Outline Multilevel and mandatory access control CSci 5271 - PDF document

Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Stephen McCamant Capability-based access control University of Minnesota, Computer Science & Engineering MAC vs. DAC Motivation: it’s classified Discretionary access control (DAC) Government defense and intelligence Users mostly decide permissions on their agencies use classification to restrict own files access to information If you have information, you can pass it on to anyone E.g.: Unclassified, Confidential, Secret, E.g., traditional Unix file permissions Top Secret Mandatory access control (MAC) Multilevel Secure (MLS) systems first Restrictions enforced regardless of developed to support mixing subject choices classification levels under timesharing Typically specified by an administrator Motivation: system integrity Bell-LaPadula, linear case State-machine-like model developed for Limit damage if a network server US DoD in 1970s application is compromised 1. A subject at one level may not read a Unix DAC is no help if server is root resource at a higher level Limit damage from Simple security property, “no read up” browser-downloaded malware 2. A subject at one level may not write a Windows DAC is no help if browser is resource at a lower level “administrator” user * property, “no write down”

High watermark property Biba and low watermark Inverting a confidentiality policy gives Dynamic implementation of BLP an integrity one Process has security level equal to Biba: no write up, no read down highest file read Low watermark policy Written files inherit this level BLP ❫ Biba ✮ levels are isolated Information-flow perspective Covert channels Problem: conspiring parties can misuse Confidentiality: secret data should not other mechanisms to transmit flow to public sinks information Integrity: untrusted data should not flow Storage channel: writable shared state to critical sinks E.g., screen brightness on mobile phone Timing channel: speed or ordering of Watermark policies are process-level events conservative abstractions E.g., deliberately consume CPU time Multilateral security / compartments Partial orders and lattices ✔ on integers is a total order In classification, want finer divisions Reflexive, antisymmetric, transitive, ❛ ✔ ❜ based on need-to-know or ❜ ✔ ❛ Also, selected wider sharing (e.g., with Dropping last gives a partial order allied nations) A lattice is a partial order plus Many other applications also have this operators for: character Least upper bound or join t Anderson’s example: medical data Greatest lower bound or meet ✉ How to adapt BLP-style MAC? Example: subsets with ✒ , ❬ , ❭

Subset lattice example Subset lattice example Lattice model Classification lattice example Generalize MLS levels to elements in a lattice BLP and Biba work analogously with lattice ordering No access to incomparable levels Potential problem: combinatorial explosion of compartments Lattice BLP example Another notation Faculty ✦ (Faculty, ❄ ) Faculty//5271 ✦ (Faculty, ❢ ✺✷✼✶ ❣ ) Faculty//5271//8271 ✦ (Faculty, ❢ ✺✷✼✶❀ ✽✷✼✶ ❣ )

MLS operating systems Multi-VM systems One (e.g., Windows) VM for each 1970s timesharing, including Multics security level “Trusted” versions of commercial Unix More trustworthy OS underneath (e.g. Solaris) provides limited interaction SELinux (called “type enforcement”) E.g., NSA NetTop: VMWare on SELinux Integrity protections in Windows Vista Downside: administrative overhead and later Air gaps, pumps, and diodes Chelsea Manning cables leak Manning (n´ ee Bradley) was an The lack of a connection between intelligence analyst deployed to Iraq networks of different levels is called an PC in a T-SCIF connected to SIPRNet air gap (Secret), air gapped A pump transfers data securely from CD-RWs used for backup and software one network to another transfer A data diode allows information flow in Contrary to policy: taking such a only one direction CD-RW home in your pocket ❤tt♣✿✴✴✇✇✇✳❢❛s✳♦r❣✴s❣♣✴❥✉❞✴♠❛♥♥✐♥❣✴✵✷✷✽✶✸✲st❛t❡♠❡♥t✳♣❞❢ Outline Note to early readers This is the section of the slides most Multilevel and mandatory access control likely to change in the final version If class has already happened, make Announcements intermission sure you have the latest slides for announcements Capability-based access control In particular, the BCVI vulnerability announcement is embargoed

Outline ACLs: no fine-grained subjects Multilevel and mandatory access control Subjects are a list of usernames maintained by a sysadmin Announcements intermission Unusual to have a separate subject for an application Capability-based access control Cannot easily subset access (sandbox) ACLs: ambient authority Confused deputy problem Compiler writes to billing database All authority exists by virtue of identity Compiler can produce debug output to Kernel automatically applies all available user-specified file authority Specify debug output to billing file, Authority applied incorrectly leads to disrupt billing attacks (Object) capabilities Capability slogans (Miller et al.) No designation without authority A capability both designates a resource Dynamic subject creation and provides authority to access it Subject-aggregated authority mgmt. Similar to an object reference No ambient authority Unforgeable, but can copy and distribute Composability of authorities Typically still managed by the kernel Access-controlled delegation Dynamic resource creation

Partial example: Unix FDs Distinguish: password capabilities Authority to access a specific file Bit pattern itself is the capability Managed by kernel on behalf of process No centralized management Can be passed between processes Modern example: authorization using Though rare other than parent to child cryptographic certificates Unix not designed to use pervasively Revocation with capabilities Confinement with capabilities Use indirection: give real capability via ❆ cannot pass a capability to ❇ if it a pair of middlemen cannot communicate with ❆ at all ❆ ✦ ❇ via ❆ ✦ ❋ ✦ ❘ ✦ ❇ Disconnected parts of the capability Retain capability to tell ❘ to drop graph cannot be reconnected capability to ❇ Depends on controlled delegation and Depends on composability data/capability distinction OKL4 and seL4 Joe-E and Caja Commercial and research microkernels Dialects of Java and JavaScript (resp.) Recent versions of OKL4 use capability using capabilities for confined execution design from seL4 E.g., of JavaScript in an advertisement Used as a hypervisor, e.g. underneath Note reliance on Java and JavaScript paravirtualized Linux type safety Shipped on over 1 billion cell phones

Next time Techniques for higher assurance