Summary of Lecture 4

Authentication (Review)

Access Control Srini & Nandita 2

CSE2500 System Security & Privacy

Authentication means to establish the proof of identity. Authentication techniques may vary depending on the kind of resource being accessed.

The various kinds of access can be classified into
– user-to-host
– host-to-host
– user (or process)-to-user (process)


Authentication is done by
– something you are (SYA)
– something you know (SYK)
– something you have (SYH)

SYA is more reliable and accurate compared to SYH.


Authentication

SYK is the most commonly used end-user authentication (user to systems), e.g. user name and password.

It can also be applied to programs that exchange data over the network without human intervention.

The strength of SYK authentication depends on whether what is known is a secret, and can be kept a secret.


User-to-Host authentication

Typical methods are
– static passwords
– challenge and response
– one-time passwords
– trusted third parties


Today’s lecture

So far we have discussed how to authenticate a user to a host.

Once a user is logged on to the system, we need mechanisms to control access to objects (such as files, programs, processes, etc.) within the system.

ACCESS CONTROL & SECURITY MODELS

Center of gravity of computer security


Fundamental Model of Access Control

subject --(access request)--> reference monitor --> object


Controlling Access

Access control policy: what can be used to indicate who is allowed to do what to/with whom on the system.

Who is who? Subject is what we call active entities (processes, users, other computers) that want to “do something”.

What the subject does with the object can be just about anything, and it may be multi-part. Typical manipulations include READ, MODIFY, CREATE, CHANGE, DELETE.


Access Control Policy

Access right or privilege:
– An indication that a SUBJECT may legitimately use a specific type of ACCESS or MANIPULATION with respect to a particular OBJECT or set of OBJECTS.

The underlying system itself determines which primitive (or bottom-level) access rights are available for which user/object combinations.


Levels of Access Control

– Application
– Middleware
– Operating system
– Hardware


Operating System Access Controls

Authenticate principals/users
– Passwords
– Kerberos

Mediate access
– Files
– Communication ports
– System resources


Models of Security

Need for a model
– High assurance security system

What is a model supposed to do?
– Express the security policy in a formal way
– Describe the entities governed by the policy
– State the rules that decide who gets access to your data

Scope and limitations of models


Security Models: Bell-LaPadula

– The Bell-LaPadula model is about information confidentiality; it formally represents the long tradition of attitudes to the flow of information concerning national secrets.

– Multi-level security (MLS)


Security Models: Chinese Wall

– Large consultancies can easily find there are conflicts of interest if individual consultants are given access to all information held by the consultancy. Chinese Wall models a particular way of restricting information flow.


Security Models: Biba

Based on the Cold War experiences, information integrity is also important, and the Biba model, complementary to Bell-LaPadula, is based on the flow of information where preserving integrity is critical.
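To make the “complementary” relationship concrete, here is an added example (not part of the lecture slides) that encodes the Bell-LaPadula and Biba access rules over one ordered set of levels and checks, for a given subject, whether information may flow from one object to another. The level names, subjects and objects are constructed for illustration; the rules themselves are the standard ones: Bell-LaPadula forbids reading up and writing down, Biba forbids reading down and writing up.

```python
# Added example (not from the slides): Bell-LaPadula and Biba as two
# mandatory-access rules over one ordered set of levels, with a flow check
# that shows why the two models are called complementary. Level names,
# subjects and objects below are constructed for illustration.

from typing import Dict

# Sensitivity (BLP) or integrity (Biba) levels; higher index = higher level.
LEVELS = ("unclassified", "confidential", "secret", "top_secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


def blp_allows(clearance: str, classification: str, op: str) -> bool:
    """Bell-LaPadula confidentiality.
    read : simple security property, 'no read up'   -> clearance >= classification
    write: *-property,               'no write down' -> clearance <= classification
    Information can therefore only flow to equal or higher sensitivity."""
    s, o = RANK[clearance], RANK[classification]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_integrity: str, object_integrity: str, op: str) -> bool:
    """Biba strict integrity, the dual of BLP.
    read : 'no read down' -> subject <= object (don't trust lower-integrity input)
    write: 'no write up'  -> subject >= object (don't contaminate higher-integrity data)
    Information can therefore only flow to equal or lower integrity."""
    s, o = RANK[subject_integrity], RANK[object_integrity]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def flow_allowed(policy, subject_level: str, src_level: str, dst_level: str) -> bool:
    """A subject can move information from src to dst only if it may read src
    and write dst. Under BLP that forces rank(src) <= rank(dst); under Biba
    it forces rank(src) >= rank(dst)."""
    return policy(subject_level, src_level, "read") and policy(subject_level, dst_level, "write")


def decide(policy, labels: Dict[str, str], subject: str, obj: str, op: str) -> bool:
    """Reference-monitor front end: look up both labels, then apply the rule."""
    return policy(labels[subject], labels[obj], op)


if __name__ == "__main__":
    # Constructed labels: an analyst cleared to secret, a top-secret cable,
    # and an unclassified bulletin.
    labels = {"analyst": "secret", "cable": "top_secret", "bulletin": "unclassified"}
    for name, policy in (("BLP ", blp_allows), ("Biba", biba_allows)):
        for obj in ("cable", "bulletin"):
            for op in ("read", "write"):
                print(f"{name} analyst {op:5s} {obj:8s}: {decide(policy, labels, 'analyst', obj, op)}")
```

Running the block prints the eight decisions; the instructive pair is that BLP lets the analyst copy the bulletin into the cable but not the reverse, while Biba permits exactly the opposite direction.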


Security Models: Clark-Wilson

In the commercial sphere, the need is to engage in well-formed transactions which can only be undertaken by authorised personnel, and the Clark-Wilson model is an attempt to formally model a policy based on well-formed transactions.


Possible Access Control Mechanisms are
– Control Matrix
– Control lists
– Groups and Roles
– Extension to Distributed (+file) Systems


Access Control Matrix

Users \ Object   Operating system   Accounts Program   Accounting Data   Audit Trail
Sam              rwx                rwx                rw                r
Alice            x                  x                  rw                -
Bob              rx                 r                  r                 r


Example Access Control Matrix for Bookkeeping

                   Operating system   Accounts Program   Accounting Data   Audit Trail
Sam                rwx                rwx                r                 r
Alice              rx                 x                  -                 -
Accounts program   rx                 r                  rw                w
Bob                rx                 r                  r                 r
Srini              rx                 r                  r                 r


Access Control Matrices

2/3 dimensions used to implement protection mechanisms and model them

Do not scale well
– A bank with 50,000 staff & 300 objects: 15 million entries
– Update and performance problem
– Prone to administrators’ mistakes

A more compact way is required


Groups and Roles

Group is a list of users/principals -- categories

Role is a fixed set of access permissions that one or more principals may assume

Group: “manager” is a rank, while the role of acting manager can be taken up by an assistant accountant standing in while the manager, deputy manager and accountant are all sick


Let us look at the example once again

                   Operating system   Accounts Program   Accounting Data   Audit Trail
Sam                rwx                rwx                r                 r
Alice              rx                 x                  -                 -
Accounts program   rx                 r                  w                 w
Bob                rx                 r                  r                 r
Srini              rx                 r                  r                 r


ACLs per subject (Capabilities list)

User      OS    A/C Prgm   A/C Data   Audit trail
Sam       rwx   rwx        r          r
Alice     rx    x          -          -
Acc.pgm   rx    r          rw         w
Bob       rx    r          r          r
Srini     rx    r          r          r


Access Control Lists

User    Accounting Data
Sam     rw
Alice   rw
Bob     r
Srini   r


Access Control Lists/Capabilities

How do you modify the entries in the lists?
– add a new entry
– delete an existing entry
– modify the access right to an object
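As an added example (not from the slides), the following Python represents the bookkeeping matrix from the earlier slide and derives the two compact views from it: the ACL for an object (one column, as the slides show for Accounting Data) and the capability list for a subject (one row, as the “ACLs per subject” slide shows). It also implements the three list-maintenance operations asked about above and a reference-monitor check. Subject, object and right names are taken from the “Example Access Control Matrix for Bookkeeping” slide; the function names and representation are assumptions.

```python
# Added example (not from the slides): the bookkeeping access control matrix
# as a Python structure, the two compact views derived from it (an ACL is one
# column, kept with the object; a capability list is one row, kept by the
# subject), a reference-monitor check, and the add/delete/modify operations.
# Subjects, objects and rights come from the bookkeeping slide.

from typing import Dict, Optional, Set

OBJECTS = ("Operating system", "Accounts Program", "Accounting Data", "Audit Trail")
Matrix = Dict[str, Dict[str, Set[str]]]   # matrix[subject][object] -> set of rights


def bookkeeping_matrix() -> Matrix:
    """Fresh copy of the slide's matrix; '-' on the slide means no rights."""
    rows = {
        "Sam":              ("rwx", "rwx", "r",  "r"),
        "Alice":            ("rx",  "x",   "-",  "-"),
        "Accounts program": ("rx",  "r",   "rw", "w"),   # a program can be a subject too
        "Bob":              ("rx",  "r",   "r",  "r"),
        "Srini":            ("rx",  "r",   "r",  "r"),
    }
    return {s: {o: set(r.replace("-", "")) for o, r in zip(OBJECTS, rights)}
            for s, rights in rows.items()}


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """ACL view: the column for one object. Empty cells are dropped, which is
    what makes the list smaller than the full matrix."""
    return {s: set(row[obj]) for s, row in matrix.items() if row.get(obj)}


def capabilities(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Capability view: the row for one subject, again without empty cells."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items() if r}


def check(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference monitor: an unknown subject or object simply has no rights."""
    return right in matrix.get(subject, {}).get(obj, set())


def _row(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Row for a subject, created empty if the subject is new."""
    return matrix.setdefault(subject, {o: set() for o in OBJECTS})


def grant(matrix: Matrix, subject: str, obj: str, rights: str) -> None:
    """Add a new entry, or extend an existing one with more rights."""
    _row(matrix, subject).setdefault(obj, set()).update(rights)


def revoke(matrix: Matrix, subject: str, obj: str, rights: Optional[str] = None) -> None:
    """Delete the entry (rights=None) or remove only the listed rights."""
    cell = _row(matrix, subject).setdefault(obj, set())
    if rights is None:
        cell.clear()
    else:
        cell.difference_update(rights)


def modify(matrix: Matrix, subject: str, obj: str, rights: str) -> None:
    """Replace the entry with exactly the listed rights."""
    _row(matrix, subject)[obj] = set(rights)


def render(rights: Set[str]) -> str:
    """Print a cell the way the slides do: r, w, x in fixed order, '-' for none."""
    return "".join(c for c in "rwx" if c in rights) or "-"


if __name__ == "__main__":
    m = bookkeeping_matrix()
    print("ACL for Accounting Data:", {s: render(r) for s, r in acl(m, "Accounting Data").items()})
    print("Capabilities of Alice:  ", {o: render(r) for o, r in capabilities(m, "Alice").items()})
    print("Bob may write Audit Trail?", check(m, "Bob", "Audit Trail", "w"))
    grant(m, "Alice", "Accounting Data", "r")
    revoke(m, "Sam", "Accounts Program", "x")
    print("After changes, Sam:", {o: render(r) for o, r in capabilities(m, "Sam").items()})
```

Note that revoking a subject's access to one object touches one cell in the matrix, one entry in that object's ACL, and one entry in that subject's capability list; the slides' later point that capabilities make such revocation hard is about the list being held by the subject rather than the system, not about the data structure itself.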


Access Control Triples

(Subject, Object, Access)    Access: r, w, x, ?


Capabilities

While ACLs are kept by the O/S, capabilities are kept by the subject.

Capabilities give the possessor (of the token) certain rights to an object.

Capabilities do not require authentication of subjects, but do require that the token be unforgeable (encrypted or in inaccessible storage) and that the propagation of capabilities be controlled.
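An added example (not from the slides) of what “unforgeable” and “controlled propagation” can mean in practice: a capability issued as a token whose fields are bound together by an HMAC under a key held only by the reference monitor. A holder can present it without being authenticated, cannot alter or fabricate it without the key, and can only pass on a subset of its rights a bounded number of times. The key, object names, expiry times and the HMAC-based construction itself are assumptions for illustration, not the slides’ own.

```python
# Added example (not from the slides): a capability as an unforgeable token.
# body = JSON(object, rights, expiry, remaining delegation hops)
# tag  = HMAC-SHA256(monitor_key, body)
# token = base64url(body) "." base64url(tag)
# The key, names and timestamps are constructed for illustration.

import base64
import hashlib
import hmac
import json
import time
from typing import Optional

MONITOR_KEY = b"constructed demo key - the reference monitor's secret"


def mint(key: bytes, obj: str, rights: str, expires_at: int, hops: int = 1) -> bytes:
    """Issue a token. The tag binds every field to the key, so changing the
    object, adding a right or extending the expiry invalidates it."""
    body = json.dumps({"obj": obj, "rights": rights, "exp": expires_at, "hops": hops},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body) + b"." + base64.urlsafe_b64encode(tag)


def verify(key: bytes, token: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the capability's fields if the tag is genuine and it has not
    expired, else None. No subject authentication happens here: possession of
    a valid token is what confers the rights."""
    now = int(time.time()) if now is None else now
    parts = token.split(b".")
    if len(parts) != 2:
        return None
    try:
        body = base64.urlsafe_b64decode(parts[0])
        tag = base64.urlsafe_b64decode(parts[1])
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return None
    cap = json.loads(body)
    return cap if cap["exp"] >= now else None


def allows(key: bytes, token: bytes, obj: str, right: str, now: Optional[int] = None) -> bool:
    """Reference-monitor decision for one access request made with a token."""
    cap = verify(key, token, now)
    return cap is not None and cap["obj"] == obj and right in cap["rights"]


def delegate(key: bytes, token: bytes, rights: str, now: Optional[int] = None) -> Optional[bytes]:
    """Controlled propagation: the holder may pass on a subset of its rights,
    and each hand-over uses up one hop. The monitor mints the new token, so
    the holder never needs the key."""
    cap = verify(key, token, now)
    if cap is None or cap["hops"] <= 0 or not set(rights) <= set(cap["rights"]):
        return None
    return mint(key, cap["obj"], rights, cap["exp"], hops=cap["hops"] - 1)


if __name__ == "__main__":
    now = int(time.time())
    t = mint(MONITOR_KEY, "Accounting Data", "rw", now + 3600)
    print("holder may read:", allows(MONITOR_KEY, t, "Accounting Data", "r", now))
    print("holder may exec:", allows(MONITOR_KEY, t, "Accounting Data", "x", now))
    forged = mint(b"a guessed key", "Accounting Data", "rwx", now + 3600)
    print("forged token accepted:", verify(MONITOR_KEY, forged, now) is not None)
    d = delegate(MONITOR_KEY, t, "r", now)
    print("delegated read-only token may write:", allows(MONITOR_KEY, d, "Accounting Data", "w", now))
    print("second-level delegation allowed:", delegate(MONITOR_KEY, d, "r", now) is not None)
```

The expiry and hop count stand in for the slides’ “propagation of capabilities be controlled”: without them, a token copied once is valid forever and for everyone who obtains it, which is the classic revocation weakness of capability systems.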


Access Control Lists (cont.)

– Users manage their own file security, e.g. Unix
– Data-oriented protection, for centrally set access control policy
– OS checks the ACL at each file access
– Not efficient security checking at runtime, though simple to implement
– Tedious to find all files to which a user has access, or to perform system-wide checks


Let us look at examples of ACL implementations
– UNIX
– NT


Unix Operating System Security

Superuser account on Unix is root – UID (user identifier) equal to ‘0’

The superuser can effectively do anything within the system

Superuser password is the most valuable password in the system

Don’t share the superuser password outside the administrative group.


Basic file security

-rw-rw-r-- 1 root sys 1344 Jul 2 22:57 /etc/vfstab

In the listing above, root is the owner and sys is the group. The mode string is read as three permission triplets after the file-type character:

-[rwx]rwxrwx   Owner permissions
-rwx[rwx]rwx   Group permissions
-rwxrwx[rwx]   Other permissions


Basic file security

Important system files must have appropriate file permissions, e.g.:

-r--r--r--  1 root other  /etc/passwd
-r--------  1 root sys    /etc/shadow
-rw-r--r--  1 root sys    /etc/profile
drwxr-xr-x 18 root sys    /usr

A finer granularity of file permissions can be achieved with access control lists (ACLs), e.g. AIX, HP-UX.


Unix Operating System Security (cont.)

A common defence against root compromise by hackers is to send the system log to a printer in a locked room or to another machine/server, e.g. Berkeley, FreeBSD.

ACLs have only names of users, not of programs.

Indirect method => suid and sgid file attributes


SUID and SGID Security

The owner of a program can mark it as suid, so that a user running it gains special privileges: the program runs with the owner’s access control attributes. sgid does the same for groups.

What is the security issue here?


SUID and SGID Security(cont.)

SUID root programs are particularly vulnerable to attack.

If it is possible to subvert the program in some way, then root access can be gained.

A very well known method of such subversion is the buffer overflow.

Buffer overflow vulnerability results from bad coding practices on the part of the original programmer of the SUID root program!
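As an added example (not from the slides) covering both the Basic file security slides and the SUID/SGID slides, the following Python parses ls -l lines like those shown above, evaluates a user's access the way Unix does (the owner triplet if the user owns the file, otherwise the group triplet if the user is in the file's group, otherwise the other triplet, with root bypassing the bits), and audits a listing for sensitive files that are more permissive than a policy allows and for setuid-root programs, which is the inventory a practitioner keeps to bound the exposure these slides describe. The listing's first five lines are the slides' own; the remaining lines and the policy are constructed.

```python
# Added example (not from the slides): decode ls -l mode strings into
# owner/group/other rights plus the setuid/setgid flags, decide access the
# way Unix does, and audit a listing for (a) sensitive files that exceed a
# policy ceiling and (b) setuid-root programs. The listing beyond the slide's
# own lines and the policy dictionary are constructed for illustration.

from typing import Dict, List, NamedTuple, Set


class Entry(NamedTuple):
    ftype: str                   # '-' regular file, 'd' directory, 'l' symlink, ...
    perms: Dict[str, Set[str]]   # {"owner": {...}, "group": {...}, "other": {...}}
    setuid: bool
    setgid: bool
    owner: str
    group: str
    path: str


def parse_mode(mode: str):
    """'-rwsr-xr-x' -> ('-', perms, setuid=True, setgid=False).
    A lowercase s or t means the x bit is also set; uppercase S/T means the
    special bit is set without the corresponding x bit."""
    if len(mode) != 10:
        raise ValueError(f"not a mode string: {mode!r}")
    perms: Dict[str, Set[str]] = {}
    for who, triplet in zip(("owner", "group", "other"), (mode[1:4], mode[4:7], mode[7:10])):
        rights = set()
        if triplet[0] == "r":
            rights.add("r")
        if triplet[1] == "w":
            rights.add("w")
        if triplet[2] in "xst":
            rights.add("x")
        perms[who] = rights
    return mode[0], perms, mode[3] in "sS", mode[6] in "sS"


def parse_listing(text: str) -> Dict[str, Entry]:
    """ls -l lines with or without size/date columns (the slides show both):
    mode, link count, owner and group are the first four fields, the path the last."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ftype, perms, suid, sgid = parse_mode(fields[0])
        entries[fields[-1]] = Entry(ftype, perms, suid, sgid, fields[2], fields[3], fields[-1])
    return entries


def access(e: Entry, user: str, groups: Set[str], right: str) -> bool:
    """Exactly one class applies: owner, else group, else other. A strict
    owner triplet is not rescued by a looser group/other one. root (UID 0)
    bypasses the bits, except that executing a file still needs some x bit."""
    if user == "root":
        return right != "x" or e.ftype == "d" or any("x" in p for p in e.perms.values())
    if user == e.owner:
        cls = "owner"
    elif e.group in groups:
        cls = "group"
    else:
        cls = "other"
    return right in e.perms[cls]


def audit(entries: Dict[str, Entry], policy: Dict[str, str]) -> List[str]:
    """policy maps a sensitive path to the most permissive mode it may have."""
    findings: List[str] = []
    for e in entries.values():
        if e.setuid and e.owner == "root":
            findings.append(f"{e.path}: setuid root")
        if "w" in e.perms["other"] and e.ftype != "l":
            findings.append(f"{e.path}: world-writable")
        if e.path in policy:
            ceiling = parse_mode(policy[e.path])[1]
            for who in ("owner", "group", "other"):
                extra = e.perms[who] - ceiling[who]
                if extra:
                    findings.append(f"{e.path}: {who} has extra {''.join(sorted(extra))}")
    return findings


# Constructed listing: lines 1-5 are the slides' own, 6-7 are added so the
# audit has something to report.
SAMPLE_LS = """\
-rw-rw-r--  1 root sys 1344 Jul  2 22:57 /etc/vfstab
-r--r--r--  1 root other /etc/passwd
-r--------  1 root sys /etc/shadow
-rw-r--r--  1 root sys /etc/profile
drwxr-xr-x 18 root sys /usr
-rwsr-xr-x  1 root bin 38712 Mar  1 09:10 /usr/bin/passwd
-rw-rw-rw-  1 root sys 512 Mar  1 09:11 /etc/hosts.equiv
"""

# Constructed policy: the slide's own modes as the ceiling for three files.
POLICY = {"/etc/passwd": "-r--r--r--", "/etc/shadow": "-r--------", "/etc/profile": "-rw-r--r--"}

if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LS)
    for finding in audit(entries, POLICY):
        print(finding)
```

Run stand-alone, the block reports only the two constructed lines (the setuid-root program and the world-writable file); the slides' own files meet the policy. A setuid-root finding is not a vulnerability by itself, but each such program is code that must be held to the coding standard the slide above demands, so the list is what an administrator reviews and keeps short.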