Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

CSC 474/574 Information Systems Security Outline

advertisement 
Computer Science
CSC 474/574 Information Systems
Security
Topic 4.1: Basic Concepts of Access
Control
CSC 474/574
Dr. Peng Ning
1
Outline
•
•
•
•
•
•
Access matrix model
Access control lists versus Capabilities
Content and context-based controls
Discretionary versus mandatory controls
Trojan Horses
Bell-LaPadula model
Computer Science
CSC 474/574
Dr. Peng Ning
2
ACCESS MATRIX MODEL
S
u
b
j
e
c
t
s
Objects (and Subjects)
G
F
rw
own
U
r
rw
own
V
rights
Computer Science
CSC 474/574
Dr. Peng Ning
3
ACCESS MATRIX MODEL
• Basic Abstractions
– Subjects
– Objects
– Rights
• The rights in a cell specify the access of the
subject (row) to the object (column)
Computer Science
CSC 474/574
Dr. Peng Ning
4
Users and Principals
• The system authenticates the user in context
of a particular principal
Users
Principals
Real World User
Unit of Access Control
Computer Science
CSC 474/574
Dr. Peng Ning
5
Users and Principals
JOE.TOP-SECRET
JOE.SECRET
JOE
JOE.CONFIDENTIAL
JOE.UNCLASSIFIED
User
User
Principals
Principals
Computer Science
CSC 474/574
Dr. Peng Ning
6
Users and Principals
JANE.CHAIRPERSON
JANE.FACULTY
JANE
JANE. EMPLOYEE
JANE.SUPER-USER
User
User
Principals
Principals
Computer Science
CSC 474/574
Dr. Peng Ning
7
Users and Principals
• There should be a one-to-many mapping
from users to principals
– a user may have many principals, but
– each principal is associated with an unique user
• This ensures accountability of a user's
actions
In
Inother
otherwords,
words,shared
sharedaccounts
accounts
(principals)
(principals)are
arebad
badfor
foraccountability
accountability
Computer Science
CSC 474/574
Dr. Peng Ning
8
Principals and Subjects
• A subject is a program (application)
executing on behalf of a principal
• A principal may at any time be idle, or have
one or more subjects executing on its behalf
Computer Science
CSC 474/574
Dr. Peng Ning
9
Principals and Subjects
Mail Application
Word Processor
JOE.TOP-SECRET
Spreadsheet
Database Application
Principal
Principal
Computer Science
Subjects
Subjects
CSC 474/574
Dr. Peng Ning
10
Principals and Subjects
• Usually (but not always)
– each subject is associated with a unique principal
– all subjects of a principal have identical rights
(equal to the rights of the invoking principal)
• This case can be modeled by a one-to-one
mapping between subjects and principals
For
Forsimplicity,
simplicity,aaprincipal
principaland
andsubject
subjectcan
can
be
betreated
treatedas
asidentical
identicalconcepts.
concepts. On
Onthe
the
other
otherhand,
hand,aauser
usershould
shouldalways
alwaysbe
beviewed
viewed
as
asmultiple
multipleprincipals
principals
Computer Science
CSC 474/574
Dr. Peng Ning
11
Objects
• An object is anything on which a subject can
perform operations (mediated by rights)
• Usually objects are passive, for example:
– File
– Directory (or Folder)
– Memory segment
• But, subjects can also be objects, with operations
– kill
– suspend
– resume
Computer Science
CSC 474/574
Dr. Peng Ning
12
ACCESS MATRIX MODEL
Objects (and Subjects)
S
u
b
j
e
c
t
s
W
F
U
rw
own
W
rw
own
Computer Science
CSC 474/574
Dr. Peng Ning
13
Dr. Peng Ning
14
IMPLEMENTATION
• Access Control Lists
• Capabilities
• Relations
Computer Science
CSC 474/574
ACCESS CONTROL LISTS (ACLs)
• Each column of the access matrix is stored
with the object corresponding to that column
F
G
U:r
U:r
U:w
V:r
U:own
V:w
V:own
Computer Science
CSC 474/574
Dr. Peng Ning
15
CAPABILITY LISTS
• each row of the access matrix is stored with
the subject corresponding to that row
U
F/r, F/w, F/own, G/r
V
G/r, G/w, G/own
Computer Science
CSC 474/574
Dr. Peng Ning
16
ACCESS CONTROL TRIPLES
Subject
Access
Object
U
R
F
U
W
F
U
Own
F
U
R
G
V
R
G
V
W
G
V
Own
G
commonly
commonlyused
usedin
inrelational
relational
database
management
database managementsystems
systems
Computer Science
CSC 474/574
Dr. Peng Ning
17
ACL'S VS CAPABILITIES
• ACLs require authentication of subjects
• Capabilities do not require authentication of
subjects, but do require unforgeability and
control of propagation of capabilities
Computer Science
CSC 474/574
Dr. Peng Ning
18
ACL'S VS CAPABILITIES
• ACCESS REVIEW
– ACL's provide for superior access review on a
per-object basis
– Capabilities provide for superior access review
on a per-subject basis
• REVOCATION
– ACL's provide for superior revocation facilities
on a per-object basis
– Capabilities provide for superior revocation
facilities on a per-subject basis
Computer Science
CSC 474/574
Dr. Peng Ning
19
ACL'S VS CAPABILITIES
• The per-object basis usually wins out so
most Operating Systems protect files by
means of ACL's
• Many Operating Systems use an abbreviated
form of ACLs with just three entries
– owner
– group
– other
Computer Science
CSC 474/574
Dr. Peng Ning
20
ACL'S VS CAPABILITIES
• LEAST PRIVILEGE
– Capabilities provide for finer grained least
privilege control with respect to subjects,
especially dynamic short-lived subjects created
for specific tasks
Computer Science
CSC 474/574
Dr. Peng Ning
21
CONTENT DEPENDENT CONTROLS
• content dependent controls such as
– you can only see salaries less than 50K, or
– you can only see salaries of employees who
report to you
• are beyond the scope of Operating Systems
and are provided by Database Management
Systems
Computer Science
CSC 474/574
Dr. Peng Ning
22
CONTEXT DEPENDENT CONTROLS
• context dependent controls such as
– you cannot access classified information via a remote
login
– salary information can be updated only at year end
– the company's earnings report is confidential until
announced at the stockholders meeting
• can be partially provided by the Operating System
and partially by the Database Management System
• more sophisticated context dependent controls such
as based on past history of accesses definitely
require Database support
Computer Science
CSC 474/574
Dr. Peng Ning
23
DISCRETIONARY VERSUS MANDATORY
• Discretionary access controls (DAC)
– Allow access rights to be propagated from one
subject to another
– Possession of an access right by a subject is
sufficient to allow access to the object.
• Mandatory access controls (MAC)
– Restrict the access of subjects to objects on the
basis of security labels
• Label both the subjects and the objects.
• Allow a subject to access an object only when certain
constraints are satisfied.
Computer Science
CSC 474/574
Dr. Peng Ning
24
INHERENT WEAKNESS OF DAC
• Unrestricted DAC allows information from
an object which can be read by a subject to
be written to any other object
• Suppose our users are trusted not to do this
deliberately. It is still possible for Trojan
Horses to copy information from one object
to another.
Computer Science
CSC 474/574
Dr. Peng Ning
25
TROJAN HORSES
• A Trojan Horse is rogue software installed,
perhaps unwittingly, by duly authorized
users
• A Trojan Horse does what a user expects it
to do, but in addition exploits the user's
legitimate privileges to cause a security
breach
Computer Science
CSC 474/574
Dr. Peng Ning
26
TROJAN HORSE EXAMPLE
ACL
File F
File G
A:r
A:w
B:r
A:w
Principal
PrincipalBBcannot
cannotread
readfile
fileFF
Computer Science
CSC 474/574
Dr. Peng Ning
27
TROJAN HORSE EXAMPLE
• Principal B can read contents of file F copied
to file G
ACL
Principal A
executes
Program Goodies
read
File F
Trojan Horse
write
Computer Science
CSC 474/574
File G
Dr. Peng Ning
A:r
A:w
B:r
A:w
28
TROJAN HORSES
• Trojan Horses are the most insidious threat
• Viruses and logic bombs are examples of
Trojan Horses
• It is possible to embed Trojan Horses in
hardware and firmware
• It is possible to embed Trojan Horses in
critical system software such as compilers
and Database Management Systems
Computer Science
CSC 474/574
Dr. Peng Ning
29
A Preview of A MAC Model
• Bell LaPadula (BLP) Model
– Simple security: Subject S can read object O only if
• Label(S) dominates label(O).
• Information can flow from label(O) to label(S)
• Intuitively, no read up
– Star property: Subjects can write object O only if
• Label(O) dominates label(S)
• Information can flow from label(S) to label(O).
• Intuitively, no write down.
Computer Science
CSC 474/574
Dr. Peng Ning
30
BLP Model
Top secret
Secret
Confidential
Unclassified
dominance
Can-flow
Computer Science
CSC 474/574
Dr. Peng Ning
31
Trojan Horse Example Again
User Alice
Alice: TS
Bob: S
TS
executes
read
Relation R
Alice: r
Alice: w
Program Goodies
Trojan Horse
write S
Relation S
Bob: r
Alice: w
The program cannot write to Relation S.
Computer Science
CSC 474/574
Dr. Peng Ning
32
Related documents
CSC 474/574 Information Systems Security Authentication • Authentication is the process of reliably
CSC 474/574 Information Systems Security Authentication • Authentication is the process of reliably
CSC 111 Computers for Math and Science
CSC 111 Computers for Math and Science
Topic 2.5 - Dr. Peng Ning
Topic 2.5 - Dr. Peng Ning
06.平台教學運用小撇步高雄市福山國中張興蘭老師
06.平台教學運用小撇步高雄市福山國中張興蘭老師
CSC Sept 2013 minutes
CSC Sept 2013 minutes
Download
advertisement