1 / 113

Chapter 8 Authorization

Chapter 8 Authorization. Access control matrix Multilevel Security Multilateral security Covert channel Inference control CAPTCHA Firewalls IDS. Authentication vs Authorization. Authentication  Who goes there? Restrictions on who (or what) can access system

javier
Download Presentation

Chapter 8 Authorization

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 8Authorization Access control matrix Multilevel Security Multilateral security Covert channel Inference control CAPTCHA Firewalls IDS

  2. Authentication vs Authorization • Authentication  Who goes there? • Restrictions on who (or what) can access system • Authorization Are you allowed to do that? • Restrictions on actions of authenticated users • Authorization is a form of access control • Authorization enforced by • Access Control Lists • Capabilities Chapter 8 Authorization

  3. AccessControl Basic Concept • An access control system regulates the operations that can be executed on data and resources to be protected • Its goal is to control operations executed by subjects in order to prevent actions that could damage data and resources • Access control is typically provided as part of the operating system and of the database management system (DBMS) Chapter 8 Authorization

  4. Access request AccessControl Basic Concept • The very nature of access control suggests that there is an active subject requiring access to a passive object to perform some specific access operation. • A reference monitor grants or denies access This fundamental and simple notion of access control is due to Lampson Object Subject Reference monitor Chapter 8 Authorization

  5. Object Subject Access request Reference monitor Access Control Policies Access Permissions AccessControl Basic Concept Chapter 8 Authorization

  6. Access control matrix Chapter 8 Authorization

  7. Lampson’s Access Control Matrix • Subjects주체(users) index the rows • Objects객체(resources) index the columns Chapter 8 Authorization

  8. Are You Allowed to Do That? • Access control matrix has all relevant info • But how to manage a large access control (AC) matrix ? • Could be 1000’s of users, 1000’s of resources • Then AC matrix with 1,000,000’s of entries • Need to check this matrix before access to any resource is allowed: Hopelessly inefficient • To obtain acceptable performance, split AC into manageable pieces; • Two ways: by column or by row Chapter 8 Authorization

  9. Access Control Lists (ACLs) • ACL: store access control matrix by column • Example: ACL for insurance datais in blue • ACL(insurance data) = {(Bob,---), (Alice,rw), (Sam,rw), (Acc prog, rw)} Chapter 8 Authorization

  10. Capabilities (or C-Lists) • Store access control matrix by row • Example: Capability for Alice is in red • C-list(Alice)= {(OS,rw), (Acct prog,rw), (Acct data,r), (Insur data,rw), (payroll data, rw)} Chapter 8 Authorization

  11. ACLs vsCapabilities • Note that arrows point in opposite directions! • With ACLs, still need to associate users to files file1 Alice Alice file1 file2 Bob Bob file2 file3 file3 Fred Fred Capability Access Control List Chapter 8 Authorization

  12. Confused Deputy - 1/4 • Two resources • Compiler and BILL file (billing info) • Compiler can write file BILL • Alice can invoke compiler with a debug filename • Alice not allowed to write to BILL Access control matrix Compiler BILL Alice Compiler Chapter 8 Authorization

  13. Confused Deputy - 2/4 ALS’s Confused Deputy • Compiler is deputy acting on behalf of Alice • Compiler is confused • Alice is not allowed to write BILL • Compiler has confused its rights with Alice’s debug BILL filename BILL Compiler Alice BILL Chapter 8 Authorization

  14. Confused Deputy - 3/4 • Compiler acting for Alice is confused • Compiler is acting based on it’s own privileges, when it should be acting based on Alice’s privileges • There has been a separation of authorityfrom the purpose for which it is used • With ACLs, difficult to avoid this problem • ACLs are not easy delegated • ACL(insurance data) = {(Bob,---), (Alice,rw), (Sam,rw), (Acc prog, rw)} Chapter 8 Authorization

  15. Confused Deputy - 4/4 • With Capabilities, easier to prevent problem • Must maintain association between authority and intended purpose • Capabilities make it easy to delegate authority • C-list(Alice)= {(OS,rw), (Acct prog,rw), (Acct data,r), (Insurdata,rw), (payroll data, rw)} Chapter 8 Authorization

  16. ACLs vs Capabilities • ACLs • Good when users manage their own files • Protection is data-oriented • Easy to change rights to a resource • Capabilities • Easy to delegate • Easy to add/delete users • Easier to avoid the confused deputy • More difficult to implement • Capabilities loved by academics • Capability Myths Demolished Chapter 8 Authorization

  17. Multilevel Security (MLS) Models Chapter 8 Authorization

  18. Classifications and Clearances • Classifications apply to objects • Clearances apply to subjects • US Department of Defense uses 4 levels of classifications/clearances TOP SECRET SECRET CONFIDENTIAL UNCLASSIFIED Chapter 8 Authorization

  19. Clearances and Classification • To obtain a SECRET clearance requires a routine background check • A TOP SECRETclearance requires extensive background check • Practical classification problems • Proper classification not always clear • Level of granularity to apply classifications • Aggregation  flip side of granularity • Ex: each paragraph -> unclassifed, but whole doc TOP SECRECT Chapter 8 Authorization

  20. Subjects and Objects • Let O be an object, S a subject • O has a classification • S has a clearance • Security level denoted L(O) and L(S) • For DoD levels, we have TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED Chapter 8 Authorization

  21. Multilevel Security (MLS) • MLS needed when subjects/objects at different levels use same system • MLS is a form of Access Control • Military/government interest in MLS for many decades • Lots of funded research into MLS • Strengths and weaknesses of MLS relatively well understood (theoretical and practical) • Many possible uses of MLS outside military Chapter 8 Authorization

  22. MLS Applications • Mainly used for Classified gov/mil info • But Business area also used it • Senior management only – Top Secret • All management - Secret • Everyone in company - Confidential • General public - Unclassified • Network firewall is another application area • Keep intruders at low level to limit damage • Confidential medical info, databases, etc. Chapter 8 Authorization

  23. MLS Security Models • Models are descriptive설명하는, not prescriptive규정하는 • High level description, not an algorithm • MLS models explain what needs to be done • Models do not tell you how to implement • There are many MLS models • We’ll discuss simplest MLS model • Other models are more realistic • Other models also more complex, more difficult to enforce, harder to verify, etc. Chapter 8 Authorization

  24. Bell-LaPadula • BLP security model designed to express essential requirements for MLS • BLP deals with confidentiality • To prevent unauthorized reading • Recall that O is an object, S a subject • ObjectO has a classification • Subject S has a clearance • Security level denoted L(O) and L(S) Chapter 8 Authorization

  25. Bell-LaPadula • BLP consists of Simple Security Condition: S can read O if and only if L(O)  L(S) *-Property (Star Property): S can write O if and only if L(S)  L(O) • No read up, no write down Chapter 8 Authorization

  26. McLean’s Criticisms of BLP • McLean: BLP is “so trivial that it is hard to imagine a realistic security model for which it does not hold” • To poke holes in BLP, McLean defined “system Z” which is allowed administrator to reclassify object, then “write down” • Violates spirit of BLP, but not expressly forbidden in statement of BLP • Raises fundamental questions about the nature of (and limits of) modeling Chapter 8 Authorization

  27. B and LP’s Response • BLP enhanced with tranquility property안정특성 • Strong tranquility property: security labels never change • Weak tranquility property: security label can only change if it does not violate “established security policy” • Security labels can be changed • For example, DoD regularly declassifies doc, which is impossible under strong tranquility property Chapter 8 Authorization

  28. B and LP’s Response • Another example, we often want to enforce “least privilege”권한한정 • Give users lowest privilege needed for current work • Then upgrade privilege as needed (and allowed by policy) • This is known as the high water mark principle • Strong tranquility impractical in real world • Weak tranquility allows • for least privilege (high water mark), • but the property is vague Chapter 8 Authorization

  29. Least privilege from wikipedia • The least privilege, requires that in a particular abstraction layer of a computing environment every module must be able to access only such resources that are necessary to its legitimate purpose. • The principle of least privilege is widely recognized as an important design consideration in enhancing the protection of data and functionality from faults (fault tolerance) and malicious behaviour (computer security). Chapter 8 Authorization

  30. High water markfrom wikipedia • Under high-water mark, any object less than the user's security level can be opened, but the object is relabeled to reflect the highest security level currently open. • If A is writing a 3 III doc, and checks the unclassified dic, the dic becomes 3 III. Then when B is writing an 2 II report and checks the spelling of a word, the dic become 2 II. If user C is assigned to assemble the daily intelligence briefing at 1 I, reference to the dic makes the dictionary 1 I. Chapter 8 Authorization

  31. BLP: The Bottom Line • BLP is simple, but probably too simple • BLP is one of the few security models that can be used to prove things about systems • BLP has inspired other security models • Most other models try to be more realistic • Other security models are more complex • Other models difficult to analyze and/or apply in practice Chapter 8 Authorization

  32. Biba’s Model • BLP for confidentiality, Biba for integrity • Biba is to prevent unauthorized writing • Biba is (in a sense) the dual of BLP • Integrity model • Spse you trust the integrity of O but not O • If object O includes O and O then you cannot trust the integrity of O • Integrity level of O is minimum of the integrity of any object in O • Low water mark principle for integrity Chapter 8 Authorization

  33. Biba • Let I(O): the integrity of object O and I(S): the integrity of subject S • Biba can be stated as Write Access Rule:S can write O iff I(O)  I(S) (if S writes O, the integrity of O that of S) Biba’s Model:S can read O iff I(S)  I(O) (if S reads O, the integrity of S that of O) • Often, replace Biba’s Model with Low Water Mark Policy:If S reads O, then I(S) = min(I(S), I(O)) Chapter 8 Authorization

  34. BLP vs Biba Biba BLP high high l e v e l l e v e l I(O) L(O) L(O) I(O) I(O) L(O) low low Integrity Confidentiality Chapter 8 Authorization

  35. Multilateral Security (Compartments) Chapter 8 Authorization

  36. Multilateral Security • Multilevel Security (MLS) enforces access control up and down • Simple hierarchy of security labels may not be flexible enough • Multilateral security enforces access control across by creating compartments Chapter 8 Authorization

  37. Multilateral Security • Suppose TOP SECRETdivided into • TOP SECRET {CAT}and • TOP SECRET {DOG} • Both are TOP SECRETbut information flow restricted across the TOP SECRETlevel Chapter 8 Authorization

  38. Multilateral Security • Why compartments? • Why not create a new classification level? • Since may not want either of • TOP SECRET {CAT} TOP SECRET {DOG} • TOP SECRET {DOG} TOP SECRET {CAT} • Compartments allow us to enforce the need to know principle지식한정의 원칙 • Regardless of your clearance, you only have access to info that you need to know Chapter 8 Authorization

  39. Multilateral Security • Arrows indicate “” relationship TOP SECRET {CAT, DOG} TOP SECRET {CAT} TOP SECRET {DOG} TOP SECRET SECRET {CAT, DOG} SECRET {CAT} SECRET {DOG} SECRET • Not all classifications are comparable, e.g., TOP SECRET {CAT}vs SECRET {CAT, DOG} Chapter 8 Authorization

  40. MLS vs Multilateral Security • MLS can be used without multilateral security or vice-versa • But, the two usually used together Chapter 8 Authorization

  41. MLS vs Multilateral Security • Example • MLS mandated for protecting medical records of British Medical Association (BMA) • AIDS was TOP SECRET, prescriptions SECRET • What is the classification of an AIDS drug? • Everything tends toward TOP SECRET • Defeats the purpose of the system! • Multilateral security was used instead • AIDS prescription be compartmented from others Chapter 8 Authorization

  42. Covert Channel Chapter 8 Authorization

  43. Covert Channel • MLS designed to restrict legitimate channels of communication • May be other ways for information to flow • For example, resources shared at different levels may signal information • Covert channel: “communication path not intended as such by system’s designers” Chapter 8 Authorization

  44. Covert Channel Example • Alice has TOP SECRETclearance, Bob has CONFIDENTIAL clearance • Suppose the file space shared by all users • Alice creates file FileXYzW to signal “1” to Bob, and removes file to signal “0” • Once each minute Bob lists the files • If file FileXYzW does not exist, Alice sent 0 • If file FileXYzW exists, Alice sent 1 • Alice can leakTOP SECRETinfo to Bob! Chapter 8 Authorization

  45. Covert Channel Example Alice: Create file Delete file Create file Delete file Bob: Check file Check file Check file Check file Check file Data: 1 0 1 1 0 Time: Chapter 8 Authorization

  46. Covert Channel • Other examples of covert channels • Print queue, ACK messages • Network traffic, etc., etc., etc. • When does a covert channel exist? Have to satisfy the 3 conditions • Sender and receiver have a shared resource • Sender able to vary property of resource that receiver can observe • Communication between sender and receiver can be synchronized Chapter 8 Authorization

  47. Covert Channel • Covert channels exist almost everywhere • Easy to eliminate covert channels…??? • Provided you eliminate all shared resources and all communication • Virtually impossible to eliminate all covert channels in any useful system • DoD guidelines: goal is to reduce covert channel capacity to no more than 1 bit/second • Implication is that DoD has given up trying to eliminate covert channels! Chapter 8 Authorization

  48. Covert Channel • Consider 100MB TOP SECRETfile • Plaintext version stored in TOP SECRETplace • Encrypted with AES using 256-bit key, ciphertext stored in UNCLASSIFIED location • Suppose we reduce covert channel capacity to 1 bit per second • It would take more than 25 years to leak entire document thru a covert channel • But it would take less than 5 minutes to leak 256-bit AES key thru covert channel! Chapter 8 Authorization

  49. Real-World Covert Channel • Hide data in TCP header “reserved” field • Or use covert_TCP tool to hide data in • Sequence number • ACK number Chapter 8 Authorization

  50. Real-World Covert Channel • Hide data in TCP sequence numbers • Tool: covert_TCP • Sequence number X contains covert info SYN Spoofed source: C Destination: B SEQ: X ACK (or RST) Source: B Destination: C ACK: X B. Innocent server C. Covert_TCP receiver A. Covert_TCP sender Chapter 8 Authorization

More Related