Computer Security: Access Control (5/23/2017)

The Orange Book
First published in 1983, the Department of Defense Trusted Computer System Evaluation Criteria, known as the Orange Book, is the de facto standard for computer security today. The Orange Book, and others in the Rainbow Series, are still the benchmark for systems produced almost two decades later, and Orange Book classifications such as C2 provide a shorthand for the base-level security features of modern operating systems.

Access Control Terminology
• subject, object, reference monitor
• access request
[Figure: a Subject issues an access request, which the Reference monitor checks before it reaches the Object.]

Access Control
We can specify
• What a subject is allowed to do
• What may be done with an object

Access Operations
• Access modes
– Observe: look at the contents of an object
– Alter: change the contents of an object

Access Operations
• Access rights & attributes – Bell-LaPadula security model

  Access right   observe   alter
  execute
  append                   x
  read           x
  write          x         x

Access Operations
• Unix

  Access right   file                        directory
  read           read from a file            list directory contents
  write          write to a file             create or rename a file in the directory
  execute        execute a (program) file    search the directory

Access rights are changed by modifying the file's entry in its directory.

Access Operations
• Windows NT: permissions of the Windows New Technology File System (NTFS)
– read
– write
– execute
– delete
– change permission
– change ownership
One does not rely on operations on directories for deletion of files, or to change access rights.

Ownership
• The owner of a resource decrees who is allowed to access it.
• A system-wide policy decrees who has access.

Access Control Structures
Now we must state which access operations are permitted. We do this by studying their structures.
Let
• S be a set of subjects,
• O a set of objects,
• A a set of access operations.

Access Control Matrix
Access rights are determined by a matrix $M = (M_{so})_{s \in S,\, o \in O}$ with $M_{so} \subseteq A$. The Bell-LaPadula model employs access control matrices to model the discretionary access policies of the Orange Book.

Access Control Matrix: an example

           bill.doc        edit.exe     fun.com
  Alice    --              {execute}    {execute, read}
  Bob      {read, write}   {execute}    {execute, read, write}

Access Control Matrix
Access rights can be kept with the
• subjects or the
• objects.

Access Control Matrix: Capabilities
If the access rights are kept with the subjects then these are the subject's access rights. Every subject is given a capability.
Alice's capability: edit.exe: execute; fun.com: execute, read
Bob's capability: bill.doc: read, write; edit.exe: execute; fun.com: execute, read, write

Access Control Matrix: Access control lists (ACL)
An ACL stores the access rights to an object with the object itself. ACLs are a typical feature of secure operating systems of Orange Book class C2.
ACL for bill.doc: Bob: read, write
ACL for edit.exe: Alice: execute; Bob: execute
ACL for fun.com: Alice: execute, read; Bob: execute, read, write

Access Control Matrix: Access control lists (ACL)
Management of access rights can be cumbersome. Therefore users are placed in groups, and derive access from their group.

Intermediate control
Managing a security policy defined by an access control matrix is a complex task in large systems. There are several means of simplifying this task.
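The matrix, capability and ACL slides above describe three views of the same information. As an added example (not part of the lecture slides), the following Python encodes the slides' matrix M, derives the capability (row) and ACL (column) views from it, shows that the ACL view rebuilds M exactly, and implements the reference monitor's decision as a lookup in M; the function names are my own.

```python
# Added example (not from the slides): the access control matrix from the
# slides as M[s][o] ⊆ A, with the two storage views (capabilities per
# subject, ACLs per object) derived from it and a minimal reference monitor.

A = {"read", "write", "execute"}  # the set of access operations

# Matrix from the slides: rows are subjects S, columns are objects O.
M = {
    "Alice": {
        "bill.doc": set(),
        "edit.exe": {"execute"},
        "fun.com": {"execute", "read"},
    },
    "Bob": {
        "bill.doc": {"read", "write"},
        "edit.exe": {"execute"},
        "fun.com": {"execute", "read", "write"},
    },
}


def capabilities(matrix):
    """Row view: each subject's capability lists its rights per object."""
    return {s: {o: set(r) for o, r in row.items() if r}
            for s, row in matrix.items()}


def acls(matrix):
    """Column view: each object's ACL lists the subjects' rights to it."""
    result = {}
    for s, row in matrix.items():
        for o, r in row.items():
            if r:
                result.setdefault(o, {})[s] = set(r)
    return result


def matrix_from_acls(acl_table, subjects, objects):
    """Rebuild M from the ACLs: both views carry the same information."""
    return {s: {o: set(acl_table.get(o, {}).get(s, set())) for o in objects}
            for s in subjects}


def reference_monitor(matrix, subject, operation, obj):
    """Grant iff operation ∈ M[s][o]; unknown subjects or objects are denied."""
    if operation not in A:
        raise ValueError(f"unknown access operation: {operation!r}")
    return operation in matrix.get(subject, {}).get(obj, set())
```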
Groups and negative permissions
[Figure: subjects s1 to s5 are assigned to groups g1 and g2, and the groups are granted access to objects o1 to o6.]

Groups and negative permissions
[Figure: the same diagram, with some subject-to-object edges marked "x" for negative permissions.]

Protection rings
Each subject (or process) is assigned a number 0, 1, 2, 3, ... depending on its importance.
[Figure: concentric rings 0 to 3]
  0  operating system kernel
  1  operating system
  2  utilities
  3  user processes

Protection rings
Protection rings are mainly used for integrity protection. An example is the QNX Neutrino microkernel OS*:
• The Neutrino microkernel runs in ring 0
• The Neutrino process runs in ring 1
• All other programs run in ring 3
* A microkernel OS is structured as a tiny kernel that provides the minimal services used by a team of optional cooperating processes, which in turn provide the higher-level OS functionality.

Protection rings
Unix employs a similar protection but uses only two levels.

Privileges
[Figure: subjects s1 to s5 are assigned privileges pr1 and pr2, each of which collects a set of operations op1 to op6.]

Role based access control
Privileges come predefined with the OS.
• Roles: a collection of procedures
– roles are assigned to users; a user can have many roles
• Procedures: high-level access control methods. Can only be applied to objects of certain data types.
• Datatypes: each object has a certain datatype and can only be accessed through procedures defined for this datatype.

The lattice of security levels
The Mandatory Access Control (MAC) policies and the multi-level security policies of the Orange Book refer to security levels:
  top secret
  secret
  confidential
  unclassified

A lattice
[Figure: the subsets of {a,b,c} ordered by inclusion: {a,b,c} at the top; {a,b}, {b,c}, {a,c} below it; then {a}, {b}, {c}; and the empty set at the bottom.]

A lattice
A lattice $(L, \le)$ is a set $L$ with a partial ordering $\le$ such that for each pair of elements $a, b$ of $L$ there is a least upper bound (lub) $u$ in $L$ and a greatest lower bound (glb) $v$ in $L$.
An example
• Let H be a set of classifications with hierarchical ordering $\le$.
• Take a set of categories C, e.g. project names, company divisions, etc.
• A compartment is a set of categories.
• A security label (level) is a pair (h, c), where h in H is the security level and c is a compartment.

An example
• The partial ordering is defined by: $(h_1, c_1) \le (h_2, c_2)$ if and only if $h_1 \le h_2$ and $c_1 \subseteq c_2$.
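As an added example (not part of the lecture slides), the Python below implements the security-label ordering just defined over the four classifications from the slides and the categories {a, b, c} of the lattice slide, computes lub and glb componentwise, and checks by brute force that every pair of labels has a least upper bound and a greatest lower bound, i.e. that the labels form a lattice; the function names are my own.

```python
# Added example (not from the slides): security labels (h, c) with the
# ordering (h1,c1) <= (h2,c2) iff h1 <= h2 and c1 ⊆ c2, plus lub/glb and a
# brute-force check that the labels form a lattice.
from itertools import combinations

# Classifications H, hierarchically ordered from lowest to highest.
H = ["unclassified", "confidential", "secret", "top secret"]
# Categories C; a compartment is any subset of C.  Using the slide's {a,b,c}
# makes the compartments exactly the subset lattice drawn on the slide.
C = ("a", "b", "c")


def leq(label1, label2):
    """(h1,c1) <= (h2,c2) iff h1 <= h2 in H and c1 is a subset of c2."""
    (h1, c1), (h2, c2) = label1, label2
    return H.index(h1) <= H.index(h2) and c1 <= c2

def lub(label1, label2):
    """Least upper bound: higher classification, union of compartments."""
    (h1, c1), (h2, c2) = label1, label2
    return (H[max(H.index(h1), H.index(h2))], frozenset(c1 | c2))

def glb(label1, label2):
    """Greatest lower bound: lower classification, intersection."""
    (h1, c1), (h2, c2) = label1, label2
    return (H[min(H.index(h1), H.index(h2))], frozenset(c1 & c2))

def all_labels():
    """Every (h, compartment) pair: |H| * 2^|C| labels."""
    comps = [frozenset(k) for r in range(len(C) + 1)
             for k in combinations(C, r)]
    return {(h, c) for h in H for c in comps}

def is_lattice(labels):
    """Check each pair has a lub and glb in `labels` that really are the
    least upper / greatest lower bounds under leq."""
    for a, b in combinations(labels, 2):
        u, v = lub(a, b), glb(a, b)
        if u not in labels or v not in labels:
            return False
        if not (leq(a, u) and leq(b, u) and leq(v, a) and leq(v, b)):
            return False
        # u must lie below every other upper bound, v above every lower bound
        for w in labels:
            if leq(a, w) and leq(b, w) and not leq(u, w):
                return False
            if leq(w, a) and leq(w, b) and not leq(w, v):
                return False
    return True
```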