Upload
edith
View
22
Download
0
Embed Size (px)
DESCRIPTION
September 7, 2006 Lecture 2. IS 2150 / TEL 2810 Introduction to Security. Mathematics Review. Propositional logic/calculus. Atomic, declarative statements (propositions) that can be shown to be either TRUE or FALSE but not both; E.g., “Sky is blue”; “3 is less than 4” - PowerPoint PPT Presentation
Citation preview
1
September 7, 2006Lecture 2
IS 2150 / TEL 2810Introduction to Security
2
Mathematics Review
3
Propositional logic/calculus Atomic, declarative statements (propositions)
that can be shown to be either TRUE or FALSE but not both; E.g., “Sky is blue”; “3 is less than 4”
Propositions can be composed into compound sentences using connectives
Negation p (NOT) highest precedence Disjunction p q (OR) second precedence Conjunction p q (AND) second precedence Implication p q q logical consequence of p
Exercise: Truth tables?
4
Propositional logic/calculus Contradiction:
Formula that is always false : p p What about: (p p)?
Tautology: Formula that is always True : p p
What about: (p p)? Others
Exclusive OR: p q; p or q but not both Bi-condition: p q [p if and only if q (p iff q)] Logical equivalence: p q [p is logically equivalent
to q] Some exercises…
5
Some Laws of Logic Double negation DeMorgan’s law
(p q) (p q) (p q) (p q)
Commutative (p q) (q p)
Associative law p (q r) (p q) r
Distributive law p (q r) (p q) (p r) p (q r) (p q) (p r)
6
Predicate/first order logic Propositional logic Variable, quantifiers, constants and
functions Consider sentence: Every directory
contains some files Need to capture “every” “some”
F(x): x is a file D(y): y is a directory C(x, y): x is a file in directory y
7
Predicate/first order logic Existential quantifiers (There exists)
E.g., x is read as There exists x Universal quantifiers (For all) y D(y) (x (F(x) C(x, y))) read as
for every y, if y is a directory, then there exists a x such that x is a file and x is in directory y
What about x F(x) (y (D(y) C(x, y)))?
8
Mathematical Induction Proof technique - to prove some
mathematical property E.g. want to prove that M(n) holds for all natural
numbers Base case OR Basis:
Prove that M(1) holds Induction Hypothesis:
Assert that M(n) holds for n = 1, …, k Induction Step:
Prove that if M(k) holds then M(k+1) holds
9
Mathematical Induction
Exercise: prove that sum of first n natural numbers is
S(n): 1 + … + n = n (n + 1)/2 S(n): 1^2+ .. +n^2 = n (n +1)(2n +
1)/6
10
Lattice Sets
Collection of unique elements Let S, T be sets
Cartesian product: S x T = {(a, b) | a A, b B} A set of order pairs
Binary relation R from S to T is a subset of S x T Binary relation R on S is a subset of S x S If (a, b) R we write aRb
Example: R is “less than equal to” () For S = {1, 2, 3}
Example of R on S is {(1, 1), (1, 2), (1, 3), ????) (1, 2) R is another way of writing 1 2
11
Lattice Properties of relations
Reflexive: if aRa for all a S
Anti-symmetric: if aRb and bRa implies a = b for all a, b S
Transitive: if aRb and bRc imply that aRc for all a, b, c S
Which properties hold for “less than equal to” ()? Draw the Hasse diagram Captures
all the relations
12
Lattice Total ordering:
when the relation orders all elements E.g., “less than equal to” () on natural
numbers Partial ordering (poset):
the relation orders only some elements not all
E.g. “less than equal to” () on complex numbers; Consider (2 + 4i) and (3 + 2i)
13
Lattice Upper bound (u, a, b S)
u is an upper bound of a and b means aRu and bRu
Least upper bound : lub(a, b) closest upper bound
Lower bound (u, a, b S) l is a lower bound of a and b means lRa and
lRb Greatest lower bound : glb(a, b) closest
lower bound
14
Lattice A lattice is the combination of a set of
elements S and a relation R meeting the following criteria
R is reflexive, antisymmetric, and transitive on the elements of S
For every s, t S, there exists a greatest lower bound For every s, t S, there exists a lowest upper bound
Some examples S = {1, 2, 3} and R = ? S = {2+4i; 1+2i; 3+2i, 3+4i} and R = ?
15
Overview of Lattice Based Models Confidentiality
Bell LaPadula Model First rigorously developed model for high
assurance - for military Objects are classified Objects may belong to Compartments Subjects are given clearance Classification/clearance levels form a lattice Two rules
No read-up No write-down
16
Access Control Matrix
17
ACM Background Access Control Matrix
Captures the current protection state of a system
Butler Lampson proposed the first Access Control Matrix model
Graham and Denning refined it Harrison, Russo and Ulman modified
it and presented some theoretical results
18
Protection System State of a system
Current values of memory locations, registers, secondary storage, etc. other system components
Protection state (P) A system state that is considered secure
A protection system Captures the conditions for state transition Consists of two parts:
A set of generic rights A set of commands
19
Protection System Subject (S: set of all subjects)
Active entities that carry out an action/operation on other entities; Eg.: users, processes, agents, etc.
Object (O: set of all objects) Eg.:Processes, files, devices
Right (R: set of all rights) An action/operation that a subject is
allowed/disallowed on objects Access Matrix A: a[s, o] ⊆R
Set of Protection States: (S, O, A)
20
Access Control Matrix Model Access control matrix
Describes the protection state of a system. Elements indicate the access rights that
subjects have on objects ACM is an abstract model
Rights may vary depending on the objects involved
ACM is implemented primarily in two ways Capabilities (rows) Access control lists (columns)
21
Access Control Matrix
s3 r
s1
f1 f2 f3 f4 f5 f6
s2
s3
o, r, w
o, r, w
o, r, w o, r, w
o, r, w
o, r, w
r
r
r r
w
f1
f2
f3
f4
f6
s2
s1 o, r, w s2 r
s1 o, r, w s3 r
s3 o, r, w
f5 s2 o, r, w s3 r s1 w
s3 o, r, w
f5 w s1 f2 o, r, w f3 o, r, w
f2 r s2 f1 o, r, w f5 o, r, w
f3 r s3 f4 o, r, wf2 r
f5 r f6 o, r, w
o: ownr: readw:write
Access Matrix
Access Control ListCapabilities
o, r, w
22
Access Control Matrix
Hostnames Telegraph Nob Toadflax
Telegraph own ftp ftp
Nob ftp, nsf, mail, own ftp, nfs, mail
Toadflax ftp, mail ftp, nsf, mail, own
Counter Inc_ctr Dcr_ctr Manager
Inc_ctr +
Dcr_ctr -
manager Call Call Call
•telegraph is a PC with ftp client but no server
•nob provides NFS but not to Toadfax
•nob and toadfax can exchange mail
23
State Transitions Let initial state X0 = (S0, O0, A0) Notation
Xi ├i+1 Xi+1 : upon transition i+1, the system moves from state Xi to Xi+1
X ├* Y : the system moves from state X to Y after a set of transitions
Xi ├ ci+1 (pi+1,1, pi+1,2, …, pi+1,m) Xi+1 : state transition upon a command
For every command there is a sequence of state transition operations
24
Primitive commands(Graham-Denning)
Create subject s Creates new row, column in ACM;
Create object o Creates new column in ACM
Destroy subject s Deletes row, column from ACM;
Destroy object o Deletes column from ACM
Read access right of s on o Copy a[s, o] to x
Delete access right r of s on o Removes r right from subject s over object o
Grant access right r of s on oAdds r right for subject s over object o
Transfer access right r or r* to s on o
Adds r right for subject s over object o
25
Primitive commands (HRU)
Create subject s Creates new row, column in ACM;
Create object o Creates new column in ACM
Enter r into a[s, o] Adds r right for subject s over object o
Delete r from a[s, o]
Removes r right from subject s over object o
Destroy subject s Deletes row, column from ACM;
Destroy object o Deletes column from ACM
26
System commands [Unix] process p creates file f with
owner read and write (r, w) will be represented by the following:
Command create_file(p, f)Create object fEnter own into a[p,f]Enter r into a[p,f]Enter w into a[p,f]
End
27
Process p creates a new process qCommand spawn_process(p, q)
Create object q;Enter own into a[p,q]Enter r into a[p,q]Enter w into a[p,q]Enter r into a[q,r]Enter w into a[q,r]
End
28
System commands Defined commands can be used to
update ACMCommand make_owner(p, f)
Enter own into a[p,f]
End
Mono-operational: the command invokes only one primitive
29
Conditional Commands
Mono-operational + mono-conditional
Command grant_read_file(p, f, q)
If own in a[p,f]Then Enter r into a[q,f]
End
30
Conditional Commands
Mono-operational + biconditionalCommand grant_read_file(p, f, q)
If r in a[p,f] and c in a[p,f]Then Enter r into a[q,f]
End
Why not “OR”??
31
Attenuation of privilege Principle of attenuation
A subject may not give rights that it does not posses to others
Copy Augments existing rights
Often attached to a right, so only applies to that right
r is read right that cannot be copied rc is read right that can be copied
Also called the grant right
32
Attenuation of privilege Own
Allows adding or deleting rights, and granting rights to others
Creator has the own right Subjects may be granted own right Owner may give rights that he does not have
to others on the objects he owns (chown command)
Example: John owns file f but does not have read permission over it. John can grant read right on f to Matt.
33
Fundamental questions How can we determine that a system is
secure? Need to define what we mean by a system
being “secure” Is there a generic algorithm that allows
us to determine whether a computer system is secure?
We will wait till next time …..
34
Unix File SystemOverview
35
Unix file security Each file has owner and group Permissions set by owner
Read, write, execute Owner, group, other Represented by vector of four octal values
Only owner, root can change permissions This privilege cannot be delegated or
shared
36
Unix File Permissions File type, owner, group, othersdrwx------ 2 jjoshi isfac 512 Aug 20 2003 risk
managementlrwxrwxrwx 1 jjoshi isfac 15 Apr 7 09:11 risk_m->risk
management-rw-r--r-- 1 jjoshi isfac 1754 Mar 8 18:11 words05.ps-r-sr-xr-x 1 root bin 9176 Apr 6 2002 /usr/bin/rs-r-sr-sr-x 1 root sys 2196 Apr 6 2002
/usr/bin/passwd
File type: regular -, directory d, symlink l, device b/c, socket s, fifo f/p
Permission: r, w, x, s or S (set.id), t (sticky)
37
User ids Each process has three Ids
Real user ID (RUID) same as the user ID of parent (unless changed) used to determine which user started the
process Effective user ID (EUID)
from set user ID bit on the file being executed, or sys call
determines the permissions for process Saved user ID (SUID)
Allows restoring previous EUID
38
User ids
Similarly we have Real group ID, Effective group ID,
While accessing files Process EUID compared against the
file UID GIDs are compared
39
IDs/Operations Root can access any file Fork and Exec
Inherit three IDs, except exec of file with setuid bit
Setuid system calls seteuid(newid) can set EUID to
Real ID or saved ID, regardless of current EUID Any ID, if EUID=0
Related calls: setuid, seteuid, setgid, setegid
40
Setid bits on executable Unix file Three setid bits
setuid set EUID of process to ID of file owner
setgid set EGID of process to GID of file
setuid/setgid used when a process executes a file If setuid (setgid) bit is on – the EUID of the process
changed to UID (GUID) of the file Sticky
Off: if user has write permission on directory, can rename or remove files, even if not owner
On: only file owner, directory owner, and root can rename or remove file in the directory
41
Example
…;
…;
exec( );
…;
…;
exec( );
RUID 25RUID 25 SetUIDSetUID
programprogram
…;
…;
i=getruid()
setuid(i);
…;
…;
…;
…;
i=getruid()
setuid(i);
…;
…;
RUID 25EUID 18
RUID 25EUID 25
-rw-r--r---rw-r--r--
filefile
-rw-r--r---rw-r--r--
filefile
Owner 18Owner 18
Owner 25Owner 25
read/write
read/write
Owner 18Owner 18
42
Careful with Setuid ! Can do what owner of file is allowed to
do Be sure not to
Take action for untrusted user Return secret data to untrusted user
Principle of least privilege change EUID when root privileges no
longer needed Setuid scripts (bad idea)
Race conditions: begin executing setuid program; change contents of program before it loads and is executed