OS Security

Access Control & Authentication

OS System vulnerabilities

• Operational fault• Environmental fault• Coding fault

Protection Mechanisms

• Concept of sharing resources– No Protection– Isolation– Share all or Share Nothing– Share via access limitation– Share via dynamic capabilities– Limit use of an object

• Protection of Memory• Protection based on an OS mode• File sharing

Access Control• Permit or deny the use of an object by a

subject• Services– Identification– Authentication– Authorization– Accountability

• Access Control Techniques

Security Models

• A model is a simplified representation used to explain a real world system

• Security models are used to design a system to protect secrets

Discretionary Access Control(DAC)

• No precise definition• Widely used in modern operating systems• In most implementations it has the notion of

owner of an object• The owner controls other users’ accesses to

the object• Allows access rights to be propagated to other

subjects

Discretionary Access Control (DAC) Security Model

• The owner of an object controls who and what may access it. Access is at the owner’s discretion.– Example: shared file server where access

permissions are administered by the owners (users) of its contents.

Access Control Matrix

• Abstract ,formal security model used in computer systems

• Subjects• Objects• Rights

1) Access Control Matrix

U

V

F G

orw

orwr

subjects

objects (and subjects)

rights

o – own r – read w – write

Subjects

• Are subjects users?

user

principals

subjects

User - Principals

• One to many mapping between user and principals

• System authenticates user in the context of principal

• Shared principals (accounts) are not good for accountability

user principals

Alice

Alice.Top-secret

Alice.Secret

Bob

Bob.Dean

Bob.Faculty

Bob.Super-user

Principal - Subjects• One to many mapping

between principal and subjects

• A subject is a program or application run on behalf of principal

• Subjects are often treated the same as principal if all subjects of a principal have the same rights

subjectsprincipal

Alice.Top-secret

Email

Word

Database

Objects• An object is anything on which a subject can perform

operations (mediated by rights)

• Usually objects are passive, for example– File – Directory (or Folder)– Memory segment

• But, subjects can also be objects, with operations– Kill– Suspend – Resume

Rights

• A right specifies what kind of access a subject can perform on an object– Own– Read– Write– Execute– Create– Delete– Transfer

Implementation of Access Control Matrix

U

V

F G

orw

orwr

subjects

objects

rightsCapabilities

ACL (Access Control Lists)

2) Access Control List (ACL)• ACL – Each column of access control matrix is stored

with corresponding object

• ACL requires subjects to be authenticated before access to a particular object

U:o

U:r

U:w

V:r

V:o

V:r

V:w

F G File PointerSubj

Access right

F

G U

V

V

orw

r

orw

3) Capabilities

• Capabilities – Each row of access control matrix is stored with corresponding subject

• Capabilities do not require subjects to be authenticated but require– Capabilities are unforgeable – Propagation of capabilities are under control

F/o, F/r, F/w

F/r, G/o, G/r, G/w

U

V

Comparison of ACL and Capabilities• ACL– Access rights stored with

objects– Requires authentication

of subjects

– Provides access review on a per-object basis

– Most operating systems such as UNIX and Windows use ACL to protect files

• Capabilities– Access rights stored with

subjects– Requires unforgeability of

capabilities and propagation control of capabilities

– Provides revocation facilities on a per-subject basis

– Used in authentication systems such as Kerberos

Problems with DAC in OS• DAC cannot protect against

– Trojan horse– Malware– Software bugs– Malicious local users

• It cannot control information flow

Mandatory Access Control (MAC) Security Model

• System controls access to resources• When a subject requests access to

an object– The system examines the user’s identity and

access rights, and compares to access permissions of the object

• System then permits or denies the access– Example: shared file server where access

permissions are administered by an administrator

Mandatory Access Control (MAC) Security Model

• MAC specifies the access that subjects have to objects based on subjects and objects classification– Based on security labels attached to subjects and

objects• Security label to subject security clearance• Security label to object security classification

– Users have no control of security labels, but information flow is restricted to certain can-flow paths

• This type of security has also been referred to as multilevel security

Multi-level Security Model

• Several levels of security– Such as Confidential, Secret, Top Secret

• People have varying levels of security clearance– Such as Confidential, Secret, Top Secret

• System will control access to objects according to their level and the level of the persons accessing them

Security levels• A security level a category set• The security level is an element from a totally

ordered set - example{Top Secret (TS), Secret (S), Confidential (C),

Unclassified (U)} where TS > S > C >U

• The category set is a set of elements, dependent from the application area in which data are to be used – example

{Army, Navy, Air Force, Nuclear}

Hierarchical Structure

• Military security classes as security labels:Top secret

Secret

Confidential

Unclassified

High level

Low level

Can-flow

Security levels• The security level ,at a commercial site, you

might define the following corporate hierarchy: {CORPORATE ,BRANCH, DEPARTMENTS}• In a commercial environment, your categories

might correspond to company departments, product names, ad campaigns, or any other setup you wish to implement:– example

{ACCOUNTING, PR, MARKETING, SALES, R&D}

Bell LaPadula Security Model(1973)

• A formal MAC model

• State machine model that addresses the

confidentiality of information.

• Uses No Read Up & No Write Down

BLP Model • Simple-security

property( ss – property)

– Subject S can read object O only if • Information can flow

from label(O) to label(S)

• Star-property(*-property)

– Subject S can write object O only if • Information can flow

from label(S) to label(O)

Label(S)

Label(O)

Can-flow

Label(O)

Label(S)

Can-flow

Read down

Write up

Bell LaPadula Security Model (cont.)

• No Read Up (NRU)– A subject can read all documents at or below his

level of security, but cannot read any documents above his level of security

– Prevents learning secrets at a higher security level– E.g., an unclassified user cannot read a top-secret

document

Bell LaPadula Security Model (cont.)

• No Write Down (NWD)– A subject can write documents at or above his level

of security, but cannot write documents below his level

– Prevents leaks of secrets– E.g., cannot copy top secret file into secret file

Bell LaPadula Model Problem

• In Bell LaPadula– A subject at a lower security level

can overwrite and potentially destroy secret information at a higher level (even though they cannot see it)

– No Write Down and No Read Up don't prevent this "Write Up" operation

• Bell LaPadula protects confidentiality but not integrity

The Biba Integrity Model(1977)

• The first formal integrity model, by preventing modifications to data by unauthorized persons.

• A subject cannot read documents below his level (no read down, NRD)

• A subject cannot write documents above his level (no write up, NWU)

Biba Model

• To guarantee the integrity of the data, we need precisely the reverse properties. – The simple integrity principle: A process

running at security level k can write only objects at its level or lower (no write up). – The integrity * property: A process running

at security level k can read only objects at its level or higher (no read down).

Example: Military Orders• Write Down is allowed– A General may write orders to a Colonel, who

can issue these orders to a Major• Integrity is preserved– In this fashion, the General's original orders are

kept intact and the mission of the military is protected

• Write Up is forbidden– Conversely, a Private can never issue orders to

his Sergeant, who may never issue orders to a Lieutenant, also protecting the integrity of the mission

Comparing the Models

• If you need to protect secrets, use Bell-Lapadula– No Write Down– No Read Up

• If you need to stay on target, use Biba– No Write Up– No Read Down

• Both of these are designed for the military, to protect high-level secrets

Role-based Access Control (RBAC) Security Model

• An improvement over the mandatory access control (MAC) security model

• Access permissions are granted to “roles” instead of “persons.”– Example: "Managers" can write to the Personnel

folder, but "Help Desk Workers" cannot

Role-based Access Control (RBAC) Security Model (cont.)

• Simplifies management in a complex system with many users and objects, used for commercial applications

• Makes changes much easier, because they involve changes to roles instead of to individuals

Authentication

• Process of establishing whether a client is who or what it claims to be

• User identity can be confirmed by:• Something you have• Something you know• Something you are

“Something you know…”• Login procedures– Usually something you know

• Password leaks– Commonly used password– Explicitly told

• Voluntarily• Trojan horse

– Trial and error– Intercepted communication

• paper, camera, wiretap, file on disk, emanations• password sniffing on networks

• Passwords are inconvenient– In client/server environment, user doesn’t want to enter

password for every service she connects to

“Something you have”• Authentication using a physical object• Several subcategories• One of interest here are cryptographic smart

cards:– Store user’s digital certificate and/or private key– Used to prevent private keys from being “hacked”

from user’s computer– What happens if a smart card is stolen?

“Something you are…”

• Authentication using Biometrics– Enrollment– Identification

• Fingerprint recognition• Face recognition• Voice Authentication etc…

“Something you are…”Biometrics

Official levels of Computer Security•United States Government Department of Defense (DoD)•Trusted Computer System Evaluation Criteria (TCSEC)- “Orange Book”•Requirements:

1. Specific security requirements2. Assurance requirements

TCSEC /Orange Book

• 4 divisions- A,B,C,D– Specifies evaluation classes (D, C1, C2, B1, B2, B3, A1)– Specifies functionality and assurance requirements

for each class

• Each class defines 4 requirements– Policy– Accountability– Assurance– Documentation

TCSEC Classes

• D – Minimal Protection• C1 – Discretionary Security Protection– Identification and authentication and DAC– users processing data at common sensitivity level, separates

users from data– Minimal Assurance, may be based on features, not

evaluation• C2 – Control led access protection– Adds object reuse and auditing– More testing requirements– Windows NT 3.5 evaluated C2

TCSEC Classes• B1 – Labelled Security Protection

– Adds MAC for some objects• Controlled objects “labeled”, access control based on these

– Stronger testing requirements. Information model of security policy. Bell-La Padula model.

– Trusted Unix tended to be B1

• B2 – Structured protection– MAC for all objects, including devices. – Design and implementation must enable thorough testing & review

• “well-defined largely independent modules”– Trusted Path. Least privilege.– Covert channel analysis, configuration management, more

documentation, formal model of security policy

TCSEC Classes• B3 – Security Domains

– Requirements on code modularity, layering, simplicity.– Argument (short of proof) that implementation meets design

specifications– Tamper-proof implementation– More stringent testing and documentation.– XTS-200/STOP

• A1 – Verified protection– Same functional requirements as B3– Five criteria

• Formal model of protection and proofs of consistency/adequacy• Formal specification for protection system• Demonstration that specification corresponds to model of

protection• “proof” that implementation is consistent with specification• Formal analysis of covert channel

– Existence proof : Honeywell’s SCOMP

Trusted Computing Base• Trusted Computing Base

– Hardware and software for enforcing security rules process• Reference monitor

– Part of TCB Reference– All system calls go throughreference monitor for security checking– Most OS not designed thisway

Security Breaches

• Interception• Interruption• Modification• FabricationSecurity Hole - Software & hardware vulnerability– Holes that allow DoS– Holes that allow Local users unauthorized access– Holes that allow Remote users unauthorized access

• Other types:– FTP– Gopher– Telnet– Sendmail– ARP– Portmap

Threats

• Covert channel– Unauthorized, hidden channel of communications

that exists within a legitimate communications channel

– Includes timing attacks that leak data through changes in response times

– Difficult to detect– Examples: unused fields in packets, steganography

Threats (cont.)

• Side channel attack– Observation of the physical characteristics of

a system in order to make inferences on its operation – Examples: timing, power consumption, emanations

• State attacks– Time of check to time of use (TOCTTOU), also known

as a race condition– Data can be altered between the time of check and

the time of use ("winning the race")

Threats (cont.)

• Emanations– RF (radio frequency) emissions from CRTs

and equipment

• Maintenance hooks and back doors– Secret master password– Really happened in "Lock My PC" -- link Ch 9i

• Privileged programs– Artifacts of development, testing– Can be used to elevate privileges

Countermeasures

• Reduce the potential of a threat by reducing its probability of occurrence or its impact – Sniffers (bug detectors)– Source code reviews– Auditing tools

• Filesystem integrity, like Tripwire• Configuration checking like Windows Defender• Log analyzers

– Penetration testing– Application vulnerability testing