, delete, change permission, take ownership
  • Generic: no access, read (read/execute), change (read/write/execute/delete), full control (all), special access (assign any basic rights)
  • Directory: no access, read (read/execute files in directory), list, add, add and read, change (create, add, read, execute, write files; delete subdirectories), full control, special access

Windows NT ACLs (cont.)
• User not in file's ACL nor in any group named in file's ACL: deny access
• ACL entry denies user access: deny access
• Otherwise take union of rights of all ACL entries giving user access: user has this set of rights over file
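The AIX example on the "Permissions in IBM AIX" slide and the evaluation rules on this Windows NT slide are both easier to trust once they are run. The evaluator below is an added example (not code from the slides, AIX or Windows); it encodes the AIX slide's entries verbatim, while the NT ACL at the end is a constructed one. The AIX matching rule assumed here is that an entry naming a user and groups applies only when all of them apply to the requester, and that a matching `deny` wins over `specify` and `permit`, which is what "denial takes precedence" says.

```python
def _bits(perm):
    """'rw-' -> {'r', 'w'}"""
    return {c for c in perm if c != "-"}

def _entry_matches(who, user, groups):
    """An extended entry names a user and/or groups (u:holly, g=faculty); it
    applies only when every identity it names applies to the requester."""
    u = who.get("u")
    return (u is None or u == user) and who.get("g", set()) <= set(groups)

def aix_rights(user, groups, base, extended):
    """Effective rights under the slide's AIX rules: start from the traditional
    owner/group/others base permissions, then apply the extended entries:
    'specify' replaces, 'permit' adds, 'deny' removes, and denial takes precedence."""
    owner, owner_perm = base["owner"]
    group, group_perm = base["group"]
    if user == owner:
        rights = _bits(owner_perm)
    elif group in groups:
        rights = _bits(group_perm)
    else:
        rights = _bits(base["others"])
    denied = set()
    for kind, perm, who in extended:
        if not _entry_matches(who, user, groups):
            continue
        if kind == "specify":
            rights = _bits(perm)
        elif kind == "permit":
            rights |= _bits(perm)
        elif kind == "deny":
            denied |= _bits(perm)
        else:
            raise ValueError(f"unknown entry kind {kind}")
    return rights - denied          # a matching deny wins over specify/permit

# The example from the "Permissions in IBM AIX" slide.
AIX_BASE = {"owner": ("bishop", "rw-"), "group": ("sys", "r--"), "others": "---"}
AIX_EXTENDED = [
    ("specify", "rw-", {"u": "holly"}),                    # override
    ("permit",  "-w-", {"u": "heidi", "g": {"sys"}}),      # add
    ("permit",  "rw-", {"u": "matt"}),
    ("deny",    "-w-", {"u": "holly", "g": {"faculty"}}),  # remove right
]

def nt_rights(user, groups, acl):
    """The slide's Windows NT rule: no entry for the user or any of its groups
    means no access; any matching deny entry means no access; otherwise the
    union of the rights of all matching allow entries.  (Real NT evaluates deny
    entries per right; the slide's simplification denies everything.)"""
    identities = {user, *groups}
    matching = [(kind, rights) for who, kind, rights in acl if who in identities]
    if not matching:
        return set()
    if any(kind == "deny" for kind, _ in matching):
        return set()
    return set().union(*(rights for _, rights in matching))

# Constructed NT ACL for illustration (not from the slides).
NT_ACL = [
    ("staff",   "allow", {"read", "execute"}),
    ("editors", "allow", {"write"}),
    ("mallory", "deny",  {"read"}),
]
```

Running the AIX entries shows the interplay the slide describes: holly gets `rw` from the specify entry, but when she is in group faculty the deny entry strips `w` and leaves her with `r`; heidi gets `rw` only while in group sys (base `r` plus the permitted `w`), and nothing otherwise.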
Semantics of Capability
• Like a bus ticket: mere possession indicates rights that subject has over object
• Object identified by capability (as part of the token)
  • Name may be a reference, location, or something else
• The key challenge is to prevent process/user from altering capabilities
  • Otherwise a subject can augment its capabilities at will

Implementation of Capability
• Tagged architecture: bits protect individual words
• Paging/segmentation protections: like tags, but put capabilities in a read-only segment or page
• Cryptography: associate with each capability a cryptographic checksum enciphered using a key known to OS
  • When process presents capability, OS validates checksum

Revocation of Rights
• Scan all C-lists, remove relevant capabilities
  • Far too expensive! (return your tickets?)
• Use indirection
  • Each object has entry in a global object table
  • Names in capabilities name the entry, not the object
  • To revoke, zap the entry in the table
  • Can have multiple entries for a single object to allow control of different sets of rights and/or groups of users for each object
• Example: Amoeba: owner requests server change random number in server table
  • All capabilities for that object now invalid
  • Re-issue tickets and invalidate old tickets
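The cryptographic implementation on the previous slide and the Amoeba-style revocation on this one fit together in one small server: a capability carries an object-table index, a set of rights and a keyed checksum, and revocation just changes the random check field in the table. This is an added example, not Amoeba's protocol or any real OS code; the checksum here is an HMAC-SHA256 under a key only the server holds, the `CapabilityServer` and `Capability` names are mine, and `demo` walks through the forgery and revocation cases.

```python
import hashlib
import hmac
import os
import secrets
from typing import NamedTuple

class Capability(NamedTuple):
    obj: int           # index into the global object table, not the object itself
    rights: frozenset  # e.g. {"r"} or {"r", "w"}
    tag: bytes         # keyed checksum over (obj, check field, rights)

class CapabilityServer:
    """Issues and validates capabilities.  Only the server knows the checksum
    key, so a process that edits a capability's rights produces a mismatch."""

    def __init__(self):
        self._key = os.urandom(32)
        self._table = {}           # obj number -> {"name": ..., "check": random bytes}
        self._next = 1

    def create_object(self, name):
        num = self._next
        self._next += 1
        self._table[num] = {"name": name, "check": secrets.token_bytes(16)}
        return num

    def _checksum(self, obj, rights, check):
        msg = obj.to_bytes(8, "big") + check + ",".join(sorted(rights)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, obj, rights):
        rights = frozenset(rights)
        return Capability(obj, rights, self._checksum(obj, rights, self._table[obj]["check"]))

    def validate(self, cap, right):
        """True only if the capability is genuine, not revoked, and carries `right`."""
        entry = self._table.get(cap.obj)
        if entry is None:
            return False                                   # object no longer exists
        expected = self._checksum(cap.obj, cap.rights, entry["check"])
        if not hmac.compare_digest(expected, cap.tag):
            return False                                   # altered, forged or revoked
        return right in cap.rights

    def revoke_all(self, obj):
        """Amoeba-style revocation: change the object's check field, so every
        outstanding capability for it fails validation until re-issued."""
        self._table[obj]["check"] = secrets.token_bytes(16)

def demo():
    """Issue, attempt to escalate, revoke, re-issue; returns the validation results."""
    srv = CapabilityServer()
    f = srv.create_object("payroll.db")
    cap_r = srv.issue(f, {"r"})
    forged = cap_r._replace(rights=frozenset({"r", "w"}))   # process adds 'w' itself
    before = (srv.validate(cap_r, "r"), srv.validate(cap_r, "w"), srv.validate(forged, "w"))
    srv.revoke_all(f)
    after_revoke = srv.validate(cap_r, "r")                 # old ticket now invalid
    cap_new = srv.issue(f, {"r"})                           # owner re-issues
    return before, after_revoke, srv.validate(cap_new, "r")
```

The forged capability fails because the checksum covers the rights; the old capability fails after `revoke_all` because the checksum also covers the table's check field, which is exactly the "zap the entry" indirection the slide describes.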
ACLs vs. Capabilities
• They are equivalent: both can answer
  • Given a subject, what objects can it access, and how?
  • Given an object, what subjects can access it, and how?
• ACLs answer the second easily; C-Lists answer the first easily
• In the past the second question was the one most used; thus ACL-based systems are more common
• But today some operations need to answer the first question (e.g., in incident response)

Locks and Keys
• Associate lock with object and key with subject
• Key controls what the subject can access and how
• Subject presents key; if it corresponds to any of the locks on the object, access is granted
• This is flexible: can change either locks or keys
• [Figure: comparison of ACL, C-List and Locks/Keys]

Locks and Keys: Cryptographic Implementation
• Enciphering key is lock; deciphering key is key
• Encipher object $o$; store $E_k(o)$
• Use subject's key $k$ to compute $D_k(E_k(o))$
• Any of $n$ can access $o$: store $o' = (E_1(o), \dots, E_n(o))$
• Requires consent of all $n$ to access $o$: store $o' = E_1(E_2(\dots(E_n(o))\dots))$
Requirements & Concepts
• Some basic requirements of access control:
  • Avoid disclosing sensitive data to unauthorized users (confidentiality)
  • Provide sensitive information to authorized users (availability)
  • Reliable and dependable (integrity preserving)
  • Scalable and expandable (long life)
• Some key concepts in access control systems:
  • Separation of duties
  • Least privilege
  • Need-to-know
  • Need-to-share (a contemporary buzz-phrase)
  • Handle with care

What to protect? Information classification
• Based on the risk of the content being released to mal-actors
• Example: the US government classification
  • Unclassified
  • Confidential
  • Secret
  • Top secret

Kinds of Access Control
• Preventive: avoid unwanted actions/events by blocking the ability to do them
• Detective: identify unwanted actions or events after they occur
• Corrective: remedy the circumstances that enabled the unwanted activity; return to the state prior to it
• Directive: dictated by higher authority: laws, regulations, or organization policy
• Deterrent: prescribe punishment for noncompliance
• Recovery: restore lost computing resources or capabilities
• Compensating: reinforce or replace controls that are unavailable

3 Types of Access Control
• Administrative: separation of duties, dual control, etc.
• Physical: fences, alarms, badges, CCTV, etc.
• Technical: antivirus, anti-spam, logs, etc.
• Further examples in the ISC2 book show how controls map to access control types

Steps in Accessing Systems
• Authentication
  • Use a unique identifier: user ID, account number, PIN
  • Three main kinds of data used for authentication:
    • Something the requester knows: passwords, pass-phrases
    • Something the requester is: biometrics, physical characteristics
    • Something the requester has: tokens (one-time passwords, time-synchronized tokens), smart cards, USB tokens
• Authorization
• Accounting

Using Tokens & Smartcards for Authentication
• Asynchronous token: challenge/response
• Synchronous token
  • Time- or event-based
  • One-time password or hashed values
  • Authentication server knows the value from the token
• Smart cards: contact or contact-less
Using Biometrics for Authentication
• Have false rejection and false acceptance rates
  • Crossover: the operating point at which the two rates are equal; both are tunable to need
• Some static biometrics: fingerprint or palm print, hand geometry, retina
• Some dynamic biometrics: face/gesture recognition, keystrokes, voice pattern
Identity Management
• What is identity management? A set of technologies to manage user identity information
• When is it needed?
  • For manual service provisioning
  • To manage sophisticated and complex environments
  • To comply with regulations
• What are the major challenges?
  • Reliability of user profiles
  • Consistency of user profiles across different systems/devices
  • Scalability: supporting data volumes and peaks
• More details in the ISC2 book

Identity Management: Benefits and Technologies
• Benefits: increase productivity; reduce head count
• Technologies (in systems that support identity management and manage data consistently and efficiently across systems within an organization):
  • Directories
  • Web access management
  • Password management
  • Legacy single sign-on

Single Sign-on
• How it works: one user ID and password for multiple application servers, through an authentication server
• Benefits: efficient log-on process; users may create stronger passwords; no need for many passwords
• Major drawback: a compromised password lets an intruder into all resources of the owner of that account

Single Sign-on: Kerberos
• [Figure: client, authentication server and service s; 1. "Authenticate me" / "Give me a ticket"; 3. "Authorize me" / "Use the ticket for s"]

Single Sign-on: Kerberos and SESAME
• Kerberos Key Distribution Center (KDC) serves two functions: Authentication Server (AS) and Ticket Granting Server (TGS)
• Kerberos issues
  • Security depends on careful implementation and maintenance
  • Lifetime of authentication credentials should be as short as feasible, using time stamps, to minimize the threat of replayed credentials
  • The KDC must be physically secured; it is a single point of failure, so redundancy is recommended
  • The KDC should be hardened and not allow any non-Kerberos activity
• SESAME
  • Stands for Secure European System for Applications in a Multi-vendor Environment
  • Developed to address some of the Kerberos weaknesses
  • Supports SSO
  • Improves key management by using both symmetric and asymmetric keys
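The AS/TGS split and the short-lifetime, time-stamped credentials the slide recommends are easiest to see as a message exchange. The code below is an added example, not Kerberos itself: the message formats are my own JSON structures, `seal`/`unseal` is a toy encrypt-then-MAC built from HMAC-SHA256 standing in for a real Kerberos encryption type, and the lifetimes, clock skew and the `demo` scenario are constructed. It does show the parts that matter: the client never sends its key, the TGT is opaque to the client, the service checks ticket expiry and authenticator freshness, and a replayed authenticator is refused.

```python
import hashlib
import hmac
import json
import os

# --- toy authenticated encryption standing in for a Kerberos enctype ---------
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt a JSON-able message under key, then append a MAC."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

LIFETIME = 300   # ticket lifetime in seconds: short, as the slide recommends
SKEW = 60        # tolerated clock skew on an authenticator's timestamp

def check_fresh(ticket, auth, now):
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one."""
    def __init__(self, passwords):
        self.keys = {p: hashlib.sha256(pw.encode()).digest() for p, pw in passwords.items()}
        self.keys["krbtgt"] = os.urandom(32)     # known only to the KDC

    def as_exchange(self, client, now):
        """AS_REQ/AS_REP: {session key, TGT} sealed under the client's long-term key."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "expires": now + LIFETIME})
        return seal(self.keys[client], {"key": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, auth, service, now):
        """TGS_REQ/TGS_REP: check TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_fresh(t, unseal(bytes.fromhex(t["key"]), auth), now)
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key, "expires": now + LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": svc_key, "ticket": ticket.hex()})

class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()         # seen authenticators, for replay detection

    def ap_exchange(self, ticket, auth, now):
        """AP_REQ: accept only a fresh ticket with an unseen, matching authenticator."""
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["key"]), auth)
        check_fresh(t, a, now)
        if (a["client"], a["time"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["time"]))
        return t["client"]

class Client:
    def __init__(self, name, password):
        self.name, self.key = name, hashlib.sha256(password.encode()).digest()

    def login(self, kdc, now):
        rep = unseal(self.key, kdc.as_exchange(self.name, now))   # wrong password: bad MAC
        self.sk, self.tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])

    def get_ticket(self, kdc, service, now):
        auth = seal(self.sk, {"client": self.name, "time": now})
        rep = unseal(self.sk, kdc.tgs_exchange(self.tgt, auth, service, now))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])

    def access(self, svc, ticket, key, now):
        return svc.ap_exchange(ticket, seal(key, {"client": self.name, "time": now}), now)

def attempt(action):
    """Run an action; return 'accepted' or the reason it was refused."""
    try:
        action()
        return "accepted"
    except ValueError as e:
        return str(e)

def demo(now=1_000_000):
    """Full SSO flow, then a replayed authenticator, an expired ticket and a wrong password."""
    kdc = KDC({"alice": "correct horse", "fileserver": "svc-password"})
    svc = Service(kdc.keys["fileserver"])
    alice = Client("alice", "correct horse")
    alice.login(kdc, now)
    ticket, key = alice.get_ticket(kdc, "fileserver", now + 1)
    auth = seal(key, {"client": "alice", "time": now + 2})
    who = svc.ap_exchange(ticket, auth, now + 2)
    replay = attempt(lambda: svc.ap_exchange(ticket, auth, now + 3))
    expired = attempt(lambda: alice.access(svc, ticket, key, now + 2 * LIFETIME))
    badpw = attempt(lambda: Client("alice", "wrong").login(kdc, now))
    return who, replay, expired, badpw
```

Note where the slide's operational advice lands in the code: `LIFETIME` bounds how long a stolen ticket is useful, `SKEW` plus the `seen` cache is what turns time stamps into replay protection, and everything hinges on `kdc.keys`, which is why the KDC host must be hardened and physically secured.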
Directory Service and Security Domains
• Directory services: applications that provide a hierarchical means to organize and manage information about network users and resources, and to retrieve the information by name association
• Security domains
  • Set of objects that a subject in an information system is allowed to access
  • Hierarchical domain relationships
  • Equivalence classes of subjects

Access Control & Assurance
• Mechanisms to assure that access control mechanisms are in place and in good standing:
  • Audit trail analysis and monitoring: a record of system activities
  • Assessment tools
• Audit tools cover a wide spectrum of cost, complexity, etc., and must be tailored to the goals of the audit

Access Control Matrix
• Describes the protection state precisely: a matrix describing the rights of subjects
• Subjects $S = \{s_1, \dots, s_n\}$
• Objects $O = \{o_1, \dots, o_m\}$
• Rights $R = \{r_1, \dots, r_k\}$
• Entries $A[s_i, o_j] \subseteq R$
  • $A[s_i, o_j] = \{r_x, \dots, r_y\}$ means subject $s_i$ has rights $r_x, \dots, r_y$ over object $o_j$
• [Figure: matrix with one row per subject $s_1, \dots, s_n$ and one column per object (entity) $o_1, \dots, o_m, s_1, \dots, s_n$; subjects are also objects]
• State transitions change elements of the matrix

ACM at 3AM and 10AM
• At 3AM, time condition met; ACM is: [Figure: matrix with a column for object picture; Alice's entry contains paint]
• At 10AM, time condition not met; ACM is: [Figure: same matrix; Alice's entry for picture is empty]
AC by History and Inference
Database:
  name      position    age   salary
  Alice     teacher     45    $40,000
  Bob       aide        20    $20,000
  Cathy     principal   37    $60,000
  Dilbert   teacher     50    $50,000
  Eve       teacher     33    $50,000
Queries:
• sum(salary, "position = teacher") = 140,000
• sum(salary, "age < 40 & position = teacher") should not be answered (can deduce Eve's salary)

ACM of Database Queries
• $O_i$ = set of objects referenced in query $i$
• $f(o_i)$ = permission set of query $i$
• $f(o_i) = \{\text{read}\}$ for $o_j \in O_i$, if $|\bigcap_{j=1,\dots,i} O_j| < 2$
• $f(o_i) = \emptyset$ for $o_j \in O_i$, otherwise
• $O_1 = \{\text{Alice}, \text{Dilbert}, \text{Eve}\}$ and no previous query set, so:
  • $A[\text{asker}, \text{Alice}] = f(\text{Alice}) = \{\text{read}\}$
  • $A[\text{asker}, \text{Dilbert}] = f(\text{Dilbert}) = \{\text{read}\}$
  • $A[\text{asker}, \text{Eve}] = f(\text{Eve}) = \{\text{read}\}$
• and the query can be answered

But Query 2
• $f(o_i) = \{\text{read}\}$ for $o_j \in O_i$, if $|\bigcap_{j=1,\dots,i} O_j| < 2$
• $f(o_i) = \emptyset$ for $o_j \in O_i$, otherwise
• $O_2 = \{\text{Alice}, \text{Dilbert}\}$ but $|O_2 \cap O_1| = 2$, so
  • $A[\text{asker}, \text{Alice}] = f(\text{Alice}) = \emptyset$
  • $A[\text{asker}, \text{Dilbert}] = f(\text{Dilbert}) = \emptyset$
• and the query cannot be answered
State Transitions
• Change the protection state of the system
• $X_i$ is a state of the ACM at time $i$
• $\vdash$ represents a transition
  • $X_i \vdash X_{i+1}$: a command moves the system from state $X_i$ to $X_{i+1}$
  • $X_i \vdash^{*} X_{i+1}$: a sequence of commands moves the system from state $X_i$ to $X_{i+1}$
• Commands are often called transformation procedures, because they transform the state of the access control matrix

Primitive Operations
• create subject $s$; create object $o$
  • Creates new row and column in ACM; creates new column in ACM
• destroy subject $s$; destroy object $o$
  • Deletes row and column from ACM; deletes column from ACM
• enter $r$ into $A[s, o]$
  • Adds right $r$ for subject $s$ over object $o$
• delete $r$ from $A[s, o]$
  • Removes right $r$ from subject $s$ over object $o$

Access Control Requests
• Transform the state of the ACM
• An access control request can be precisely defined using pre-conditions and post-conditions
• Notation (from Z): pre-state without primes, post-state with primes
• Example: the pre-state $A[\text{alice}, \text{file1}]$ is the permission set of Alice over file1 before a request, and $A'[\text{alice}, \text{file1}]$ is the post-state

Create Subject: pre- and post-conditions
• Pre-condition: $s \notin S$
• Primitive command: create subject $s$
• Post-conditions:
  • $S' = S \cup \{s\}$, $O' = O \cup \{s\}$
  • $(\forall y \in O')[a'[s, y] = \emptyset]$
  • $(\forall x \in S')[a'[x, s] = \emptyset]$
  • $(\forall x \in S)(\forall y \in O)[a'[x, y] = a[x, y]]$

Create Object
• Pre-condition: $o \notin O$
• Primitive command: create object $o$
• Post-conditions:
  • $S' = S$, $O' = O \cup \{o\}$
  • $(\forall x \in S')[a'[x, o] = \emptyset]$
  • $(\forall x \in S)(\forall y \in O)[a'[x, y] = a[x, y]]$

Add Right
• Pre-condition: $s \in S$, $o \in O$
• Primitive command: enter $r$ into $a[s, o]$
• Post-conditions:
  • $S' = S$, $O' = O$
  • $a'[s, o] = a[s, o] \cup \{r\}$
  • $(\forall x \in S')(\forall y \in O' - \{o\})[a'[x, y] = a[x, y]]$
  • $(\forall x \in S' - \{s\})(\forall y \in O')[a'[x, y] = a[x, y]]$

Delete Right
• Pre-condition: $s \in S$, $o \in O$
• Primitive command: delete $r$ from $a[s, o]$
• Post-conditions:
  • $S' = S$, $O' = O$
  • $a'[s, o] = a[s, o] - \{r\}$
  • $(\forall x \in S')(\forall y \in O' - \{o\})[a'[x, y] = a[x, y]]$
  • $(\forall x \in S' - \{s\})(\forall y \in O')[a'[x, y] = a[x, y]]$

Destroy Subject
• Pre-condition: $s \in S$
• Primitive command: destroy subject $s$
• Post-conditions:
  • $S' = S - \{s\}$, $O' = O - \{s\}$
  • $(\forall y \in O')[a'[s, y] = \emptyset]$, $(\forall x \in S')[a'[x, s] = \emptyset]$
  • $(\forall x \in S')(\forall y \in O')[a'[x, y] = a[x, y]]$

Destroy Object
• Pre-condition: $o \in O$
• Primitive command: destroy object $o$
• Post-conditions:
  • $S' = S$, $O' = O - \{o\}$
  • $(\forall x \in S')[a'[x, o] = \emptyset]$
  • $(\forall x \in S')(\forall y \in O')[a'[x, y] = a[x, y]]$
Creating File
• Process $p$ creates file $f$ with $r$ and $w$ permission
  command create•file(p, f)
    create object f;
    enter own into A[p, f];
    enter r into A[p, f];
    enter w into A[p, f];
  end

Mono-Operational Commands
• Make process $p$ the owner of file $g$
  command make•owner(p, g)
    enter own into A[p, g];
  end
• Mono-operational command: a single primitive operation in this command

Conditional Commands
• Let $p$ give $q$ the $r$ right over $f$, if $p$ owns $f$
  command grant•read•file•1(p, f, q)
    if own in A[p, f]
    then
      enter r into A[q, f];
  end
• Mono-conditional command: a single condition in this command

Multiple Conditions
• Let $p$ give $q$ the $r$ and $w$ rights over $f$, if $p$ owns $f$ and $p$ has the $c$ right over $q$
  command grant•read•file•2(p, f, q)
    if own in A[p, f] and c in A[p, q]
    then
      enter r into A[q, f];
      enter w into A[q, f];
  end

Copy Right
• Allows possessor to give rights to another
• Often attached to a right, so only applies to that right
  • $r$ is a read right that cannot be copied
  • $rc$ is a read right that can be copied
• Is the copy flag copied when giving $r$ rights? Depends on the model and its instantiation

Own Right
• Usually allows possessor to change entries in the ACM column
  • Owner of an object can add, delete rights for others
  • May depend on what the system allows
    • Can't give rights to specific (set of) users
    • Can't pass copy flag to specific (set of) users

Attenuation of Privilege
• You cannot give rights you do not possess
  • Restricts addition of rights within a system
• Usually ignored for owner
  • Why? Owner gives him/herself rights, gives them to others, deletes rights
Main Points
• ACM: a simple mechanism for representing protection states
• Transitions alter the protection state
• Six primitive operations can alter the matrix
• Transitions can be expressed as commands composed of these operations and, possibly, conditions