Uploaded by WorthJasper9548

Radboud University

Ioan-Radu Bocu

Tags

computer security trusted computing base authorization security

Summary

This document is an assignment with questions and answers on computer security, specifically Trusted Computing Bases (TCBs) and privilege escalation. The assignment explores different aspects of TCBs, including their advantages, disadvantages and security implications. It discusses authorization and privilege escalation, and the use cases of role-based access control, attribute-based access control, and the principle of least privilege.

Full Transcript

Name: Ioan-Radu Bocu
Student number: s1104958

1. According to the Orange Book, the Trusted Computing Base represents the combination of hardware, software, and controls within a system that work together in order to enforce a computer security policy.

2. I would say that a big TCB has a larger (more comprehensive) security coverage. A larger TCB could include extensive mechanisms for logging, encryption and secure communications. Because of this, security can be enforced in terms of multiple aspects. Also, a larger TCB can provide more flexibility of use, in the sense that developers can benefit from the large number of built-in functions that can be used straight away without needing to come up with additional security engineering.

3. A small TCB, because of its size (fewer components to secure), is easier to protect as it has fewer vulnerabilities. Also, a small TCB provides portability, in the sense that a small TCB is easier to integrate in most systems; it is easy to transfer it from one system to another without much effort.

4. Three elements that are inside the TCB are: the kernel, the authentication mechanisms (biometrics/passwords) and the cryptography component (which stores and manages the keys, and provides secure encryption and decryption mechanisms).

5. Three elements that should probably not be inside the TCB are: third-party applications, activity surveillance mechanisms (such as loggers, which can introduce risks if sensitive data is exposed) and other unnecessary user applications that just increase the complexity of the TCB (so that, in this way, it would be more exposed to vulnerabilities).

6. I would say the biggest threat to the TCB is the hardware it relies on. Without secure/reliable hardware you cannot achieve a TCB, as hardware is a key component within the TCB. A way in which the hardware can be put under threat is via a supply-chain attack.

7. A way in which this can be mitigated is to establish harsh control on all hardware components that come from outside the company. The components should be scanned or reverse engineered in such a way that their reliability can be ensured.

8. I would say that the TCB should be as small as possible, while still being large enough to support the system's essential security needs.

1) The privileges of a user in a system are all the operations that a user is allowed to perform based on the context he/she is in and the role of the user in the hierarchy (root user or any other user). Privileges can be: reading, writing, modifying files, installing or removing software, managing user accounts and modifying systems.

2) I would say that confidentiality is affected. Confidentiality is about ensuring the protection of sensitive content. The credentials are also sensitive data, so they also need to be protected.

3) If the authorization mechanism were to be broken, then there could be the case that, being a root user, you would not be able to perform some specific administrative operations. As a root user, you need to be able to run administrative operations. So, the integrity of the software is affected because the software was manipulated via one of its vulnerabilities. Taking advantage of the vulnerability breaks the integrity.

4) The authorization mechanism is broken. If the attacker finds out that they have the right to change another user's password, then it means that the attacker has been granted some strong privileges such that he/she is able to perform this. If an attacker was granted such important privileges that are out of the scope of the attacker's role, then the authorization is broken.

5) It can be the case that a basic user may be able to perform the same administrative tasks as the root user (sudo). The sudo configuration may be misconfigured in such a way that a basic user can run sudo commands. By running the sudo command, the user gains access to the root shell. In this way, because of this vulnerability of the authorization, privilege escalation can take place.

6) The authorization model can be switched to the "principle of least privilege": a user should be granted the minimum privileges to perform their tasks. By strictly respecting this principle, the escalation in privilege cannot happen.

1) Role-Based Access Control, according to the paper "Role-Based Access Controls" by David Ferraiolo and Richard Kuhn, is a system in which access control decisions are based on the functions a user is allowed to perform. A role comes with a series of functions that can be performed and executed by the user being assigned this corresponding role.

2) A use case of RBAC can be within a company that makes use of databases that contain financial data about the company and employee records. The administrator is the most privileged and has full access to the whole database; then the manager of a department should have access to all information about that department and information about employees within that department. The department manager should not have rights to modify any data. Then we have the employee, who has access only to personal data where employee information is stored. So, the system activates when the users are logged in and their roles are checked; based on these roles they should be allowed to perform certain operations.

3) ABAC comes up with the following thing: user permissions don't depend just on the role assigned, but also on dynamic attributes such as the time of day. RBAC is very strict when it comes to permissions; they only depend on the role assigned. If things change, you need to come up with a new role based on every attribute that comes up. This would lead to a role explosion. So, ABAC integrates mechanisms that make the situation more flexible; it can take dynamic attributes into account in an efficient way. A company that uses ABAC can adapt more easily to changes.

4) According to the paper, the primary disadvantage of ABAC is changing user permissions. Determining user permissions is also difficult because the dynamic attributes of a user need to be determined and tested against all possible rules, which can be many because there are a lot of dynamic attributes in a company.

5) RBAC-A makes use of the following concepts: static role definition and dynamic attributes. In RBAC, for such a situation you need to define a specific role. "Teller" working on "Monday" from "9-17" is a different role from "Teller" working on "Tuesday" from "17-23". In ABAC, you would have 2 rules like: "If the role is teller and the working day is Tuesday and the working hours are 17-23, then the following procedures are allowed: proc1, proc2, proc3" and "If the role is teller and the working day is Monday and the working hours are 9-17, then the following procedures are allowed: proc4, proc5, proc6". In RBAC-A, you have a static role definition (in both cases we have "Tellers") and dynamic attributes {Working day: Monday, Working hours: 9-17} and {Working day: Tuesday, Working hours: 17-23}. Based on the dynamic attributes, some of the permissions from the standard role may be removed, or other new permissions may be added. So, in essence, there is only one role of "Teller" for both people, but adding attributes distinguishes between their permissions. The thing is that in RBAC-A, the attributes are checked in real time.

6) Linux makes use of a MAC system. The multiple types of MAC systems that Linux makes use of are: Security-Enhanced Linux (SELinux, which implements a robust MAC framework) and AppArmor (which provides a simpler, path-based MAC approach that confines applications to a set of specified resources). SELinux is a powerful MAC framework that ensures security policies via a combination of RBAC, type enforcement (TE) and multi-level security (MLS). On the other hand, AppArmor is a MAC system that makes use of path-based access control to restrict the capabilities of the applications.

7) Security-Enhanced Linux uses MAC via a framework which is different from RBAC, while AppArmor gives the permission based on path, not on roles. SELinux can be used to secure a web server, while AppArmor is used for preventing unauthorized file modifications.

8) I would still say yes, because depending on the context, different types of configuration may be used.

References:
https://medium.com/@tamerbenhassan/5-must-know-use-cases-of-apparmor-in-kubernetes-simple-examples-included-ea475cf00148
https://www.geeksforgeeks.org/securing-linux-with-mandatory-access-controls/
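The sudo misconfiguration described in answer 5) of the second question set (a basic user who can run any command through sudo and so reach a root shell) and the least-privilege remedy in answer 6) can be made concrete with a small review tool. The following Python script is an added example and is not part of the assignment: it parses user-specification lines of a sudoers file and flags grants to non-administrative principals that break least privilege. The sample sudoers text, the user names alice and bob, and the set of principals treated as "administrative" are all constructed assumptions; real deployments should adjust them.

```python
import re
from dataclasses import dataclass, field

# Constructed sample sudoers content (not taken from any real host). The
# comment lines mark what a least-privilege review should find.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# basic user granted every command as any user, with no password prompt
alice   ALL=(ALL) NOPASSWD: ALL
# least-privilege alternative: one named command, as root, password required
bob     ALL=(root) /usr/bin/systemctl restart nginx
"""

# user/group  host = (runas) [TAG: ...] command[, command ...]
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)
# sudoers tag keywords that may prefix a command list
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL"}
# principals expected to hold full root rights (assumption); everything else is "basic"
ADMIN_PRINCIPALS = {"root", "%sudo", "%wheel", "%admin"}
# directives that are not user specifications and are skipped by this parser
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")


@dataclass
class SudoEntry:
    line_no: int
    who: str
    host: str
    runas: str
    tags: list = field(default_factory=list)
    commands: list = field(default_factory=list)


def parse_sudoers(text):
    """Parse user-specification lines into SudoEntry records.

    Aliases and Defaults are skipped and only full-line comments are handled,
    which is enough for the review below but not a complete sudoers grammar.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        tags = []
        # peel off "TAG:" prefixes such as "NOPASSWD:" that precede the command list
        while True:
            head, sep, tail = rest.partition(":")
            if sep and head.strip().upper() in TAGS:
                tags.append(head.strip().upper())
                rest = tail.strip()
            else:
                break
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        # sudo's default run-as user is root when no (runas) list is given
        entries.append(SudoEntry(line_no, m.group("who"), m.group("host"),
                                 m.group("runas") or "root", tags, commands))
    return entries


def audit(entries):
    """Return (line_no, principal, reason) for grants that break least privilege."""
    findings = []
    for e in entries:
        if e.who in ADMIN_PRINCIPALS:
            continue
        if "ALL" in e.commands:
            findings.append((e.line_no, e.who,
                             "command list is ALL: the account can obtain a root shell"))
        if "NOPASSWD" in e.tags:
            findings.append((e.line_no, e.who,
                             "NOPASSWD: no re-authentication before a privileged command"))
    return findings


if __name__ == "__main__":
    for line_no, who, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"line {line_no}: {who}: {reason}")
```

Run as a script it reports only the alice line, twice (unrestricted command list and NOPASSWD); bob's entry, which names a single command run as root with a password prompt, is the least-privilege shape the answer recommends and produces no finding. On a real system the same review should be applied to every file under /etc/sudoers.d as well, since `@include` directives pull those in.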
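The three models compared in the last question set, RBAC in answer 2), ABAC in answer 3) and RBAC-A in answer 5), can be put side by side in one small policy engine. The Python below is an added example, not code from the assignment or from the Ferraiolo and Kuhn paper: the role names (administrator, department manager, employee, teller), the permission strings, the "Teller on Monday 9-17 / Tuesday 17-23" rules from answer 5) and the extra "approve overtime at month end" rule are constructed assumptions. It also generalises the role-explosion remark from answer 3) by counting how many roles pure RBAC would need to encode a set of attribute values.

```python
import math

# ---- RBAC: static roles with fixed permission sets (constructed, after the
# company database use case and the "Teller" role in the answers) ----
ROLES = {
    "administrator": {"read_all", "write_all", "manage_users"},
    "department_manager": {"read_department", "read_department_employees"},
    "employee": {"read_own_record"},
    "teller": {"proc1", "proc2", "proc3", "proc4", "proc5", "proc6"},
}


def rbac_permissions(role):
    """Pure RBAC: the decision depends only on the assigned role."""
    return set(ROLES.get(role, ()))


def rbac_roles_needed(base_roles, attribute_domains):
    """Roles a pure-RBAC deployment needs if every combination of attribute
    values must become its own role (the "role explosion")."""
    return base_roles * math.prod(len(values) for values in attribute_domains.values())


# ---- ABAC: rules over attributes only; the role is just one more attribute ----
ABAC_RULES = [
    (lambda a: a.get("role") == "teller" and a.get("day") == "Monday" and a.get("hours") == "9-17",
     {"proc4", "proc5", "proc6"}),
    (lambda a: a.get("role") == "teller" and a.get("day") == "Tuesday" and a.get("hours") == "17-23",
     {"proc1", "proc2", "proc3"}),
]


def abac_permissions(attrs):
    """Every rule is tested against the request's attributes; matches are unioned.
    With no matching rule nothing is granted (default deny)."""
    granted = set()
    for predicate, perms in ABAC_RULES:
        if predicate(attrs):
            granted |= perms
    return granted


# ---- RBAC-A: the static role gives the baseline; attribute rules evaluated
# at request time remove or add permissions. Tuples: (role, predicate, add, remove)
RBAC_A_RULES = [
    ("teller", lambda a: a.get("day") == "Monday" and a.get("hours") == "9-17",
     set(), {"proc1", "proc2", "proc3"}),
    ("teller", lambda a: a.get("day") == "Tuesday" and a.get("hours") == "17-23",
     set(), {"proc4", "proc5", "proc6"}),
    # constructed "add" rule: managers may approve overtime only at month end
    ("department_manager", lambda a: a.get("month_end") is True,
     {"approve_overtime"}, set()),
]


def rbac_a_permissions(role, attrs):
    """One static role per person; attributes adjust its permissions per request."""
    perms = rbac_permissions(role)
    for rule_role, predicate, add, remove in RBAC_A_RULES:
        if rule_role == role and predicate(attrs):
            perms = (perms | add) - remove
    return perms


def is_allowed(role, attrs, action):
    """Enforcement point: evaluated per request, so attributes are checked in real time."""
    return action in rbac_a_permissions(role, attrs)


if __name__ == "__main__":
    monday = {"day": "Monday", "hours": "9-17"}
    print("RBAC   teller:        ", sorted(rbac_permissions("teller")))
    print("ABAC   teller Monday: ", sorted(abac_permissions({"role": "teller", **monday})))
    print("RBAC-A teller Monday: ", sorted(rbac_a_permissions("teller", monday)))
    print("pure-RBAC roles for 1 role x 7 days x 3 shifts:",
          rbac_roles_needed(1, {"day": ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"],
                                "shift": ["9-17", "17-23", "23-9"]}))
```

The Monday teller ends up with proc4, proc5 and proc6 under both ABAC and RBAC-A, but RBAC-A reaches that result from a single "teller" role plus two attribute rules, whereas pure RBAC would need one role per day-and-shift combination (21 for seven days and three shifts). Note the design choice: the RBAC-A baseline here is the full role, so a teller whose attributes match no rule keeps all six procedures; a production policy would normally add a final rule that strips everything outside an approved shift so that the default is deny, as it already is in the ABAC function.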
