1 / 32

CSC 382: Computer Security

CSC 382: Computer Security. Security Policies. Topics. What is a security policy? Types of Access Control Discretionary (DAC) Mandatory (MAC) Originator-based (ORBAC) Types of Policies Multilevel: Bell LaPadula Clark Wilson Chinese Wall Policy Expression Languages. Security Policy.

bruno
Télécharger la présentation

CSC 382: Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSC 382: Computer Security Security Policies CSC 382: Computer Security

  2. Topics • What is a security policy? • Types of Access Control • Discretionary (DAC) • Mandatory (MAC) • Originator-based (ORBAC) • Types of Policies • Multilevel: Bell LaPadula • Clark Wilson • Chinese Wall • Policy Expression Languages CSC 382: Computer Security

  3. Security Policy Security policy partitions system states into: • Authorized (secure) • These are states the system is allowed to enter. • Unauthorized (nonsecure) • If the system enters any of these states, it’s a security violation. Secure system • Starts in authorized state. • Never enters unauthorized state. CSC 382: Computer Security

  4. Policy vs. Mechanism Security Policy • Statement that divides system into authorized and unauthorized states. Mechanism • Entity or procedure that enforces some part of a security policy. CSC 382: Computer Security

  5. Dirty Politics Republican Senate staffers gained access to Democrat computer files 2002-2003. • Both parties share computer server. • 2001 misconfiguration allowed access w/o pw. • Defence: "The bottom line here is that the technology staff of the Democrats was negligent. They put these memos in a shared hard drive. It was like putting the memos on our desk.” – Manuel Miranda CSC 382: Computer Security

  6. Types of Access Control • Discretionary Access Control (DAC, IBAC) • Individual user sets access control mechanism to allow or deny access to an object. UNIX and NT ACLs. • Mandatory Access Control (MAC) • System mechanism controls access to object, and individual cannot alter that access. • Originator Controlled Access Control (ORCON) • Originator (creator, not current owner of file) of information controls who can access information. DRM-controlled files. CSC 382: Computer Security

  7. MAC Example: SELinux • What is SELinux? • Linux kernel modifications to provide MAC. • What’s the problem with DAC? • TCB large: Security depends on kernel, all privileged aplications, and their configurations. • Coarse-grained: Applications run with all user privileges, even for root user. • Security of MAC depends on: • kernel • SElinux security policy configuration CSC 382: Computer Security

  8. SELinux Advantages and Issues • Advantages • Fine-grained control by program, not by user. • Protects system from flawed or malicious code. • Security policy configuration is complex. • Policy language resembles DTEL. • Fine-grained: can control program accesses to individual files, signals, etc. • Difficult to find security policies that work for everyone. • Fedora Core 2’s strict policy caused many problems. • Fedora Core 3 applies policies to known server and system process, lets other programs run w/o restriction. CSC 382: Computer Security

  9. SELinux Command Extensions > id -Z user_u:system_r:unconfined_t > ps -eZ |head LABEL PID TTY TIME CMD user_u:system_r:unconfined_t 1 ? 00:00:00 init user_u:system_r:unconfined_t 21 ? 00:00:00 kacpid user_u:system_r:syslogd_t 3826 ? 00:00:00 syslogd user_u:system_r:unconfined_t 3841 ? 00:00:00 irqbalance user_u:system_r:portmap_t 3852 ? 00:00:00 portmap user_u:system_r:ypbind_t 4024 ? 00:00:00 ypbind > ls -lZ /boot/vmlinuz-2.6.10-1.741_FC3smp -rw-r--r-- root root system_u:object_r:boot_t /boot/vmlinuz-2.6.10-1.741_FC3smp CSC 382: Computer Security

  10. ORBAC Example: CSS • Content Scrambling System (CSS) • Used to encrypt DVDs. • DVD reader needs CSS decryption key. • CSS limits use of DVDs even though you control the OS (MAC) and filesystem ACLs. • Region-coding. • Unskippable commercials. CSC 382: Computer Security

  11. Types of Security Policies • Confidentiality • Military/government policies. • Integrity • Commercial policies. • Availability • Quality of service agreements. CSC 382: Computer Security

  12. Confidentiality • X set of entities, I information. • I has confidentiality property with respect to X if no x in X can obtain information from I. • I can be disclosed to others. • Example: • X is the set of students. • I is the final exam answer key. • I is confidential with respect to X if students cannot obtain final exam answer key. CSC 382: Computer Security

  13. Integrity • X set of entities, I information. • I has integrity property with respect to X if all x in X trust information in I. • Types of integrity: • trust I, its conveyance and protection (data integrity) • I information about origin of something or an identity (origin integrity, authentication) • I resource: means resource functions as it should (assurance) CSC 382: Computer Security

  14. Availability • X set of entities, I resource. • I has availability property with respect to X if all x in X can access I. • Types of availability: • traditional: x gets access or not • quality of service: promise specific level of access (e.g., a specific level of bandwidth) CSC 382: Computer Security

  15. Multilevel Security Policies Bell-LaPadula Model Classifications • Top Secret • Secret • Confidential • Unclassified Simple Security Property No read up. *-Property No write down. CSC 382: Computer Security

  16. Bank COI Class Oil COI Class US Bank Shell Exxon PNC Citibank ARCO BP Multilateral Security Policies Chinese Wall Model If you read one CD of a COI, you never can read any other CDs from that COI. CD: Company dataset COI: Conflict of interestclass CSC 382: Computer Security

  17. Policy Languages • Express security policies in a precise way. • High-level languages • Policy constraints expressed abstractly. • Low-level languages • Policy constraints expressed in terms of program options, input, or specific characteristics of entities on system. CSC 382: Computer Security

  18. High-Level Policy Languages • Constraints expressed independent of enforcement mechanism. • Constraints restrict entities, actions. • Constraints expressed unambiguously • Requires a precise language, usually a mathematical, logical, or programming-like language. CSC 382: Computer Security

  19. Example: Web Browser • Goal: restrict actions of Java programs that are downloaded and executed under control of web browser. • Policy language specific to Java programs. • Expresses constraints as conditions restricting invocation of entities. CSC 382: Computer Security

  20. Expressing Constraints • Entities are classes, methods • Class: set of objects that an access constraint constrains. • Method: set of ways an operation can be invoked. • Operations • Instantiation: s creates instance of class c: s-|c • Invocation: s1 executes object s2: s1 |-> s2 • Access constraints • deny(sopx) whenb • While b is true, subject s cannot perform op on (subject or class) x; empty s means all subjects. CSC 382: Computer Security

  21. Sample Constraints • Downloaded program cannot access password database file on UNIX system • Program’s class and methods for files: class File { public file(String name); public String getfilename(); public char read(); • Constraint: deny( |-> file.read) when (file.getfilename() == /etc/passwd) CSC 382: Computer Security

  22. Another Sample Constraint • At most 100 network connections open. • Socket class defines network interface • Network.numconns method giving number of active network connections. • Constraint deny( -| Socket) when (Network.numconns >= 100) CSC 382: Computer Security

  23. Discussion: Buying HDs on Ebay • 2 MIT grad students bought 158 used HDs. • 28 (17%) had fully functioning operating systems. • 57 (36%) were formatted, but recoverable. • 29 (18%) didn’t work at all. • In total, 117 (74%) had recoverable data. • Recovered data included • Personal and corporate financial records. • Personal e-mail and credit cards. • Is discarded data a security issue? CSC 382: Computer Security

  24. Low-Level Policy Languages • Set of inputs or arguments to commands. • Check or set constraints on system. • Low level of abstraction. • Need details of system, commands. CSC 382: Computer Security

  25. Example: X Window System • UNIX X11 Windowing System. • Access to X11 display controlled by list • List says what hosts allowed, disallowed access xhost +groucho -chico • Connections from host groucho allowed. • Connections from host chico not allowed. CSC 382: Computer Security

  26. Example: tripwire File scanner that reports changes to file system and file attributes • tw.config describes what may change /usr/mab/tripwire +gimnpsu012345678-a • Check everything but time of last access (“-a”) • database holds previous values of attributes CSC 382: Computer Security

  27. Example Database Record /usr/mab/tripwire/README 0 ..../. 100600 45763 1 917 10 33242 .gtPvf .gtPvY .gtPvY 0 .ZD4cc0Wr8i21ZKaI..LUOr3 .0fwo5:hf4e4.8TAqd0V4ubv ?...... ...9b3 1M4GX01xbGIX0oVuGo1h15z3 ?:Y9jfa04rdzM1q:eqt1APgHk ?.Eb9yo.2zkEh1XKovX1:d0wF0kfAvC ?1M4GX01xbGIX2947jdyrior38h15z3 0 file name, version, bitmask for attributes, mode, inode number, number of links, UID, GID, size, times of creation, last modification, last access, cryptographic checksums CSC 382: Computer Security

  28. Comments • System administrators not expected to edit database to set attributes properly. • Checking for changes with tripwire is easy. • Just run once to create the database, run again to check. • Checking for conformance to policy is harder. • Need to either edit database file, or (better) set system up to conform to policy, then run tripwire to construct database. CSC 382: Computer Security

  29. Example: PAM • Pluggable Authentication Modules • Config: /etc/pam.conf or /etc/pam.d/prog login auth required pam_unix.so login account required pam_unix.so login password required pam_unix.so login session required pam_unix.so • Format: service modtype controlflag module CSC 382: Computer Security

  30. Example: PAM (cont.) • Module Types: • Auth: authenticates user • Account: non-auth access control (time, place) • Password: updates auth token • Session: user setup (including logging) • Control Flags: • required: must succeed for access, all entries checked • requisite: required, but returns immediately on failure • sufficient: access granted if this condition true CSC 382: Computer Security

  31. Key Points • Policies describe what is allowed. • Mechanisms control how policies are enforced. • Types of Access Control • Discretionary (DAC) • Mandatory (MAC) • Originator Based (ORBAC) • Trust underlies everything. CSC 382: Computer Security

  32. References • Anderson, Ross, Security Engineering, Wiley, 2001. • David E. Bell and Leonard J. LaPadula, Secure Computer System: Unified Exposition and MULTICS Interpretation, MTR-2997 Rev. 1, The MITRE Corporation, Bedford, MA 01730 (Mar. 1976) http://csrc.nist.gov/publications/history/bell76.pdf • Bishop, Matt, Introduction to Computer Security, Addison-Wesley, 2005. • Department of Defense, Trusted Computer System Evaluation Criteria, DoD 5200.28-STD (“Orange Book”), National Computer Security Center, Ft. Meade, MD 20755 (Dec. 1985) http://csrc.nist.gov/publications/history/dod85.pdf • Peter Loscocco and Stephen Smalley, “Integrating Flexible Support for Security Policies into the Linux Operating System,” Proceedings of the FREENIX Track of the 2001 USENIX Annual Technical Conference, 2001. CSC 382: Computer Security

More Related