Access Control and Operating System Security: Matrix, ACL, Capabilities


CS 155, Spring 2006
Access Control and Operating System Security
John Mitchell

Outline
- Access Control Concepts
  - Matrix, ACL, Capabilities
  - Multi-level security (MLS)
- OS Mechanisms
  - Multics: Ring structure
  - Amoeba: Distributed, capabilities
  - Unix: File system, Setuid
  - Windows: File system, Tokens, EFS
  - SE Linux: Role-based, Domain type enforcement
- Assurance, Limitations
  - Secure OS: Methods for resisting stronger attacks
  - Assurance: Orange Book, TCSEC; Common Criteria; Windows 2000 certification
  - Some Limitations: Information flow; Covert channels

Access control
- Assumptions
  - System knows who the user is
    - Authentication via name and password, other credential
  - Access requests pass through gatekeeper
    - System must not allow monitor to be bypassed
- Picture: User process -> access request -> Reference monitor (policy) -> Resource  [Lampson]

Access control matrix [Lampson]
- Subjects (users) are rows, Objects (files) are columns; each cell holds the allowed operations

             File 1   File 2   File 3   ...    File n
  User 1     read     write    -        -      read
  User 2     write    write    write    -      -
  User 3     -        -        -        read   read
  ...
  User m     read     write    read     write  read

Two implementation concepts
- Access control list (ACL)
  - Store column of matrix with the resource
- Capability
  - User holds a "ticket" for each resource
  - Two variations
    - store row of matrix with user, under OS control
    - unforgeable ticket in user space

             File 1   File 2
  User 1     read     write    -
  User 2     write    write    -
  User 3     -        -        read
  ...
  User m     read     write    write

Capabilities
- Operating system concept
  - " of the future and always will be "
- Examples
  - Dennis and van Horn, MIT PDP-1 Timesharing
  - Hydra, StarOS, Intel iAPX 432, Eros,
  - Amoeba: distributed, unforgeable tickets
- References
  - Henry Levy, Capability-based Computer Systems
  - Tanenbaum, Amoeba book/
- Access control lists are widely used, often with groups
- Some aspects of capability concept are used in Kerberos,

ACL vs Capabilities
- Access control list
  - Associate list with each object
  - Check user/group against list
  - Relies on authentication: need to know user
  - Picture: User U runs Process P, Process Q, Process R; each access is checked against the object's list
- Capabilities
  - Capability is unforgeable ticket
    - Random bit sequence, or managed by OS
    - Can be passed from one process to another
  - Reference monitor checks ticket
    - Does not need to know identity of user/process
  - Picture: Process P holds Capability c, d; Process Q holds Capability c; Process R holds Capability c

ACL vs Capabilities
- Delegation
  - Cap: Process can pass capability at run time
  - ACL: Try to get owner to add permission to list?
    - More common: let other process act under current user
- Revocation
  - ACL: Remove user or group from list
  - Cap: Try to get capability back from process?
    - Possible in some systems if appropriate bookkeeping
      - OS knows what data is capability
      - If capability is used for multiple resources, have to revoke all or none
    - Other details

Roles (also called Groups)
- A role is a set of users
- Role hierarchy
  - Partial order of roles
  - Each role gets permissions of roles below
  - List only new permissions given to each role
  - Example hierarchy: Administrator, PowerUser, User, Guest (top to bottom)
- Assign permissions to roles; each user gets permission through the roles it belongs to

Role-Based Access Control
- Picture: Individuals -> Roles (engineering, marketing, human res) -> Resources (Server 1, Server 2, Server 3)
- Advantage: users change more frequently than roles

Groups for resources, rights
- Permission 〈right, resource〉
- Permission hierarchies
  - If user has right r, and r is above s in the hierarchy, then user has right s
  - If user has read access to directory, user has read access to every file in directory

General problem in access control
- Complex mechanisms require complex input
- Difficult to configure and maintain
- Roles, other organizing ideas try to simplify problem

Multi-Level Security (MLS) Concepts
- Military security policy
  - Classification involves sensitivity levels, compartments
  - Do not let classified information leak to unclassified files
- Group individuals and resources
  - Use some form of hierarchy to organize policy
- Other policy concepts
  - Separation of duty
  - "Chinese Wall"

Military security policy (picture)
- Sensitivity levels: Top Secret ... classified
- Compartments: Satellite data, Afghanistan, Middle East, Israel

Military security policy
- Classification of personnel and data
  - Class 〈rank, compartment〉
  - Dominance relation
    - D1 dominates D2 iff rank1 is at least rank2 and compartment1 includes compartment2
    - Example: 〈Restricted, Israel〉 is dominated by 〈Secret, Middle East〉
- Applies to
  - Subjects – users or processes
  - Objects – documents or resources

Commercial version
- Product specifications: Discontinued, In production, OEM
- Levels: Internal, Proprietary, Public

Bell-LaPadula Confidentiality Model
- When is it OK to release information?
- Two Properties (with silly names)
  - Simple security property
    - A subject S may read object O only if C(O) is dominated by C(S)
  - *-Property
    - A subject S with read access to O may write object P only if C(O) is dominated by C(P)
- In words, you may only read below your classification and only write above your classification

Picture: Confidentiality
- Read below, write above
- Levels Proprietary and Public: subject S at Proprietary reads Public, writes Proprietary

Biba Integrity Model
- Rules that preserve integrity of information
- Two Properties (with silly names)
  - Simple integrity property
    - A subject S may write object O only if C(S) dominates C(O)
    - (Only trust S to modify O if S has higher rank)
  - *-Property
    - A subject S with read access to O may write object P only if C(O) dominates C(P)
    - (Only move info from O to P if O is more trusted than P)
- In words, you may only write below your classification and only read above your classification

Picture: Integrity
- Read above, write below
- Levels Proprietary and Public: subject S reads Proprietary, writes Public

Problem: Models appear contradictory
- Bell-LaPadula Confidentiality: Read down, write up
- Biba Integrity: Read up, write down
- Want both confidentiality and integrity
- Contradiction is partly an illusion
  - May use Bell-LaPadula for some classification of personnel and data, Biba for another
  - Otherwise, only way to satisfy both models is only allow read and write at same classification
- In reality: Bell-LaPadula used more than Biba model, e.g., Common Criteria

Other policy concepts
- Separation of duty
  - If amount is over 10,000, check is only valid if signed by two authorized people
  - Two people must be different
  - Policy involves role membership and the two signers being distinct
- Chinese Wall Policy
  - Lawyers L1, L2 in Firm F are experts in banking
  - If bank B1 sues bank B2, L1 and L2 can each work for either B1 or B2
  - No lawyer can work for opposite sides in any case
  - Permission depends on use of other permissions
- These policies cannot be represented using access matrix

Example OS Mechanisms
- Multics
- Amoeba
- Unix
- Windows
- SE Linux (briefly)

Multics
- Operating System
  - Designed 1964-1967: MIT Project MAC, Bell Labs, GE
  - At peak, 100 Multics sites
  - Last system, Canadian Department of Defense, Nova Scotia, shut down October, 2000
- Extensive Security Mechanisms
  - Influenced many subsequent systems
  - http://www.multicians.org/security.html
- E.I. Organick, The Multics System: An Examination of Its Structure, MIT Press, 1972
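The Bell-LaPadula and Biba rules above, plus the "models appear contradictory" point, as an added example (not code from the deck). The rank ordering and compartment sets are constructed; the deck's "Middle East" compartment is modelled as the set {"Israel", "Afghanistan"} so that 〈Restricted, Israel〉 lies below 〈Secret, Middle East〉.

```python
"""Bell-LaPadula and Biba checks over <rank, compartment> classes.

Added example for this deck, not code from the slides. The rank ordering and
the compartment sets are constructed; the deck's "Middle East" compartment is
modelled as the set {"Israel", "Afghanistan"} so that <Restricted, Israel> lies
below <Secret, Middle East>, as in the deck's example.
"""
from dataclasses import dataclass

# Constructed total order on sensitivity levels (higher number = more sensitive).
RANKS = {"Public": 0, "Restricted": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A classification <rank, compartment>; the compartment is a set of areas."""
    rank: str
    compartment: frozenset

    def dominates(self, other: "Label") -> bool:
        """D1 dominates D2 iff rank1 >= rank2 and compartment1 is a superset of compartment2."""
        return (RANKS[self.rank] >= RANKS[other.rank]
                and self.compartment >= other.compartment)


def label(rank: str, *areas: str) -> Label:
    return Label(rank, frozenset(areas))


def blp_read(subject: Label, obj: Label) -> bool:
    """Simple security property: S may read O only if C(S) dominates C(O) (read below)."""
    return subject.dominates(obj)


def blp_write(read_from: Label, target: Label) -> bool:
    """*-property: having read O, S may write P only if C(P) dominates C(O) (write above)."""
    return target.dominates(read_from)


def biba_write(subject: Label, obj: Label) -> bool:
    """Simple integrity property: S may write O only if C(S) dominates C(O) (write below)."""
    return subject.dominates(obj)


def biba_flow(read_from: Label, target: Label) -> bool:
    """Biba *-property: data may move from O to P only if C(O) dominates C(P)."""
    return read_from.dominates(target)


def both_models_allow(subject: Label, read_from: Label, target: Label) -> bool:
    """Can S read read_from and write target under BLP and Biba on the same lattice?

    All four checks pass only when the object read and the object written carry
    the same classification (and S dominates it): the deck's observation that
    both models together leave only same-classification read/write.
    """
    return (blp_read(subject, read_from) and blp_write(read_from, target)
            and biba_write(subject, target) and biba_flow(read_from, target))
```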

Multics time period
- Timesharing was new concept
  - Serve Boston area with one 386-based PC
- F.J. Corbato (picture)

Multics Innovations
- Segmented, Virtual memory
  - Hardware translates virtual address to real address
- High-level language implementation
  - Written in PL/1, only small part in assembly lang
- Shared memory multiprocessor
  - Multiple CPUs share same physical memory
- Relational database
  - Multics Relational Data Store (MRDS) in 1978
- Security
  - Designed to be secure from the beginning
  - First B2 security rating (1980s), only one for years

Multics Access Model
- Ring structure
  - A ring is a domain in which a process executes
  - Numbered 0, 1, 2, ...; Kernel is ring 0
  - Graduated privileges
    - Processes at ring i have privileges of every ring j greater than i
- Segments
  - Each data area or procedure is called a segment
  - Segment protection 〈b1, b2, b3〉 with b1, b2, b3 in increasing order
    - Process/data can be accessed from rings b1 ... b2
    - A process from rings b2 ... b3 can only call segment at restricted entry points

Multics process
- Multiple segments
  - Segments are dynamically linked
  - Linking process uses file system to find segment
  - A segment may be shared by several processes
- Procedure, data segments each in specific ring
- Access depends on two mechanisms
  - Per-Segment Access Control
    - File author specifies the users that have access to it
  - Concentric Rings of Protection
    - Call or read/write segments in outer rings
    - To access inner ring, go through a "gatekeeper"
- Interprocess communication through "channels"

Amoeba
- Distributed system
  - Multiple processors, connected by network
  - Process on A can start a new process on B
  - Location of processes designed to be transparent
- Capability-based system
  - Each object resides on server
  - Invoke operation through message to server
    - Send message with capability and parameters
    - Server uses object # to identify object
    - Server checks rights field to see if operation is allowed
    - Check field prevents processes from forging capabilities
- Capability layout: Server port | Obj # | Rights | Check field

Amoeba
- Owner capability
  - When server creates object, returns owner cap.
    - All rights bits are set to 1 (allow operation)
    - Check field contains 48-bit rand number stored by server
- Derived capability
  - Owner can set some rights bits to 0
  - Calculate new check field
    - XOR rights field with random number from check field
    - Apply one-way function to calculate new check field
  - Server can verify rights and check field
  - Without owner capability, cannot forge derived capability
- Protection by user-process at server; no special OS support needed
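The owner/derived capability scheme described above, as an added example (not Amoeba's own code). Field widths follow the slides (48-bit check field, all rights bits set in the owner capability); the one-way function is assumed to be SHA-256 truncated to 48 bits, and the server port, object numbers and rights names are constructed.

```python
"""Amoeba-style capabilities: owner cap, derived cap, server-side verification.

Added example for this deck, not Amoeba's own code. The one-way function is
assumed to be SHA-256 truncated to 48 bits; server port, object numbers and
rights names are constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass

READ, WRITE = 0x01, 0x02
ALL_RIGHTS = 0xFF            # 8 rights bits, all 1 in the owner capability


def one_way(value: int) -> int:
    """Assumed one-way function f on 48-bit values (SHA-256, first 6 bytes)."""
    return int.from_bytes(hashlib.sha256(value.to_bytes(8, "big")).digest()[:6], "big")


@dataclass(frozen=True)
class Capability:
    server_port: int
    obj: int        # object number, meaningful only to the server
    rights: int
    check: int      # 48-bit check field


class Server:
    """Stores each object with the random number chosen when it was created."""

    def __init__(self, port: int):
        self.port = port
        self._objects = {}  # obj # -> [random check number, data]

    def create(self, data: bytes) -> Capability:
        obj = len(self._objects) + 1
        rnd = secrets.randbits(48)
        self._objects[obj] = [rnd, data]
        return Capability(self.port, obj, ALL_RIGHTS, rnd)  # owner capability

    def authorize(self, cap: Capability, needed: int) -> bool:
        """Check the rights field, then recompute the check field the cap must carry."""
        entry = self._objects.get(cap.obj)
        if entry is None or cap.server_port != self.port or cap.rights & needed != needed:
            return False
        rnd = entry[0]
        if cap.rights == ALL_RIGHTS:
            return cap.check == rnd                      # owner cap: raw random number
        return cap.check == one_way(rnd ^ cap.rights)    # derived cap: f(random XOR rights)

    def read(self, cap: Capability) -> bytes:
        if not self.authorize(cap, READ):
            raise PermissionError("read denied")
        return self._objects[cap.obj][1]


def derive(owner: Capability, rights: int) -> Capability:
    """Owner clears some rights bits and computes the new check field locally."""
    if owner.rights != ALL_RIGHTS or rights & ALL_RIGHTS == ALL_RIGHTS:
        raise ValueError("derive from the owner capability with at least one right cleared")
    rights &= ALL_RIGHTS
    return Capability(owner.server_port, owner.obj, rights, one_way(owner.check ^ rights))


def demo() -> dict:
    srv = Server(port=0x1234)
    owner = srv.create(b"record-v1")
    read_only = derive(owner, READ)
    # Holder of read_only flips WRITE on; without the owner's random number the check field is wrong.
    tampered = Capability(read_only.server_port, read_only.obj, READ | WRITE, read_only.check)
    return {"read_only_reads": srv.read(read_only),
            "read_only_can_write": srv.authorize(read_only, WRITE),
            "tampered_accepted": srv.authorize(tampered, READ),
            "owner_can_write": srv.authorize(owner, WRITE)}
```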

Unix file security
- Each file has owner and group
- Permissions set by owner
  - Read, write, execute
  - Owner, group, other
  - Represented by vector of four octal values

      setid   rwx    rwx    rwx
              ownr   grp    othr

- Only owner, root can change permissions
  - This privilege cannot be delegated or shared
- Setid bits – Discuss in a few slides

Question
- Owner can have fewer privileges than other
  - Owner gets access?
  - Owner does not?
- Prioritized resolution of differences

      if user = owner then owner permission
      else if user in group then group permission
      else other permission

Effective user id (EUID)
- Each process has three Ids (+ more under Linux)
  - Real user ID (RUID)
    - same as the user ID of parent (unless changed)
    - used to determine which user started the process
  - Effective user ID (EUID)
    - from set user ID bit on the file being executed, or sys call
    - determines the permissions for process
      - file access and port binding
  - Saved user ID (SUID)
    - So previous EUID can be restored
- Real group ID, effective group ID, used similarly

Process Operations and IDs
- Root
  - ID 0 for superuser root; can access any file
- Fork and Exec
  - Inherit three IDs, except exec of file with setuid bit
- Setuid system calls
  - seteuid(newid) can set EUID to
    - Real ID or saved ID, regardless of current EUID
    - Any ID, if EUID is 0
- Details are actually more complicated
  - Several different calls: setuid, seteuid, setreuid

Setid bits on executable Unix file
- Three setid bits
  - Setuid – set EUID of process to ID of file owner
  - Setgid – set EGID of process to GID of file
  - Sticky
    - Off: if user has write permission on directory, can rename or remove files, even if not owner
    - On: only file owner, directory owner, and root can rename or remove file in the directory

Example
- A process with RUID 25 calls exec( ) on a program owned by 18 with the SetUID bit set
  - Result: RUID 25, EUID 18
  - Program can read/write a file owned by 18 with mode -rw-r--r--
- The program then runs i = getruid(); setuid(i);
  - Result: RUID 25, EUID 25
  - Program can now read/write a file owned by 25 with mode -rw-r--r--
- What happens?
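The prioritized owner/group/other resolution from the "Question" slide and the setuid exec sequence from the "Example" slide, as an added simulation (not Unix source). All uids, gids and modes are constructed values.

```python
"""Unix permission resolution and setuid exec, as a small simulation.

Added example for this deck (not Unix source). It models the prioritized
resolution (owner bits if user is owner, else group bits if user is in the
group, else other bits) and the setuid exec sequence from the "Example" slide.
All uids, gids and modes are constructed values.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1            # rwx bits of one octal digit
SETUID_BIT = 0o4000          # leading octal digit holds the setid bits


@dataclass(frozen=True)
class File:
    owner: int
    group: int
    mode: int                # four octal digits, e.g. 0o4755 = setuid + rwxr-xr-x


@dataclass(frozen=True)
class Process:
    ruid: int                # real user ID: who started the process
    euid: int                # effective user ID: decides file access
    suid: int                # saved user ID: lets a previous EUID be restored
    groups: frozenset


def permission_bits(f: File, uid: int, groups: frozenset) -> int:
    """Prioritized resolution: exactly one of owner/group/other applies, no fallback."""
    if uid == f.owner:
        return (f.mode >> 6) & 7       # owner may end up with FEWER bits than other
    if f.group in groups:
        return (f.mode >> 3) & 7
    return f.mode & 7


def allowed(f: File, p: Process, want: int) -> bool:
    """Access check uses the EUID; root (EUID 0) can access any file."""
    if p.euid == 0:
        return True
    return permission_bits(f, p.euid, p.groups) & want == want


def exec_file(p: Process, prog: File) -> Process:
    """exec inherits the IDs, except EUID and saved ID become the file owner if setuid is set."""
    if not allowed(prog, p, X):
        raise PermissionError("no execute permission")
    if prog.mode & SETUID_BIT:
        return Process(p.ruid, prog.owner, prog.owner, p.groups)
    return p


def setuid(p: Process, newid: int) -> Process:
    """Unprivileged process may set EUID to its real or saved ID; root may pick any ID."""
    if p.euid == 0 or newid in (p.ruid, p.suid):
        return Process(p.ruid, newid, p.suid, p.groups)
    raise PermissionError("setuid not permitted")


def demo() -> dict:
    """Walk through the deck's example and the owner-with-fewer-rights question."""
    program = File(owner=18, group=100, mode=0o4755)     # setuid program owned by 18
    file18 = File(owner=18, group=100, mode=0o644)       # -rw-r--r--
    file25 = File(owner=25, group=200, mode=0o644)       # -rw-r--r--
    odd = File(owner=25, group=200, mode=0o046)          # owner: nothing, other: rw
    user25 = Process(ruid=25, euid=25, suid=25, groups=frozenset({300}))
    after_exec = exec_file(user25, program)              # RUID 25, EUID 18
    dropped = setuid(after_exec, after_exec.ruid)        # i = getruid(); setuid(i)
    return {
        "euid_after_exec": after_exec.euid,
        "can_rw_file18_as_18": allowed(file18, after_exec, R | W),
        "can_rw_file25_as_18": allowed(file25, after_exec, R | W),
        "euid_after_setuid": dropped.euid,
        "can_rw_file25_as_25": allowed(file25, dropped, R | W),
        "can_rw_file18_as_25": allowed(file18, dropped, R | W),
        "owner_reads_odd": allowed(odd, dropped, R),       # owner 25 gets no bits
        "non_owner_reads_odd": allowed(odd, after_exec, R),  # uid 18 falls to "other"
    }
```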

Setuid programming
- We talked about this before
- Be Careful!
  - Can do anything that owner of file is allowed to do
  - Be sure not to
    - Take action for untrusted user
    - Return secret data to untrusted user
- Note: anything possible if root; no middle ground between user and root
- Principle of least privilege – change EUID when root privileges no longer needed
- Compare to stack inspection (picture: frames A, B, C)

Setuid scripts
- This is a bad idea
- Historically, race conditions
  - Begin executing setuid program; change contents of program before it loads and is executed
- Root can do anything; don't get tricked

Unix summary
- Good things
  - Some protection from most users
  - Flexible enough to make things possible
- Main bad thing
  - Too tempting to use root privileges
  - No way to assume some root privileges without all root privileges
- Many of you may be used to this
  - So probably seems pretty good
  - We overlook ways it might be better

Access control in Windows (NTFS)
- Some basic functionality similar to Unix
  - Specify access for groups and users
    - Read, modify, change owner, delete
- Some additional concepts
  - Tokens
  - Security attributes
- Generally
  - More flexibility than Unix
    - Can define new permissions
    - Can give some but not all administrator privileges

Sample permission options
- Security ID (SID)
  - Identity (replaces UID)
    - SID revision number
    - 48-bit authority value
    - variable number of Relative Identifiers (RIDs), for uniqueness
  - Users, groups, computers, domains, domain members all have SIDs

Permission Inheritance
- Static permission inheritance (Win NT)
  - Initially, subfolders inherit permissions of folder
  - Folder, subfolder changed independently
  - Replace Permissions on Subdirectories command
    - Eliminates any differences in permissions
- Dynamic permission inheritance (Win 2000)
  - Child inherits parent permission, remains linked
  - Parent changes are inherited, except explicit settings
  - Inherited and explicitly-set permissions may conflict
    - Resolution rules
      - Positive permissions are additive
      - Negative permission (deny access) takes priority

Tokens
- Security Reference Monitor uses tokens to identify the security context of a process or thread
- Security context
  - privileges, accounts, and groups associated with the process or thread
- Impersonation token
  - thread uses temporarily to adopt a different security context, usually of another user

Security Descriptor
- Information associated with an object
  - who can perform what actions on the object
- Several fields
  - Header
    - Descriptor revision number
    - Control flags, attributes of the descriptor
      - E.g., memory layout of the descriptor
  - SID of the object's owner
  - SID of the primary group of the object
  - Two attached optional lists:
    - Discretionary Access Control List (DACL) – users, groups,
    - System Access Control List (SACL) – system logs,

Example access request
- Access token: User: Mark; Group1: Administrators; Group2: Writers
- Security descriptor: Revision Number; Control flags; Owner SID; Group SID; DACL Pointer; SACL Pointer
  - DACL: Deny Writers Read, Write; Allow Mark Read, Write
- Access request: write
- Action: denied
  - User Mark requests write permission
  - Descriptor denies permission to group
  - Reference Monitor denies request

Impersonation Tokens (compare to setuid?)
- Process uses security attributes of another
  - Client passes impersonation token to server
- Client specifies impersonation level of server
  - Anonymous
    - Token has no information about the client
  - Identification
    - server obtains the SIDs of client and client's privileges, but server cannot impersonate the client
  - Impersonation
    - server identifies and impersonates the client
  - Delegation
    - lets server impersonate client on local, remote systems

SELinux Security Policy Abstractions
- Type enforcement
  - Each process has an associated domain
  - Each object has an associated type
  - Configuration files specify
    - How domains are allowed to access types
    - Allowable interactions and transitions between domains
- Role-based access control
  - Each process has an associated role
    - Separate system and user processes
  - Configuration files specify
    - Set of domains that may be entered by each role
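The "Example access request" walk-through (Mark, Writers) evaluated with the deck's two resolution rules (allows are additive, a deny takes priority), as an added example that is not Windows code. SIDs are constructed strings and the descriptor keeps only owner, group and DACL.

```python
"""DACL evaluation for the deck's access-request example (Mark, Writers).

Added example, not Windows code. SIDs are constructed strings and the security
descriptor keeps only owner, group and DACL. Resolution follows the deck's two
rules: positive (allow) permissions are additive, a deny takes priority.
"""
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2


@dataclass(frozen=True)
class ACE:
    kind: str      # "allow" or "deny"
    sid: str
    mask: int      # rights this entry grants or denies


@dataclass(frozen=True)
class SecurityDescriptor:
    owner_sid: str
    group_sid: str
    dacl: tuple    # ordered ACEs


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    def sids(self) -> frozenset:
        return self.group_sids | {self.user_sid}


def access_check(desc: SecurityDescriptor, token: Token, desired: int) -> tuple:
    """Reference-monitor decision: returns (granted, reason)."""
    relevant = [ace for ace in desc.dacl if ace.sid in token.sids()]
    # Deny takes priority: any matching deny that overlaps the request wins.
    for ace in relevant:
        if ace.kind == "deny" and ace.mask & desired:
            return False, f"denied: deny ACE for {ace.sid} covers requested rights"
    # Allows are additive: the union of matching allows must cover the request.
    granted = 0
    for ace in relevant:
        if ace.kind == "allow":
            granted |= ace.mask
    if granted & desired == desired:
        return True, "granted"
    return False, "denied: no ACE grants all requested rights"


def demo() -> dict:
    mark = Token("S-1-5-21-EXAMPLE-1001", frozenset({"SID-Administrators", "SID-Writers"}))
    alice = Token("S-1-5-21-EXAMPLE-1002", frozenset({"SID-Administrators"}))
    desc = SecurityDescriptor(
        owner_sid="S-1-5-21-EXAMPLE-1001",
        group_sid="SID-Writers",
        dacl=(ACE("deny", "SID-Writers", READ | WRITE),          # Deny Writers Read, Write
              ACE("allow", "S-1-5-21-EXAMPLE-1001", READ | WRITE),  # Allow Mark Read, Write
              ACE("allow", "S-1-5-21-EXAMPLE-1002", READ),
              ACE("allow", "SID-Administrators", WRITE)),
    )
    return {
        "mark_write": access_check(desc, mark, WRITE)[0],        # deck's case: denied
        "mark_read": access_check(desc, mark, READ)[0],
        "alice_read": access_check(desc, alice, READ)[0],        # own allow
        "alice_rw": access_check(desc, alice, READ | WRITE)[0],  # own READ + group WRITE add up
    }
```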

What makes a "secure" OS?
- Extra security features (compared to ordinary OS)
  - Stronger authentication mechanisms
    - Example: require token and password
  - More security policy options
    - Example: only let users read file f for purpose p
  - Logging and other features
- More secure implementation
  - Apply secure design and coding principles
  - Assurance and certification
    - Code audit or formal verification
  - Maintenance procedures
    - Apply patches, etc.

Sample Features of "Trusted OS"
- Mandatory access control
  - MAC not under user control, precedence over DAC
- Object reuse protection
  - Write over old data when file space is allocated
- Complete mediation
  - Prevent any access that circumvents monitor
- Audit
  - Log security-related events and check logs
- Intrusion detection (cover in another lecture)
  - Anomaly detection
    - Learn normal activity, Report abnormal actions
  - Attack detection
    - Recognize patterns associated with known attacks

MAC policy
- Example
  - If a process reads a file at one security level, it cannot create or write a file at a lower level
- This is not a DAC policy, not an ACL policy

Controlling information flow
- Information flow takes place when an object changes its state or when a new object is created
- Implementation as access policy
  - Information from one object may only flow to an object at the same or at a higher security level
  - Conservative approach

Interesting risk: data lifetime
- Recent work
  - Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation, by Jim Chow, Ben Pfaff, Tal Garfinkel, Mendel Rosenblum
- User types password into web form
  - Web server reads password
  - Where does this go in memory?
  - Many copies, on stack and heap
  - Optimizing compilers may remove "dead" assignment/memcopy
- Presents interesting security risk

Kernelized Design
- Trusted Computing Base
  - Hardware and software for enforcing security rules
- Reference monitor
  - Part of TCB
  - All system calls go through reference monitor for security checking
- Most OS not designed this way
- Picture: User space: User process -> Reference monitor; Kernel space: OS kernel; reference monitor and kernel form the TCB

Audit
- Log security-related events
- Protect audit log
  - Write to write-once non-volatile medium
- Audit logs can become huge
  - Manage size by following policy
    - Storage becomes more feasible
    - Analysis more feasible since entries more meaningful
  - Example policies
    - Audit only first, last access by process to a file
    - Do not record routine, expected events
      - E.g., starting one process always loads

Assurance methods
- Testing
  - Can demonstrate existence of flaw, not absence
- Formal verification
  - Time-consuming, painstaking process
- "Validation"
  - Requirements checking
  - Design and code reviews
  - Module and system testing

Common Criteria
- Three parts
  - CC Documents
    - Protection profiles: requirements for category of systems
  - CC Evaluation Methodology
  - National Schemes (local ways of doing evaluation)
- Replaces TCSEC, endorsed by 14 countries
  - CC adopted 1998
  - Last TCSEC evaluation completed 2000
- http://www.commoncriteria.org/
- Sit around table, drink lots of coffee,

Protection Profiles
- Requirements for categories of systems
  - Subject to review and certified
- Example: Controlled Access PP (CAPP V1.d)
  - Security functional requirements
    - Authentication, User Data Protection, Prevent Audit Loss
  - Security assurance requirements
    - Security testing, Admin guidance, Life-cycle support,
  - Assumes non-hostile and well-managed users
  - Does not consider malicious system developers

Evaluation Assurance Levels 1 – 4
- EAL 1: Functionally Tested
  - Review of functional and interface specifications
  - Some independent testing
- EAL 2: Structurally Tested
  - Analysis of security functions, incl high-level design
  - Independent testing, review of developer testing
- EAL 3: Methodically Tested and Checked
  - Development environment controls; config mgmt
- EAL 4: Methodically Designed, Tested, Reviewed
  - Informal spec of security policy, Independent testing

Evaluation Assurance Levels 5 – 7
- EAL 5: Semiformally Designed and Tested
  - Formal model, modular design
  - Vulnerability search, covert channel analysis
- EAL 6: Semiformally Verified Design and Tested
  - Structured development process
- EAL 7: Formally Verified Design and Tested
  - Formal presentation of functional specification
  - Product or system design must be simple
  - Independent confirmation of developer tests

Example: Windows 2000, EAL 4
- Evaluation performed by SAIC
- Used "Controlled Access Protection Profile"
- Level EAL 4 augmented with Flaw Remediation
  - "EAL 4 represents the highest level at which products not built specifically to meet the requirements of EAL 5-7 ought to be evaluated."
  - (EAL 5-7 requires more stringent design and development procedures )
  - Flaw Remediation
- Evaluation based on specific configurations
  - Produced configuration guide that may be useful

Is Windows "Secure"?
- Good things
  - Design goals include security goals
  - Independent review, configuration guidelines
- But "Secure" is a complex concept
  - What properties protected against what attacks?
- Typical installation includes more than just OS
  - Many problems arise from applications, device drivers
  - Windows driver certification program
- Security depends on installation as well as system

Secure attention sequence (SAS)
- CTRL+ALT+DEL
  - " can be read only by Windows, ensuring that the information in the ensuing logon dialog box can be read only by Windows. This can prevent rogue programs from gaining access to the computer."
- How does this work?
  - Winlogon service responds to SAS
  - DLL called GINA (for Graphical Identification 'n' Authentication) implemented in msgina.dll gathers and marshals information provided by the user and sends it to the Local Security Authority (LSA) for verification
- The SAS provides a level of protection against Trojan horse login prompts, but not against driver level attacks.

Summary
- Access Control Concepts: Matrix, ACL, Capabilities; Multi-level security (MLS)
- OS Mechanisms: Multics (Ring structure), Amoeba (Distributed, capabilities), Unix (File system, Setuid), Windows (File system, Tokens, EFS), SE Linux (Role-based, Domain type enforcement)
- Assurance, Limitations: Secure OS (Methods for resisting stronger attacks); Assurance (Orange Book, TCSEC; Common Criteria; Windows 2000 certification); Some Limitations (Information flow; Covert channels)

