190 likes | 314 Views
Chapter 4. Access Control Manage Principals operations in system. Resources. Access control Which principals have access to what resources on the system and when. Applications. Middleware. Operating system. Hardware. Access control system.
E N D
Chapter 4 Access Control Manage Principals operations in system
Resources • Access control • Which principals have access to what resources on the system and when Applications Middleware Operating system Hardware
Access control system • System authenticates principal using some method, then controls access to system resources. • Often a matrix of permissions • Triple of User Program File • See matrix page 53 • Matrices grow very large • Control this through groups or roles • Certificated based systems coming about • I have a certificate signed by some authority that I have a specific right.
Groups and roles • Do not assign rights individually • Assign to groups that represents the activities or job titles of employees • They define the rules, you implement them • ACL Access Control List • Column of the matrix who has what rights to resource
UNIX • Root can access everything. • Not a good thing, even system admin should not have access to certain files: • Audit trails • Logs • Newer versions of UNIX have worked to separate out these duties • Military versions even more so
Granularity • Security and Database • Database is 1 file so OS must give access to this one file • Within in the database security is controlled by the DBMS • This creates various issues with passwords, management and control • Many systems, many passwords • Companies striving for 1 central directory service • This is why Microsoft wants it’s Active Directory product to become a “standard”
Sandboxing • Java uses this • Applet runs in a virtual restricted environment • Does not have access to hard drive • JVM has limited local access
Object Request Brokers • Mediates communications between objects • Outgrowth of Object Oriented programming • Common Object Request Broker Architecture (CORBA) • Industry standard
Hardware protection • Protect one process from interfering with another • Memory • Metadata (data about processes) • Hardware access control • Rings of protection • Less privileged process (user program) needs to access more privileged process (device driver)
Processors • Intel processors page 63 • ARM processors page 63 • Security processors page 64 • QoS • Quality of Service issues. • One process does not hog CPU
What goes wrong • Smashing the stack • Syn flooding • Trojan horse • Root kits • Single commands • Full root kits • Active web content • And many more programming defects
NSA • NSA • Deep distrust of application security • Heavy emphasis on trusted OS security
Environmental creep • UNIX original use was in trusted environment • Todays use is in the most untrusted environment (internet) • Many tools also develop for trusted environment FTP, SMTP, DNS… • Used in most untrusted environment • Code used to be buggy, now is malicious • Script kiddies anyone can attack system
Discussion topics • Current stack smashing article • Environment Creep and OS attacks • Current state of windows root kit • Where should security lie? OS, applications, middleware? • Certificate based security.
Articles • Root Kit articles: • http://www.viruslist.com/en/analysis?pubid=168740859 • http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1086469,00.html
List of resources • Access control • http://en.wikipedia.org/wiki/Access_control • http://www.owasp.org/documentation/topten/a2.html • Groups roles • http://www.microsoft.com/windowsxp/evaluation/features/accesscntrl.mspx • http://www.tech-faq.com/role-based-access-control-rbac.shtml • http://technet2.microsoft.com/WindowsServer/en/Library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx
List of resources • Sandboxing • http://www.kernelthread.com/publications/security/sandboxing.html • http://internetweek.cmp.com/trends/0825.htm
List of resources • Object Request Brokers • http://en.wikipedia.org/wiki/Object_request_broker • http://www.sei.cmu.edu/str/descriptions/corba_body.html • Rings • http://www.devx.com/Intel/Article/30125
List of Resources • NSA • http://www.nsa.gov/selinux/ • http://www.nsa.gov/selinux/info/faq.cfm