Access Control CSE497b - Spring 2007 Introduction Computer and - - PowerPoint PPT Presentation



SLIDE 1

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Access Control

CSE497b - Spring 2007 - Introduction to Computer and Network Security - Professor Jaeger

www.cse.psu.edu/~tjaeger/cse497b-s07/

SLIDE 2

Access Control

  • Describe the permissions available to computing processes
– Originally, all permissions were available
  • Clearly, some controls are necessary
– Prevent bugs in one process from breaking another

  • But, what should determine access?

SLIDE 3

Permissions for Processes

  • What permissions should be granted to...
– An editor process?
– An editor process that you run?
– An editor process that someone else runs?
– An editor process that contains malware?
– An editor process used to edit a password file?
  • Q: How do we determine/describe the permissions available to processes?

  • Q: How are they enforced?
  • Q: How might they change over time?

SLIDE 4

Protection System

  • Any “system” that provides resources to multiple subjects needs to control access among them
– Operating system
– Servers
  • Consists of:
– Protection state
  • Description of permission assignments (i.e., policy)
  • Determines how security goals are met
– Enforcement mechanism
  • Enforces the protection state on the “system”

SLIDE 5

Protection State

  • Describes the conditions under which the system is secure
– Secrecy
– Integrity
– Availability
  • Described in terms of
– Subjects: Users and processes
– Objects: Files and sockets
– Operations: Read and write

SLIDE 6

Secure Protection State

  • Set of all protection states P
  • Set of secure protection states Q (a subset of P)
– Subjects’ access to objects to perform operations
– Meets the secrecy, integrity and availability goals
  • Example: Protect access to your private key file
– Only protection states in which only you can read the private key file are secure
– Protection states in which only you may write the public key file are secure
  • Not all processes are necessarily secure
– Recall programs running on your behalf
  • Hey, even some programs running on your behalf are not to be trusted with the private key!

SLIDE 7

Access Matrix

      O1  O2  O3
  S1  Y   Y   N
  S2  N   Y   N
  S3  N   Y   Y

  • Subjects (rows)
  • Objects (columns)
  • Operations (cell entries; this matrix only records whether any access is allowed)
  • Can determine
– Who can access an object
– What objects can be accessed by a subject
– What operations a subject can perform on an object

SLIDE 8

Access Control

  • Suppose the private key file for J is object O1
– Only J can read
  • Suppose the public key file for J is object O2
– All can read, only J can modify
  • Suppose all can read and write object O3
  • What’s the access matrix?

      O1  O2  O3
  J   ?   ?   ?
  S2  ?   ?   ?
  S3  ?   ?   ?

SLIDE 9

Secrecy

  • Does the following protection state ensure the secrecy of J’s private key in O1?

      O1  O2  O3
  J   R   RW  RW
  S2  N   R   RW
  S3  N   R   RW

SLIDE 10

Integrity

  • Does the following access matrix protect the integrity of J’s public key file O2?

      O1  O2  O3
  J   R   RW  RW
  S2  N   R   RW
  S3  N   R   RW

SLIDE 11

Trusted Processes

  • Does it matter if we do not trust some of J’s processes?

      O1  O2  O3
  J   R   RW  RW
  S2  N   R   RW
  S3  N   R   RW

SLIDE 12

Protection vs Security

  • Protection
– Security goals met under trusted processes
– Protects against an error by a non-malicious entity
  • Security
– Security goals met under potentially malicious processes
– Protects against any malicious entity
  • For J:
– A non-malicious process shouldn’t leak the private key by writing it to O3
– A potentially malicious process may contain a Trojan horse that writes the private key to O3

SLIDE 13

Least Privilege

  • Limit permissions to those required and no more
  • Consider three processes for user J

– Restrict privilege of the process J1 to prevent leaks

      O1  O2  O3
  J1  R   RW  N
  J2  N   R   RW
  J3  N   R   RW
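The matrices of slides 8 to 13 as runnable checks. This is an added example, not code from the lecture: it builds the slide matrix, tests it against the secrecy goal of slide 9 and the integrity goal of slide 10, searches it for the one-write leak that slide 12 describes (first with J's process trusted, then treating every process as potentially malicious), and then runs the same search on the least-privilege split of slide 13. The subject and object names are the slides'; the dictionary representation and all function names are this example's assumptions.

```python
"""Access matrix for the lecture's key-file scenario (slides 8 to 13).

Added example, not code from the original slides.  Subjects J, S2, S3 (and
J's split processes J1, J2, J3), objects O1 (J's private key file), O2 (J's
public key file) and O3 (a file all may read and write) are the slides'
names; every function name here is this example's own.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Cell = Tuple[str, str]               # (subject, object)
Matrix = Dict[Cell, FrozenSet[str]]  # operations permitted in that cell


def build_matrix(rows: Dict[str, Dict[str, str]]) -> Matrix:
    """rows[subject][object] lists the operations as a string ("R", "W",
    "RW"); an absent entry is the slides' N, no access at all."""
    return {(s, o): frozenset(ops) for s, row in rows.items() for o, ops in row.items()}


def allowed(m: Matrix, subj: str, obj: str, op: str) -> bool:
    """The check an enforcement mechanism makes on every operation."""
    return op in m.get((subj, obj), frozenset())


def subjects(m: Matrix) -> Set[str]:
    return {s for s, _ in m}


def objects(m: Matrix) -> Set[str]:
    return {o for _, o in m}


def secrecy_violations(m: Matrix, obj: str, readers: Set[str]) -> List[str]:
    """Subjects that may read obj without being authorized readers (slide 9)."""
    return sorted(s for s in subjects(m) if allowed(m, s, obj, "R") and s not in readers)


def integrity_violations(m: Matrix, obj: str, writers: Set[str]) -> List[str]:
    """Subjects that may write obj without being authorized writers (slide 10)."""
    return sorted(s for s in subjects(m) if allowed(m, s, obj, "W") and s not in writers)


def leak_paths(m: Matrix, secret: str,
               trusted: Set[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """One-hop leaks of `secret`: a subject s outside `trusted` reads the
    secret, writes some other object o, and a subject t that cannot read the
    secret reads o.  With trusted = {J} this is slide 12's 'protection' view
    (J's processes are non-malicious); with trusted empty it is the 'security'
    view, where any process may carry a Trojan horse."""
    paths = []
    for s in subjects(m) - set(trusted):
        if not allowed(m, s, secret, "R"):
            continue
        for o in objects(m) - {secret}:
            if not allowed(m, s, o, "W"):
                continue
            for t in subjects(m) - {s}:
                if allowed(m, t, o, "R") and not allowed(m, t, secret, "R"):
                    paths.append((s, o, t))
    return sorted(paths)


# Slide 8's answer, the matrix used on slides 9 to 11
SLIDE_MATRIX = build_matrix({
    "J":  {"O1": "R", "O2": "RW", "O3": "RW"},
    "S2": {"O2": "R", "O3": "RW"},
    "S3": {"O2": "R", "O3": "RW"},
})

# Slide 13: J's work split over three processes; J1 alone reads O1 and loses O3
LEAST_PRIVILEGE = build_matrix({
    "J1": {"O1": "R", "O2": "RW"},
    "J2": {"O2": "R", "O3": "RW"},
    "J3": {"O2": "R", "O3": "RW"},
})

if __name__ == "__main__":
    print("secrecy violations on O1:", secrecy_violations(SLIDE_MATRIX, "O1", {"J"}))
    print("integrity violations on O2:", integrity_violations(SLIDE_MATRIX, "O2", {"J"}))
    print("leaks if J is trusted:", leak_paths(SLIDE_MATRIX, "O1", trusted={"J"}))
    print("leaks if J may be malicious:", leak_paths(SLIDE_MATRIX, "O1"))
    print("leaks after least privilege:", leak_paths(LEAST_PRIVILEGE, "O1"))
```

The slide matrix passes both goal checks and shows no leak as long as J's process is trusted; treat J as potentially malicious and the writes into O3 (and O2) appear, which is slide 12's distinction. The split of slide 13 closes the O3 path because J1 can no longer write O3. The same search still reports that J1 could copy the secret into O2, the public key file that every other subject reads, so J1 remains the one process that must be trusted, which is exactly the question slide 11 asks.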

SLIDE 14

Options for Subjects

  • Possible subjects

SLIDE 15

Role-Based Access Control

  • Associate permissions with job functions
– Each job defines a set of tasks
– The tasks need permissions
– The permissions define a role
  • Bank Teller
– Read/Write to client accounts
– Cannot create new accounts
– Cannot create a loan
– Role defines only the permissions allowed for the job
  • What kinds of jobs can we define permission sets for?

SLIDE 16

Role-based Access Control

  • Model consists of two relationships
– Role-permission assignments
– User-role assignments
  • Assign permissions to roles
– These are largely fixed
  • Assign a user to the roles they can assume
– These change with each user
– Administrators must manage this relationship
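The two relationships of slide 16, with the bank teller of slide 15, as an added example (not the lecture's code). The role-permission table is the fixed part; user-role assignment, role activation and revocation are the part administrators manage. The teller's three rules follow slide 15; the manager role, the user names, the (operation, object type) encoding of a permission and all function names are this example's assumptions.

```python
"""Role-based access control with the slides' two relationships.

Added example, not code from the lecture.  The teller rules follow slide 15;
the manager role, the users, the (operation, object type) permission
encoding and all names are this example's assumptions.
"""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]   # (operation, object type)

# Role-permission assignment: defined per job function and largely fixed
ROLE_PERMS: Dict[str, Set[Permission]] = {
    "teller": {("read", "account"), ("write", "account")},
    "manager": {("read", "account"), ("write", "account"),
                ("create", "account"), ("create", "loan")},
}


class RBAC:
    def __init__(self, role_perms: Dict[str, Set[Permission]]):
        self.role_perms = role_perms
        # User-role assignment: changes per user, managed by administrators
        self.user_roles: Dict[str, Set[str]] = {}
        # Role a user's session has currently assumed
        self.active: Dict[str, str] = {}

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"no such role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)
        if self.active.get(user) == role:
            del self.active[user]   # a revoked role leaves the live session too

    def activate(self, user: str, role: str) -> bool:
        """A session may only assume a role the user has been assigned."""
        if role not in self.user_roles.get(user, set()):
            return False
        self.active[user] = role
        return True

    def permitted(self, user: str, op: str, obj_type: str) -> bool:
        """Authorization: active role first, then that role's permissions.
        A user's identity never maps to permissions directly."""
        role = self.active.get(user)
        return role is not None and (op, obj_type) in self.role_perms[role]


def bank_scenario() -> Dict[str, bool]:
    """Slide 15's teller rules, plus assignment, activation and revocation."""
    rbac = RBAC(ROLE_PERMS)
    rbac.assign("alice", "teller")
    rbac.assign("bob", "manager")
    rbac.activate("alice", "teller")
    rbac.activate("bob", "manager")
    results = {
        "teller writes account": rbac.permitted("alice", "write", "account"),
        "teller creates account": rbac.permitted("alice", "create", "account"),
        "teller creates loan": rbac.permitted("alice", "create", "loan"),
        "teller assumes manager": rbac.activate("alice", "manager"),
        "manager creates loan": rbac.permitted("bob", "create", "loan"),
    }
    rbac.revoke("bob", "manager")
    results["manager creates loan after revocation"] = rbac.permitted("bob", "create", "loan")
    return results


if __name__ == "__main__":
    for check, outcome in bank_scenario().items():
        print(f"{check}: {outcome}")
```

Moving a person between jobs touches only `user_roles`; the permission sets stay as they are, which is the administrative payoff of the split into two relationships.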

SLIDE 17

Enforcement Mechanism

  • Every system needs to enforce its protection state
  • Q: What is required of such an enforcement mechanism?

SLIDE 18

Reference Monitor

  • Properties
– Complete mediation of all security-sensitive operations
– Tamperproof
– Simple enough for verification of correctness
  • Reference Monitor Structure
– Interface
  • Where is it called to mediate (authorize)?
– Mechanism
  • How are authorization queries processed?
– Policy
  • How are authorization decisions expressed?

SLIDE 19

Page CSE497c Introduction to Computer and Network Security - Spring 2006 - Professors Jaeger and McDaniel

Reference Monitor

[Figure: reference monitor placement; labels in the diagram: User, Kernel, Trap, Loadable Authorization Module, Authorization Mechanism, Policy Server]
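The three-part structure of slide 18, laid out the way the slide 19 figure does (a trap into the kernel reaches an authorization module, which asks a policy server), as an added example that is not the lecture's code. The interface is a file store whose every operation calls the monitor before touching state; the mechanism logs each query and turns a refusal into an exception the caller cannot ignore; the policy is the access matrix of slides 9 to 11. A second, deliberately incomplete store and a crude completeness check show how a missed mediation point is found. The classes, the file contents and every name are this example's assumptions.

```python
"""Reference-monitor skeleton: interface, mechanism, policy.

Added example, not code from the lecture.  The layering follows slide 18
and the slide 19 figure (trap -> authorization module -> policy server);
the file store, the policy table, the audit log and all names are this
example's assumptions.  The policy table reuses the matrix of slides 9-11.
"""
import inspect
from typing import Dict, List, Tuple


class Denied(PermissionError):
    """Raised by the monitor when the policy refuses an operation."""


class PolicyServer:
    """Policy: how authorization decisions are expressed (here, an access matrix)."""
    def __init__(self, matrix: Dict[Tuple[str, str], str]):
        self._matrix = dict(matrix)

    def decide(self, subj: str, obj: str, op: str) -> bool:
        return op in self._matrix.get((subj, obj), "")


class AuthorizationModule:
    """Mechanism: how authorization queries are processed.  Every query is
    logged, and a refusal is an exception so callers cannot ignore it."""
    def __init__(self, policy: PolicyServer):
        self._policy = policy
        self.log: List[Tuple[str, str, str, bool]] = []

    def authorize(self, subj: str, obj: str, op: str) -> None:
        ok = self._policy.decide(subj, obj, op)
        self.log.append((subj, obj, op, ok))
        if not ok:
            raise Denied(f"{subj} may not {op} {obj}")


class FileStore:
    """Interface: the one place subjects reach objects.  Each security-
    sensitive operation calls authorize() before touching state (complete
    mediation); the state is reachable only through these methods."""
    def __init__(self, monitor: AuthorizationModule, files: Dict[str, bytes]):
        self._monitor = monitor
        self._files = dict(files)

    def read(self, subj: str, obj: str) -> bytes:
        self._monitor.authorize(subj, obj, "R")
        return self._files[obj]

    def write(self, subj: str, obj: str, data: bytes) -> None:
        self._monitor.authorize(subj, obj, "W")
        self._files[obj] = data


class LeakyFileStore(FileStore):
    """Same store plus one operation that forgets to consult the monitor;
    deliberately wrong, to show what the mediation check below catches."""
    def size(self, subj: str, obj: str) -> int:
        return len(self._files[obj])


def unmediated_operations(store: FileStore, subj: str, obj: str) -> List[str]:
    """Coarse complete-mediation check: invoke every public operation as a
    subject holding no rights on obj; any that is not refused is a gap."""
    gaps = []
    for name in dir(store):
        fn = getattr(store, name)
        if name.startswith("_") or not callable(fn):
            continue
        n_args = len(inspect.signature(fn).parameters)
        try:
            fn(*(subj, obj, b"x")[:n_args])
        except Denied:
            continue
        gaps.append(name)
    return gaps


def denied(fn, *args) -> bool:
    """True when the monitor refuses the call."""
    try:
        fn(*args)
        return False
    except Denied:
        return True


# Slides 9-11: only J reads O1, everyone reads O2, everyone reads and writes O3
POLICY = {("J", "O1"): "R", ("J", "O2"): "RW", ("J", "O3"): "RW",
          ("S2", "O2"): "R", ("S2", "O3"): "RW",
          ("S3", "O2"): "R", ("S3", "O3"): "RW"}
FILES = {"O1": b"constructed sample private key",   # constructed, not a real key
         "O2": b"constructed sample public key",
         "O3": b""}


def build_store(leaky: bool = False) -> Tuple[FileStore, AuthorizationModule]:
    monitor = AuthorizationModule(PolicyServer(POLICY))
    cls = LeakyFileStore if leaky else FileStore
    return cls(monitor, FILES), monitor


if __name__ == "__main__":
    store, monitor = build_store()
    print(store.read("J", "O1"))
    print("S2 reads O1 refused:", denied(store.read, "S2", "O1"))
    print("audit log:", monitor.log)
    print("gaps in leaky store:", unmediated_operations(build_store(leaky=True)[0], "S2", "O1"))
```

The check only probes what the store exposes, so it is a smoke test for the interface, not a proof; the slide's "simple enough for verification" property is about keeping the monitor small enough that a real review of every entry point is feasible.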

SLIDE 20

Protection State Transitions

  • Transition
– From one access matrix state to another
– Add/delete subject, object, operation assignment
  • Transition semantics
– Owner-driven
– Delegation
– Administrator-driven
– Administrative permissions
  • Attenuation of Rights Principle
– Can’t grant a right that you do not possess

SLIDE 21

Protection State Transitions

  • Owner
– Implicitly has all rights to owned objects
– Grants at will
– Reader can copy object to self-owned object and distribute
  • Delegation
– Copy flag
  • Presence of the copy flag permits granting of one’s rights to that object
  • Administrators
– Implicitly have all rights
– Grant to subjects as necessary (within security goals)
  • Administrative permissions
– Permissions to perform administrative operations on objects
– Distinction between active and administrative rights

SLIDE 22

Safety Problem

  • Is there a general algorithm that enables us to determine whether a permission may be leaked to an unauthorized user from any future protection state?
  • Intuition:
– From a protection state, users can administer permissions for the objects that they own
– Enable other subjects to access those objects
  • For typical access control models (UNIX)
– Problem is undecidable
– Can also extend representation (new users, objects)
  • Practice:
– Check current protection state for “safety”
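The transitions of slides 20 and 21 and the safety question of slide 22, as an added example that is not the lecture's code. A grant succeeds only for an owner or a holder of the copy flag, and only for rights the granter itself holds (attenuation). The safety check then asks whether an unauthorized subject could ever obtain a right by any sequence of grants from subjects that are not trusted. Because subjects and objects here are fixed (nothing is created) and rights only grow, the reachable states are finite and the check is a fixpoint that always terminates; the undecidability on slide 22 comes from models that can also add users and objects. R and W, O1 and the subjects J, S2, S3 follow the earlier slides; the owner right `o`, the copy flag `c`, the `trusted` set and every function name are this example's assumptions.

```python
"""Protection-state transitions and a bounded safety check.

Added example, not code from the lecture.  R and W are the slides' rights,
O1 and the subjects J, S2, S3 follow the earlier slides; the owner right
'o', the copy flag 'c', the 'trusted' set and every function name are this
example's assumptions.  Subjects and objects are fixed (nothing is created),
which is exactly the restriction that makes the exhaustive check terminate;
the slides' general problem, with creation, is undecidable.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Cell = Tuple[str, str]                 # (subject, object)
State = Dict[Cell, FrozenSet[str]]     # rights held, e.g. {"R", "W", "o", "c"}


class NotPermitted(Exception):
    """The requested transition is not allowed by the transition semantics."""


def rights(state: State, subj: str, obj: str) -> FrozenSet[str]:
    return state.get((subj, obj), frozenset())


def grant(state: State, granter: str, grantee: str, obj: str,
          new_rights: Iterable[str]) -> State:
    """Owner-driven grant or copy-flag delegation, both attenuated.

    Authority: the granter owns obj ('o') or holds the copy flag ('c') on it.
    Attenuation: a granter may only pass rights it already holds; ownership
    itself is not transferable in this model."""
    have = rights(state, granter, obj)
    wanted = frozenset(new_rights)
    if not (have & {"o", "c"}):
        raise NotPermitted(f"{granter} may not grant rights on {obj}")
    if not wanted <= (have - {"o"}):
        raise NotPermitted(f"{granter} cannot grant {sorted(wanted - have)} it does not hold")
    new = dict(state)
    new[(grantee, obj)] = rights(state, grantee, obj) | wanted
    return new


def try_grant(*args) -> bool:
    try:
        grant(*args)
        return True
    except NotPermitted:
        return False


def closure(state: State, trusted: Set[str] = frozenset()):
    """All rights reachable by grants from subjects outside `trusted`.

    Rights only grow and the subject/object sets are fixed, so iterating to
    a fixpoint yields the unique largest reachable state.  Also records, for
    each right added, the subject that granted it, so a leak can be traced."""
    cur: Dict[Cell, Set[str]] = {k: set(v) for k, v in state.items()}
    subjects = sorted({s for s, _ in state})
    objects = sorted({o for _, o in state})
    granted_by: Dict[Tuple[str, str, str], str] = {}
    changed = True
    while changed:
        changed = False
        for s in subjects:
            if s in trusted:
                continue
            for o in objects:
                have = cur.get((s, o), set())
                if not (have & {"o", "c"}):
                    continue
                for r in sorted(have - {"o"}):
                    for t in subjects:
                        if t == s:
                            continue
                        tgt = cur.setdefault((t, o), set())
                        if r not in tgt:
                            tgt.add(r)
                            granted_by[(t, o, r)] = s
                            changed = True
    return {k: frozenset(v) for k, v in cur.items()}, granted_by


def is_safe(state: State, subj: str, obj: str, right: str,
            trusted: Set[str] = frozenset()) -> bool:
    """Safety for this bounded model: can `subj` never obtain `right` on `obj`?"""
    final, _ = closure(state, trusted)
    return right not in final.get((subj, obj), frozenset())


def leak_chain(state: State, subj: str, obj: str, right: str,
               trusted: Set[str] = frozenset()) -> List[str]:
    """Subjects through which `right` on `obj` would reach `subj`, source first."""
    _, granted_by = closure(state, trusted)
    chain = [subj]
    while (chain[-1], obj, right) in granted_by:
        chain.append(granted_by[(chain[-1], obj, right)])
    return list(reversed(chain))


# J owns its private key file O1 and has given S2 read access with the copy flag
DELEGATED: State = {
    ("J", "O1"): frozenset({"o", "R", "W"}),
    ("S2", "O1"): frozenset({"R", "c"}),
    ("S3", "O1"): frozenset(),
}
# Same, but S2's read right carries no copy flag
NO_COPY: State = {**DELEGATED, ("S2", "O1"): frozenset({"R"})}

if __name__ == "__main__":
    print("S3 can never read O1 (copy flag, J trusted):", is_safe(DELEGATED, "S3", "O1", "R", {"J"}))
    print("how it would leak:", leak_chain(DELEGATED, "S3", "O1", "R", {"J"}))
    print("S3 can never read O1 (no copy flag, J trusted):", is_safe(NO_COPY, "S3", "O1", "R", {"J"}))
    print("S3 can never read O1 (owner untrusted):", is_safe(NO_COPY, "S3", "O1", "R"))
```

The last line of the demo is slide 21's "owner grants at will" in action: if the owner itself is not trusted, nothing is safe, so a safety question is only meaningful relative to a set of subjects assumed to behave. The copy flag is what turns a single delegation into an unbounded chain, which is why the check with the flag present reports a leak and the check without it does not.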

SLIDE 23

Take Away

  • Access Control is expressed in terms of
– Protection Systems
  • Protection Systems consist of
– Protection State representation (e.g., access matrix)
– Enforcement Mechanisms (e.g., reference monitor)
  • Protection States
– Challenge to choose subjects (RBAC)
– Must ensure security goals in spite of state transitions
  • Enforcement Mechanism
– Reference Monitor
– Ensures protection state is enforced
  • Transitions
– Cannot prove safety for future protection states (in general)
