CSC 382: Computer Security
Security Policies
CSC 382: Computer Security
Slide #1
Topics
1. What is a security policy?
2. Types of Access Control
   1. Discretionary (DAC)
   2. Mandatory (MAC)
   3. Originator-based (ORBAC)
3. Types of Policies
   1. Multilevel: Bell LaPadula
   2. Clark Wilson
   3. Chinese Wall
4. Policy Expression Languages
Slide #2
Security Policy
• Security policy partitions system states into:
  – Authorized (secure)
    • These are states the system is allowed to enter.
  – Unauthorized (nonsecure)
    • If the system enters any of these states, it’s a security violation.
• Secure system
  – Starts in authorized state.
  – Never enters unauthorized state.
Slide #3
Policy vs. Mechanism
Security Policy
– Statement that divides system into authorized
and unauthorized states.
Mechanism
– Entity or procedure that enforces some part of a
security policy.
Slide #4
Dirty Politics
Republican Senate staffers gained access to
Democrat computer files 2002-2003.
– Both parties share computer server.
– 2001 misconfiguration allowed access w/o pw.
– Defence: "The bottom line here is that the
technology staff of the Democrats was negligent.
They put these memos in a shared hard drive. It
was like putting the memos on our desk.” –
Manuel Miranda
Slide #5
Types of Access Control
• Discretionary Access Control (DAC, IBAC)
– Individual user sets access control mechanism to allow
or deny access to an object. UNIX and NT ACLs.
• Mandatory Access Control (MAC)
– System mechanism controls access to object, and
individual cannot alter that access.
• Originator Controlled Access Control (ORCON)
– Originator (creator, not current owner of file) of
information controls who can access information.
DRM-controlled files.
Slide #6
MAC Example: SELinux
• What is SELinux?
– Linux kernel modifications to provide MAC.
• What’s the problem with DAC?
– TCB large: Security depends on kernel, all
privileged applications, and their configurations.
– Coarse-grained: Applications run with all user
privileges, even for root user.
• Security of MAC depends on:
– kernel
– SELinux security policy configuration
Slide #7
SELinux Advantages and Issues
• Advantages
– Fine-grained control by program, not by user.
– Protects system from flawed or malicious code.
• Security policy configuration is complex.
– Policy language resembles DTEL.
– Fine-grained: can control program accesses to
individual files, signals, etc.
• Difficult to find security policies that work for
everyone.
– Fedora Core 2’s strict policy caused many problems.
– Fedora Core 3 applies policies to known server and
system processes, lets other programs run w/o restriction.
Slide #8
SELinux Command Extensions
> id -Z
user_u:system_r:unconfined_t
> ps -eZ |head
LABEL                          PID TTY      TIME     CMD
user_u:system_r:unconfined_t     1 ?        00:00:00 init
user_u:system_r:unconfined_t    21 ?        00:00:00 kacpid
user_u:system_r:syslogd_t     3826 ?        00:00:00 syslogd
user_u:system_r:unconfined_t  3841 ?        00:00:00 irqbalance
user_u:system_r:portmap_t     3852 ?        00:00:00 portmap
user_u:system_r:ypbind_t      4024 ?        00:00:00 ypbind
> ls -lZ /boot/vmlinuz-2.6.10-1.741_FC3smp
-rw-r--r-- root root system_u:object_r:boot_t /boot/vmlinuz-2.6.10-1.741_FC3smp
Slide #9
ORBAC Example: CSS
• Content Scrambling System (CSS)
– Used to encrypt DVDs.
– DVD reader needs CSS decryption key.
• CSS limits use of DVDs even though you
control the OS (MAC) and filesystem ACLs.
– Region-coding.
– Unskippable commercials.
Slide #10
Types of Security Policies
• Confidentiality
– Military/government policies.
• Integrity
– Commercial policies.
• Availability
– Quality of service agreements.
Slide #11
Confidentiality
• X set of entities, I information.
• I has confidentiality property with respect to X if
no x in X can obtain information from I.
• I can be disclosed to others.
• Example:
– X is the set of students.
– I is the final exam answer key.
– I is confidential with respect to X if students cannot
obtain final exam answer key.
Slide #12
Integrity
• X set of entities, I information.
• I has integrity property with respect to X if all x in
X trust information in I.
• Types of integrity:
– trust I, its conveyance and protection (data integrity)
– I information about origin of something or an identity
(origin integrity, authentication)
– I resource: means resource functions as it should
(assurance)
Slide #13
Availability
• X set of entities, I resource.
• I has availability property with respect to X
if all x in X can access I.
• Types of availability:
– traditional: x gets access or not
– quality of service: promise specific level of
access (e.g., a specific level of bandwidth)
Slide #14
Multilevel Security Policies
Bell-LaPadula Model
• Classifications
  1. Top Secret
  2. Secret
  3. Confidential
  4. Unclassified
• Simple Security Property: No read up.
• *-Property: No write down.
Slide #15
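The two Bell-LaPadula properties as a small reference monitor, added here as an example that is not part of the original slides; the subjects, objects and labels are constructed sample data over the four classifications listed above.

```python
# Added example (not from the slides): a minimal Bell-LaPadula reference monitor
# over the four classifications on the slide. The subjects, objects and their
# labels below are constructed sample data.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def dominates(a, b):
    """True when level a is at or above level b in the (linear) lattice."""
    return LEVELS[a] >= LEVELS[b]

class BLPMonitor:
    def __init__(self, clearances, classifications):
        self.clearances = clearances            # subject -> clearance
        self.classifications = classifications  # object  -> classification

    def can_read(self, subject, obj):
        # Simple Security Property: no read up (subject must dominate object).
        return dominates(self.clearances[subject], self.classifications[obj])

    def can_write(self, subject, obj):
        # *-Property: no write down (object must dominate subject).
        return dominates(self.classifications[obj], self.clearances[subject])

    def is_secure_state(self, accesses):
        """accesses: iterable of (subject, object, 'r' or 'w'). A state is
        secure only if every current access satisfies both properties."""
        return all(
            self.can_read(s, o) if mode == "r" else self.can_write(s, o)
            for s, o, mode in accesses
        )

# Constructed sample: an analyst cleared Secret and a clerk cleared Unclassified.
MONITOR = BLPMonitor(
    {"analyst": "Secret", "clerk": "Unclassified"},
    {"plans": "Top Secret", "memo": "Confidential", "bulletin": "Unclassified"},
)

if __name__ == "__main__":
    print(MONITOR.can_read("analyst", "memo"))       # True: reading down is allowed
    print(MONITOR.can_read("analyst", "plans"))      # False: no read up
    print(MONITOR.can_write("analyst", "bulletin"))  # False: no write down
```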
Multilateral Security Policies
Chinese Wall Model
• CD: Company dataset
• COI: Conflict of interest class
• If you read one CD of a COI, you never can read any other CDs from that COI.
• Bank COI Class: US Bank, PNC, Citibank
• Oil COI Class: Shell, BP, Exxon, ARCO
Slide #16
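The Chinese Wall rule above depends on a subject's access history, so an enforcer has to remember past reads; the following is an added example (not from the slides) using the two COI classes shown, with a constructed analyst subject.

```python
# Added example (not from the slides): the Chinese Wall simple security rule
# enforced as a history-based check over the COI classes on the slide.
COI_CLASSES = {
    "Bank": {"US Bank", "PNC", "Citibank"},
    "Oil": {"Shell", "BP", "Exxon", "ARCO"},
}
# Reverse map: company dataset (CD) -> its conflict-of-interest class.
CD_TO_COI = {cd: coi for coi, cds in COI_CLASSES.items() for cd in cds}

class ChineseWall:
    def __init__(self):
        self.history = {}  # subject -> set of CDs that subject has read

    def can_read(self, subject, cd):
        """Allowed if cd was already read, or if no other CD in cd's COI has
        been read by this subject; reads across different COIs are fine."""
        coi = CD_TO_COI[cd]
        seen = self.history.get(subject, set())
        return all(CD_TO_COI[s] != coi or s == cd for s in seen)

    def read(self, subject, cd):
        """Perform the read and record it; raises if the wall forbids it."""
        if not self.can_read(subject, cd):
            raise PermissionError(
                f"{subject} already read another CD in the {CD_TO_COI[cd]} COI")
        self.history.setdefault(subject, set()).add(cd)
        return True

if __name__ == "__main__":
    wall = ChineseWall()                 # constructed sample session
    wall.read("analyst", "PNC")
    print(wall.can_read("analyst", "Citibank"))  # False: same COI as PNC
    print(wall.can_read("analyst", "Shell"))     # True: different COI
```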
Policy Languages
• Express security policies in a precise way.
• High-level languages
– Policy constraints expressed abstractly.
• Low-level languages
– Policy constraints expressed in terms of
program options, input, or specific
characteristics of entities on system.
Slide #17
High-Level Policy Languages
• Constraints expressed independent of
enforcement mechanism.
• Constraints restrict entities, actions.
• Constraints expressed unambiguously
– Requires a precise language, usually a
mathematical, logical, or programming-like
language.
Slide #18
Example: Web Browser
• Goal: restrict actions of Java programs that
are downloaded and executed under control
of web browser.
• Policy language specific to Java programs.
• Expresses constraints as conditions
restricting invocation of entities.
Slide #19
Expressing Constraints
• Entities are classes, methods
– Class: set of objects that an access constraint constrains.
– Method: set of ways an operation can be invoked.
• Operations
– Instantiation: s creates instance of class c: s -| c
– Invocation: s1 executes object s2: s1 |-> s2
• Access constraints
– deny(s op x) when b
– While b is true, subject s cannot perform op on (subject
or class) x; empty s means all subjects.
Slide #20
Sample Constraints
• Downloaded program cannot access password
database file on UNIX system
• Program’s class and methods for files:
class File {
  public file(String name);      // constructor: open the named file
  public String getfilename();   // name of the file this object refers to
  public char read();            // read one character
}
• Constraint:
deny( |-> file.read) when
(file.getfilename() == /etc/passwd)
Slide #21
Another Sample Constraint
• At most 100 network connections open.
• Socket class defines network interface
– Network.numconns method giving number of
active network connections.
• Constraint
deny( -| Socket) when
(Network.numconns >= 100)
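Both sample constraints (the /etc/passwd read and the 100-connection limit) can be evaluated by one small monitor; this is an added example, not code from the slides or from the policy language's real implementation, and the request context (filename, numconns) is a constructed stand-in for what the runtime would supply.

```python
# Added example (not from the slides): a tiny evaluator for constraints of the
# form deny(s op x) when b, loaded with the two sample constraints above.
# The ctx dict is a constructed stand-in for the runtime's view of the request.
INVOKE, INSTANTIATE = "|->", "-|"

class Deny:
    def __init__(self, subject, op, target, when):
        self.subject = subject   # None means "all subjects" (empty s on the slide)
        self.op = op             # INVOKE or INSTANTIATE
        self.target = target     # method or class name x
        self.when = when         # predicate b over the request context

    def matches(self, subject, op, target, ctx):
        if self.subject is not None and self.subject != subject:
            return False
        return self.op == op and self.target == target and bool(self.when(ctx))

class PolicyMonitor:
    def __init__(self, rules):
        self.rules = rules

    def allowed(self, subject, op, target, ctx=None):
        """Default allow; any deny rule that matches and whose b holds blocks it."""
        ctx = ctx or {}
        return not any(r.matches(subject, op, target, ctx) for r in self.rules)

RULES = [
    # deny( |-> file.read) when (file.getfilename() == /etc/passwd)
    Deny(None, INVOKE, "file.read",
         lambda ctx: ctx.get("filename") == "/etc/passwd"),
    # deny( -| Socket) when (Network.numconns >= 100)
    Deny(None, INSTANTIATE, "Socket",
         lambda ctx: ctx.get("numconns", 0) >= 100),
]
APPLET_MONITOR = PolicyMonitor(RULES)

if __name__ == "__main__":
    print(APPLET_MONITOR.allowed("applet", INVOKE, "file.read",
                                 {"filename": "/etc/passwd"}))   # False
    print(APPLET_MONITOR.allowed("applet", INSTANTIATE, "Socket",
                                 {"numconns": 42}))              # True
```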
Slide #22
Discussion: Buying HDs on Ebay
• 2 MIT grad students bought 158 used HDs.
– 28 (17%) had fully functioning operating systems.
– 57 (36%) were formatted, but recoverable.
– 29 (18%) didn’t work at all.
– In total, 117 (74%) had recoverable data.
• Recovered data included
– Personal and corporate financial records.
– Personal e-mail and credit cards.
• Is discarded data a security issue?
Slide #23
Low-Level Policy Languages
• Set of inputs or arguments to commands.
– Check or set constraints on system.
• Low level of abstraction.
– Need details of system, commands.
Slide #24
Example: X Window System
• UNIX X11 Windowing System.
• Access to X11 display controlled by list
– List says what hosts allowed, disallowed access
xhost +groucho -chico
• Connections from host groucho allowed.
• Connections from host chico not allowed.
Slide #25
Example: tripwire
File scanner that reports changes to file
system and file attributes
– tw.config describes what may change
/usr/mab/tripwire +gimnpsu012345678-a
• Check everything but time of last access (“-a”)
– database holds previous values of attributes
Slide #26
Example Database Record
/usr/mab/tripwire/README 0 ..../. 100600 45763 1
917 10 33242 .gtPvf .gtPvY .gtPvY 0
.ZD4cc0Wr8i21ZKaI..LUOr3
.0fwo5:hf4e4.8TAqd0V4ubv ?...... ...9b3
1M4GX01xbGIX0oVuGo1h15z3
?:Y9jfa04rdzM1q:eqt1APgHk
?.Eb9yo.2zkEh1XKovX1:d0wF0kfAvC
?1M4GX01xbGIX2947jdyrior38h15z3 0
file name, version, bitmask for attributes, mode,
inode number, number of links, UID, GID, size,
times of creation, last modification, last access,
cryptographic checksums
Slide #27
Comments
• System administrators not expected to edit
database to set attributes properly.
• Checking for changes with tripwire is easy.
– Just run once to create the database, run again to check.
• Checking for conformance to policy is harder.
– Need to either edit database file, or (better) set system
up to conform to policy, then run tripwire to construct
database.
Slide #28
Example: PAM
• Pluggable Authentication Modules
• Config: /etc/pam.conf or /etc/pam.d/prog
login auth required pam_unix.so
login account required pam_unix.so
login password required pam_unix.so
login session required pam_unix.so
• Format: service modtype controlflag module
Slide #29
Example: PAM (cont.)
• Module Types:
– Auth: authenticates user
– Account: non-auth access control (time, place)
– Password: updates auth token
– Session: user setup (including logging)
• Control Flags:
– required: must succeed for access, all entries checked
– requisite: required, but returns immediately on failure
– sufficient: access granted if this condition true
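To see how the three control flags interact, here is an added example (not from the slides or from the PAM library itself) that parses pam.conf-style lines in the "service modtype controlflag module" format and walks a stack with constructed module outcomes; real PAM has further flags and module arguments that are omitted.

```python
# Added example (not from the slides): parse pam.conf-style lines and simulate
# how required / requisite / sufficient combine module results. Module
# outcomes are supplied as a constructed dict; other PAM flags and module
# arguments are deliberately left out.
SAMPLE_CONF = """\
# constructed sample stack: console check, then LDAP, then local passwords
login auth     requisite  pam_securetty.so
login auth     sufficient pam_ldap.so
login auth     required   pam_unix.so
login account  required   pam_unix.so
"""

def parse_pam(conf):
    """Return (service, modtype, controlflag, module) tuples, skipping comments."""
    entries = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            service, modtype, flag, module = line.split()[:4]
            entries.append((service, modtype, flag, module))
    return entries

def evaluate_stack(entries, service, modtype, results):
    """results: module -> True/False. Returns the stack's access decision."""
    failed = False
    for svc, mt, flag, module in entries:
        if (svc, mt) != (service, modtype):
            continue
        ok = results.get(module, False)
        if flag == "required" and not ok:
            failed = True        # remember the failure but still run the rest
        elif flag == "requisite" and not ok:
            return False         # return immediately on failure
        elif flag == "sufficient" and ok and not failed:
            return True          # grant now; later modules are not consulted
        elif flag not in ("required", "requisite", "sufficient"):
            raise ValueError(f"unknown control flag {flag!r}")
    return not failed

ENTRIES = parse_pam(SAMPLE_CONF)

if __name__ == "__main__":
    # LDAP succeeds, so pam_unix.so is never consulted for auth.
    print(evaluate_stack(ENTRIES, "login", "auth",
                         {"pam_securetty.so": True, "pam_ldap.so": True}))  # True
```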
Slide #30
Key Points
• Policies describe what is allowed.
• Mechanisms control how policies are
enforced.
• Types of Access Control
– Discretionary (DAC)
– Mandatory (MAC)
– Originator Based (ORBAC)
• Trust underlies everything.
Slide #31
References
1. Anderson, Ross, Security Engineering, Wiley, 2001.
2. David E. Bell and Leonard J. LaPadula, Secure Computer
System: Unified Exposition and MULTICS Interpretation,
MTR-2997 Rev. 1, The MITRE Corporation, Bedford, MA
01730 (Mar. 1976)
http://csrc.nist.gov/publications/history/bell76.pdf
3. Bishop, Matt, Introduction to Computer Security, Addison-Wesley, 2005.
4. Department of Defense, Trusted Computer System Evaluation
Criteria, DoD 5200.28-STD (“Orange Book”), National
Computer Security Center, Ft. Meade, MD 20755 (Dec. 1985)
http://csrc.nist.gov/publications/history/dod85.pdf
5. Peter Loscocco and Stephen Smalley, “Integrating Flexible
Support for Security Policies into the Linux Operating
System,” Proceedings of the FREENIX Track of the 2001
USENIX Annual Technical Conference, 2001.
Slide #32