CS 683 - Security and Privacy, Fall 2019
Instructor: Karim Eldefrawy, University of San Francisco
http://www.cs.usfca.edu/~keldefrawy/teaching/fall2019/cs683/cs683_main.htm

Lecture 14: Access Control
Recall: Security Services
• Confidentiality: to assure information privacy and secrecy
• Authentication: to assert who created or sent data
• Integrity: to show that data has not been altered
• Access Control: to prevent misuse of resources
• Availability: to offer access to resources, permanence, non-erasure
Examples of attacks on Availability:
– Denial of Service (DoS) attacks
  • e.g., against a name server
– Malware that deletes or encrypts files
Access Control (AC)
• A “language” for expressing access control policies: who can access what, how and when …
• Enforcement of access control:
  • Identify all resources (objects) and their granularity
  • Identify all potential users (subjects)
  • Specify rules for subject/object interaction
  • Guard them in real time
Model and Terminology
• Subjects: users or processes
• Objects: resources (files, memory, printers, routers, plotters, disks, processes, etc.)
Focus of Access Control
• What a subject is allowed to do
• What may be done with an object
Access Modes
• “Look” at an object, e.g.:
  • Read file
  • Check printer queue
  • Print remote screen
  • Query database
  • etc.
• “Change” an object, e.g.:
  • Write/append/erase file
  • Print or fax
  • Display on screen
  • etc.
Access Rights: execute, read, append, and write

             Execute   Append   Read   Write
  Observe                        X       X
  Alter                  X               X
UNIX/Linux/*nix Operating Systems
• execute: execute (program) file, search directory
• read: read from file, list directory
• write: write (re-write or append) file, create or rename file in directory
Example: Windows NT/2000 (NTFS)
• execute
• read
• write
• delete
• change permission
• change ownership
AC Types
Who is in charge of setting AC policy?
• Discretionary: resource owner
• Mandatory: system-wide policy
Access Control Structures
i. Access Control Matrix
ii. Capabilities
iii. Access Control Lists
Access Control Matrix (rows: subjects, columns: objects)

              Bill.doc        Edit.exe     Fun.com
  Alice       {} (no rights)  {execute}    {execute, read}
  Bob         {read, write}   {execute}    {execute, read, write}
Access Control Lists 1/2
Keep access rights to an object with that object:
  § ACL for bill.doc: Bob: read, write
  § ACL for edit.exe: Alice: execute; Bob: execute
  § ACL for fun.com: Alice: execute, read; Bill: execute, read, write
• As many ACLs as there are objects
• Each ACL either signed or stored in a protected place
• Hard to manage
Access Control Lists 2/2
• Managing access rights can be difficult
• Groups can be helpful …
• Groups simplify the definition of access control policies
Access Control Lists (with groups)
[Figure: subjects S1, S2, S3, a group G1, and objects O1 to O5; access to the objects is granted through the group rather than to each subject individually]
Capabilities 1/2
• Capabilities are associated with discretionary access control
• Reason: difficult to get a full view of who has permission to access an object
• Very difficult to revoke a capability (owners/objects have to keep track of all issued capabilities)
• As many capabilities as there are subject/object pairs
• Each capability either signed or otherwise protected
• Hard to revoke in a distributed setting
Capabilities 2/2
Keep access rights with the subject:
• Alice's capabilities: [edit.exe:execute]; [fun.com:execute,read]
• Bob's capabilities: [bill.doc:read,write]; [edit.exe:execute]; [fun.com:execute,read,write]
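The matrix, ACL and capability slides above describe three storages of the same policy. As an added example (not from the lecture), the following Python builds the slides' matrix (Alice/Bob over bill.doc, edit.exe, fun.com), derives the ACLs and capabilities from it, and walks through revoking all access to one object under each structure, which is where the "hard to revoke" point on the capabilities slide shows up.

```python
# Added example (not from the lecture): the slides' access control matrix,
# with ACLs (column view) and capabilities (row view) derived from it, and
# a revocation walk-through showing why each is easy or hard to revoke.
from collections import defaultdict

# Constructed from the slides' matrix: subject -> object -> set of rights.
MATRIX = {
    "Alice": {"bill.doc": set(), "edit.exe": {"execute"},
              "fun.com": {"execute", "read"}},
    "Bob":   {"bill.doc": {"read", "write"}, "edit.exe": {"execute"},
              "fun.com": {"execute", "read", "write"}},
}

def to_acls(matrix):
    """ACLs: each object keeps the (subject -> rights) entries that name it."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:                       # empty cells produce no entry
                acls[obj][subject] = set(rights)
    return dict(acls)

def to_capabilities(matrix):
    """Capabilities: each subject holds its own (object -> rights) tokens."""
    return {s: {o: set(r) for o, r in row.items() if r}
            for s, row in matrix.items()}

def acl_allows(acls, subject, obj, right):
    return right in acls.get(obj, {}).get(subject, set())

def cap_allows(caps, subject, obj, right):
    return right in caps.get(subject, {}).get(obj, set())

def acl_revoke_object(acls, obj):
    """Revoking all access to an object under ACLs touches one entry."""
    acls.pop(obj, None)

def cap_revoke_object(caps, obj):
    """Under capabilities the same revocation must visit every subject that
    may hold a token (in a distributed setting, every remote holder)."""
    return [s for s, held in caps.items() if held.pop(obj, None) is not None]

if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print(acl_allows(acls, "Bob", "bill.doc", "write"))   # True
    print(cap_allows(caps, "Alice", "bill.doc", "read"))  # False
    acl_revoke_object(acls, "fun.com")
    print(cap_revoke_object(caps, "fun.com"))             # ['Alice', 'Bob']
```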
In Summary
• Centralized systems: ACLs are better
• Distributed systems: Capabilities are better
Example: Android Security/Permissions
Android Security Model
• Application-level permissions model
  • Controls access to app components
  • Controls access to system resources
  • Specified by the app writers and seen by the users
• Kernel-level sandboxing and isolation
  • Isolates apps from each other and the system
  • Prevents bypass of application-level controls
  • Relies on Linux Discretionary Access Control (DAC)
  • Normally invisible to the users and app writers
Discretionary Access Control (DAC)
• Typical form of access control in Linux
• Access to data is entirely at the discretion of the owner/creator of the data
• Some processes (e.g., uid 0) can override it, and some objects (e.g., sockets) are unchecked
• Based on user & group identity
• Limited granularity, coarse-grained privilege
Android and DAC
• Restrict use of system facilities by apps
  • e.g., bluetooth, network, storage access
  • requires kernel modifications, “special” group IDs
• Isolate apps from each other
  • unique user and group ID per installed app
  • assigned to app processes and files
• Hardcoded, scattered “policy”
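To make the two DAC slides concrete, here is an added Python model (not from the lecture, and not Android's code) of the owner/group/other check, the uid 0 override, the per-app uid that isolates one app's files from another, and a "special" group id gating the network facility. The group id value, the app uid range and all names are constructed for the example.

```python
# Added example (not from the lecture): a model of the Linux DAC check the
# slides describe, and of how Android reuses it to sandbox apps (one uid per
# installed app) and to gate system facilities through "special" group ids.
# The group id, app uid range and names below are constructed for the example.
from dataclasses import dataclass, field

ROOT = 0
GID_NET = 3003          # constructed "network" group: members may use sockets
FIRST_APP_UID = 10000   # constructed start of the per-app uid range

@dataclass
class Process:
    uid: int
    gids: set = field(default_factory=set)

@dataclass
class File:
    owner_uid: int
    group_gid: int
    mode: int           # classic rwxrwxrwx permission bits, e.g. 0o600

def dac_permits(proc, f, want):
    """DAC: the caller's uid/gids select the owner, group or other bits."""
    mask = {"r": 4, "w": 2, "x": 1}[want]
    if proc.uid == ROOT:                # uid 0 overrides the bits ...
        return want != "x" or bool(f.mode & 0o111)  # ... except exec with no x bit
    if proc.uid == f.owner_uid:
        bits = (f.mode >> 6) & 7
    elif f.group_gid in proc.gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bool(bits & mask)

def may_open_socket(proc):
    """Android-style gating of the network facility by a special group id."""
    return proc.uid == ROOT or GID_NET in proc.gids

def install_app(uids_in_use, wants_network):
    """Each installed app gets a fresh uid of its own; its files use that uid,
    so another app's process falls into the 'other' bits of a 0o600 file."""
    uid = max(uids_in_use, default=FIRST_APP_UID - 1) + 1
    uids_in_use.add(uid)
    return Process(uid, {GID_NET} if wants_network else set())
```

Installing two apps and giving the first a 0o600 file shows the isolation: the owner reads it, the second app's uid is refused, and uid 0 still reads it.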
Security Enhanced (SE) Linux: What is it?
• Mandatory Access Control (MAC) for Linux
• Defines and enforces a system-wide security policy
  • Over all processes, objects, and operations
  • Based on security labels
• Can confine flawed and malicious applications
  • Even ones that run as “root”/uid 0
• Can prevent privilege escalation
How Can SELinux Help Android?
• Confine privileged daemons
  • Protect them from misuse
  • Limit the damage that can be done via them
• Sandbox and isolate apps
  • Strongly separate apps from each other and from the system
  • Prevent privilege escalation by apps
• Provide centralized, analyzable policy
Security Enhanced (SE) Linux in Android
More details at: http://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf
ROLE BASED ACCESS CONTROL (RBAC)
RBAC Basics
• Users are associated with roles
• Roles are associated with permissions
• A user has a permission only if s/he has a role associated with that permission
Example: The Three Musketeers (User/Permission Association)
[Figure: users Athos, Aramis, Porthos linked directly to the permissions palace, uniform, weapons]

Example: The Three Musketeers (RBAC)
[Figure: Athos, Porthos, Aramis are assigned the role Musketeer, which holds the permissions palace, uniform, weapons; beside it, the direct user/permission links that the role replaces]

Example: The Three Musketeers (RBAC)
[Figure: the same role diagram next to the direct user/permission links]
Here RBAC doesn't work …

Example: D'Artagnan becomes a Musketeer
[Figure: assigning D'Artagnan the role Musketeer gives him palace, uniform, weapons, compared with linking him directly to each of the three permissions]
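As an added example (not from the lecture), the Musketeers model in Python: users are linked to roles and roles to permissions, a user's effective permissions are the union over their roles, and adding D'Artagnan takes one role assignment instead of three permission grants. The closing check, where a user needs only weapons and no existing role matches, is a constructed reading of the "RBAC doesn't work" slide.

```python
# Added example (not from the lecture): the Musketeers RBAC model from the
# slides. Users are linked to roles and roles to permissions; a user holds a
# permission only through some role. The "needs only weapons" case at the end
# is a constructed reading of the slide where a single role stops fitting.

class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> set of permissions
        self.user_roles = {}   # user -> set of roles

    def add_role(self, role, *perms):
        self.role_perms.setdefault(role, set()).update(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        """Union of the permissions of every role the user holds."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_perms[r] for r in roles))

    def check(self, user, perm):
        return perm in self.permissions(user)

    def roles_fitting(self, wanted):
        """Roles whose permission set is exactly `wanted`. An empty result is
        the slides' 'RBAC doesn't work' case: no role matches what the user
        needs, so a new role (or a split of an existing one) is required."""
        return [r for r, p in self.role_perms.items() if p == set(wanted)]

def musketeers():
    ac = RBAC()
    ac.add_role("Musketeer", "palace", "uniform", "weapons")
    for user in ("Athos", "Porthos", "Aramis"):
        ac.assign(user, "Musketeer")
    return ac

if __name__ == "__main__":
    ac = musketeers()
    print(ac.check("D'Artagnan", "palace"))   # False: no role yet
    ac.assign("D'Artagnan", "Musketeer")      # one assignment ...
    print(ac.permissions("D'Artagnan"))       # ... grants all three
    print(ac.roles_fitting({"weapons"}))      # []: no role fits "weapons only"
```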