Lecture 3

advertisement
EE5552 Network Security and
Encryption
block 3
Dr. T.J. Owens Cmath, FIMA, MIEEE
Dr T. Itagaki MIET, MIEEE, MAES
Block 3
Access Control
Objectives (1)
• To introduce Access Control
• To explain basic concepts of operating system access
controls:
–
–
–
–
–
Access Control Matrices
Groups and Roles
Access Control Lists
Capabilities
Permission bits
Objectives (2)
• To provide an overview of operating system
vulnerabilities:
– Smashing the stack and other technical attacks
– User interface failures
– Remedies for buffer overflows
• To introduce the principle of least privilege
Access Control (1)
Access control is described by Ross Anderson as the centre of
gravity of computer security.
It controls which principals can access which system resources,
the files they can read, the programs they can execute, with
which other principals they can share data, etc.
Access control works at a number of levels:
– Application
– Middleware
– Operating system
– Hardware
Access Control (2)
At the application layer a user may see access controls
implementing a complex security policy which could assign
them many roles.
Applications may be written on top of middleware which
enforces a number of protection measures.
For example,
– bookkeeping software may ensure a debit is always
matched by a credit.
– parental control (lock) on digital TV
– Smartcard lock for digital TV’s pay channels
Access Control (3)
The middleware uses functions provided by the underlying
operating system.
As this constructs resources such as files from lower level
components it acquires responsibility for providing ways to
control access to them.
The operating system access controls usually rely on hardware
features provided by the processor or memory management
hardware.
– These control the memory addresses a process can access.
Moving up from the hardware to the application layer the
controls become more complicated and less reliable.
Access Control (4)
Access control only makes sense in terms of protection goals
expressed in a security policy.
In the following operating system access control mechanisms are
discussed, as their requirements usually drive the design of
the hardware protection systems.
Operating system access controls (1)
The access controls provided with an operating system usually
authenticate principals using a mechanism such as passwords
or Kerberos and then mediate their access to files,
communication ports, and other system resources.
The effect of operating system access controls can be modelled
by an Access Control Matrix which is a matrix of access
permissions with columns for resources and rows for
principles.
Operating system access controls (2)
Let
• R denote permission to read
• W denote permission to write
• E denote permission to execute a program
Then the Access Control Matrix lists what users are allowed to do
with system resources:
Alice
Bob
Carol
David
Eve
Data 1
RW
R
RW
Data 2
RW
R
R
R
Program 1 Program 2
E
RWE
E
E
RWE
RE
Operating system access controls (3)
Then the Access Control Matrix lists what users are allowed to do
with system resources:
– Principals are active parties; they access
– Resources are passive; they are accessed
– When checking if access is allowed, both principal and resource must
be identified
– Identities must be unique within their domain
Alice
Bob
Carol
David
Eve
Data 1
RW
R
RW
Data 2
RW
R
R
R
Program 1 Program 2
E
RWE
E
E
RWE
RE
Operating system access controls (4)
There are three ways to represent an access control matrix:
• Access Control Lists
- registers per resource what rights the listed principals have to the
resource
• Capability Lists
- registers per principal what rights the principal has to the listed
resources
• Permission bits
- Explained by example later
Operating system access controls (5)
More formally,
• Each row is a process (“subject”)
• Each column is a file (“object”)
• Each matrix entry is the access rights that subject has for that
object
Access Control Matrix Operations
• System can transition from one ACM state to another
• Primitive operations: create subject, create object; destroy
subject, destroy object; add access right; delete access right
• Transitions are, of course, conditional
Access Control Lists (1)
Simplify access rights management by storing the access control
matrix a column at a time along with the resource to which
the column refers.
ACLs are widely used in environments where the users manage
the security of their own files such as Unix systems.
Access Control Lists (2)
Advantages:
• Easy to understand
• Easily answer the question "who has what kind of access to
this resource“
• Work well in distributed systems; Rights stored together with
resources
Disadvantage:
• May be inefficient. Determining rights may require searching
a long list
Groups and Roles
Staff in large organizations usually fit into a small number of
categories, staff need to be assignable to a small number of
groups or functional roles.
A group is a list of principals.
A role is a fixed set of access permissions that one or more
principals may assume for a period of time.
e.g. “root”, “super user”, “administrator”
Efficient use of ACLs (1)
• Groups, to shorten lists
• Rules if someone (through groups) appears twice in a list with
different rights
• “Access: None” to create a temporary smaller group out of an
existing large one
• Specific system manager rules
These points are demonstrated by example below. They can be
extended to Role Based Access Control data bases which are
discussed later.
Efficient use of ACLs (2)
Groups in ACLs
– Group1: Alice, Bob, Cynthia, David, Eve
– Group2: Alice, Bob, Cynthia, David
– Group3: Bob, Cynthia, David, Eve
– File 1: Group 1, R; Group 3, RW
Suppose Eve wants to write to File 1
• First relevant entry policy: Access denied
• Any permission in list policy: Access allowed
Efficient use of ACLs (3)
“First relevant entry” rule in ACL
• Efficient (shorter searches on the average compared to “Any
permission”)
• Order in ACL crucial
• Effect of additions/deletions to list depends entirely on
previous/later items
• Efficient use of already existing groups is possible
Efficient use of ACLs (4)
“First relevant entry” effects
Group1: Alice, Bob, Cynthia, David, Ron
Group2: Alice, Bob, Cynthia, David, Eve
File 1: Group1, R; Group2, R;………; Ron, RW
• The effect of “Remove Group2, R” is that everyone except Eve
can still read the file
• Ron’s entry has no effect. He cannot write.
• The only effect of “Remove Group1, R” is that Ron gets his
write permission!
• Placing Ron’s entry first slows down list search
Efficient use of ACLs (5)
“Any permission” rule in ACL
• Longer search (always until a permission is found or list
exhausted)
• Efficiency depends on order in ACL (frequent users should be
first in list)
• Removal of one permission may be without effect
Efficient use of ACLs (6)
“Any permission” effects
Group1: Alice, Bob, Cynthia, David, Ron
Group2: Alice, Bob, Cynthia, David, Eve
File 1: Group1, R; Group2, R;………; Ron, RW
• Finding Ron’s write permission takes time
• Remove “Group2, R”! and everyone except Eve can still read
the file
Efficient use of ACLs (7)
“Access: None”
–
–
–
–
Group1: Alice, Bob, Cynthia, David, Eve
Group2: Alice, Bob, Cynthia, David
File 1: Group1, RW
File 2: Group2, RW
is equivalent to
– Group1: Alice, Bob, Cynthia, David, Eve
– File 1: Group1, RW
– File 2: Eve, None; Group1, RW
In this way Eve is denied access to File 2 without the need for a
Group 2 to be explicitly defined.
Efficient use of ACLs (8)
Unix Operating System Access Control Lists (1)
In Unix, and its variant Linux, files are only allowed rwx attributes
for the resource owner, the group, and the world.
The access control list as normally shown has a flag to show
whether the file is a directory, then r, w, x flags for the owner,
group, and world. For a directory with all the flags set the ACL
looks like:
drwxrwxrwx
Alice Accounts
N.B. “d” indicates “directory” or “folder”
Efficient use of ACLs (9)
Unix Operating System Access Control Lists (2)
An example with an FTP client
Efficient use of ACLs (10)
Unix Operating System Access Control Lists (3)
The list
-rw-r---- Alice Accounts
states the file is not a directory, the file owner Alice can read and
write to it, the members of the group Accounts can read it but
not write to it, non-group members have no access to it.
N.B. -rwxrwxrwx owner, GROUP, others
Efficient use of ACLs (11)
Unix Operating System Access Control Lists (4)
an html file for www
-rwxr-x-r-x index.html
The user can write/read and execute, but group members and
others can read and execute only.
an executable programme
-rwx--x--x game.exe
N.B. drwxrwxrwx owner, GROUP, others
See also “http://en.wikipedia.org/wiki/Attrib”
Efficient use of ACLs (12)
Unix Operating System Access Control Lists (5)
While a directory for web materials are set to:
drwx----- web
and
an html file under the directory is set to:
-rwxr-xr-x index.html
Can a visitor to the site read the file?
<< hierarchical access control : “AND”, “OR”
Efficient use of ACLs (13)
Unix Operating System Access Control Lists (6)
Permission bits – mode
If you wish to set an html file “index.html” with
-r-xr-xr-x index.html
Access control (= attribute), a command “chmod” is used.
chmod 555 index.html
555 means 101(2) 101(2) 101(2)
Owner: rx Group: rx Others: rx enabled.
When the owner wants to make an amendment, you need to fire
“chmod 755 index.html” - 7 means 111(2) rwx enabled.
Efficient use of ACLs (14)
Unix Operating System Access Control Lists (7)
Permission bits – mode
Window XP
“Attributes”
Efficient use of ACLs (15)
System administrator (1)
• Usually the system administrator has default maximum
privileges
o This is the “root” in Unix where the root userid is usually made
available to the system administrator
• Often no checks are made for access as system administrator
• Sometimes specific rights are given to the system
administrator in the ACL, meaning there are things on the
system administrator only they can do
Efficient use of ACLs (16)
System administrator (2)
• System administrators can normally give themselves any
privilege they don’t already have
o This means it is difficult to implement an audit trail as a file the system
administrator cannot modify
o However, when a system administrator gives themselves a privilege
they were not assigned that event should be logged in non-erasable
form
• The simplest and most common way to protect the system log
file from being compromised by the system administrator is to
keep it separate, this means sending it to another machine
administered by someone else
Efficient use of ACLs (17)
Owner
• Usually the creator of an object has default maximum
privileges for the object
• Granting access to others is one of those privileges
• Sometimes only the owner and system administrator can ever
change the ACL for the object
• Some systems allow ACLs to have ACLs
Capabilities and the full matrix (1)
An access control matrix may be stored by rows called
capabilities.
• A list is of course just the contents of a row of the access
control matrix
• Tickets and attribute certificates are subsets of this.
o Tickets etc. do not reveal the subjects full permissions to the checking
party
Capabilities and the full matrix (2)
Capability lists
The strengths and weaknesses of capabilities are more or less
the opposite of ACLs.
Capabilities were first presented as actual lists per subject.
The main problem with capabilities is that changing a program’s
status, for example so no user may execute it, can be difficult
because it can be hard to find out which users have
permission to execute the program.
This equally applies to changing a files status and can be a
problem when investigating an incident or preparing evidence
of a crime.
Capabilities and the full matrix (3)
Capability lists
Capabilities are now commonly implemented in the form of
tickets or attribute certificates.
Attribute certificates are closely related to public key certificates
which will be covered in detail later.
Attribute certification in essence is a way of extending
authentication-oriented use of PKI to support tasks related to
authorization. Attribute Certificates provide a solution to
certify binding of attributes to a given subject.
Capabilities and the full matrix (4)
Capability lists
Some operating systems (e.g., KeyKOS, EROS, IBM AS/400, Mach) combine
the notion of an object’s name/reference that is given to a subject and the
access rights that this subject obtains to this object into a single entity:
capability = (object-reference, rights)
Capabilities can be implemented efficiently as an integer value that points to
an entry in a tamper-resistant capability table associated with each
process (like a POSIX file descriptor).
Capabilities can include the right to be passed on to other subjects. This way,
S1 can pass an access right for O to S2, without sharing any of its other
rights. Problem: Revocation?
Temporal Access Control (1)
• Permit access only at certain times
• Model: time-locks on bank vaults
• Obvious way to implement: add extra fields to ACL
Temporal Access Control (2)
Problems and Attacks
• Is your syntax powerful enough for concepts like holidays; on
what calendar?
• What if the clock is wrong?
• Can the enemy change the clock?
• How is the clock set; by whom or what?
Temporal Access Control (3)
Access Control at the Middleware Level (1)
It is common for enterprises to have critical databases containing
highly sensitive information such as credit card numbers.
As an operating system sees a database as a single large file all it
can do is identify legitimate users of the database and
distinguish the database from the other applications running
on the same machine.
Database products such as Oracle have their own access control
mechanisms which, in general, being modelled on operating
system access controls use a mixture of ACLs and capabilities.
Temporal Access Control (4)
Access Control at the Middleware Level (2)
Nevertheless, the architecture of database access controls is
usually more complicated than that of operating system
access controls in the sense of their being more types of
privileges.
This is because database access controls involve higher levels of
abstraction that access controls applied to files or processes.
Temporal Access Control (5)
Smashing the stack
Many technical attacks on operating systems involve memory overwriting
attacks known as smashing the stack.
Programmers are often careless about checking the size of arguments.
A classic example was, a vulnerability in the Unix finger command.
An implementation of this would accept an argument of any length but only
256 bytes had been allocated for the argument by the program.
When an attacker used the command with an argument longer than 256
bytes the trailing bytes of the argument were executed by the CPU.
Temporal Access Control (6)
Buffer Overflow
Trying to write a segment of data over a memory location that does not have
enough space. i.e. data size > memory size
A segmentation fault occurs when a program attempts to access a memory
location that it is not allowed to access, or attempts to access a memory
location in a way that is not allowed (for example, attempting to write to a
read-only location, or to overwrite part of the operating system).
If the overflow goes into the system memory area that controls the overall
operation of the computer/system, it could cause more critical problems.
Temporal Access Control (7)
Stack Overflow (1)
Besides changing values of unrelated variables, buffer overflows
can often be used (exploited) by attackers to cause a running
program to execute arbitrary supplied code.
The techniques available to an attacker to seek control over a
process depend on the memory region where the buffer
resides, for example the stack memory region, where data can
be temporarily "pushed" onto the "top" of the stack, and later
"popped" to read the value of the variable.
Temporal Access Control (8)
Stack Overflow (2)
Typically, when a function begins executing, temporary data
items (local variables) are pushed, which remain accessible
only during the execution of that function.
The simplest and most significant method of exploiting a stack
based buffer overflow is to overwrite the function return
address with a pointer to attacker-controlled data (usually on
the stack itself).
Temporal Access Control (9)
Stack Overflow (3)
http://en.wikipedia.org/wiki/Stack_buffer_overflow
Temporal Access Control (10)
Other technical attacks (1)
SQL injection is a code injection technique. It commonly arises
when a web developer passes user input to a database
without filtering it to see if it contains SQL code.
Temporal Access Control (11)
Other technical attacks (2)
Format string attacks arise from the use of unfiltered user input
as the format string parameter in certain C functions that
perform formatting, such as printf().
o E.g. a programmer tries to print user supplied data and allows
the print command printf() to interpret any formatting
instructions, such as n%, contained in the user’s data.
o A malicious user could write arbitrary data to arbitrary
locations using the %n format token, which commands printf()
and similar functions to write the number of bytes formatted
to an address stored on the stack.
Temporal Access Control (12)
Other technical attacks (3)
Race conditions are where a transaction is carried out in two or more stages
and it is possible for an attacker to alter it after the stage that involves
verifying access rights.
For example, Unix command mkdir (make directory: mkdir <name>) used to
work in two steps.
Firstly, storage was allocated and then ownership was transferred to the user.
A user could initiate mkdir in the background and if this completed only the
first step before being suspended, a second process could be used to
replace the newly created directory with a link to the password file.
Then the original process would resume and change the ownership of the
password file to the user.
Temporal Access Control (13)
Other technical attacks (4)
A wide variety of bugs have enabled users to assume root status (system
administrator) and take over the system.
Some Unix implementations had the feature that if a user tried to execute the
command su (super user login) when the maximum number of files were
open, then su was unable to open the password file, and responded by
giving the user root status.
There have been a number of bugs that allowed denial of service attacks.
Temporal Access Control (14)
Other technical attacks (5)
Until the late 1990s most implementations of the Internet protocols allocated
a fixed amount of buffer space to process SYN packets with which TCP/IP
connections are initiated.
This led to SYN flooding attacks.
By sending a large number of SYN packets, an attacker could exhaust the
available buffer space and prevent the machine accepting any new
connections.
This is now fixed using syncookies.
Temporal Access Control (15)
User interface failures (1)
One of the earliest attacks was the Trojan Horse, a program the
administrator is invited to run that will cause harm if run.
Attackers wrote games that checked occasionally if the player
was the system administrator, and if so would create another
administrator account with a known password.
Perhaps the most serious example of user interface failure in
terms of the number of systems at risk is in Windows NT.
Temporal Access Control (16)
User interface failures (2)
In this operating system, a user must be the system
administrator to install anything.
This is useful in preventing staff from loading up viruses.
However, in many working environments staff must be able to
install software to get their work done.
In practice this has resulted in millions of people having
administrator privileges who should not need them.
These people are vulnerable to attacks in which malicious code
pops up in a box telling them to do something.
Temporal Access Control (17)
User interface failures (4)
Microsoft’s solution is User Account Control.
Introduced in Windows Vista and Windows Server 2008
operating systems, User Account Control limits the use of
application software to standard user privileges until an
administrator authorizes higher privileges.
Only applications trusted by the user can receive administrative
privileges as the user has to request these privileges.
However, this requires care to implement properly.
Temporal Access Control (18)
User interface failures (4)
Furthermore, it provides no protection where applications such
as web servers must run as root, are visible to the outside
work, and contain software bugs that allow them to be taken
over.
To reduce the possibility of lower-privilege applications
communicating with higher-privilege ones User Interface
Privilege Isolation is used in conjunction with User Account
Control to isolate these processes from each other. One
prominent use of this is Internet Explorer 7's "Protected
Mode".
Temporal Access Control (19)
Remedies
See
http://en.wikipedia.org/wiki/Buffer_overflow
http://en.wikipedia.org/wiki/Stack-smashing_protection
The principle of least privilege (1)
From: http://hissa.nist.gov/rbac/paper/node5.html
The principle of least privilege requires that a user be given no more privilege
than necessary to perform a job.
Ensuring least privilege requires identifying what the user's job is,
determining the minimum set of privileges required to perform that job,
and restricting the user to a domain with those privileges and nothing
more.
By denying to subjects transactions that are not necessary for the
performance of their duties, those denied privileges cannot be used to
circumvent the organizational security policy.
The principle of least privilege (2)
From: http://hissa.nist.gov/rbac/paper/node5.html
Through the use of Role Based Access Control (RBAC), enforced minimum
privileges for general system users can be easily achieved.
It can also be applied to processes on the computer; each system component
or process should have the least authority necessary to perform its duties.
This helps reduce the "attack surface" of the computer by eliminating
unnecessary privileges that can result in network exploits and computer
compromises.
The principle of least privilege (3)
From: http://hissa.nist.gov/rbac/paper/node5.html
In particular, programs should only have as much privilege as necessary.
Software should be designed so that the default configuration, and in general,
the easiest way of doing something, is safe.
The main function of access control in computer operating systems is to limit
the damage that can be done by particular, groups, users, and programs,
whether through error or malice.
home work
•
•
•
•
Unix
“chmod” command
DOS/OS 2 “attrib” command with /r /a /s /h
see also http://en.wikipedia.org/wiki/Chattr
Windows – file attribute
Download