Computer Security Lecture (IS-820) PDF

Summary

These lecture notes cover computer security, focusing on access control. The material discusses definitions, requirements, and principles. The figures are based on [SAND94].

Full Transcript


Computer Security (IS-820)
Instructor: Dr. Muhammad Usama
Email: [email protected]
Book: Computer Security - Principles and Practice (Chapter 4)

Access Control

Access Control Definitions 1/2
NIST-IR 7298 (Glossary of Key Information Security Terms, May 2013) defines access control as: “the process of granting or denying specific requests to: (1) obtain and use information and related information processing services; and (2) enter specific physical facilities”

Access Control Definitions 2/2
RFC 4949, Internet Security Glossary, defines access control as: “a process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy”

Table 4.1 Access Control Security Requirements (SP 800-171)

Basic Security Requirements
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Derived Security Requirements
3. Control the flow of CUI in accordance with approved authorizations.
4. Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
5. Employ the principle of least privilege, including for specific security functions and privileged accounts.
6. Use non-privileged accounts or roles when accessing nonsecurity functions.
7. Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
8. Limit unsuccessful logon attempts.
9. Provide privacy and security notices consistent with applicable CUI rules.
10. Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
11. Terminate (automatically) a user session after a defined condition.
12. Monitor and control remote access sessions.
13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
14. Route remote access via managed access control points.
15. Authorize remote execution of privileged commands and remote access to security-relevant information.
16. Authorize wireless access prior to allowing such connections.
17. Protect wireless access using authentication and encryption.
18. Control connection of mobile devices.
19. Encrypt CUI on mobile devices.
20. Verify and control/limit connections to and use of external information systems.
21. Limit use of organizational portable storage devices on external information systems.
22. Control CUI posted or processed on publicly accessible information systems.

CUI = controlled unclassified information (Table is on page 107 in the textbook)

Access Control Principles
In a broad sense, all of computer security is concerned with access control. RFC 4949 defines computer security as: “measures that implement and assure security services in a computer system, particularly those that assure access control service”

Access Control and Security Functions
(Figure. Source: Based on [SAND94].)

Classes of Access Control
Owner: This may be the creator of a resource, such as a file. For system resources, ownership may belong to a system administrator. For project resources, a project administrator or leader may be assigned ownership.
Group: In addition to the privileges assigned to an owner, a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a user may belong to multiple groups.
World: The least amount of access is granted to users who can access the system but are not included in the categories owner and group for this resource.

Access Rights
An access right describes the way in which a subject may access an object.
Access rights could include the following: Read, Write, Execute, Delete, Create, Search.

Subjects, Objects, and Access Rights
Subject: An entity capable of accessing objects. Three classes: Owner, Group, World.
Object: A resource to which access is controlled; an entity used to contain and/or receive information.
Access right: Describes the way in which a subject may access an object. Could include: Read, Write, Execute, Delete, Create, Search.

Access Control Policies
Discretionary access control (DAC)
o Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
Mandatory access control (MAC)
o Controls access based on comparing security labels with security clearances
Role-based access control (RBAC)
o Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
Attribute-based access control (ABAC)
o Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

Discretionary Access Control (DAC)
Scheme in which an entity may be granted access rights that permit the entity, by its own volition, to enable another entity to access some resource.
Often provided using an access matrix:
o One dimension consists of identified subjects that may attempt data access to the resources
o The other dimension lists the objects that may be accessed
Each entry in the matrix indicates the access rights of a particular subject for a particular object.

Discretionary Access Control
Figure 4.2 Example of Access Control Structures: (a) access matrix, with subjects User A, User B and User C as rows, objects File 1 to File 4 as columns, and entries drawn from Own, Read and Write; the same example is then shown as access control lists and as capability lists.

Example of DAC: Access Matrix – Access Control List (column-wise → object-wise)

Example of DAC: Access Matrix – Capability List (row-wise → subject-wise)

Example of DAC:
Access Matrix – Authorization Table (arranged subject-wise)

An Access Control Model
The model assumes a set of subjects, a set of objects, and a set of rules that govern the access of subjects to objects. The protection state of a system is defined as the set of information, at a given point in time, that specifies the access rights for each subject with respect to each object.

Requirements of a protection state:
o Representing the protection state.
o Enforcing access rights.
o Allowing subjects to alter the protection state in certain ways.

Representing the universe of objects:
Processes: Access rights include the ability to delete a process, stop (block) a process, and wake up a process.
Devices: Access rights include the ability to read/write the device, to control its operation (e.g., a disk seek), and to block/unblock the device for use.
Memory locations or regions: Access rights include the ability to read/write certain regions of memory that are protected such that the default is to disallow access.
Subjects: Access rights with respect to a subject have to do with the ability to grant or delete access rights of that subject to other objects, as explained subsequently.

The Extended Access Control Matrix
For an access control matrix A, each entry A[S, X] contains strings, called access attributes, that specify the access rights of subject S to object X. For example, in the figure, S1 may read file F1 because ‘read’ appears in A[S1, F1].

The Access Control Module
From a logical or functional point of view, a separate access control module is associated with each type of object. The module evaluates each request by a subject to access an object to determine if the access right exists. An access attempt triggers the following steps:
1. A subject S0 issues a request of type α for object X.
2.
The request causes the system (the operating system or an access control interface module of some sort) to generate a message of the form (S0, α, X) to the controller for X.
3. The controller interrogates the access matrix A to determine if α is in A[S0, X]. If so, the access is allowed; if not, the access is denied and a protection violation occurs. The violation should trigger a warning and appropriate action.

The Access Control Function
Every access by a subject to an object is mediated by the controller for that object, and the controller’s decision is based on the current contents of the matrix. In addition, certain subjects have the authority to make specific changes to the access matrix. A request to modify the access matrix is treated as an access to the matrix, with the individual entries in the matrix treated as objects. Such accesses are mediated by an access matrix controller, which controls updates to the matrix.

Rules to Modify the Access Control Matrix
Suppose that the entry α* exists in A[S0, X]. This means that S0 has access right α to subject X and, because of the presence of the copy flag, can transfer this right, with or without the copy flag, to another subject. In the case of Rule R1, a subject would transfer the access right without the copy flag if there were a concern that the new subject would maliciously transfer the right to another subject that should not have that access right. For example, S1 may place ‘read’ or ‘read*’ in any matrix entry in the F1 column.

Rule R2 states that if S0 is designated as the owner of object X, then S0 can grant an access right to that object for any other subject: S0 can add any access right to A[S, X] for any S, if S0 has ‘owner’ access to X.
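The access matrix and its three DAC representations (column-wise ACL, row-wise capability list, subject-wise authorization table), together with the controller check of step 3, as an added Python example that is not part of the lecture or the textbook. The sample matrix is constructed, modelled on Figure 4.2(a), and the function names are the example's own.

```python
from collections import defaultdict

# Constructed sample modelled on Figure 4.2(a): rows are subjects, columns are
# objects, and an absent entry means the subject holds no rights on that object.
ACCESS_MATRIX = {
    "User A": {"File 1": {"Own", "Read", "Write"}, "File 3": {"Own", "Read", "Write"}},
    "User B": {"File 1": {"Read"}, "File 2": {"Own", "Read", "Write"},
               "File 3": {"Write"}, "File 4": {"Read"}},
    "User C": {"File 1": {"Read", "Write"}, "File 2": {"Read"},
               "File 4": {"Own", "Read", "Write"}},
}


def access_control_lists(matrix):
    """Column-wise (object-wise) view: each object lists its subjects and their rights."""
    acl = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl[obj][subject] = set(rights)
    return dict(acl)


def capability_lists(matrix):
    """Row-wise (subject-wise) view: each subject carries tickets for the objects it may use."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def authorization_table(matrix):
    """One (subject, right, object) row per granted right, sorted subject-wise."""
    return sorted((s, right, o) for s, row in matrix.items()
                  for o, rights in row.items() for right in rights)


def controller_decision(matrix, subject, right, obj):
    """The controller for obj answers a (subject, right, obj) request from A[subject, obj]."""
    return right in matrix.get(subject, {}).get(obj, set())


def mediate(matrix, requests):
    """Pass each (subject, right, obj) request through the controller; a denial is a violation."""
    log = []
    for subject, right, obj in requests:
        if controller_decision(matrix, subject, right, obj):
            log.append(f"ALLOW {subject} {right} {obj}")
        else:
            log.append(f"VIOLATION {subject} {right} {obj}")  # should trigger a warning
    return log
```

Note that a subject unknown to the matrix (no row at all) is denied by the same lookup as a known subject lacking the right, so the default is deny.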
Rule R3 permits S0 to delete any access right from any matrix entry in a row for which S0 controls the subject and from any matrix entry in a column for which S0 owns the object.

Rule R4 permits a subject to read that portion of the matrix that it owns or controls.

Rule R5 states that any subject can create a new object, which it owns, and can then grant and delete access to the object. Under Rule R6, the owner of an object can destroy the object, resulting in the deletion of the corresponding column of the access matrix.

Rule R7 enables any subject to create a new subject; the creator owns the new subject, and the new subject has control access to itself. Rule R8 permits the owner of a subject to delete the row and column (if there are subject columns) of the access matrix designated by that subject.

Hierarchy of Subjects
The ability of one subject to create another subject and to have ‘owner’ access right to that subject can be used to define a hierarchy of subjects. For example, in the figure, S1 owns S2 and S3, so that S2 and S3 are subordinate to S1. By the rules above, S1 can grant and delete to S2 access rights that S1 already has. Thus, a subject can create another subject with a subset of its own access rights. This might be useful, for example, if a subject is invoking an application that is not fully trusted and does not want that application to be able to transfer access rights to other subjects.
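Rules R1, R2, R3, R5 and R7 with the copy flag, and the untrusted-application scenario from the hierarchy slide, as an added Python example that is not the textbook's or the lecture's code. The class, the use of PermissionError to signal a protection violation, and the names S1, S2, S3 and F1 as used here are assumptions of the example.

```python
class ExtendedAccessMatrix:
    def __init__(self):
        self.A = {}  # {subject: {object: set of attributes}}; a trailing '*' is the copy flag

    def entry(self, s, x):
        return self.A.setdefault(s, {}).setdefault(x, set())

    def has(self, s, x, attr):
        return attr in self.A.get(s, {}).get(x, set())

    def transfer(self, s0, s, x, alpha, with_copy_flag):  # R1
        # S0 needs alpha* on X; S receives alpha* only if S0 chooses to pass the flag on
        if not self.has(s0, x, alpha + "*"):
            raise PermissionError(f"{s0} holds no copyable {alpha!r} on {x}")
        self.entry(s, x).add(alpha + ("*" if with_copy_flag else ""))

    def grant(self, s0, s, x, attr):  # R2: the owner of X may add any right on X for any S
        if not self.has(s0, x, "owner"):
            raise PermissionError(f"{s0} does not own {x}")
        self.entry(s, x).add(attr)

    def delete(self, s0, s, x, attr):  # R3: rows S0 controls, columns S0 owns
        if not (self.has(s0, s, "control") or self.has(s0, x, "owner")):
            raise PermissionError(f"{s0} neither controls {s} nor owns {x}")
        self.entry(s, x).discard(attr)

    def create_object(self, s0, x):  # R5: the creator becomes owner
        self.entry(s0, x).add("owner")

    def create_subject(self, s0, s):  # R7: creator owns the new subject, which controls itself
        self.entry(s0, s).add("owner")
        self.entry(s, s).add("control")


def untrusted_app_scenario():
    """S1 hands a non-copyable 'read' on F1 to subordinate S2, so S2 cannot leak it to S3."""
    m = ExtendedAccessMatrix()
    m.create_object("S1", "F1")                  # R5: S1 owns F1
    m.grant("S1", "S1", "F1", "read*")           # R2: owner gives itself a copyable read
    m.create_subject("S1", "S2")                 # R7: S1 owns S2, so S2 is subordinate
    m.transfer("S1", "S2", "F1", "read", False)  # R1: read without the copy flag
    try:
        m.transfer("S2", "S3", "F1", "read", False)
        leaked = True
    except PermissionError:                      # protection violation: S2 holds no read*
        leaked = False
    s2_read = m.has("S2", "F1", "read")
    m.delete("S1", "S2", "F1", "read")           # R3: S1 owns column F1, so it can revoke
    return s2_read, leaked, m.has("S2", "F1", "read")
```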
