Computer Security CSE 543
Class notes for CSE 543 (Computer Security) at Pennsylvania State University, uploaded by Libby Kuhlman on Sunday, November 1, 2015.
CSE 543 Computer Security, Lecture 11: OS Security (October 2, 2007)
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07
CSE543 Computer and Network Security, Fall 2007, Professor Jaeger

OS Security
- A secure OS should provide the following mechanisms:
  - Memory protection
  - File protection
  - General object protection
  - Access authentication
- How do we go about designing a trusted OS?
- Trust in this context means something different from Secure.

Trust vs Security
- When you get your medication at a pharmacy, you are trusting that it is appropriate for the condition you are addressing.
- In effect, you are arguing internally:
  - The doctor was correct in prescribing this drug.
  - The FDA vetted the drug through scientific analysis and clinical trials.
  - No maniac has tampered with the bottle.
- The first two are matters of trust and the last is a matter of security.
- An OS needs to perform similar due diligence to achieve trust and security.

Access Control Lists
- ACL: a list of the principals that are authorized to have access to some object.
- E.g. (the slide's table; Y marks an authorized subject):
  - O1: S1
  - O2: S1, S2, S3
  - O3: S3
- We are going to see a lot of examples of these throughout the semester.

ACL in systems
- ACLs are typically used to implement discretionary access control.
- For example, you define the UNIX file system ACLs using the chmod utility.

Discretionary Access Control in UNIX FS
- The UNIX filesystem implements discretionary access control through file permissions set by the user.
- The set of objects is the files in the filesystem, e.g. /etc/passwd.
- Each file has an owner and a group (subjects).
  - The owner is typically the creator of the file and the entity in control of the access control policy.
  - Note: this can be overridden by the root user.
- There is an additional subject called world, which represents everyone else.

UNIX filesystem rights
- There are three rights in the UNIX filesystem:
  - READ allows the subject (process) to read the contents of the file.
  - WRITE allows the subject (process) to alter the contents of the file.
  - EXECUTE allows the subject (process) to execute the contents of the file, e.g. a shell program or an executable.
- Q: why is execute a right?
- Q: does the right to read a program implicitly give you the right to execute it?

The UNIX FS access policy
- Really this is a bit string encoding an access matrix, e.g. rwx rwx rwx (owner, group, world).
- A policy is encoded as x if enabled and - if not, e.g. rwx rw- --x says the user can read, write and execute, the group can read and write, and the world can execute only.

Caveats: UNIX Filesystem
- Access is often not really this easy: you need to have certain rights to parent directories to access a file (execute, for example). The reasons for this are quite esoteric.
- The preceding policy may appear to be contradictory: a member of the group does not have execute rights, but members of the world do, so a user appears to be both allowed and prohibited from executing.
- Not really: these policies are monotonic. The absence of a right does not mean the subject should not get access at all, just that that particular identity (e.g. group member, world) should not be given that right.

Windows 2000 Security Model
- Windows uses an ACL model too, but its model is more general.
- Subjects: Tokens
  - Can describe users, groups, arbitrary privileges, and retract privileges (restricted contexts).
- Objects: Types
  - An extensible set of object types can be defined.
- Operations
  - General operations: fixed set supported by all types.
  - Per-type operations: operations with semantics specific to the type may be defined.
  - Negative rights.
- Result: any combination of rights can be described.

Tokens
- Like the UID/GID in a UNIX process.
- User, Group, Aliases, Privileges (predefined sets of rights).
- May be specific to a domain.
- Composed into a global SID.
- Subsequent processes inherit access tokens.
- Different processes may have different rights.
(Slide footer: CSE497b Introduction to Computer and Network Security, Spring 2007, Professor Jaeger)

Access Control Entries
- DACL in the security descriptor of an object: a list of access control entries (ACEs).
- ACE structure (proposed by Swift et al.):
  - Type: grant or deny
  - Flags
  - ObjectType: global UID for the type; limits the ACEs checked
  - InheritedObjectType: complex inheritance
  - Access rights: access mask
  - Principal SID: the principal the ACE applies to
- Checking algorithm:
  - ACE matches SID (user, group, alias, etc.)
  - ACE denies access for the specified right: deny
  - ACE grants access for some rights: need full coverage

Access Checking with ACEs
- Example (slide diagram): access is denied.

Windows Vista Integrity
- Integrity protection for writing.
- Defines a series of protection levels of increasing protection: untrusted (lowest), low (Internet), medium (user), high (admin), system (installer, highest).
- Semantics: if the subject's (process's) integrity level dominates the object's integrity level, then the write is allowed.

Vista Integrity
- Does Vista Integrity protect the integrity of J's public key file? (slide diagram)

UID Transition
- Setuid: a special bit in the mode bits.
  - Execute the file; the resulting process has the effective and fs UID/GID of the file owner.
  - Enables a user to escalate privilege for executing a trusted service.
- Downside: the user defines the execution environment, e.g. environment variables, input arguments, open descriptors, etc.
  - The service must protect itself or the user can gain root access.
- All UNIX services involve root processes, many via setuid.

/tmp Vulnerability
- creat(pathname, mode)
  - O_EXCL flag: if the file already exists, this is an error.
- Potential attack:
  - Attacker creates a file in shared space (/tmp).
  - Give it a filename used by a higher-authority service.
  - Make sure that service has permission to the file.
  - If creat is used without O_EXCL, then the attacker can share the file with the higher-authority process.

Other Vulnerabilities
- Objects without sufficient control: Windows registry, network.
- Libraries: load order permits malware-defined libraries.
- Executables are everywhere: web content, email, documents (Word).
- Labeling is wrong: mount a new file system / device.
- Malware can modify your permissions: inherent to the discretionary model.

Sandboxing
- An execution environment for programs that contains a limited set of rights:
  - A subset of your permissions.
  - Meet secrecy and integrity goals.
  - Cannot be changed by the running program (mandatory).

UNIX Chroot
- Create a domain in which a process is confined.
  - The process can only read/write within a file system subtree.
  - Applies to all descendant processes.
  - Can carry file descriptors in the chroot jail.

Chroot Vulnerability
- Unfortunately, chroot can trick its own system:
  - Define a passwd file at <newroot>/etc/passwd.
  - Run su; su thinks that this is the real passwd file and gives root access.
  - Use mknod to create a device file to access physical memory.
- Setup requires great care:
  - Never run a chroot process as root; it must not be able to get root privileges.
  - No control by the chrooted process (user) of the contents in the jail.
  - Be careful about descriptors, open sockets, IPC that may be available.

Janus
- One of several sandboxing systems developed in the mid-to-late 90s.
- Operating system access control is too coarse:
  - Run everything as user or root: too many permissions.
  - Can modify permissions: add more.
  - UNIX is not very expressive: cannot specify minimal rights.

Janus Threat Model
- Web browser and mail helper applications (plugins).
- Problem: helpers are untrustworthy (many vulnerabilities); they may execute input data (PostScript, Word).
- Solution choices:
  - Application reference monitor
  - Use existing OS protection
  - Extend OS protection
  - Network firewall
- None of these is sufficient.

Janus Approach
- Components:
  - Framework: multiple modules; combine modules; authorizations: last wins.
  - Modules: enforce the security policy.
  - Configuration file: specifies the modules to load and their policy.
- Policies:
  - Constrain to one directory.
  - Clean environment variables.
  - Limit network access to an X proxy.

Janus Implementation
- Initialize the application: limit available VM, disable core dumps, close non-standard file descriptors, set umask, etc.
- Trace and authorize system calls:
  - Uses the /proc filesystem to register callbacks.
  - Per-system-call control.
  - Get arguments from the system call.

Janus Limitations
- Limited policies: very restricted.
- Specialized for a single OS: need to port.
- Performance: callback and argument parsing.
- Complexity: argument parsing.
- Security: argument parsing; Time-of-Check-to-Time-of-Use (TOCTTOU).

Linux AppArmor
- Linux Security Module; enforces mandatory access control.
- Confine network-facing daemons: sandbox them to protect the system from remote compromise.
- Approach:
  - Non-network processes: not threatened, run unconfined.
  - Network daemons: threatened, run with limited permissions to protect the rest of the system.
- If the only threat is via the network, this is plausible (server systems).

Windows Restricted Context
- Confine code run by a particular user.
- Goals:
  - Code should have no more rights than the user.
  - Should be able to restrict code to specific files or objects.
  - Should be part of the Windows AC model.
- Restricted context = access token.
- Semantics: both the RC and the other token must be granted access (intersection of rights).
  - The RC may not be modified by the process (mandatory).
  - The RC may include positive and negative rights.
- Might work if the overall model was not so complex.

CSE 543 Computer Security, Lecture 11: Access Control (October 10, 2006)
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06
CSE543 Computer and Network Security, Fall 2006, Professor Jaeger

Access Control System
- Protection Domain: what can be accessed by a process.
  - Default access: memory.
  - Mediated access: e.g. files.
(Slide image: a "Warning: property protected by guard dog" sign)

Access Control Enforcement
- Mediates access: the Reference Monitor.
- Processes a query: can Subject S perform Operation OP on Object OBJ?
- What should the answer to the query be?

Access Control Policy
- The Reference Monitor queries the policy.
- The policy describes security goals:
  - Goal: only let me have access.
  - Goal: only let people in the job have access.
  - Goal: only let me and others I trust have access.
  - Other goals.
- Choose your goals and express them in policy.

In-class exercise
- Find a partner, pick an interviewer and a responder, and do a 5-minute interview asking them what personal information they share with third parties, with whom, and what those parties do with it. Example: what do you share with phone telemarketers, departmental secretaries, the university, your advisor, your significant other? Don't be exhaustive about all the information, but definitely identify the broad classes of information you share (sensitive, highly sensitive, etc.); do the same for the entities you share with. What are you allowing them to do with this information (e.g. share, alter, record, unknown)? Discuss and formulate a subject/object matrix for each right defined by this process. The interviewer should lead the process (i.e. the responder answers questions only).

Access Policy Goals
- Rights assignment is the process of describing a security goal.
- Principle of least privilege: you should provide the minimal set of rights necessary to perform the needed function.
  - Implication 1: you want to reduce the protection domain to the smallest possible set of objects.
  - Implication 2: you want to assign the minimal set of rights to each subject.
  - Caveat: of course, you need to provide enough rights and a large enough protection domain to get the job done.
- What other kinds of policy goals are there?

Policy Goals
- Secrecy
  - Don't allow reading by unauthorized subjects.
  - Control where data can be written by authorized subjects.
  - Why is this important?
- Integrity
  - Don't permit dependence on lower-integrity data/code.
  - Why is this important? What is dependence?
- Availability
  - The necessary function must run.
  - Doesn't this conflict with the above?

Access Control Model
- What language should I use to express policy?
- Access Control Model: oodles of these.
  - Some specialize in secrecy: Bell-LaPadula.
  - Some specialize in integrity: Clark-Wilson.
  - Some focus on jobs: RBAC.
  - Some specialize in least privilege: SELinux Type Enforcement.
- Q: Why are there so many different models?

Groups
- Groups are collections of identities who are assigned rights as a collective.
- Important in that it allows permissions to be assigned in aggregates of users.
- This is really about membership.
- Standard DAC: permissions are transient.

Job Functions
- In an enterprise, we don't really do anything as ourselves; we do things as some job function, e.g. student, professor, doctor.
- One could manage this as groups, right? We are assigned to groups all the time and given similar rights as them (i.e. mailing lists).

Role
- A role is a collection of privileges/permissions associated with some function or affiliation.
- NIST studied the way permissions are assigned and used in the real world, and this is it.
- Important: the permissions are static, the user/role membership is transient.
- This is not standard DAC.

RBAC
- Role-based access control is a class of access control, not direct MAC and DAC, but it may be one or either of these.
- A lot of literature deals with RBAC models. Most formulations are of the type:
  - U: users (these are the subjects in the system)
  - R: roles (these are the different roles users may assume)
  - P: permissions (these are the rights which can be assumed)
- There is a many-to-many relation between users and roles, and between roles and permissions.
- The relations define the role-based access control policy.

RBAC Sessions
- During a session a user assumes a subset of the roles it may take on, known as activating a set of roles.
- The set of rights given to a user is the union of the rights of the activated roles.
- Q: why not just activate all the roles?
- Note: the session terminates at the user's discretion.

Multilevel Security
- A multi-level security system tags all objects and subjects with security tags classifying them in terms of sensitivity/access level.
- We formulate an access control policy based on these levels.
- We can also add other dimensions, called categories, which horizontally partition the rights space in a way similar to that done by roles.
- Security levels + categories: the Lattice Model.

Lattice Model
- Used by the US military (and many others), the lattice model uses MLS to define policy.
- Levels: unclassified < confidential < secret < top secret.
- Categories (actually an unbounded set): NUClear, INTELligence, CRYPTOgraphy.
- Note that these levels are used for physical documents in the US government as well.

Assigning Security Levels
- All subjects are assigned clearance levels and compartments:
  - Alice: SECRET, {CRYPTO, NUC}
  - Bob: CONFIDENTIAL, {INTEL}
  - Charlie: TOP SECRET, {CRYPTO, NUC, INTEL}
- All objects are assigned an access class:
  - DocA: CONFIDENTIAL, {INTEL}
  - DocB: SECRET, {CRYPTO}
  - DocC: UNCLASSIFIED, {NUC}

Evaluating Policy
- Access is allowed if subject clearance level >= object sensitivity level and object categories are a subset of subject categories (read down).
- Q: What would write-up be?
- Hence the lattice (slide diagram): Charlie (TS, {CRYPTO, NUC, INTEL}); Bob (CONF, {INTEL}); Alice (SEC, {CRYPTO, NUC}); DocB (SECRET, {CRYPTO}); DocA (CONFIDENTIAL, {INTEL}); DocC (UNCLASSIFIED, {NUC}).

How about integrity?
- Biba defined a dual of secrecy for integrity: a lattice policy with no read down, no write up.
- Q: Why would this work?
- The lattice model for secrecy matched the paper world; does this integrity model? Consider an Oracle.
- What is a realistic view of integrity?

Clark-Wilson Integrity
- Map integrity in business (e.g. accounting) to computing.
  - High-integrity data: Constrained Data Items (CDIs).
  - High-integrity processes: Transformation Procedures (TPs).
  - Check the integrity of data initially: Integrity Verification Procedures (IVPs).
- Premise: if the IVPs verify initial integrity and high-integrity data is only modified by TPs, then the integrity of computation is preserved.

Clark-Wilson Integrity Model
- Associate code with objects: for each TP, a list of CDIs that it can access.
- Associate users with TPs and objects: for each user, she can access some CDIs using some TPs.
- What are the subjects and objects? What happened to operations?
- Result: the rights of a user are constrained by the rights of the TP.
- Further, we are restricted by separation of duty (more later).

Clark-Wilson Issues
- Correct function: certify IVPs and TPs to be valid, i.e. correct (C1, C2).
  - Such certification is impossible in general (Halting Problem).
  - Is there a general way of defining correctness?
- Handle low-integrity data: a TP must upgrade or discard any UDI (low-integrity data) it receives (C5).
  - What modern problems are instances of this?

Safety Problem
- For a protection system (protection state and administrative operations), prove that any future state will not result in the leakage of an access right to an unauthorized user.
- Q: Why is this important?
- For most discretionary access control models, safety is undecidable.
- This means that we need another way to prove safety:
  - Restrict the model (no one uses).
  - Test incrementally (constraints).
- How does the safety problem affect MAC models?

Constraints
- In reality, you want to constrain the choices of protection states. Constraints are explicit ways of doing just this.
- Constraints available in RBAC: role assumption, permission-role assignment, user-role assignment.
- Examples in RBAC:
  - Required inclusion: you must be acting as an employee of Pennsylvania State University to be a professor; you must assume a parent role to assume another (child) role.
  - Mutual exclusion: you cannot be both CFO and auditor for the same company (unless you work for Enron).
  - Cardinality constraint: only one (or n) of a particular role.

Constraint Example
- No entity can activate student and faculty roles at the same time: give yourself credits, etc. Or, in this case, buy faculty tickets at student prices.

Separation of duties: an example
- One person should not be responsible for recording a transaction from inception to its posting in the ledger. This may prevent unintentional errors from being detected and corrected.
- Examples of bad separation of duties include:
  - A transaction inputter or approver who is also responsible for processing journal vouchers adjusting the operating ledger.
  - A transaction inputter or approver who is also responsible for making adjustments to related subsidiary ledger records such as accounts receivable, accounts payable, deposits and travel advances.
  - A transaction inputter or approver who is also responsible for reviewing the operating ledger for discrepancies and budget variances.
  - A cash deposit preparer/reviewer who is also responsible for investigating debit and credit advices received from the bank or for investigating over/short situations reported by the Major Cashiering Station.
- Source: University of California, Santa Cruz, Campus Controller's Office tip sheet.
- Comment: well, duh.
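An added example (not from the lecture slides) modelling the UNIX mode-bit policy and the two caveats from the OS Security lecture: only the most specific class (owner, then group, then world) applies to a subject, and search (x) is needed on every parent directory. The tree, user names and group names are constructed for the demonstration; the model simplifies root to an unconditional override.

```python
# Added example (not from the lecture notes): a model of the UNIX mode-bit check
# including the parent-directory caveat from the "Caveats: UNIX Filesystem" slide.
from dataclasses import dataclass
from typing import Dict, Optional, Set

BIT = {"r": 0, "w": 1, "x": 2}   # position of each right inside a 3-char class

@dataclass
class Node:
    owner: str
    group: str
    mode: str                                        # nine chars: owner|group|world
    children: Optional[Dict[str, "Node"]] = None     # dict for a directory, None for a file

def class_bits(node: Node, uid: str, groups: Set[str]) -> str:
    """The single class that applies to this subject: owner, else group, else world."""
    if uid == node.owner:
        return node.mode[0:3]
    if node.group in groups:
        return node.mode[3:6]
    return node.mode[6:9]

def has_right(node: Node, uid: str, groups: Set[str], right: str) -> bool:
    """root overrides the discretionary policy (simplified); others get their class's bit."""
    if uid == "root":
        return True
    return class_bits(node, uid, groups)[BIT[right]] != "-"

def can_access(root: Node, path: str, uid: str, groups: Set[str], right: str) -> bool:
    """Need 'x' (search) on every directory along the path, then `right` on the final node."""
    node = root
    for name in [p for p in path.split("/") if p]:
        if node.children is None or not has_right(node, uid, groups, "x"):
            return False                             # not a directory, or no search right
        node = node.children.get(name)
        if node is None:
            return False                             # no such entry
    return has_right(node, uid, groups, right)

# Constructed sample tree. /home/alice/tool carries the slide's rwx|rw-|--x policy.
FS = Node("root", "root", "rwxr-xr-x", {
    "etc": Node("root", "root", "rwxr-xr-x", {
        "passwd": Node("root", "root", "rw-r--r--"),
    }),
    "home": Node("root", "root", "rwxr-xr-x", {
        "alice": Node("alice", "staff", "rwx--x---", {
            "tool": Node("alice", "staff", "rwxrw---x"),
        }),
    }),
})

if __name__ == "__main__":
    # bob is in group staff: the group class applies, so no execute although world has x
    print(can_access(FS, "/home/alice/tool", "bob", {"staff"}, "x"))    # False
    # carol is "world" for tool, but lacks search on /home/alice and never reaches it
    print(can_access(FS, "/home/alice/tool", "carol", {"other"}, "x"))  # False
```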
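An added example (not from the lecture slides or Windows itself) of the ACE checking algorithm from the Access Control Entries slide, with the Windows Restricted Context rule that both the token and the restricting SIDs must be granted the request. The SIDs, mask values and DACL are constructed; the walk is a simplified model in which a matching deny ACE covering a still-wanted right refuses, and grant ACEs must cover every requested right.

```python
# Added example (not from the lecture notes): ordered ACE evaluation with deny ACEs,
# full-coverage grants, and the restricted-context intersection of rights.
from dataclasses import dataclass
from typing import Optional, Sequence, Set

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4     # access-mask bits (constructed values)

@dataclass(frozen=True)
class ACE:
    allow: bool   # True = grant ACE, False = deny ACE
    sid: str      # principal (user, group or alias SID) the ACE applies to
    mask: int     # rights this ACE grants or denies

def check_dacl(dacl: Sequence[ACE], sids: Set[str], requested: int) -> bool:
    """Walk the DACL in order. A matching deny ACE on a still-wanted right denies;
    grant ACEs accumulate until every requested right is covered."""
    if requested == 0:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in sids:
            continue                       # this ACE does not match the token
        if not ace.allow:
            if ace.mask & remaining:
                return False               # deny wins, so deny ACEs are ordered first
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True                    # full coverage reached
    return False                           # some requested right was never granted

def check_access(dacl: Sequence[ACE], token_sids: Set[str], requested: int,
                 restricting_sids: Optional[Set[str]] = None) -> bool:
    """Restricted context: the request must be granted both to the token's SIDs and
    to the restricting SIDs, so the process gets only the intersection of rights."""
    if not check_dacl(dacl, token_sids, requested):
        return False
    if restricting_sids is not None and not check_dacl(dacl, restricting_sids, requested):
        return False
    return True

# Constructed DACL for one file: interns never write, staff read/write, everyone reads.
REPORT_DACL = [
    ACE(allow=False, sid="S-Interns",  mask=WRITE),
    ACE(allow=True,  sid="S-Staff",    mask=READ | WRITE),
    ACE(allow=True,  sid="S-Everyone", mask=READ),
]
ALICE = {"S-alice", "S-Staff", "S-Everyone"}                  # staff member
BOB   = {"S-bob", "S-Staff", "S-Interns", "S-Everyone"}       # staff member who is an intern
CAROL = {"S-carol", "S-Everyone"}                              # neither staff nor intern
```

A helper run by alice under a restricted context of {"S-Everyone"} can read the report but not write it, because the write must also be granted to the restricting SIDs.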
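An added example (not from the lecture slides) working the lattice from the Assigning Security Levels and Evaluating Policy slides: Bell-LaPadula read-down and write-up over the slide's subjects and documents, the Biba dual, and the Windows Vista integrity levels checked with Biba's no-write-up rule. The level and category names are the slide's; the `Lattice` class and function names are this example's own.

```python
# Added example (not from the lecture notes): MLS lattice dominance, Bell-LaPadula,
# its Biba dual, and the Vista integrity levels as an instance of the Biba write rule.
from typing import FrozenSet, NamedTuple, Sequence, Set

class Label(NamedTuple):
    level: str
    categories: FrozenSet[str] = frozenset()

class Lattice:
    """Levels are totally ordered, categories form a powerset: label a dominates b
    when a's level is at least b's and a's categories are a superset of b's."""
    def __init__(self, levels: Sequence[str]):
        self.rank = {name: i for i, name in enumerate(levels)}

    def dominates(self, a: Label, b: Label) -> bool:
        return self.rank[a.level] >= self.rank[b.level] and b.categories <= a.categories

# Bell-LaPadula (secrecy): read down, write up.
def blp_can_read(lat: Lattice, subj: Label, obj: Label) -> bool:  return lat.dominates(subj, obj)
def blp_can_write(lat: Lattice, subj: Label, obj: Label) -> bool: return lat.dominates(obj, subj)

# Biba (integrity) is the dual: no read down, no write up.
def biba_can_read(lat: Lattice, subj: Label, obj: Label) -> bool:  return lat.dominates(obj, subj)
def biba_can_write(lat: Lattice, subj: Label, obj: Label) -> bool: return lat.dominates(subj, obj)

MLS = Lattice(["unclassified", "confidential", "secret", "top secret"])
SUBJECTS = {   # clearances from the slide
    "Alice":   Label("secret",       frozenset({"CRYPTO", "NUC"})),
    "Bob":     Label("confidential", frozenset({"INTEL"})),
    "Charlie": Label("top secret",   frozenset({"CRYPTO", "NUC", "INTEL"})),
}
OBJECTS = {    # access classes from the slide
    "DocA": Label("confidential", frozenset({"INTEL"})),
    "DocB": Label("secret",       frozenset({"CRYPTO"})),
    "DocC": Label("unclassified", frozenset({"NUC"})),
}

def readable_docs(subject: str) -> Set[str]:
    """Documents the subject may read under the read-down rule."""
    return {d for d, lab in OBJECTS.items() if blp_can_read(MLS, SUBJECTS[subject], lab)}

def writable_docs(subject: str) -> Set[str]:
    """Documents the subject may write under the write-up (*-property) rule."""
    return {d for d, lab in OBJECTS.items() if blp_can_write(MLS, SUBJECTS[subject], lab)}

# Vista's integrity levels (untrusted lowest, system highest) with the Biba write rule:
# the write is allowed only if the process's level dominates the object's level.
VISTA = Lattice(["untrusted", "low", "medium", "high", "system"])

def vista_write_allowed(process_level: str, object_level: str) -> bool:
    return biba_can_write(VISTA, Label(process_level), Label(object_level))
```

Note that Alice can read DocB and DocC but not DocA (she lacks INTEL), and the only document anyone in the table can write to is DocA by Bob, whose clearance equals its class.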
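An added example (not from the lecture slides or any RBAC standard's reference code) of the RBAC Sessions and Constraints material: user-role and role-permission relations, activation of a subset of roles in a session whose rights are the union of the activated roles, and the three constraint kinds the slides list (required inclusion, mutual exclusion, cardinality). The roles, permissions and users in `build_demo` are constructed from the slides' student/faculty and employee/professor examples.

```python
# Added example (not from the lecture notes): RBAC with sessions and constraints.
from typing import Dict, Set, Tuple

class RBAC:
    def __init__(self):
        self.user_roles: Dict[str, Set[str]] = {}        # UA: roles a user may assume
        self.role_perms: Dict[str, Set[str]] = {}        # PA: permissions of a role
        self.exclusive: Set[frozenset] = set()           # mutually exclusive role pairs
        self.requires: Dict[str, str] = {}               # child role -> parent role needed
        self.cardinality: Dict[str, int] = {}            # role -> max simultaneous holders
        self.sessions: Dict[str, Set[str]] = {}          # user -> activated roles

    def assign(self, user: str, *roles: str) -> None: self.user_roles.setdefault(user, set()).update(roles)
    def grant(self, role: str, *perms: str) -> None:  self.role_perms.setdefault(role, set()).update(perms)

    def activate(self, user: str, role: str) -> bool:
        """Activate one role in the user's session; False if any constraint rejects it."""
        if role not in self.user_roles.get(user, set()):
            return False                                  # not in the UA relation
        session = self.sessions.setdefault(user, set())
        parent = self.requires.get(role)
        if parent is not None and parent not in session:
            return False                                  # required inclusion
        if any(frozenset((role, other)) in self.exclusive for other in session):
            return False                                  # mutual exclusion
        limit = self.cardinality.get(role)
        if limit is not None and sum(role in s for s in self.sessions.values()) >= limit:
            return False                                  # cardinality
        session.add(role)
        return True

    def rights(self, user: str) -> Set[str]:
        """Union of the permissions of the roles activated in this session."""
        return set().union(*(self.role_perms.get(r, set()) for r in self.sessions.get(user, set())))

def build_demo() -> RBAC:
    """Constructed policy: professor requires employee, student and faculty exclude
    each other, and only one department chair may be active at a time."""
    p = RBAC()
    p.requires["professor"] = "employee"
    p.exclusive.add(frozenset(("student", "faculty")))
    p.cardinality["chair"] = 1
    p.grant("student", "register_course", "buy_student_ticket")
    p.grant("faculty", "assign_grades", "buy_faculty_ticket")
    p.grant("professor", "advise_phd")
    p.grant("chair", "approve_budget")
    p.assign("pat", "student", "faculty", "employee", "professor", "chair")
    p.assign("lee", "employee", "chair")
    return p

def demo_trace() -> Tuple[Tuple[bool, ...], Set[str]]:
    """Activation outcomes in order: professor before employee (rejected), employee,
    professor, faculty, student (excluded by faculty), chair, then lee's chair (full)."""
    p = build_demo()
    steps = tuple(p.activate(u, r) for u, r in [
        ("pat", "professor"), ("pat", "employee"), ("pat", "professor"),
        ("pat", "faculty"), ("pat", "student"), ("pat", "chair"), ("lee", "chair")])
    return steps, p.rights("pat")
```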
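An added example (not from the lecture slides) of the /tmp Vulnerability slide from the defender's side: the same file creation without and with O_EXCL, run against a directory where a file with the service's name already exists. The directory, file name and contents are constructed in a temporary directory rather than in /tmp itself.

```python
# Added example (not from the lecture notes): creating a file in shared space with and
# without O_EXCL, against a pre-existing file of the same name.
import os
import tempfile
from typing import Tuple

def create_private_file_unsafe(path: str, data: str) -> bool:
    """Like creat()/open() without O_EXCL: an existing name is silently reused,
    so a file someone else placed under that name is now shared with us."""
    with open(path, "w") as f:
        f.write(data)
    return True

def create_private_file_safe(path: str, data: str) -> bool:
    """O_CREAT|O_EXCL makes creation atomic: an existing name is an error, and the
    restrictive mode is set before anyone else can open the new file."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True

def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario standing in for /tmp: another party already placed a
    file under the name the service uses. Returns (unsafe wrote into the planted
    file, safe refused the planted name, safe created a fresh name)."""
    with tempfile.TemporaryDirectory() as shared:
        planted = os.path.join(shared, "service.lock")
        with open(planted, "w") as f:
            f.write("planted")
        unsafe = create_private_file_unsafe(planted, "secret")
        safe_on_planted = create_private_file_safe(planted, "secret")
        safe_on_fresh = create_private_file_safe(os.path.join(shared, "fresh.lock"), "secret")
        return unsafe, safe_on_planted, safe_on_fresh
```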