t owards access control for isolated applications secrypt
play

+ T owards Access Control for Isolated Applications SECRYPT 2016, - PowerPoint PPT Presentation

Feb 15, 2024 •303 likes •731 views

+ T owards Access Control for Isolated Applications SECRYPT 2016, Lisbon, Portugal Kirill Belyaev and Indrakshi Ray Computer Science Department Colorado State University Fort Collins, CO, USA + 2 Introduction Growing trends Modern

  1. + T owards Access Control for Isolated Applications SECRYPT 2016, Lisbon, Portugal Kirill Belyaev and Indrakshi Ray Computer Science Department Colorado State University Fort Collins, CO, USA

  2. + 2 Introduction Growing trends  Modern single machine instance can deploy large number of application and data services  UNIX based OS is a good candidate  Services can be deployed within Isolated Runtime Environments (IRE)  IRE can have all the necessary libraries for service deployment

  3. + 3 Introduction Sample deployment (1)  Single data service can be partitioned into several components

  4. + 4 Introduction Sample deployment (2)  Single OS node can host multiple multi-component data services

  5. + 5 Problem Limitations of OS Access Control  Linux OS has no concept of application-level Access Control

  6. + 6 Problem Privilege escalation  Applications deployed with super-user privileges make them not bound to normal Access Control rules

  7. + 7 Problem Limitations of UNIX IPC  UNIX System V Inter-Process Communication (IPC) does not ofger regulated way of inter-application interaction

  8. + 8 Motivation  How to provide Access Control (AC) at the granularity of individual applications?  How to confjne applications with minimum privileges without running them with super user privileges?  How to enable controlled application interaction across isolated runtime environments (IREs) without reliance on conventional UNIX IPC mechanisms?  How to provide manageable user-space AC interface for a large number of data services?

  9. + 9 Proposed Contributions  Develop a novel object-oriented framework for application- level AC in Linux:  Capabilities Policy Class Model – enables management and enforcement of application-level resource control  Communication Policy Class Model – enables management and enforcement of controlled inter-application interaction across isolated runtime environments  Unifjed framework – combines both models in a unifjed abstraction

  10. + 10 Proposed Contributions Unifjed Framework  2 types of policy classes to provide application-level Access Control

  11. + 11 Outline  Capabilities Policy Class Model  Communication Policy Class Model  Architecture  Proposed Evaluation

  12. + Capabilities Policy Class Model 12

  13. + Capabilities Policy Class Model 13 What we have  Access to OS/hardware resources is managed through kernel-space Linux (POSIX) capabilities  Capabilities split up super user privileges into independent fragments  Capabilities can manage resource control on the principle of least privilege  No user-friendly management layer to manage capabilities

  14. + Capabilities Policy Class Model 14 Sample capabilities  Linux capabilities for instance include:  CAP_AUDIT_CONTROL - Enable and disable kernel auditing; change auditing fjlter rules; retrieve auditing status and fjltering rules  CAP_DAC_OVERRIDE - Bypass fjle read, write, and execute permission checks  CAP_IPC_LOCK - Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2))  CAP_NET_ADMIN - Perform various network-related operations such as: interface confjguration; administration of IP fjrewall, masquerading, and accounting; modify routing tables; bind to any address for transparent proxying; set type-of-service (TOS); clear driver statistics; set promiscuous mode; enabling multicasting; use setsockopt(2) to set the advanced socket options  CAP_SYS_BOOT - Use reboot(2) and kexec_load(2) system calls

  15. + Capabilities Policy Class Model 15 What we need  Capabilities could be grouped into various policy classes

  16. + Capabilities Policy Class Model 16 Operations  The following high-level operations are proposed:  create a capabilities policy class  add/remove capabilities to/from a policy class  show capabilities in a policy class  add/remove applications to/from a policy class  show/count apps in a policy class

  17. + Capabilities Policy Class Model 17 Sample usage  Here is how the model is used in practice:  SHOW_CAPABILITIES;  SHOW_POLICY_CLASSES;  CREATE_POLICY_CLASS 1 general_applications_policy_class;  ADD_POLICY_CLASS_POLICY 1 CAP_KILL;  ADD_POLICY_CLASS_POLICY 1 CAP_CHOWN;  MOVE_APP_TO_POLICY_CLASS / containers/A / apps / app-A 1;  REMOVE_POLICY_CLASS_POLICY 1 CAP_CHOWN;  SHOW_POLICY_CLASS_POLICIES 1;  SHOW_POLICY_CLASS_APPS 1;

  18. + Communication Policy Class Model 18

  19. + Communication Policy Class Model 19 What we have  A group of applications (service components) may provide a single data service  A single application can be partitioned into a set of compartments  Applications in separate isolated runtime environments (IREs) need to communicate  Communication often involves: sharing data objects  Exchanging control objects 

  20. + Communication Policy Class Model 20 What we need  Provide bidirectional replication of data objects  Provide only unidirectional replication of data objects

  21. + Communication Policy Class Model 21 T ypes of Communication  Group of applications (service components) may:  Coordinate - exchange of coordination messages  Collaborate - share mutual data objects via replication

  22. + Communication Policy Class Model 22 Properties  Group of applications can communicate only within the same class

  23. + Communication Policy Class Model 23 Operations  The following high-level operations are proposed:  create a communication policy class  add/remove applications to/from a policy class  show/count apps in a policy class  add/remove associations of an app to request a replica of a data object(s) to/from a policy class  enable/disable application coordination with other application(s) in a policy class

  24. + 24 Architecture

  25. + 25 Architecture System design (1)  Unifjed framework proposed in the form of Linux Policy Machine

  26. + 26 Architecture System design (2)  Unifjed framework stored in the embedded Sqlite database

  27. + 27 Architecture Communication design (1)  Adapt indirect communication paradigm - tuple space to enforce decoupled content-based inter-application interaction

  28. + 28 Architecture Communication design (2) - Limitations  The basic model relies on a global shared RAM tuple space  Has number of issues:  T uple collisions could happen  Wide array of possible security attacks  Overheads of memory utilization  Could be inaccessible due to access control policies  Suitable mainly for a single application with multiple threads

  29. + 29 Architecture Communication design (3) - Adaptation  Personal tuple space per application  Disk/fmash based implementation

  30. + 30 Architecture Communication design (4) - Operations  Propose a set of tentative operations - tuple space calculus:  create tuple space  delete tuple space  read operation - returns the value of individual tuple without afgecting the contents of a tuple space  append operation - adds a tuple without afgecting existing tuples in a tuple space  take operation - returns a tuple while removing it from a tuple space

  31. + 31 Architecture Communication design (5) - Patterns  Application allowed to perform all calculus operations  Policy Machine restricted to read and append operations

  32. + 32 Architecture Communication design (6) – T uple T ypes  Control tuples - provide the instructions about coordination or sharing  Content tuples - mechanism by which data gets shared across applications

  33. + 33 Architecture Communication design (7) – Collaborative Transaction  Policy machine periodically checks for the presence of control tuples

  34. + 34 Architecture Communication design (8) – Coordinative T ransaction  Policy machine periodically checks for the presence of control tuples

  35. + 35 Proposed Evaluation  Capabilities policy classes do not incur performance overhead  no extra disk I/O aside from the I/O load of the base system  no additional memory utilization  Communication policy classes are resource intensive  Evaluate performance with integrated tuple space controller: Sizes of mediated data Number of communicating objects applications Disk I/O utilization Disk I/O utilization CPU utilization CPU utilization RAM utilization RAM utilization

  36. + 36 Summary  Unifjed Framework consists of:  model of Capabilities Policy Classes – regulates Linux capabilities on a per-application granularity  model of Communication Policy Classes - regulates inter- application interaction  Enforcement of the framework is done via:  Capabilities model – Linux LibCap library  Communication model – Tuple Space Library/Controller (to be developed)  T argets deployment of decoupled multi-component data services on multi-core server instance

  37. + 37 Future Work  Address the distributed deployment of unifjed framework  Address the problems of policy representation and validation  Investigate additional security for tuple spaces on fast persistent storage  Investigate scalability issues  Investigate the applicability for Dockers

Recommend

Interactivity for Reactive Access Control To appear in Secrypt 2008 Yehia ElRakaiby, Frederic

Interactivity for Reactive Access Control To appear in Secrypt 2008 Yehia ElRakaiby, Frederic

TELECOM Bretagne Interactivity for Reactive Access Control To appear in Secrypt 2008 Yehia ElRakaiby, Frederic Cuppens & Nora Cuppens Boulahia TELECOM Institute ; TELECOM Bretagne D epartement R eseau S ecurit e et Multim

395 views • 17 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Warm Welcome Presentation Agenda COSEC Access Control Applications COSEC Solution

Warm Welcome Presentation Agenda COSEC Access Control Applications COSEC Solution

Warm Welcome Presentation Agenda COSEC Access Control Applications COSEC Solution Key Features Advanced Access Control Emergency Handling Monitoring and Controlling Hardware Access Control Reports and Features

1.3k views • 77 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications Ashish Gehani Surendar

Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications Ashish Gehani Surendar

Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications Ashish Gehani Surendar Chandra SRI University of Notre Dame 1 INTRODUCTION : Heterogeneous Applications Name resolution - CoDNS Scientific citations - OverCite

441 views • 17 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado

Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado

Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado Distributed Multimedia Applications Group (DMAG) Universitat Politcnica de Catalunya (UPC) W3C Workshop on Access Control Application Scenarios

712 views • 24 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a simple, modular approach to networked access control with scalability in mind. Easy management from a central location PC from anywhere with an

196 views • 9 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Multilevel and mandatory access control Stephen McCamant University of

324 views • 10 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
lecture 20 Input / Output (I/O) 2 - isolated vs. memory mapped I/O - program controlled

lecture 20 Input / Output (I/O) 2 - isolated vs. memory mapped I/O - program controlled

lecture 20 Input / Output (I/O) 2 - isolated vs. memory mapped I/O - program controlled I/O: polling - direct memory access (DMA) Wed. March 23, 2016 Isolated I/O In MARS simulator of MIPS, we uses syscall for I/O e.g.

831 views • 32 slides
Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following authentication, we need to decide what the subject can access 1 Read F 1 OK 2 Bob Write to F Alice 2 F NO ! 3 Execute G G 3 OK

596 views • 56 slides
CSCE 790 Computer Systems Security Access Control Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Access Control Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Access Control Professor Qiang Zeng Spring 2020 Previous Class Biometrics Measurement and applications of human characteristics Applications Advantages and Disadvantages False

400 views • 28 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is

Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is

Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is access control? Access control is the part of security that constrains the actions that are performed in a system based on access control rules .

1.4k views • 113 slides
1 Types of Power-Saving MACs The Sensor MAC (S-MAC) Three distinct classes of power-saving

1 Types of Power-Saving MACs The Sensor MAC (S-MAC) Three distinct classes of power-saving

What Is Media Access Control? Media Access Control (MAC) determines who gets access to the shared medium, and when Media Access Control In wired settings, usually just tries to avoid Greg Hackmann contention In wireless settings, can

399 views • 7 slides
Hardware Implementation of Droop Control for Isolated AC Microgrid By: Cristina Guzman Alben

Hardware Implementation of Droop Control for Isolated AC Microgrid By: Cristina Guzman Alben

Hardware Implementation of Droop Control for Isolated AC Microgrid By: Cristina Guzman Alben Cardenas Kodjo Agbossou Universit du Qubec Trois-Rivires Qubec-Canada Outline Introduction Droops

227 views • 21 slides
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define Access Controls List the four Access Control Models Describe logical Access Control Methods Explain the

128 views • 8 slides

More recommend