Computer Security: Access Control (5/23/2017)

The Orange Book
First published in 1983, the Department of Defense Trusted Computer System Evaluation Criteria, known as the Orange Book, is the de facto standard for computer security today. The Orange Book, and others in the Rainbow Series, are still the benchmark for systems produced almost two decades later, and Orange Book classifications such as C2 provide a shorthand for the base-level security features of modern operating systems.

Access Control Terminology
• subject, object, reference monitor
• access request
[Figure: Subject → Access request → Reference monitor → Object]

Access Control Terminology
• Authentication of statement s answers the question: "who said s?"
• Authorization of object o answers the question: "who is trusted to access o?"
[Figure: Subject s → Access request → Reference monitor → Object o]

Access Control
We can specify
• what a subject is allowed to do
• what may be done with an object

Access Control
Who is a subject?
• A principal, a user identity
• We might say that a subject `speaks for' a principal

Access Operations
• Access modes
– Observe: look at the contents of an object
– Alter: change the contents of an object

Access Operations
• Access rights and attributes in the Bell-LaPadula security model:

  Access right   observe   alter
  execute        -         -
  append         -         x
  read           x         -
  write          x         x

Access Operations
• Unix

  Access right   file                       directory
  read           read from a file           list directory contents
  write          write to a file            create or rename a file in a directory
  execute        execute a (program) file   search the directory

Access rights specific to a file are changed by modifying the file's entry in its directory.

Access Operations
• Windows NT: permissions of the Windows New Technology File System (NTFS)
– read
– write
– execute
– delete
– change permission
– change ownership

Ownership
• The owner of a resource decrees who is allowed to access it.
• A system-wide policy decrees who has access.

Access Control Structures
Now we must state which access operations are permitted. We do this by studying their structures. Let
• S be a set of subjects,
• O a set of objects,
• A a set of access operations.

Access Control Matrix
Access rights are determined by a matrix M = (M_{s,o})_{s∈S, o∈O} with M_{s,o} ⊆ A. The Bell-LaPadula model employs access control matrices to model the discretionary access policies of the Orange Book.

Access Control Matrix: an example

         bill.doc        edit.exe    fun.com
  Alice  --              {execute}   {execute, read}
  Bob    {read, write}   {execute}   {execute, read, write}

Access Control Matrix
Access rights can be kept with the
• subjects or the
• objects.

Access Control Matrix: capabilities
If the access rights are kept with the subjects, then these are the subject's access rights. Every subject is given a capability.
Alice's capability: edit.exe: execute; fun.com: execute, read
Bob's capability: bill.doc: read, write; edit.exe: execute; fun.com: execute, read, write

Access Control Matrix: access control lists (ACL)
An ACL stores the access rights to an object with the object itself. ACLs are a typical feature of secure operating systems of the Orange Book class C2.
ACL for bill.doc: Bob: read, write
ACL for edit.exe: Alice: execute; Bill: execute
ACL for fun.com: Alice: execute, read; Bill: execute, read, write

Access Control Matrix: access control lists (ACL)
Management of access rights can be cumbersome. Therefore users are placed in groups, and a user derives access from the user's group.

Intermediate control
Managing a security policy defined by an access control matrix is a complex task in large systems. There are several means of simplifying this task.
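The Alice/Bob matrix above, worked in code as an added example (not from the lecture slides): a reference monitor that mediates each (subject, object, operation) request against the matrix, plus the capability lists and ACLs obtained by slicing the same matrix by row and by column. The function and type names are my own.

```python
# Added example, not from the slides: access control matrix, reference monitor,
# and the capabilities / ACLs derived from it.
from typing import Dict, FrozenSet, List, Tuple

Matrix = Dict[Tuple[str, str], FrozenSet[str]]

# The matrix from the slides: rows are subjects, columns are objects, each cell
# is the set of access operations M[s,o] the subject may perform on the object.
MATRIX: Matrix = {
    ("Alice", "bill.doc"): frozenset(),
    ("Alice", "edit.exe"): frozenset({"execute"}),
    ("Alice", "fun.com"):  frozenset({"execute", "read"}),
    ("Bob",   "bill.doc"): frozenset({"read", "write"}),
    ("Bob",   "edit.exe"): frozenset({"execute"}),
    ("Bob",   "fun.com"):  frozenset({"execute", "read", "write"}),
}

def reference_monitor(matrix: Matrix, subject: str, obj: str, op: str) -> bool:
    """Mediate an access request: grant iff op is in M[s,o].
    A subject/object pair with no cell is treated as an empty cell (deny)."""
    return op in matrix.get((subject, obj), frozenset())

def capabilities(matrix: Matrix, subject: str) -> Dict[str, List[str]]:
    """Capability = the subject's row of the matrix, kept with the subject."""
    return {o: sorted(rights) for (s, o), rights in matrix.items()
            if s == subject and rights}

def acl(matrix: Matrix, obj: str) -> Dict[str, List[str]]:
    """ACL = the object's column of the matrix, kept with the object."""
    return {s: sorted(rights) for (s, o), rights in matrix.items()
            if o == obj and rights}

if __name__ == "__main__":
    print(reference_monitor(MATRIX, "Alice", "bill.doc", "read"))  # False
    print(capabilities(MATRIX, "Alice"))
    print(acl(MATRIX, "fun.com"))
```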
Group permissions
[Figure: subjects s1 to s5 are assigned to groups g1 and g2, and the groups are granted access to objects o1 to o6]

Group and negative permissions
[Figure: as above, with some subject-to-group and group-to-object edges marked x, i.e. negative permissions]

Privileges
[Figure: subjects s1 to s5 are assigned privileges pr1 and pr2, and the privileges map to operations op1 to op6]

Role Based Access Control
Privileges come predefined with the OS.
• Roles: a collection of procedures
– roles are assigned to users; a user can have many roles
• Procedures: high-level access control methods. Can only be applied to objects of certain data types.
• Datatypes: each object has a certain datatype and can only be accessed through procedures defined for this datatype.

Protection rings
[Figure: concentric rings 0 (operating system kernel), 1 (operating system), 2 (utilities), 3 (user processes)]
Each application is assigned a number 0, 1, 2, 3, ... depending on its importance.

Protection rings
  0  operating system kernel
  1  operating system
  2  utilities
  3  user processes

Protection rings
Protection rings are mainly used for integrity protection. An example is the QNX Neutrino microkernel OS*:
• The Neutrino microkernel runs in ring 0
• The Neutrino process runs in ring 1
• All other programs run in ring 3
* A microkernel OS is structured as a tiny kernel that provides the minimal services used by a team of optional cooperating processes, which in turn provide the higher-level OS functionality.

Protection rings
Unix employs a similar protection but uses only two levels.

The lattice: OS security levels
The Mandatory Access Control (MAC) policies and the multi-level security policies of the Orange Book refer to security levels:
  top secret
  secret
  confidential
  unclassified
This is a linearly ordered set, a special case of a lattice.
A lattice
[Figure: Hasse diagram of subsets of {a,b,c} ordered by inclusion: {a,b,c} at the top; {a,b}, {a,c}, {b,c} below it; {a}, {b}, {c} at the bottom]

A lattice
A lattice (L, ≤) is a set with a partial ordering "≤" such that for each pair of elements a, b of L there is a least upper bound (lub) u in L and a greatest lower bound (glb) v in L.

An example
• Let H be a set of classifications with hierarchical ordering ≤.
• Take a set of categories C, e.g. project names, company divisions, etc.
• A compartment is a set of categories, i.e. a subset of C.
• A security label (level) is a pair (h, c), where h ∈ H is the security level and c ⊆ C is a compartment.

An example
• The partial ordering is defined by: (h1, c1) ≤ (h2, c2) if and only if h1 ≤ h2 and c1 ⊆ c2.

The VSTa operating system
• VSTa (Valencia's Simple Tasker) is an operating system with microkernel architecture.
• Abilities are defined as finite strings of positive integers separated by a dot, e.g.: .10.0.0.5
• Abilities are ordered using a partial ordering: .3 ≤ .3.1 ≤ .3.1.100 but ¬(.3.1 ≤ .3.2)
• Access is granted if the ability of a subject is a prefix of the object's ability.
• The ability "." defines a superuser.
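The two partial orders above, the (h, c) security-label lattice and the VSTa prefix ordering of abilities, as one added example (my own code, not from the slides or from VSTa): a dominance test with lub and glb for labels, and a prefix check for abilities. The classification list and all names are assumptions of the example.

```python
# Added example, not from the slides: the (h, c) label lattice and the
# VSTa-style prefix ordering of abilities.
from typing import FrozenSet, Tuple

# Linearly ordered classifications H, least sensitive first (as on the slides).
H = ["unclassified", "confidential", "secret", "top secret"]
Label = Tuple[str, FrozenSet[str]]   # (h, c): classification and compartment

def label_le(l1: Label, l2: Label) -> bool:
    """(h1,c1) <= (h2,c2) iff h1 <= h2 in H and c1 is a subset of c2."""
    (h1, c1), (h2, c2) = l1, l2
    return H.index(h1) <= H.index(h2) and c1 <= c2

def lub(a: Label, b: Label) -> Label:
    """Least upper bound: higher classification, union of the compartments."""
    return (H[max(H.index(a[0]), H.index(b[0]))], a[1] | b[1])

def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: lower classification, intersection of compartments."""
    return (H[min(H.index(a[0]), H.index(b[0]))], a[1] & b[1])

def ability(s: str) -> Tuple[int, ...]:
    """Parse an ability such as '.10.0.0.5'; the superuser '.' parses to ()."""
    return tuple(int(x) for x in s.split(".") if x != "")

def ability_le(a: str, b: str) -> bool:
    """a <= b iff a's sequence of integers is a prefix of b's. Comparing the
    integer sequences rather than raw strings keeps '.3' from matching '.31'."""
    pa, pb = ability(a), ability(b)
    return pb[:len(pa)] == pa

def vsta_access(subject_ability: str, object_ability: str) -> bool:
    """Grant iff the subject's ability is a prefix of the object's ability."""
    return ability_le(subject_ability, object_ability)

if __name__ == "__main__":
    ts_alpha = ("top secret", frozenset({"alpha"}))
    s_ab = ("secret", frozenset({"alpha", "beta"}))
    print(label_le(s_ab, ts_alpha), label_le(ts_alpha, s_ab))  # False False
    print(lub(ts_alpha, s_ab), glb(ts_alpha, s_ab))
    print(vsta_access(".3", ".3.1.100"), vsta_access(".3.1", ".3.2"))  # True False
```

Two labels can be incomparable (neither dominates the other), which is exactly why the lattice's lub and glb are needed to combine them.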