Chapter 25: User Security
•
•
•
•
•
Policy
Access
Files, devices
Processes
Electronic communications
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-1
Policy
• Assume user is on Drib development network
–
Policy usually highly informal and in the mind of the
user
• Our users’ policy:
U1 Only users have access to their accounts
U2 No other user can read, change file without owner’s
permission
U3 Users shall protect integrity, confidentiality,
availability of their files
U4 Users shall be aware of all commands that they enter
or that are entered on their behalf
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-2
Access
• U1: users must protect access to their
accounts
– Consider points of entry to accounts
• Passwords
• Login procedure
• Leaving system
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-3
Passwords
• Theory: writing down passwords is BAD!
• Reality: choosing passwords randomly makes
them hard to remember
– If you need passwords for many systems, assigning
random passwords and not writing something down
won’t work
• Problem: Someone can read the written password
• Reality: degree of danger depends on
environment, how you record password
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-4
Isolated System
• System used to create boot CD-ROM
– In locked room; system can only be accessed
from within that room
• No networks, modems, etc.
– Only authorized users have keys
• Write password on whiteboard in room
– Only people who will see it are authorized to
see it
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-5
Multiple Systems
• Non-infrastructure systems: have users use
same password
– Done via centralized user database shared by all
non-infrastructure systems
• Infrastructure systems: users may have
multiple accounts on single system, or may
not use centralized database
– Write down transformations of passwords
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-6
Infrastructure Passwords
• Drib devnet has 10 infrastructure systems, 2 lead
admins (Anne, Paul)
– Both require privileged access to all systems
– root, Administrator passwords chosen randomly
• How to remember? Memorize an algorithm!
– Anne: “change case of 3rd letter, delete last char”
– Paul: “add 2 mod 10 to first digit, delete first letter”
• Each gets printout of transformed password
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-7
Non-Infrastructure Passwords
• Users can pick
– Proactive password checker vets proposed password
• Recommended method: passwords based on
obscure poems or sayings
– Example: “ttrs&vmbi” from first letter of second,
fourth words of each line, putting “&” between them:
He took his vorpal sword in hand:
Long time the manxome foe he sought—
So rested he by the Tumtum tree,
And stood awhile in thought.
Third verse of Jabberwocky, from Alice in Wonderland
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-8
Analysis
• Isolated system meets U1
– Only authorized users can enter room, read password,
access system
• Infrastructure systems meet U1
– Actual passwords not written down
– Anne, Paul don’t write down algorithms
– Stealing papers does not reveal passwords
• Non-infrastructure systems meet U1
– Proactive password checker rejects easy to guess
passwords
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-9
Analysis
• Procedures about walking away meet U1
– Screen locking programs required, as is locking doors
when leaving office; failure to do so involves
disciplinary action
– If screen locking password forgotten, system
administrators can remotely access system and
terminate program
• Procedures about modems meet U1
– No modems allowed; hooking one up means getting
fired (or similar nasty action)
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-10
Persistence
• Disk blocks of deleted file returned to pool of
unused disk blocks
• When reassigned, new process may be able to read
previous contents of disk blocks
– Most systems offer a “wipe” or “cleaning” procedure
that overwrites disk blocks with zeros or random bit
patterns as part of file deletion
– Useful when files being deleted contain sensitive data
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-11
Why?
• Eliminate password sharing problem
– Role accounts under Linux are user accounts
– If two or more people need access, both need role
account’s password
• Program solves this problem
– Runs with root privileges
– User supplies his/her password to authenticate
– If access allowed, program spawns command
interpreter with privileges of role account
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-12
Requirements
1. Access to role account based on user,
location, time of request
2. Settings of role account’s environment
replaces corresponding settings of user’s
environment, but rest of user’s
environment preserved
3. Only root can alter access control
information for access to role account
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-13
More Requirements
4. Mechanism provides restricted,
unrestricted access to role account
•
•
Restricted: run only specified commands
Unrestricted: access command interpreter
5. Access to files, directories, objects owned
by role account restricted to those
authorized to use role account, users
trusted to install system programs, root
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-14
High-Level Design
1. Obtain role account, command, user, location,
time of day
• If command omitted, assume command interpreter
(unrestricted access)
2. Check user allowed to access role account
a) at specified location;
b) at specified time; and
c) for specified command (or without restriction)
If user not, log attempt and quit
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-15
Time Representation
• Use ranges expressed (reasonably) normally
Mon-Thu 9AM-5PM
– Any time between 9AM and 5PM on Mon, Tue, Wed,
or Thu
Mon 9AM-Thu 5PM
– Any time between 9AM Monday and 5PM Thursday
Apr 15 8AM-Sep 15 6PM
– Any time from 8AM on April 15 to 6PM on September
15, on any year
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-16
Windows Vista Firewall
• Both inbound and outbound
• Authentication and
authorization aware
• Outbound application-aware
filtering is now possible
– Includes IPSec management
– Of course, policy-based
administration
– Great for Peer-to-Peer control
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-17
Network Access Protection
Policy Servers
e.g. Microsoft Security
Center, SMS, Antigen
or 3rd party
3
1
Windows
Vista Client
Not policy
compliant
2
DHCP, VPN
Switch/Router
Microsoft
Network
Policy Server
Fix Up
Servers
Restricted
Network
e.g. WSUS, SMS
& 3rd party
Policy
compliant
5
November 1, 2004
4
Introduction to Computer Security
©2004 Matt Bishop
Corporate Network
Slide #12-18
Control Over Device Installation
• Control over removable device installation via a policy
– Mainly to disable USB-device installation, as many corporations worry
about intellectual property leak
– You can control them by device class or driver
• Approved drivers can be pre-populated into trusted Driver Store
• Driver Store Policies (group policies) govern driver packages
that are not in the Driver Store:
– Non-corporate standard drivers
– Unsigned drivers
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-19
Client Security Scanner
• Finds out and reports Windows client’s security state:
–
–
–
–
Patch and update levels
Security state
Signature files
Anti-malware status
• Ability for Windows to self-report its state
• Information can be collected centrally, or just reviewed
in the Security Center by the users and admins
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-20
Code Integrity
• All DLLs and other OS executables have
been digitally signed
• Signatures verified when components load
into memory
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-21
BitLocker™
• BitLocker strongly encrypts and signs the entire hard drive (full
volume encryption)
– TPM chip provides key management
– Can use additional protection factors such as a USB dongle, PIN or
password
• Any unauthorised off-line modification to your data or OS is
discovered and no access is granted
– Prevents attacks which use utilities that access the hard drive while
Windows is not running and enforces Windows boot process
• Protects data after laptop theft etc.
• Data recovery strategy must be planned carefully!
– Vista supports three modes: key escrow, recovery agent, backup
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-22
RMS, EFS, and BitLocker
• Three levels of protection:
– Rights Management Services
• Per-document enforcement of policy-based rights
– Encrypting File Systems
• Per file or folder encryption of data for confidentiality
– BitLocker™ Full Volume Encryption
• Per volume encryption (see earlier)
• Note: it is not necessary to use a TPM for RMS and EFS
– EFS can use smartcards and tokens in Vista
– RMS is based, at present, on a “lockbox.dll” technology, not a TPM
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-23
Vista Supports NSA Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm
• Required cryptographic algorithms for all US non-classified and classified
(SECRET and TOP-SECRET) needs
– Higher special-security needs (e.g. nuclear security) – guided by Suite A
(definition classified)
– Announced by NSA at RSA conference in Feb 2005
• Encryption: AES
– FIPS 197 (with keys sizes of 128 and 256 bits)
• Digital Signature: Elliptic Curve Digital Signature Algorithm
– FIPS 186-2 (using the curves with 256 and 384-bit prime moduli)
• Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQV
– Draft NIST Special Publication 800-56 (using the curves with 256 and 384-bit
prime moduli)
• Hashing: Secure Hash Algorithm
– FIPS 180-2 (using SHA-256 and SHA-384)
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-24
Resource Access Control Facility
(RACF)
• Access control software for IBM
mainframe.
• Operates at the OS level.
• Can interface with Customer Information
Control System (CICS), IBM’s system for
end user account management.
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-25
RACF Functions
• identify and verify system users
• identify, classify, and protect
system resources
• authorize the users who need
access to the resources you've
protected
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-26
RACF Functions
• control the means of access to
these resources
• log and report unauthorized
attempts at gaining access to the
system and to the protected
resources
• administer security to meet your
installation's security goals.
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-27
Summary
Hierarchy of logical security:
Operating system
Access control software
Data communication software
Application
Data level
Procedures
November 1, 2004
Introduction to Computer Security
©2004 Matt Bishop
Slide #12-28