Professional Documents
Culture Documents
Carlo U. Nicola, FHNW With extracts from publications of : John Mitchell Stanford; Luca Vigan U. Freiburg i.B.; Samson Garfinkel, Gene Spafford, Chris Clifton, Purdue University.
AS HS 10 2
Topics
! Access Control Matrix ! Access Control List ! Administration of ACM/ACL ! ACL in Java (class exercise) ! Security and ACL ! Bell-LaPadula security policy ! Biba security policy ! Role based security ! Practical example: Android security ! A refined definition of secure
AS HS 10 3
AS HS 10 4
Access Control Goal: Specify the limits within which a legitimate user can work with the system.
AS HS 10 5
Glossary of terms Authentication establishes/verifies the identity of the requester. ! Requester presents credentials: something he knows (password); he possesses (smartcard) or he is (biometric). Authorization: Has the legitimate (authenticated) requester the right to perform the action? ! AC/authorization decision made by agent(s) in charge. Auditing process gathers data to discover violations or diagnose their cause. ! Offline after the fact, or online in real time (intrusion detection).
AS HS 10 6
Access Control Matrices Goal: How to describe the protection state of a system A solution: Access control matrix (ACM)
Describes protection state precisely between subjects and objects. Matrix elements describe the rights of subjects over the objects. State transitions change the elements of a matrix. Example: Linux from kernel 2.4 (getfactl, setfactl) and in Windows XP professional, Windows 7.
Linux: setfacl -m user:ulisse:r-- myfile.txt ! adds one entry to ACM for the file myfile.txt which gives ulisse read only permission.
AS HS 10 7
ACM construction An ACM is a static structure to regulate access to resources Objects (entities) o1 Subjects s1 s2 sn rj om
,sn } Objects: O = { o1, ,om } Rights: R = { r1,,rk } Entries: M[si, oj] R M[si, oj] = { rx, , ry } means subject si has rights rx, , ry over object oj
AS HS 10 8
Subjects: S = { s1,
ACM example 1 Processes p, q Files f,g Rights r,w,x,a (all),o (owner) f g p p rwo r rwxo q a ro r
q w rwxo
AS HS 10 9
ACM example 2
Procedures: inc_ctr, dec_ctr, manage Variable: counter Rights: +, , call counter inc_ctr dec_ctr manage inc_ctr + dec_ctr manage call call call
AS HS 10 10
AS HS 10 11
AS HS 10 13
Assumption for the next slide: all subjects are objects, i.e. S O .
AS HS 10 14
AS HS 10 15
command create-file(p,f) create object f; enter own into M[p,f]; enter r into M[p,f]; enter w into M[p,f]; end
AS HS 10 16
Mono-Operational commands
Mono-operational command: A single primitive operation is used in this command. Example: Make process p the owner of file g:
AS HS 10 17
Conditional commands Mono-conditional command: A single condition is used in this command. Example: Let p give q right r over f, if p owns f:
command grant-read-file-1(p,f,q) if own in M[p,f] then enter r into M[q,f]; end
AS HS 10 18
Multiple conditions Let p give q r and w rights over f, if p owns f and p has c rights over q:
command grant-read-file-2(p,f,q) if own in M[p,f] and c in M[p,q] then enter r into M[q,f]; enter w into M[q,f]; end
Right to copy Allows possessor to give rights away. Often it is attached to a right, so it only applies to that right: ! r is read right that cannot be copied ! rc is read right that can be copied Important question: Is the copy flag copied when giving the r(rc) right? ! It depends on model and how the model is implemented
AS HS 10 20
Owner's rights Usually the system allows the possessor to change the entries in the ACM column: ! So the owner of an object can add, delete rights for others on its object. ! But it may depend on what the system allows: Cant give rights to specific (set of) users Cant pass copy flag to specific (set of) users
AS HS 10 21
Attenuation of privilege This principle says you cant give away rights you do not possess. See point 1 of Saltzman/Schrder. Pro: ! Restricts addition of rights within a system However this principle is usually ignored for the owner of an object. The reason for doing so, is that the owner gives herself rights, she gives them to others, and she, of course, can delete them.
AS HS 10 22
Summary ! Access control matrix is the simplest abstraction mechanism for representing a protection state within a system. ! Transitions alter the protection state. ! Six primitive operations alter the AC matrix: Transitions can be expressed as commands composed of these operations and, possibly, conditions.
AS HS 10 23
AC structures In large systems the matrix will be big and sparse. Therefore in practice, the matrix is implemented as a list. AC matrix AC list (ACL) A Capability List
AS HS 10 24
Access control lists are widely used, often with groups Some aspects of capability concept are used in Kerberos,
read
read
write
write
AS HS 10 25
Capabilities
Operating system concept: of the future and always will be Examples: Dennis and van Horn: MIT PDP-1 Timesharing Hydra, StarOS, Intel iAPX 432, Eros, Amoeba: distributed, unforgeable tickets References: Henry Levy, Capability-based Computer Systems
http://www.cs.washington.edu/homes/levy/capabo ok/
Tanenbaum, Amoeba papers
AS HS 10 26
AS HS 10 27
! Capability: Process can pass capability at run time ! ACL: Try to get owner to add permission to list?
More common: let other process act under current user Revocation:
! ACL: Remove user or group from list ! Capability: Try to get capability back from process?
Possible in some systems if appropriate bookkeeping OS knows which data is capability If capability is used for multiple resources, have to revoke all or none Indirection: capability points to pointer to resource If C P R, then revoke capability C by setting P=0
AS HS 10 29
Capability list
Composability of Authorities: Resources are Subject.
r and w rights in a capability list and in a resource are distinguishable and different operations
AS HS 10 30
Authorization relation
Sorted by objects: ACL. Sorted by subjects: Capability list. Relational database management systems use such a representation.
AS HS 10 31
AC policies As already stated the ACM model permits to define three types of access control security policies: Discretionary AC (Dt.: Nach Ermessen) Mandatory AC (Dt.: Verbindliche Zugriffskontrolle) Role-based AC. (Dt.: Rollenbasierte Zugriffskontrolle) It means that subjects (i.e. users, agents) detain privileges (i.e. rcwx) on objects (i.e. data, programs, devices) according to these AC security policies.
AS HS 10 32
Discretionary AC (DAC) This policy restricts access to system objects based on the identity of the users and/or the groups to which they belong. One simple DAC is represented by the Unix scheme owner/group/other. Permissions as tags: -rw-r--r-x 1 ulisse ibneco 56789 Dec
15:19 foo.bar
Temporary permissions: setuid programs allow users to accomplish tasks for which they normally would not have proper authorization (i.e. password change).
AS HS 10 33
Discretionary AC (2)
Two types of DAC policies are used in practice: Closed DAC: authorization must be explicitly specified, since the default decision is always denial. (Apache security policy). Open DAC: denials must be explicitly specified since the default decision is always access. ( Web portal through a HTML form).
General problems with DAC policies: Danger of users' mistakes or negligence; The dissemination of information is not controlled: for example a user who is able to read data can pass it to other users not authorized to read it without the actual owner knowing it.
AS HS 10 34
Mandatory AC (MAC)
As we will see in the Bell-LaPadula model one can assign centrally, sensitivity labels to all system objects and subjects and enforce that these rules are obeyed.
The clear advantage of such a policy is the reduction of possible damage, but you pay this with the loss of flexibility.
AS HS 10 35
AS HS 10 36
Military security policy Sensitivity levels ! compartments Satellite data Afghanistan Middle East Israel Top Secret Secret Confidential Restricted Unclassified
AS HS 10 37
A more civilian version Product specifications Discontinued In production OEM Internal Proprietary Public
AS HS 10 38
top secret secret confidential Set of actions: read, write, append, execute
AS HS 10 39
Basic Security Theorem: Let be a system with a secure initial state 0 and let T be a set of transformations. If every set of T preserve (i) and (ii) then every state i, i 0 is secure.
AS HS 10 40
Example
t s o4 o5 o6 o7 o8 o9 c u o10 o11 o12
o1 o2 o3
append
read
t o4 o5 o6
s o7 o8 o9
AS HS 10 41
AS HS 10 42
Biba Integrity Model Rules that preserve integrity of information Two properties: Simple integrity property: A subject s may write object o only if L(s) L(o) (Only trust s to modify o if s has higher rank ) *-Property: A subject s with read access to o may write object p only if L(o) L(p) You may only write p if o more (Only move info from o tobelowisyour trusted classification and only read above your than p) classification
AS HS 10 43
Chinese Wall Policy: Lawyers L1, L2 work in the same firm If company C1 sues C2: ! L1 , L2 can each work for either C1 or C2 ! No Li can work for opposite sides in any case Permission depends on use of other permissions These policies cannot be represented using access matrix
AS HS 10 44
RBAC example
RBAC are hierarchies with delegation of powers and rights.
In the example on the left side a user of role doctor has access to all transactions defined between intern and healer. The user with role healer on the contrary is restricted to his resources. A doctor can delegate a task to an intern or to a healer.
RBAC allows for least privilege (Saltzmann, Schrder) since a user with higher privileges doesn't need to activate them until he really needs them. RBAC does require (i) some rules for role assignments and authorization and for transaction authorization and (ii) rules for delegation of credentials. A RBAC security policy is fully implemented in JAAS.
AS HS 10 46
AS HS 10 47
Android (1)
Open-source platform (Open Handset Alliance) Native development, Java development Platform outline:
! ! ! !
Linux kernel 2.6 Webkit-based browser engine SQLite as DB Open SSL, Bouncy Castle crypto API and Java library ! Bionic C library (small code, good performance, no GPL) ! Apache Harmony libraries (open source Java implementation) ! Many others: video stuff, Bluetooth, vibrate AS HS 10 48 phone, etc.
Android (2)
AS HS 10 49
Android challenges Battery life: ! Developers must conserve power ! Applications store state so they can be stopped (to save power) and restarted (helps with DoS attacks) ! The most foreground activity is never killed Android market: ! Not reviewed by Google (not like Apple!) ! No way of stopping bad applications from showing up on market ! Malware writers may be able to get code onto platform: shifts focus from remote exploit to AS HS 10 50 privilege escalation
Basic components: Activity: defines the user interface: Example: scroll through your inbox Email client comprises many activities Service: Java daemon that runs in background Example: application that streams an mp3 in background Content provider Store and share data using a relational database interface Broadcast receiver mailboxes for messages from other applications
AS HS 10 51
AS HS 10 52
AS HS 10 53
Security step 2: Application sandbox Application sandbox Each application runs with its UID (Linux process) with its own Dalvik virtual machine: ! Provides CPU protection, memory protection ! Authenticated communication protection using Unix domain sockets ! Only zygote (spawns another process) and ping run as root Applications announces permission requirement (security policy): ! Create a white list model: user grants AS HS 10 54 access
Two forms of security enforcement 1. Each application executes with its own user identity as Linux process 2. Android middleware has a reference monitor that mediates the establishment of inter-component communication (ICC) First is straightforward to implement, second requires careful consideration of mechanisms and security policy
AS HS 10 55
The manifest file spells out the security policy of the whole application
AS HS 10 57
This is defensible when for instance some components provide global access: e.g., the main Activity for an Application. Implication: Unprivileged applications have access Components without access permissions should be exceptional cases, and possible inputs must be carefully analysed (consider splitting components).
Permission categories
Permissions can be: (1) normal : always granted; (2) dangerous : requires user approval; (3) signature : matching signature key; (4) signatureOrSystem: same as signature, but also system apps (legacy compatibility) Defence against malicious applications that may request sensitive informations. Implication: Users may not understand implications when explicitly granting
permissions.
Use signature permissions for application suites and dangerous permissions otherwise and always include informative descriptions
<permission android:name="ch.fhnw.apsi.permission.FRIEND_NEAR android:label="@string/permlab_friendNear" Defined in string.xml android:description="@string/permdesc_friendNear android:protectionLevel="dangerous"> </permission>
AS HS 10 65
Summary
Android expansion of the ACM model: Delegation (Be aware: Mechanisms that delegate rights are poorly understood!) Public and Private components Permission Granting using user's confirmation
AS HS 10 66
AS HS 10 67
! We start with an access control matrix A ! We define leak (Dt. das Leck): A command can add right r to an element of A not containing r Safe: A system is safe with respect to r if r cannot be leaked
AS HS 10 68
AS HS 10 69
Unix example
General ACM for Unix:
! root has access to all files ! Owners have access to all their own files
Is it safe with respect to file access right?
! NO: chmod/chown command changes owners/rights! ! Only root can get root privileges ! Only users can authenticate themselves
Is this definition of safe useful? Safe does not differentiate between unauthorized and authorized leaks of rights. If we introduce the notion of transfer of rights to trusted subjects and eliminate those subjects from the AC matrix then the definition is quite useful, even in this case.
AS HS 10 70
Security frameworks
minimize
AS HS 10 71