Computer and Network Security: Understanding Security Policies and Access Control - Prof. Patrick McDaniel, Study notes of Computer Science

An introduction to computer and network security, focusing on security policies and access control. Topics covered include the goals of computer security policy, computer security policy mistakes, trusted processes, secrecy, integrity, and availability. The document also discusses discretionary and mandatory access control, administrative operations, and conflict resolution in access matrices.

Typology: Study notes

Pre 2010

Uploaded on 09/24/2009

Uploaded by: koofers-user-583

3YSTEMSAND)NTERNET
)NFRASTRUCTURE3ECURITY
I
I
.ETWORKAND3ECURITY2ESEARCH#ENTER
$EPARTMENTOF#OMPUTER3CIENCEAND%NGINEERING
0ENNSYLVANIA3TATE5NIVERSITY5NIVERSITY0ARK0!
CSE543 - Introduction to Computer and Network Security Page
CSE543 - Introduction to
Computer and Network Security
Module:
Access Control
Professor Patrick McDaniel
Fall 2009
1



Trusted Computing Base (TCB)

  • The trusted computing base is the infrastructure that you assume will behave correctly
    ‣ Hardware (keyboard, monitor, …)
    ‣ Operating systems
    ‣ Implementations
    ‣ Local networks
    ‣ Administrators
    ‣ Other users on the same system
  • Axiom: the larger the TCB, the more assumptions you must make (and hence, the more opportunity to have your assumptions violated).

Computer Security Policy Goals

  • Secrecy
    ‣ Don't allow reading by unauthorized subjects
    ‣ Control where data can be written by authorized subjects
      - Why is this important?
  • Integrity
    ‣ Don't permit dependence on lower-integrity data/code
      - Why is this important?
    ‣ What is "dependence"?
  • Availability
    ‣ The necessary function must run
    ‣ Doesn't this conflict with the above?

… when policy goes wrong

  • Driving license test: take until you pass
    ‣ Mrs. Miriam Hargrave of Yorkshire, UK failed her driving test 39 times between 1962 and 1970!
    ‣ … she had 212 driving lessons …
    ‣ She finally got it on the 40th try.
    ‣ Some years later, she was quoted as saying, "sometimes I still have trouble turning right"

"A policy is a set of acceptable behaviors."
  • F. Schneider

Access Policy Enforcement

  • A protection state defines what each subject can do
    ‣ E.g., a set of access bits: the policy
  • A reference monitor enforces the protection state
    ‣ A service that responds to the query...
  • A correct reference monitor implementation meets the following guarantees
    ‣ Tamperproof
    ‣ Complete mediation
    ‣ Simple enough to verify
  • A protection system consists of a protection state, operations to modify that state, and a reference monitor to enforce that state

Access Control/Authorization

  • An access control system determines what rights a particular entity has for a set of objects
  • It answers the question
    ‣ E.g., do you have the right to read /etc/passwd?
    ‣ Does Alice have the right to view the EECS website?
    ‣ Do students have the right to share project data?
    ‣ Does Dr. McDaniel have the right to change your grades?
  • An access control policy answers these questions

The Access Matrix

  • An access matrix is one way to represent policy.
    ‣ Frequently used mechanism for describing policy
  • Columns are objects, subjects are rows.
    ‣ To determine if Si has the right to access object Oj, find the appropriate entry.
    ‣ There is a matrix for each right.
  • The access matrix is a succinct descriptor for O(|S|*|O|) rules

          O1   O2   O3
    S1    Y    Y    N
    S2    N    Y    N
    S3    N    Y    Y
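The protection state and reference monitor of the two slides above, as an added example (this is not code from the CSE543 slides): one Y/N matrix per right as the slide describes, and a monitor that mediates every read and write of an object against it. The subject and object names follow the slides; the class and method names, and the three key files used as sample state, are this example's own assumptions.

```python
# Added example (not code from the CSE543 slides): a protection state kept as
# one boolean matrix per right, and a reference monitor that mediates every
# access against it.  Subject/object names follow the slides; the class and
# method names are this example's own.
from collections import defaultdict


class AccessMatrix:
    """Protection state.  Rows are subjects, columns objects, one Y/N matrix per right.
    A missing entry is N, so the representation stays small for large |S| x |O|."""

    def __init__(self, rights=("read", "write")):
        self.rights = frozenset(rights)
        self._m = {r: defaultdict(dict) for r in self.rights}  # right -> subject -> object -> bool

    def set(self, subject, obj, right, allowed):
        if right not in self.rights:
            raise ValueError(f"unknown right {right!r}")
        self._m[right][subject][obj] = bool(allowed)

    def has(self, subject, obj, right):
        """Look up the (subject, object) cell of the matrix for this right."""
        return self._m.get(right, {}).get(subject, {}).get(obj, False)

    @classmethod
    def from_rows(cls, rows):
        """rows: subject -> object -> "R", "W", "RW" or "" (the slides' notation)."""
        m = cls()
        for s, objs in rows.items():
            for o, rw in objs.items():
                m.set(s, o, "read", "R" in rw)
                m.set(s, o, "write", "W" in rw)
        return m


class ReferenceMonitor:
    """Every read/write of an object goes through access(); nothing else touches
    the store (complete mediation).  The state and store are private only by
    convention here: a real monitor relies on the OS/hardware for tamperproofing."""

    def __init__(self, state, initial=None):
        self._state = state
        self._store = dict(initial or {})   # object -> contents (constructed sample data)
        self.log = []                        # (subject, object, right, decision) for audit

    def access(self, subject, obj, right, data=None):
        allowed = self._state.has(subject, obj, right)
        self.log.append((subject, obj, right, allowed))
        if not allowed:
            raise PermissionError(f"{subject} may not {right} {obj}")
        if right == "write":
            self._store[obj] = data
        return self._store.get(obj)


def denied(monitor, subject, obj, right, data=None):
    """True iff the monitor refuses the request (handy for checks and tests)."""
    try:
        monitor.access(subject, obj, right, data)
    except PermissionError:
        return True
    return False


# Assumed sample state (the slides' key-file exercise): O1 = J's private key,
# O2 = J's public key, O3 = a file everyone may read and write.
KEY_FILES = {
    "J":  {"O1": "R", "O2": "RW", "O3": "RW"},
    "S2": {"O1": "",  "O2": "R",  "O3": "RW"},
    "S3": {"O1": "",  "O2": "R",  "O3": "RW"},
}

if __name__ == "__main__":
    rm = ReferenceMonitor(AccessMatrix.from_rows(KEY_FILES), initial={"O1": "J-private-key"})
    print(rm.access("J", "O1", "read"))       # J reads its own private key
    print(denied(rm, "S2", "O1", "read"))     # S2 cannot read it directly
    print(denied(rm, "S2", "O2", "write"))    # only J may modify the public key
```

Note that the monitor decides only per request: it happily lets J read O1 and then write its contents into O3, which S2 may read. That is the point the Secrecy slide makes, and it is why the matrix alone does not settle the question; the reference monitor's three guarantees are about enforcing the state correctly, not about whether the state itself is a good policy.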

Access Control

  • Suppose the private key file for J is object O1
    ‣ Only J can read
  • Suppose the public key file for J is object O2
    ‣ All can read, only J can modify
  • Suppose all can read and write object O3
  • What's the access matrix?

          O1   O2   O3
    J     ?    ?    ?
    S2    ?    ?    ?
    S3    ?    ?    ?

Secrecy

  • Does the following protection state ensure the secrecy of J's private key in O1?

          O1   O2   O3
    J     R    RW   RW
    S2    N    R    RW
    S3    N    R    RW

    ‣ No: only J can read O1, but J can write O3, which S2 and S3 can read, so J (or any process running as J) can copy the key out. Secrecy needs control over where authorized subjects may write, not just over who may read.

Integrity

  • Does the following access matrix protect the integrity of J's public key file O2?

          O1   O2   O3
    J     R    RW   RW
    S2    N    R    RW
    S3    N    R    RW

    ‣ No: only J can write O2, but J can also read O3, which S2 and S3 can write, so what J writes into O2 may depend on lower-integrity data supplied by S2 or S3.

Least Privilege

  • Limit permissions to those required and no more
  • Consider three processes for user J
    ‣ Restrict the privilege of process J1 to prevent leaks

          O1   O2   O3
    J1    R    R    N
    J2    N    RW   N
    J3    N    R    RW
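The secrecy, integrity and least-privilege questions on the last three slides can be answered mechanically by following possible information flows through the matrix: a read lets data flow from an object to a subject, a write from a subject to an object. The following is an added example, not code from the CSE543 slides; the matrices are written as the slides draw them, and the rows for S2 and S3 in the split-J state are assumed to be unchanged from the earlier slide.

```python
# Added example (not from the CSE543 slides): a potential-information-flow check
# over an access matrix, used to answer the secrecy and integrity questions and
# to show why splitting J into J1..J3 (least privilege) helps.  Matrices are
# written the way the slides draw them: subject -> object -> "R", "W", "RW" or "".
from collections import deque


def flow_graph(matrix):
    """Directed graph of possible flows: object -> subject for each R,
    subject -> object for each W.  Nodes are ('S', name) / ('O', name)."""
    edges = {}

    def add(a, b):
        edges.setdefault(a, set()).add(b)
        edges.setdefault(b, set())

    for s, objs in matrix.items():
        for o, rights in objs.items():
            if "R" in rights:
                add(("O", o), ("S", s))
            if "W" in rights:
                add(("S", s), ("O", o))
    return edges


def reversed_graph(edges):
    rev = {n: set() for n in edges}
    for a, bs in edges.items():
        for b in bs:
            rev[b].add(a)
    return rev


def reachable(edges, start):
    """Breadth-first closure; start itself is included."""
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        for m in edges.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def readers_of(matrix, obj):
    """Subjects that can learn obj's contents, directly or via copies made through other objects."""
    return {name for kind, name in reachable(flow_graph(matrix), ("O", obj)) if kind == "S"}


def influencers_of(matrix, obj):
    """Subjects whose writes can end up in obj (directly, or via data that a writer of obj reads)."""
    rev = reversed_graph(flow_graph(matrix))
    return {name for kind, name in reachable(rev, ("O", obj)) if kind == "S"}


def secrecy_ok(matrix, obj, authorized):
    """Secrecy of obj holds if only authorized subjects can ever read it."""
    return readers_of(matrix, obj) <= set(authorized)


def integrity_ok(matrix, obj, trusted):
    """Integrity of obj holds if only trusted subjects can ever influence it."""
    return influencers_of(matrix, obj) <= set(trusted)


# The single-J state from the Secrecy/Integrity slides, and the Least Privilege
# state with J split into J1, J2, J3 (S2 and S3 rows assumed unchanged).
SINGLE_J = {
    "J":  {"O1": "R", "O2": "RW", "O3": "RW"},
    "S2": {"O1": "",  "O2": "R",  "O3": "RW"},
    "S3": {"O1": "",  "O2": "R",  "O3": "RW"},
}
SPLIT_J = {
    "J1": {"O1": "R", "O2": "R",  "O3": ""},
    "J2": {"O1": "",  "O2": "RW", "O3": ""},
    "J3": {"O1": "",  "O2": "R",  "O3": "RW"},
    "S2": {"O1": "",  "O2": "R",  "O3": "RW"},
    "S3": {"O1": "",  "O2": "R",  "O3": "RW"},
}

if __name__ == "__main__":
    print("single J: O1 readers     ", sorted(readers_of(SINGLE_J, "O1")))
    print("single J: O2 influencers ", sorted(influencers_of(SINGLE_J, "O2")))
    print("split J:  O1 readers     ", sorted(readers_of(SPLIT_J, "O1")))
    print("split J:  O2 influencers ", sorted(influencers_of(SPLIT_J, "O2")))
```

The analysis is conservative: it reports who could learn or influence an object if every granted right were exercised, which is the right question for a policy check since the matrix says nothing about what J's code actually does. With one subject J, the private key can reach S2 and S3 and the public key can be influenced by them; with J1 (read-only, no write rights) as the only reader of O1 and J2 as the only writer of O2, both properties hold.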

Access Control Administration

  • There are two central ways to specify a policy
  1. Discretionary - object "owners" define policy
    ‣ Users have discretion over who has access to what objects and when (trusted users)
    ‣ Canonical example: the UNIX filesystem
      - RWX assigned by file owners
  2. Mandatory - the environment enforces a static policy
    ‣ Access control policy is defined by the environment; the user has no control over access control (untrusted users)
    ‣ Canonical example: process labeling
      - The system assigns labels to processes and objects, and a dominance calculus is used to evaluate rights

Administrative Operations

  • An access matrix defines a protection state
  • A protection system also includes a set of operations for modifying that state
  • Examples
    ‣ Add right (UNIX): if the user is the owner of the object, then the user can add an operation to the set of operations permitted to another user
    ‣ Add right (copy flag): if a domain has the copy flag set for a right in its access matrix row, then it can add that right to any other domain's access row

DAC vs. MAC in Access Matrix

  • Subjects:
    ‣ DAC: users
    ‣ MAC: labels
  • Objects:
    ‣ DAC: files, sockets, etc.
    ‣ MAC: labels
  • Operations:
    ‣ Same
  • Administration:
    ‣ DAC: owner, copy flag, ...
    ‣ MAC: external
  • MAC: largely static matrix; DAC: all can change

          O1   O2   O3
    S1    Y    Y    N
    S2    N    Y    N
    S3    N    Y    Y
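The two "add right" administrative operations and the DAC-versus-MAC contrast above, as one added example (not code from the CSE543 slides). DACMatrix rows are users and cells are sets of rights; a right held with the copy flag is stored with a trailing '*', and an owner may grant anything on its object. MACMatrix rows and columns are labels, users never edit it, and only an external administrator assigns labels. The two-level label ordering, the dominance rule (read an object whose label you dominate, write one that dominates you), the administrator's name and the '*' encoding are all this example's assumptions, not something the slides specify.

```python
# Added example (not from the CSE543 slides): the administrative side of a
# protection system.  DACMatrix implements the two "add right" operations
# (owner rule, copy flag); MACMatrix is a label-indexed matrix that only an
# external administrator may change.  The label set, its ordering, the
# dominance rule and the administrator's name are assumptions of this example.


class DACMatrix:
    """Discretionary: rows are users, columns are objects, cells are sets of
    right names.  A right held with the copy flag is stored as right + '*'."""

    def __init__(self):
        self.cells = {}   # (subject, obj) -> {"read", "write*", ...}
        self.owner = {}   # obj -> subject that created it

    def create(self, subject, obj):
        self.owner[obj] = subject
        self.cells[(subject, obj)] = {"read*", "write*"}

    def rights(self, subject, obj):
        return {r.rstrip("*") for r in self.cells.get((subject, obj), set())}

    def can_grant(self, granter, obj, right):
        """Owner rule (UNIX-style), or copy-flag rule: granter holds right* on obj."""
        return self.owner.get(obj) == granter or (right + "*") in self.cells.get((granter, obj), set())

    def grant(self, granter, grantee, obj, right, copyable=False):
        """Add-right operation, administered by the owner or a domain holding the copy flag."""
        if not self.can_grant(granter, obj, right):
            raise PermissionError(f"{granter} cannot grant {right} on {obj}")
        self.cells.setdefault((grantee, obj), set()).add(right + ("*" if copyable else ""))


class MACMatrix:
    """Mandatory: subjects and objects are mapped to labels by the environment and
    the label x label matrix is fixed by a dominance rule, not by users.
    Assumed ordering low < high; assumed rule: a subject may read an object whose
    label it dominates and write an object whose label dominates its own."""

    ORDER = {"low": 0, "high": 1}
    ADMIN = "security_officer"   # external administrator (assumed name)

    def __init__(self):
        self.subject_label = {}
        self.object_label = {}

    @classmethod
    def dominates(cls, a, b):
        return cls.ORDER[a] >= cls.ORDER[b]

    @classmethod
    def matrix(cls):
        """The static label-indexed access matrix: (subject label, object label) -> rights."""
        m = {}
        for ls in cls.ORDER:
            for lo in cls.ORDER:
                rights = set()
                if cls.dominates(ls, lo):
                    rights.add("read")
                if cls.dominates(lo, ls):
                    rights.add("write")
                m[(ls, lo)] = rights
        return m

    def label(self, who, kind, name, label):
        """Only the external administrator assigns labels; users never edit the matrix."""
        if who != self.ADMIN:
            raise PermissionError("labels are assigned by the environment")
        if label not in self.ORDER:
            raise ValueError(f"unknown label {label!r}")
        (self.subject_label if kind == "subject" else self.object_label)[name] = label

    def allowed(self, subject, obj, right):
        ls, lo = self.subject_label[subject], self.object_label[obj]
        return right in self.matrix()[(ls, lo)]


def attempt(op, *args, **kwargs):
    """True iff the administrative operation was permitted."""
    try:
        op(*args, **kwargs)
    except PermissionError:
        return False
    return True
```

Under the DAC rules a user who was merely granted read (no copy flag) cannot pass it on, but a user granted read with the copy flag can, and nothing stops an owner from handing out rights that defeat the policy of the earlier slides. Under the assumed MAC rule, a high-labelled J cannot write a low-labelled O3 at all, which is exactly the write that leaked the private key in the Secrecy slide; that is the sense in which the environment, not the user, enforces the policy.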