
Lecture 15: Access Control - PowerPoint PPT Presentation



  1. Lecture 15: Access Control

  2. Recall: Security Services
     • Confidentiality: to assure information privacy and secrecy
     • Authentication: to assert who created or sent data
     • Integrity: to show that data has not been altered
     • Access Control: to prevent misuse of resources
     • Availability: to offer access to resources, permanence, non-erasure
       Examples of attacks on availability:
       – Denial of Service (DoS) attacks, e.g., against a name server
       – Malware that deletes or encrypts files

  3. Access Control (AC)
     • A "language" for expressing access control policies: who can access what, how and when …
     • Enforcement of access control:
       – Identify all resources (objects) and their granularity
       – Identify all potential users (subjects)
       – Specify rules for subject/object interaction
       – Guard them in real time

  4. Model and Terminology
     • Subjects: users or processes
     • Objects: resources (files, memory, printers, routers, plotters, disks, processes, etc.)

  5. Focus of Access Control
     • What a subject is allowed to do
     • What may be done with an object

  6. Access Modes
     • "Look" at an object, e.g.: read a file, check the printer queue, print a remote screen, query a database, etc.
     • "Change" an object, e.g.: write/append/erase a file, print or fax, display on screen, etc.

  7. Access Rights: execute, read, append, and write
     Each right is characterised by whether it lets the subject observe the object, alter it, both, or neither:

                 Execute   Append   Read   Write
        Observe                      X      X
        Alter               X               X

  8. UNIX/Linux/*ix Operating Systems
     • execute: execute a (program) file; search a directory
     • read: read from a file; list a directory
     • write: write (re-write or append) a file; create or rename a file in a directory

  9. Example: Windows NT/2000 (NTFS)
     • execute
     • read
     • write
     • delete
     • change permission
     • change ownership

  10. AC Types
     Who is in charge of setting the AC policy?
     • Discretionary: the resource owner
     • Mandatory: a system-wide policy

  11. Access Control Structures
     i. Access Control Matrix
     ii. Capabilities
     iii. Access Control Lists

  12. Access Control Matrix
     Rows are subjects, columns are objects, each cell is the set of rights (an empty cell means no access):

        Subject \ Object   Bill.doc        Edit.exe     Fun.com
        Alice              ∅               {execute}    {execute, read}
        Bob                {read, write}   {execute}    {execute, read, write}

  13. Access Control Lists 1/2
     Keep the access rights to an object with that object (one column of the matrix):
     • ACL for bill.doc: Bob: read, write
     • ACL for edit.exe: Alice: execute; Bob: execute
     • ACL for fun.com: Alice: execute, read; Bob: execute, read, write
     • As many ACLs as there are objects
     • Each ACL either signed or stored in a protected place
     • Hard to manage

  14. Access Control Lists 2/2
     • Managing access rights can be difficult
     • Groups can be helpful …
     • Groups simplify the definition of access control policies

  15. Access Control Lists
     (Diagram: subjects S1, S2, S3 and a group G1 on one side, objects O1 to O5 on the other; a subject reaches an object either directly or through its membership in G1.)

  16. Capabilities 1/2
     • Capabilities are associated with discretionary access control
     • Reason: it is difficult to get a full view of who has permission to access an object
     • Very difficult to revoke a capability (owners/objects have to keep track of all issued capabilities)
     • As many capabilities as there are subject/object pairs
     • Each capability either signed or otherwise protected
     • Hard to revoke in a distributed setting

  17. Capabilities 2/2
     Keep the access rights with the subject (one row of the matrix):
     • Alice's capabilities: [edit.exe: execute]; [fun.com: execute, read]
     • Bob's capabilities: [bill.doc: read, write]; [edit.exe: execute]; [fun.com: execute, read, write]

  18. In Summary
     • Centralized systems: ACLs are better
     • Distributed systems: capabilities are better
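The matrix of slide 12 and its two decompositions, ACLs (slide 13) and capabilities (slides 16 and 17), as an added worked example. This code is not from the lecture slides; the subjects, objects and rights are the ones on the slides, while the function names are mine. It makes the trade-off of slides 16 and 18 concrete: answering "who can access this object?" or revoking every right to it is one lookup when rights live with the object, but a scan over every subject when rights live with the subject.

```python
"""Access control matrix (slide 12) and its two decompositions, ACLs (slide 13)
and capabilities (slides 16-17).  Example code added to this lecture
transcript, not part of the original slides: the subjects, objects and
rights are the ones on the slides; the function names are mine."""

from typing import Dict, FrozenSet

Rights = FrozenSet[str]
Matrix = Dict[str, Dict[str, Rights]]   # matrix[subject][object] = rights

# The matrix from slide 12 (an empty cell means no access at all).
MATRIX: Matrix = {
    "Alice": {
        "bill.doc": frozenset(),
        "edit.exe": frozenset({"execute"}),
        "fun.com":  frozenset({"execute", "read"}),
    },
    "Bob": {
        "bill.doc": frozenset({"read", "write"}),
        "edit.exe": frozenset({"execute"}),
        "fun.com":  frozenset({"execute", "read", "write"}),
    },
}


def to_acls(matrix: Matrix) -> Matrix:
    """Column view: one ACL per object, stored with the object (acls[obj][subject])."""
    acls: Matrix = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:                      # empty cells are simply absent from the ACL
                acls.setdefault(obj, {})[subject] = rights
    return acls


def to_capabilities(matrix: Matrix) -> Matrix:
    """Row view: one capability list per subject (caps[subject][obj])."""
    return {s: {o: r for o, r in row.items() if r} for s, row in matrix.items()}


def acl_check(acls: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference monitor over ACLs: find the object's list, then the subject's entry."""
    return right in acls.get(obj, {}).get(subject, frozenset())


def cap_check(caps: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference monitor over capabilities: the subject presents its own list."""
    return right in caps.get(subject, {}).get(obj, frozenset())


def who_can_access(acls: Matrix, obj: str) -> set:
    """'Who may touch this object?' is a single lookup when rights live with the object."""
    return set(acls.get(obj, {}))


def who_can_access_caps(caps: Matrix, obj: str) -> set:
    """The same question under capabilities needs a scan of every subject's list
    (slide 16: hard to get a full view of who has permission)."""
    return {s for s, held in caps.items() if obj in held}


def acl_revoke_object(acls: Matrix, obj: str) -> int:
    """Revoking all access to an object under ACLs touches one list."""
    return 1 if acls.pop(obj, None) is not None else 0


def cap_revoke_object(caps: Matrix, obj: str) -> int:
    """Under capabilities every holder must be visited, because nothing indexes
    them by object; the return value counts the subjects that had to be updated."""
    touched = 0
    for held in caps.values():
        if held.pop(obj, None) is not None:
            touched += 1
    return touched


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print("Bob may write bill.doc (ACL view):", acl_check(acls, "Bob", "bill.doc", "write"))
    print("Alice may write fun.com (cap view):", cap_check(caps, "Alice", "fun.com", "write"))
    print("Subjects with any right on edit.exe:", sorted(who_can_access(acls, "edit.exe")))
    print("Revoking fun.com via capabilities touched", cap_revoke_object(caps, "fun.com"), "subjects")
```

Both views answer a single "may subject S do R to object O?" query equally fast; they differ in which bulk operations are cheap. In a distributed system the capability view wins because a subject can carry a signed capability to a remote object without the object's server consulting a central list, which is the point of slide 18, at the price of the revocation cost that `cap_revoke_object` makes visible.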

  19. Example: Android Security/Permissions 19

  20. Android Security Model
     • Application-level permissions model
       – Controls access to app components
       – Controls access to system resources
       – Specified by the app writers and seen by the users
     • Kernel-level sandboxing and isolation
       – Isolates apps from each other and from the system
       – Prevents bypass of the application-level controls
       – Relies on Linux Discretionary Access Control (DAC)
       – Normally invisible to the users and app writers

  21. Discretionary Access Control (DAC)
     • The typical form of access control in Linux
     • Access to data is entirely at the discretion of the owner/creator of the data
     • Some processes (e.g., uid 0) can override it, and some objects (e.g., sockets) are unchecked
     • Based on user and group identity
     • Limited granularity, coarse-grained privilege

  22. Android and DAC
     • Restrict use of system facilities by apps
       – e.g., Bluetooth, network, storage access
       – requires kernel modifications and "special" group IDs
     • Isolate apps from each other
       – a unique user and group ID per installed app
       – assigned to the app's processes and files
     • Hardcoded, scattered "policy"
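The UNIX DAC rule of slide 8, with the uid 0 override of slide 21 and the one-uid-per-app layout of slide 22, as an added worked example. This is not code from the slides or from any kernel; it is a model of the check. The file tree, uids and gids are constructed for the example: uid 1000 stands in for the system user, uids 10001 and 10002 for two installed apps, and gid 1050 is an assumed "special" group that gates a shared log. The example shows the two points a practitioner trips over: execute on a directory means search (so an app can traverse `/data` without being able to list it), and root bypasses read/write checks but still cannot execute a file with no execute bit.

```python
"""UNIX discretionary access control as described on slides 8, 21 and 22:
permission bits on the object, owner/group identity on the subject, with
execute on a directory meaning "search" and uid 0 overriding the check.
Example code added to this transcript, not from the slides or from any
kernel; the file tree, uids and gids below are constructed to mimic Android's
one-uid-per-app layout (slide 22) and a "special" group id for a shared
facility.  It is a model of the rule, not the kernel's implementation."""

import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, Set


@dataclass
class Inode:
    mode: int   # file type bits | permission bits, e.g. stat.S_IFREG | 0o640
    uid: int
    gid: int


@dataclass
class Process:
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()   # supplementary groups


# Constructed sample tree.  uid 1000 plays the system user, 10001/10002 two
# installed apps, gid 1050 an assumed "special" group that gates a shared log.
FS: Dict[str, Inode] = {
    "/":                     Inode(stat.S_IFDIR | 0o755, 0, 0),
    "/data":                 Inode(stat.S_IFDIR | 0o771, 1000, 1000),   # others may search, not list
    "/data/app_a":           Inode(stat.S_IFDIR | 0o700, 10001, 10001),
    "/data/app_a/prefs.xml": Inode(stat.S_IFREG | 0o600, 10001, 10001),
    "/data/app_b":           Inode(stat.S_IFDIR | 0o700, 10002, 10002),
    "/data/app_b/cache.db":  Inode(stat.S_IFREG | 0o660, 10002, 10002),
    "/data/shared":          Inode(stat.S_IFDIR | 0o770, 1000, 1050),
    "/data/shared/log.txt":  Inode(stat.S_IFREG | 0o660, 1000, 1050),
}

BIT = {"r": 4, "w": 2, "x": 1}


def dac_permits(inode: Inode, proc: Process, want: Set[str]) -> bool:
    """Exactly one permission class applies: owner if the uid matches, otherwise
    group if the gid or a supplementary group matches, otherwise 'other'.
    uid 0 bypasses the r/w/x check, except that executing a regular file still
    needs at least one x bit set."""
    if proc.uid == 0:
        if "x" in want and stat.S_ISREG(inode.mode) and not inode.mode & 0o111:
            return False
        return True
    if proc.uid == inode.uid:
        shift = 6
    elif proc.gid == inode.gid or inode.gid in proc.groups:
        shift = 3
    else:
        shift = 0
    granted = (inode.mode >> shift) & 0o7
    need = sum(BIT[w] for w in want)   # want is a set, so each bit is counted once
    return granted & need == need


def ancestors(path: str) -> Iterator[str]:
    """Every directory that must be searched to reach path: '/', then each prefix."""
    parts = path.strip("/").split("/")
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def can_open(fs: Dict[str, Inode], path: str, proc: Process, want: Set[str]) -> bool:
    """Path resolution: x ('search') on every directory on the way, then the
    requested rights on the final object (slide 8)."""
    return all(dac_permits(fs[d], proc, {"x"}) for d in ancestors(path)) \
        and dac_permits(fs[path], proc, want)


APP_A = Process(uid=10001, gid=10001)
APP_B = Process(uid=10002, gid=10002, groups=frozenset({1050}))   # holds the special group
ROOT = Process(uid=0, gid=0)

if __name__ == "__main__":
    print("app_a rw its own prefs:", can_open(FS, "/data/app_a/prefs.xml", APP_A, {"r", "w"}))
    print("app_b read app_a's prefs:", can_open(FS, "/data/app_a/prefs.xml", APP_B, {"r"}))
    print("app_b write shared log (via gid 1050):", can_open(FS, "/data/shared/log.txt", APP_B, {"w"}))
    print("app_a write shared log:", can_open(FS, "/data/shared/log.txt", APP_A, {"w"}))
    print("root read app_a's prefs:", can_open(FS, "/data/app_a/prefs.xml", ROOT, {"r"}))
```

The "special" group is exactly the mechanism slide 22 calls hardcoded, scattered policy: whether app_b may write the shared log is decided by a gid in its process credentials and a mode on one directory, with nothing that ties the two together or can be audited as a whole. That is the gap slide 23's labels and system-wide policy are meant to close.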

  23. Security Enhanced (SE)Linux: What is it?
     • Mandatory Access Control (MAC) for Linux
     • Defines and enforces a system-wide security policy
       – over all processes, objects, and operations
       – based on security labels
     • Can confine flawed and malicious applications
       – even ones that run as "root"/uid 0
     • Can prevent privilege escalation

  24. How Can SELinux Help Android?
     • Confine privileged daemons
       – protect them from misuse
       – limit the damage that can be done via them
     • Sandbox and isolate apps
       – strongly separate apps from each other and from the system
       – prevent privilege escalation by apps
     • Provide a centralized, analyzable policy

  25. Security Enhanced (SE)Linux in Android
     More details at: http://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf

  26. Role-Based Access Control (RBAC)

  27. RBAC Basics
     • Users are associated with roles
     • Roles are associated with permissions
     • A user has a permission only if s/he has a role associated with that permission

  28. Example: The Three Musketeers (User/Permission Association)
     (Diagram: the users Athos, Aramis and Porthos linked directly to the permissions palace, uniform and weapons.)

  29. Example: The Three Musketeers (RBAC)
     (Diagram: Athos, Porthos and Aramis are assigned the role Musketeer, which carries the permissions palace, uniform and weapons; alongside, the equivalent direct user/permission association from slide 28.)

  30. Example: The Three Musketeers (RBAC)
     (Same diagram as slide 29.)

  31. Example: The Three Musketeers (RBAC)
     (Diagram: the Musketeer role with palace, uniform and weapons, next to a direct user/permission association that the single role no longer matches.)
     Here RBAC doesn't work …

  32. Example: D'Artagnan becomes a Musketeer
     (Diagram: D'Artagnan is assigned the role Musketeer and thereby obtains palace, uniform and weapons; alongside, the same grant written as a direct user/permission association.)
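The RBAC model of slides 27 to 32 as an added worked example. This is not code from the slides: the users, the Musketeer role and the three permissions are the slides', while the `RBAC` class, its method names, the second role used in the repair and the "exception" association used to illustrate slide 31 are mine. The slide itself does not say which user lacks which permission, so the example assumes Aramis without weapons; the point it demonstrates is the same for any single exception: one shared role cannot express it, a second role can, and adding D'Artagnan (slide 32) is one assignment rather than three grants.

```python
"""Role-based access control from slides 27-32: users are assigned roles,
roles hold permissions, and a user has a permission only through a role.
Example code added to this transcript, not part of the slides: the users,
role and permissions are the slides' Musketeers; the class and method names,
the second role, and the 'exception' association used for slide 31 are mine."""

from collections import defaultdict
from typing import Dict, Set


class RBAC:
    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)   # user -> roles
        self.role_perms: Dict[str, Set[str]] = defaultdict(set)   # role -> permissions

    def grant(self, role: str, *perms: str) -> None:
        self.role_perms[role].update(perms)

    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def unassign(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def permissions(self, user: str) -> Set[str]:
        """Permissions reach a user only via roles; there is no per-user grant."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)

    def reproduces(self, direct: Dict[str, Set[str]]) -> bool:
        """Does this role structure yield exactly the given direct
        user/permission association (the table of slide 28)?"""
        return all(self.permissions(u) == p for u, p in direct.items())


# Slide 28: the direct user/permission association.
DIRECT = {
    "Athos":   {"palace", "uniform", "weapons"},
    "Porthos": {"palace", "uniform", "weapons"},
    "Aramis":  {"palace", "uniform", "weapons"},
}

# Assumed variant for slide 31 ("here RBAC doesn't work"): one user lacks one
# permission, which a single shared role cannot express.
DIRECT_EXCEPTION = {**DIRECT, "Aramis": {"palace", "uniform"}}


def musketeers() -> RBAC:
    """Slides 29-30: one role, Musketeer, assigned to all three."""
    rbac = RBAC()
    rbac.grant("Musketeer", "palace", "uniform", "weapons")
    for user in DIRECT:
        rbac.assign(user, "Musketeer")
    return rbac


def musketeers_split() -> RBAC:
    """The usual repair for the slide-31 case: factor the differing permission
    into a second role (role names are mine) and assign it selectively."""
    rbac = RBAC()
    rbac.grant("Musketeer", "palace", "uniform")
    rbac.grant("Armed", "weapons")
    for user, perms in DIRECT_EXCEPTION.items():
        rbac.assign(user, "Musketeer")
        if "weapons" in perms:
            rbac.assign(user, "Armed")
    return rbac


if __name__ == "__main__":
    r = musketeers()
    print("Porthos -> weapons:", r.allowed("Porthos", "weapons"))
    print("single role reproduces slide 28:", r.reproduces(DIRECT))
    print("single role reproduces the exception:", r.reproduces(DIRECT_EXCEPTION))
    print("two roles reproduce the exception:", musketeers_split().reproduces(DIRECT_EXCEPTION))
    r.assign("D'Artagnan", "Musketeer")        # slide 32
    print("D'Artagnan ->", sorted(r.permissions("D'Artagnan")))
```

`reproduces` is the check worth keeping when migrating an existing per-user permission table to roles: run it against the table you started from, and every user whose permissions the roles do not match is either a role you have not yet factored out or an exception that should be removed rather than encoded.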
