Introduction to Computer and Network Security: Access Control and Protection Domains - Pro, Study notes of Computer Science

Part of the CSE543 course at Penn State University, focusing on computer and network security. It covers the concepts of trusted computing base, blindly following policy, access control, protection domains, and access control policy: the importance of access control systems, the difference between subjects and objects, and the role of protection domains in restricting access to computing system resources.

Typology: Study notes

Pre 2010

Uploaded on 09/24/2009

koofers-user-y3i-1

Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park, PA

CSE543 - Introduction to Computer and Network Security
Module: Access Control
Professor Patrick McDaniel
Fall 2008

Trusted Computing Base

  • The trusted computing base is the infrastructure that you assume will behave correctly
    ‣ Hardware (keyboard, monitor, …)
    ‣ Operating systems
    ‣ Implementations
    ‣ Local networks
    ‣ Administrators
    ‣ Other users on the same system
  • Axiom: the larger the TCB, the more assumptions you must make (and hence, the more opportunity to have your assumptions violated).

… when policy goes wrong

  • Driving license test: take until you pass
    ‣ Mrs. Miriam Hargrave of Yorkshire, UK failed her driving test 39 times between 1962 and 1970!!!!
    ‣ … she had 212 driving lessons ….
    ‣ She finally got it on the 40th try.
    ‣ Some years later, she was quoted as saying, “sometimes I still have trouble turning right”

Access Control/Authorization

  • An access control system determines what rights a particular entity has for a set of objects
  • It answers the question
    ‣ E.g., do you have the right to read /etc/passwd?
    ‣ Does Alice have the right to view the EECS website?
    ‣ Do students have the right to share project data?
    ‣ Does Dr. McDaniel have the right to change your grades?
  • An access control policy answers these questions

Protection Domains

[Figure: a protection domain enclosing Program A, its files and its memory]

  • The protection domain restricts access of external parties to our computing system’s resources
  • How is this done today?
    ‣ Memory protection
    ‣ E.g., UNIX protected memory, file-system permissions (rwx…)
  • A protection state describes the access of all programs

Access Control Policy

  • “A policy is a set of acceptable behaviors.”
    ‣ F. Schneider
  • An access control policy is a function:

    P(S,O,R) -> { accept, deny }

    ‣ Where S = the set of subjects, O = the set of objects, R = the set of rights
  • The policy is a lot of these tuples, whether explicitly represented that way or not.
  • There are many, many ways to represent these.

Designing an access control system

  • Separation of policy from mechanism
    ‣ We enforce policy via mechanism, e.g., the filesystem, etc.
    ‣ Policy is that which specifies rights
  • Idea: separation gives us the ability to change the meaning of policy or the enforcement of it quickly

“Let me try to explain to you, what to my taste is characteristic for all intelligent thinking. It is, that one is willing to study in depth an aspect of one’s subject matter in isolation for the sake of its own consistency, all the time knowing that one is occupying oneself only with one of the aspects. We know that a program must be correct and we can study it from that viewpoint only; we also know that it should be efficient and we can study its efficiency on another day. But nothing is gained, on the contrary, by tackling these various aspects simultaneously. It is what I sometimes have called the separation of concerns.” (Dijkstra)

Access Policy Enforcement

  • A protection state defines what each subject can do
    ‣ E.g., in an access matrix
  • A reference monitor enforces the protection state
    ‣ A service that responds to the query...
  • A correct reference monitor implementation meets the following guarantees
    ‣ Tamperproof
    ‣ Complete mediation
    ‣ Simple enough to verify
  • A protection system consists of a protection state, operations to modify that state, and a reference monitor to enforce that state

Access Control

  • Suppose the private key file for J is object O1
    ‣ Only J can read
  • Suppose the public key file for J is object O2
    ‣ All can read, only J can modify
  • Suppose all can read and write from object O3
  • What’s the access matrix?

           O1    O2    O3
    J      ?     ?     ?
    S2     ?     ?     ?
    S3     ?     ?     ?

Trusted Processes

  • Does it matter if we do not trust some of J’s processes?

           O1    O2    O3
    J      R     RW    RW
    S2     N     R     RW
    S3     N     R     RW

Integrity

  • Does the following access matrix protect the integrity of J’s public key file O2?

           O1    O2    O3
    J      R     RW    RW
    S2     N     R     RW
    S3     N     R     RW

Protection vs Security

  • Protection
    ‣ Security goals met under trusted processes
    ‣ Protects against an error by a non-malicious entity
  • Security
    ‣ Security goals met under potentially malicious processes
    ‣ Protects against any malicious entity
  • Hence, for J:
    ‣ A non-malicious process shouldn’t leak the private key by writing it to O3
    ‣ A potentially malicious process may contain a Trojan horse that can write the private key to O3
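The policy function P(S,O,R), the access matrix for J, S2 and S3, and the "protection vs security" question above, carried through in code. This is an added example, not code from the slides; the subject and object names come from the slides, while the function names and the flow check are assumptions chosen for illustration.

```python
# Added example (not from the CSE543 slides): the slides' access matrix over
# O1 (J's private key), O2 (J's public key) and O3 (the shared file), expressed
# as P(S,O,R) -> {accept, deny}, with a reference monitor and two checks.
from itertools import product

SUBJECTS = ("J", "S2", "S3")
OBJECTS = ("O1", "O2", "O3")

# Protection state: the access matrix from the "Trusted Processes" slide.
MATRIX = {
    ("J", "O1"): {"R"},  ("J", "O2"): {"R", "W"},  ("J", "O3"): {"R", "W"},
    ("S2", "O1"): set(), ("S2", "O2"): {"R"},      ("S2", "O3"): {"R", "W"},
    ("S3", "O1"): set(), ("S3", "O2"): {"R"},      ("S3", "O3"): {"R", "W"},
}

def policy(subject, object_, right):
    """P(S,O,R): 'accept' iff the matrix cell holds the requested right."""
    return "accept" if right in MATRIX.get((subject, object_), set()) else "deny"

def reference_monitor(subject, object_, right):
    """Complete mediation: every access is checked here and the caller
    performs the operation only when this returns True."""
    return policy(subject, object_, right) == "accept"

def integrity_protected(object_, owner):
    """True when no subject other than the owner can write the object
    (the "Integrity" slide's question about O2)."""
    return all(not reference_monitor(s, object_, "W")
               for s in SUBJECTS if s != owner)

def leak_paths(secret):
    """Flow analysis over the protection state: (reader, sink, other) triples
    where `reader` may read `secret` and write `sink`, and `other` may read
    `sink`. Each step is individually permitted by the monitor, so only the
    assumption that `reader`'s processes are trusted prevents the flow: this
    is the slides' protection (trusted processes) vs security distinction."""
    paths = []
    for reader, sink, other in product(SUBJECTS, OBJECTS, SUBJECTS):
        if sink == secret or other == reader:
            continue
        if (reference_monitor(reader, secret, "R")
                and reference_monitor(reader, sink, "W")
                and reference_monitor(other, sink, "R")):
            paths.append((reader, sink, other))
    return paths
```

`integrity_protected("O2", "J")` is True, so the matrix does protect the public key's integrity, while `leak_paths("O1")` is non-empty, so it cannot protect the private key against a Trojan horse in one of J's processes.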

Access Control Administration

There are two central ways to specify a policy

  1. Discretionary - object “owners” define policy
    ‣ Users have discretion over who has access to what objects and when (trusted users)
    ‣ Canonical example, the UNIX filesystem
      - RWX assigned by file owners
  2. Mandatory - environment enforces static policy
    ‣ Access control policy defined by the environment; the user has no control over access control (untrusted users)
    ‣ Canonical example, process labeling
      - System assigns labels for processes and objects, and a dominance calculus is used to evaluate rights

DAC vs. MAC

  • Discretionary Access Control
    ‣ User defines the access policy
    ‣ Can pass rights onto other subjects (discretion)
    ‣ Their programs can pass their rights
      - Consider a Trojan horse
  • Mandatory Access Control
    ‣ System defines access policy
    ‣ Subjects cannot pass rights
    ‣ Subjects’ programs cannot pass rights
      - Consider a Trojan horse here
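The DAC/MAC contrast from the last two slides, as an added example (not the slides' own code): under DAC the owner of an object, or any program running with the owner's identity, can pass rights; under MAC the system assigns labels and a dominance calculus decides, so neither subjects nor their programs can pass rights. The labels, levels and the two read/write rules are constructed assumptions for illustration, not definitions from the course.

```python
# Added example (not from the CSE543 slides): DAC rights passing vs. a
# label-based MAC dominance calculus. Levels, labels and rules are assumptions.
LEVELS = {"public": 0, "user": 1, "secret": 2}
OBJECT_LABEL = {"O1": "secret", "O2": "user", "O3": "user"}  # O1 = J's private key
SUBJECT_LABEL = {"J": "secret", "S2": "user", "S3": "user"}  # J's processes run at secret

def dominates(a, b):
    """Label a dominates label b when a's level is at least b's level."""
    return LEVELS[a] >= LEVELS[b]

def mac_policy(subject, object_, right):
    """Read only if the subject dominates the object (no read up); write only
    if the object dominates the subject (no write down). A Trojan horse in
    J's secret-level process therefore cannot write to user-level O3."""
    s, o = SUBJECT_LABEL[subject], OBJECT_LABEL[object_]
    if right == "R":
        ok = dominates(s, o)
    elif right == "W":
        ok = dominates(o, s)
    else:
        ok = False
    return "accept" if ok else "deny"

def mac_grant(state, granter, object_, subject, right):
    """MAC: subjects and their programs cannot pass rights; the request is
    refused and the protection state is left unchanged."""
    return False

def fresh_dac_state():
    """Constructed DAC state: J owns all three files and alone may read O1."""
    return {"owner": {"O1": "J", "O2": "J", "O3": "J"},
            "rights": {("J", "O1"): {"R"}, ("S2", "O1"): set(), ("S3", "O1"): set()}}

def dac_policy(state, subject, object_, right):
    """DAC: a lookup in the owner-maintained access matrix."""
    cell = state["rights"].get((subject, object_), set())
    return "accept" if right in cell else "deny"

def dac_grant(state, granter, object_, subject, right):
    """DAC: the owner, or a Trojan horse running with the owner's identity,
    may add a right to another subject's cell; non-owners are refused."""
    if state["owner"][object_] != granter:
        return False
    state["rights"].setdefault((subject, object_), set()).add(right)
    return True
```

Under the constructed labels J cannot write O2 either, which is the usual cost of strict no-write-down: publishing the public key needs a lower-level process, not J's secret-level one.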