secure architecture principles
play

Secure Architecture Principles Isolation and Least Privilege - PowerPoint PPT Presentation

Jun 15, 2023 •430 likes •1.03k views

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel and Suman Janna Some slides are from

  1. Secure Architecture Principles • Isolation and Least Privilege • Access Control Concepts • Operating Systems • Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel and Suman Janna Some slides are from Prof. David Mazieres 1

  2. Secure Architecture Principles Isolation and Least Privilege 3

  3. Principles of Secure Design • Compartmentalization – Isolation – Principle of least privilege • Defense in depth – Use more than one security mechanism – Secure the weakest link – Fail securely • Keep it simple 4

  4. Principle of Least Privilege • What’s a privilege? – Ability to access or modify a resource • Assume compartmentalization and isolation – Separate the system into isolated compartments – Limit interaction between compartments • Principle of Least Privilege – A system module should only have the minimal privileges needed for its intended purposes 5

  5. Monolithic design Network Network User input System User device File system File system 6

  6. Monolithic design Network Network User input System User device File system File system 7

  7. Monolithic design Network Network User input System User display File system File system 8

  8. Component design Network Network User input User display File system File system 9

  9. Component design Network Network User input User device File system File system 10

  10. Component design Network Network User input User device File system File system 11

  11. Principle of Least Privilege • What’s a privilege? – Ability to access or modify a resource • Assume compartmentalization and isolation – Separate the system into isolated compartments – Limit interaction between compartments • Principle of Least Privilege – A system module should only have the minimal privileges needed for its intended purposes 12

  12. Example: Mail Agent • Requirements – Receive and send email over external network – Place incoming email into local user inbox files • Sendmail – Traditional Unix – Monolithic design – Historical source of many vulnerabilities • Qmail – Compartmentalized design 13

  13. OS Basics (before examples) • Isolation between processes – Each process has a UID • Two processes with same UID have same permissions – A process may access files, network sockets, …. • Permission granted according to UID • Relation to previous terminology – Compartment defined by UID – Privileges defined by actions allowed on system resources 14

  14. Qmail design • Isolation based on OS isolation – Separate modules run as separate “users” – Each user only has access to specific resources • Least privilege – Minimal privileges for each UID – Only one “ setuid ” program • setuid allows a program to run as different users – Only one “root” program • root program has all privileges 15

  15. Structure of qmail qmail-smtpd qmail-inject qmail-queue Incoming internal mail Incoming external mail qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local 16

  16. Isolation by Unix UIDs qmailq – user who is allowed to read/write mail queue qmaild user qmailq qmail-smtpd qmail-inject qmail-queue qmail-send qmailr qmails root qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local 17

  17. Structure of qmail qmail-smtpd qmail-inject qmail-queue Reads incoming mail directories Splits message into header, body Signals qmail-send qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local 18

  18. Structure of qmail qmail-smtpd qmail-inject qmail-queue qmail-send signals • qmail-lspawn if local • qmail-remote if remote qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local 19

  19. Structure of qmail qmail-smtpd qmail-inject qmail-queue qmail-send qmail-lspawn qmail-lspawn • Spawns qmail-local • qmail-local runs with ID of user receiving local mail qmail-local 20

  20. Structure of qmail qmail-smtpd qmail-inject qmail-queue qmail-send qmail-lspawn qmail-local • Handles alias expansion • Delivers local mail • Calls qmail-queue if needed qmail-local 21

  21. Structure of qmail qmail-smtpd qmail-inject qmail-queue qmail-send qmail-rspawn qmail-remote • Delivers message to remote MTA qmail-remote 22

  22. Isolation by Unix UIDs qmailq – user who is allowed to read/write mail queue qmaild user qmailq qmail-smtpd qmail-inject qmail-queue setuid qmail-send qmailr qmails root root qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local 23

  23. Least privilege qmail-smtpd qmail-inject qmail-queue setuid qmail-send qmail-rspawn qmail-lspawn root qmail-remote qmail-local 24

  24. Qmail summary • Security goal? • Threat model? • Mechanisms – Least privilege – Separation 25

  25. Secure Architecture Principles Access Control Concepts 29

  26. Access control • Assumptions – System knows who the user is • Authentication via name and password, other credential – Access requests pass through gatekeeper (reference monitor) • System must not allow monitor to be bypassed Reference monitor User ? Resource process access request policy 30

  27. Access control matrix [Lampson] Objects File 1 File 2 File 3 … File n User 1 read write - - read User 2 write write write - - Subjects User 3 - - - read read (Principal) … User m read write read write read 31

  28. Implementation concepts File 1 File 2 … • Access control list (ACL) User 1 read write - – Store column of matrix User 2 write write - with the resource User 3 - - read • Capability – User holds a “ticket” for … each resource User m Read write write – Two variations • store row of matrix with user, under OS control • unforgeable ticket in user space Access control lists are widely used, often with groups Some aspects of capability concept are used in many systems 32

  29. ACL vs Capabilities • Access control list – Associate list with each object – Check user/group against list – Relies on authentication: need to know user • Capabilities – Capability is unforgeable ticket • Random bit sequence, or managed by OS • Can be passed from one process to another – Reference monitor checks ticket • Does not need to know identify of user/process 33

  30. ACL vs Capabilities User U Capability c,d,e Process P Process P User U Capability c,e Process Q Process Q User U Capability c Process R Process R 34

  31. ACL vs Capabilities • Delegation – Cap: Process can pass capability at run time – ACL: Try to get owner to add permission to list? • More common: let other process act under current user • Revocation – ACL: Remove user or group from list – Cap: Try to get capability back from process? • Possible in some systems if appropriate bookkeeping – OS knows which data is capability – If capability is used for multiple resources, have to revoke all or none … • Indirection: capability points to pointer to resource – If C → P → R, then revoke capability C by setting P=0 35

  32. Roles (aka Groups) • Role = set of users – Administrator, PowerUser, User, Guest – Assign permissions to roles; each user gets permission • Role hierarchy – Partial order of roles Administrator – Each role gets PowerUser permissions of roles below – List only new permissions User given to each role Guest 37

  33. Role-Based Access Control Individuals Roles Resources Server 1 engineering Server 2 marketing Server 3 human res Advantage: users change more frequently than roles 38

  34. ACL vs Capabilities vs RBAC • Capability? ACL? RBAC? – I hereby delegate to David the right to read file 4 from 9am to 1pm – I want to give read and write right of a file to Alice – I guaranteed that Charlie will have the same authority as me when accessing a file – A person in the financial team can perform “create a credit account transaction” in a financial application – a nurse shall have access to all the patients who are on her ward, or who have been there in the last 90 days 39

  35. Access control summary • Access control involves reference monitor – Check permissions:  user info, action → yes/no – Important: no way around this check • Access control matrix – Access control lists vs capabilities – Advantages and disadvantages of each • Role-based access control – Use group as “user info”; use group hierarchies 40

  36. Secure Architecture Principles Access Control in UNIX 41

  37. Unix access control File 1 File 2 … User 1 read write - • Process has user id User 2 write write - – Inherit from creating process User 3 - - read – Process can change id … • Restricted set of options User m Read write write – Special “root” id • All access allowed • File has access control list (ACL) – Grants permission to user ids – Owner, group, other 42

  38. Unix file access control list • Each file has owner and group • Permissions set by owner setid – Read, write, execute - rwx rwx rwx – Owner, group, other ownr grp othr – Represented by vector of four octal values • Only owner, root can change permissions – This privilege cannot be delegated or shared • Setid bits – Discuss in a few slides 43

Recommend

A Secure Softw are A Secure Softw are Architecture Architecture Description Language

A Secure Softw are A Secure Softw are Architecture Architecture Description Language

A Secure Softw are A Secure Softw are Architecture Architecture Description Language Description Language Jie Ren, Richard N. Taylor Department of Informatics University of California, Irvine Software Security Assurance Tools, Techniques,

354 views • 22 slides
Main principles of secure OS

Main principles of secure OS

Main principles of secure OS Trusted Flexible Secure Versatile modular Internet security

490 views • 26 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets say basically the same thing Confinement, non-VM isolation Library operating systems Sandboxes Program modification Covert

584 views • 30 slides
Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles Introduction to Computer Security Day 7: Defensive programming and design, part 1 Software engineering for security Stephen McCamant Announcements

355 views • 7 slides
Principles for Secure Software Following these doesnt guarantee security But they touch

Principles for Secure Software Following these doesnt guarantee security But they touch

Principles for Secure Software Following these doesnt guarantee security But they touch on the most commonly seen security problems Thinking about them is likely to lead to more secure code Lecture 13 Page 1 CS 236 Online 1.

439 views • 22 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff & Kenneth R. Van Wyk

753 views • 17 slides
Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM

Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM

Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM Implementation of for Mobile Devices for Mobile Devices Sang- -bum bum Suh Suh Sang sbuk.suh@samsung.com sbuk.suh@samsung.com SW Laboratories SW

598 views • 48 slides
Single-Source Architecture Principles Single-Source Architecture is strategy for building websites

Single-Source Architecture Principles Single-Source Architecture is strategy for building websites

Single-Source Architecture David Kirkwood, DrupalCon 2018, Nashville Single-Source Architecture Principles Single-Source Architecture is strategy for building websites in an iterative manner Each sub-site is distinct to the others o Content o

269 views • 3 slides
Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

CSE 127: Computer Security Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles for building secure systems Understand mechanisms used to build secure systems Principles of secure design

1.1k views • 64 slides
Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Secure Architecture Principles Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure Information Flow (CACM 1976) Review Access Control Discretionary access control (DAC) Philosophy: users have

321 views • 16 slides
The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve

The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve

The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve Weingart Senior Engineer (561) 392 6100 c1shw@us.ibm.com Secure Systems and Smart Cards IBM T.J. Watson Research Center Hawthorne, NY 4758 PCI

386 views • 11 slides
Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design principles Introduction to Computer Security Software engineering for security Defensive programming 2 (combined lecture) Announcements intermission

632 views • 9 slides
Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer

Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer

1 Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer and Schroeder (1975) defined 8 principles that are based on the ideas of simplicity and restriction are based on the ideas of simplicity and

468 views • 17 slides
Principles for secure implementation Some of the slides and content are from Mike Hicks

Principles for secure implementation Some of the slides and content are from Mike Hicks

Principles for secure implementation Some of the slides and content are from Mike Hicks Coursera course Trusted computing bases Every system has a TCB Your reference monitor Compiler OS CPU Memory Keyboard..

1.61k views • 143 slides
Outline More secure design principles Software engineering for security CSci 5271 Introduction

Outline More secure design principles Software engineering for security CSci 5271 Introduction

Outline More secure design principles Software engineering for security CSci 5271 Introduction to Computer Security Secure use of the OS Defensive programming and design, contd Announcements intermission Stephen McCamant Bernsteins

535 views • 8 slides
Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Making secure software Flawed approach : Design and build software, and ignore security at first Add security once

1.27k views • 109 slides
Overview General Principles of Pipelining Goal Computer Architecture: Pipelining

Overview General Principles of Pipelining Goal Computer Architecture: Pipelining

Overview General Principles of Pipelining Goal Computer Architecture: Pipelining Difficulties Creating a Pipelined Y86-64 Processor CSci 2021: Machine Architecture and Organization Rearranging SEQ March 25th-27th, 2020 Inserting

558 views • 6 slides
Learning outcomes First session Overview of IT architecture principles; modularization, loose

Learning outcomes First session Overview of IT architecture principles; modularization, loose

Platforms and Architecture Bendik Bygstad IN5210 INFORMATION SYSTEMS SEPT 18, 2017 Learning outcomes First session Overview of IT architecture principles; modularization, loose coupling etc. Understand the technical and economic

731 views • 20 slides
Principles and Techniques of Evolutionary Architecture Rebecca Parsons Chief Technology O ffi cer

Principles and Techniques of Evolutionary Architecture Rebecca Parsons Chief Technology O ffi cer

Principles and Techniques of Evolutionary Architecture Rebecca Parsons Chief Technology O ffi cer ThoughtWorks Agenda Why should I care? De fi nition of Evolutionary Architecture Principles of evolutionary architecture Techniques of evolutionary

256 views • 23 slides
Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Flawed approach : Design and build software, and ignore security at first Add security once the functional

830 views • 70 slides
Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Flawed approach : Design and build software, and ignore security at first Add security once the functional

2.04k views • 152 slides
1 2 Security Authentication Principles 3 4 Hypertext Transfer Cryptography Protocol Secure

1 2 Security Authentication Principles 3 4 Hypertext Transfer Cryptography Protocol Secure

Chapter 18 1 2 Security Authentication Principles 3 4 Hypertext Transfer Cryptography Protocol Secure (HTTPS) 5 6 Security Best Common Practices Threat Vectors 7 Summary Fundamentals of Web Development - 2 nd Ed. Randy Connolly

603 views • 14 slides
Service Oriented Architecture: Principles and Practice Dr Mark Little Technical Development

Service Oriented Architecture: Principles and Practice Dr Mark Little Technical Development

Service Oriented Architecture: Principles and Practice Dr Mark Little Technical Development Manager, Red Hat Overview Evolution of distributed systems SOA principles Relationship to Web Services The Enterprise Service Bus

1.71k views • 152 slides

More recommend