Chapter 8: Authorization (lecture slides, PDF)
Al-Imam Muhammad Ibn Saud Islamic University

Summary
This document provides an overview of access control, authentication, and authorization in computer systems. It covers topics like access control matrices, ACLs, capabilities, firewalls, intrusion detection systems, and covert channels. The document also explores the concept of multilevel security (MLS).
Full Transcript
Slide 1: Title
Kingdom of Saudi Arabia, Ministry of Higher Education
Al-Imam Muhammad ibn Saud Islamic University, College of Computer and Information Sciences
IS492 Information Security
Part II: Access Control
Chapter 8: Authorization

Slide 2: Chapter 8: Authorization
"It is easier to exclude harmful passions than to rule them, and to deny them admittance than to control them after they have been admitted." (Seneca)
"You can always trust the information given to you by people who are crazy; they have an access to truth not available through regular channels." (Sheila Ballantyne)

Slide 3: Authentication vs Authorization
• Authentication: Are you who you say you are?
  • Restrictions on who (or what) can access the system
• Authorization: Are you allowed to do that?
  • Restrictions on the actions of authenticated users
• Authorization is a form of access control
• Classic authorization is enforced by
  • Access Control Lists (ACLs)
  • Capabilities (C-lists)

Slide 4: Lampson's Access Control Matrix
• Subjects (users) index the rows
• Objects (resources) index the columns

                      OS    Accounting  Accounting  Insurance  Payroll
                            program     data        data       data
  Bob                 rx    rx          r           ---        ---
  Alice               rx    rx          r           rw         rw
  Sam                 rwx   rwx         r           rw         rw
  Accounting program  rx    rx          rw          rw         rw

Slide 5: Are You Allowed to Do That?
• The access control matrix has all the relevant info
• There could be 1000s of users and 1000s of resources
  • Then a matrix with 1,000,000s of entries
• How to manage such a large matrix?
• Need to check this matrix before access to any resource is allowed
  • How to make this efficient?
Slide 6: Access Control Lists (ACLs)
• ACL: store the access control matrix by column
• Example: the ACL for insurance data is the "Insurance data" column of the slide 4 matrix (highlighted on the slide): Bob ---, Alice rw, Sam rw, Accounting program rw

Slide 7: Capabilities (or C-Lists)
• Store the access control matrix by row
• Example: the capability for Alice is her row of the slide 4 matrix (highlighted on the slide): OS rx, Accounting program rx, Accounting data r, Insurance data rw, Payroll data rw

Slide 8: ACLs vs Capabilities
• The same matrix is drawn two ways on the slide:

          file1  file2  file3
  Alice   r      ---    r
  Bob     w      r      ---
  Fred    rw     r      r

  Access Control List: each file points to the users and their rights (file1: Alice r, Bob w, Fred rw; file2: Bob r, Fred r; file3: Alice r, Fred r)
  Capability: each user points to the files and their rights (Alice: file1 r, file3 r; Bob: file1 w, file2 r; Fred: file1 rw, file2 r, file3 r)
• Note that the arrows point in opposite directions...
• With ACLs, we still need to associate users to files

Slide 9: Confused Deputy
• Two resources: the compiler and the BILL file (billing info)
• Access control matrix:

            Compiler  BILL
  Alice     x         ---
  Compiler  rx        rw

• The compiler can write the file BILL
• Alice can invoke the compiler with a debug filename
• Alice is not allowed to write to BILL

Slide 10: ACLs and Confused Deputy
• (Diagram: Alice invokes the Compiler, which writes BILL)
• The compiler is a deputy acting on behalf of Alice
• The compiler is confused
  • Alice is not allowed to write BILL
  • The compiler has confused its rights with Alice's

Slide 11: Confused Deputy
• The compiler acting for Alice is confused
• There has been a separation of authority from the purpose for which it is used
• With ACLs, it is difficult to avoid this problem
• With capabilities, it is easier to prevent the problem
  • Must maintain the association between authority and intended purpose
  • Capabilities make it easy to delegate authority

Slide 12: ACLs vs Capabilities
• ACLs
  • Good when users manage their own files
  • Protection is data-oriented
  • Easy to change rights to a resource
• Capabilities
  • Easy to delegate: avoids the confused deputy
  • Easy to add/delete users
  • More difficult to implement
  • Capabilities are loved by academics
    • "Capability Myths Demolished"

Slide 13: Multilevel Security (MLS)
(Part 2: Access Control)
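Before the MLS part, the ACL, capability and confused-deputy slides above (4 to 12) worked as an added Python example (not code from the slides): the slide 4 matrix stored by column and by row, and the compiler/BILL request checked under each representation. Rights strings and the two matrices are transcribed from the slides; everything else is this example's own.

```python
# Added example, not from the slides: Lampson's matrix (slide 4) stored by
# column (ACLs, slide 6) and by row (capabilities, slide 7), then the
# compiler/BILL confused deputy (slides 9 to 11) checked both ways.

# Transcribed from the slide 4 matrix: subject -> object -> rights ("" = none)
MATRIX = {
    "Bob":   {"OS": "rx",  "Accounting program": "rx",  "Accounting data": "r",  "Insurance data": "",   "Payroll data": ""},
    "Alice": {"OS": "rx",  "Accounting program": "rx",  "Accounting data": "r",  "Insurance data": "rw", "Payroll data": "rw"},
    "Sam":   {"OS": "rwx", "Accounting program": "rwx", "Accounting data": "r",  "Insurance data": "rw", "Payroll data": "rw"},
    "Accounting program":
             {"OS": "rx",  "Accounting program": "rx",  "Accounting data": "rw", "Insurance data": "rw", "Payroll data": "rw"},
}

def acls(matrix):
    """Store by column: object -> {subject: rights}. One ACL per resource."""
    out = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                out.setdefault(obj, {})[subject] = rights
    return out

def capabilities(matrix):
    """Store by row: subject -> {object: rights}. One C-list per subject."""
    return {s: {o: r for o, r in row.items() if r} for s, row in matrix.items()}

def acl_allows(acl, subject, obj, right):
    """ACL lookup starts from the object's list and searches for the subject."""
    return right in acl.get(obj, {}).get(subject, "")

def cap_allows(caps, subject, obj, right):
    """Capability lookup starts from the subject's list and searches for the object."""
    return right in caps.get(subject, {}).get(obj, "")

# Transcribed from slide 9: Alice may run the compiler; only the compiler may write BILL
DEPUTY_MATRIX = {
    "Alice":    {"Compiler": "x",  "BILL": ""},
    "Compiler": {"Compiler": "rx", "BILL": "rw"},
}

def deputy_write_acl(acl, deputy, output_file):
    """Slide 10: with ACLs the system checks the identity of the running deputy
    (the compiler), not of the invoker, so a debug-output request naming BILL
    passes even though Alice herself has no right to BILL."""
    return acl_allows(acl, deputy, output_file, "w")

def deputy_write_caps(caps, invoker, output_file):
    """Slide 11: with capabilities the compiler writes only through a capability
    handed over by the invoker, so authority stays tied to its intended purpose."""
    return cap_allows(caps, invoker, output_file, "w")

if __name__ == "__main__":
    print("ACL for Insurance data:", acls(MATRIX)["Insurance data"])
    print("Capability list for Alice:", capabilities(MATRIX)["Alice"])
    print("ACL check, compiler writes BILL for Alice:", deputy_write_acl(acls(DEPUTY_MATRIX), "Compiler", "BILL"))
    print("Capability check, Alice's capability for BILL:", deputy_write_caps(capabilities(DEPUTY_MATRIX), "Alice", "BILL"))
```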
Slide 14: Classifications and Clearances
• Classifications apply to objects
• Clearances apply to subjects
• The US Department of Defense (DoD) uses 4 levels:
  • TOP SECRET
  • SECRET
  • CONFIDENTIAL
  • UNCLASSIFIED

Slide 15: Clearances and Classification
• Obtaining a SECRET clearance requires a routine background check
• A TOP SECRET clearance requires an extensive background check
• Practical classification problems
  • Proper classification is not always clear
  • Level of granularity at which to apply classifications
  • Aggregation: the flip side of granularity

Slide 16: Subjects and Objects
• Let O be an object and S a subject
  • O has a classification
  • S has a clearance
• Security levels are denoted L(O) and L(S)
• For the DoD levels, we have TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED

Slide 17: Multilevel Security (MLS)
• MLS is needed when subjects/objects at different levels use/are on the same system
• MLS is a form of access control
• Military and government interest in MLS for many decades
  • Lots of research into MLS
  • Strengths and weaknesses of MLS are well understood (almost entirely theoretical)
• Many possible uses of MLS outside the military

Slide 18: MLS Applications
• Classified government/military systems
• Business example: info restricted to
  • Senior management only, all management, everyone in the company, or the general public
• Network firewall
• Confidential medical info, databases, etc.
• Usually, MLS is not a viable technical system
  • More of a legal device than a technical system

Slide 19: Covert Channel

Slide 20: Covert Channel
• MLS is designed to restrict legitimate channels of communication
• There may be other ways for information to flow
• For example, resources shared at different levels could be used to "signal" information
• Covert channel: a communication path not intended as such by the system's designers

Slide 21: Covert Channel Example
• Alice has a TOP SECRET clearance, Bob has a CONFIDENTIAL clearance
• Suppose the file space is shared by all users
• Alice creates the file FileXYzW to signal "1" to Bob, and removes the file to signal "0"
• Once per minute, Bob lists the files
  • If the file FileXYzW does not exist, Alice sent 0
  • If the file FileXYzW exists, Alice sent 1
• Alice can leak TOP SECRET info to Bob!

Slide 22: Covert Channel Example

  Alice:  Create file   Delete file   Create file                 Delete file
  Bob:    Check file    Check file    Check file    Check file    Check file
  Data:   1             0             1             1             0
  Time:   ------------------------------------------------------------>

Slide 23: Covert Channel
• Other possible covert channels?
  • Print queue
  • ACK messages
  • Network traffic, etc.
• When does a covert channel exist?
  1. Sender and receiver have a shared resource
  2. Sender is able to vary some property of the resource that the receiver can observe
  3. "Communication" between sender and receiver can be synchronized

Slide 24: Covert Channel
• So, covert channels are everywhere
• "Easy" to eliminate covert channels:
  • Eliminate all shared resources...
  • ...and all communication
• Virtually impossible to eliminate covert channels in any useful system
• DoD guidelines: reduce covert channel capacity to no more than 1 bit/second
• Implication? DoD has given up on eliminating covert channels!
Slide 25: Covert Channel
• Consider a 100MB TOP SECRET file
  • Plaintext stored in a TOP SECRET location
  • Ciphertext (encrypted with AES using a 256-bit key) stored in an UNCLASSIFIED location
• Suppose we reduce the covert channel capacity to 1 bit per second
  • It would take more than 25 years to leak the entire document through a covert channel
  • But it would take less than 5 minutes to leak the 256-bit AES key through a covert channel!

Slide 26: Real-World Covert Channel
• Hide data in the TCP header "reserved" field
• Or use covert_TCP, a tool that hides data in the
  • Sequence number
  • ACK number

Slide 27: Real-World Covert Channel
• Hide data in TCP sequence numbers
• Tool: covert_TCP
• Sequence number X contains the covert info
  • A (covert_TCP sender) sends a SYN with spoofed source C, destination B, SEQ: X
  • B (innocent server) replies with an ACK (or RST), source B, destination C, ACK: X
  • C (covert_TCP receiver) reads X from the reply

Slide 28: CAPTCHA

Slide 29: Turing Test
• Proposed by Alan Turing in 1950
• A human asks questions of another human and a computer, without seeing either
• If the questioner cannot distinguish the human from the computer, the computer passes the test
• The gold standard in artificial intelligence
• No computer can pass this today
  • But some claim to be close to passing

Slide 30: CAPTCHA
• CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
  • Automated: the test is generated and scored by a computer program
  • Public: the program and data are public
  • Turing test to tell...: humans can pass the test, but machines cannot
• Also known as HIP == Human Interactive Proof
• Like an inverse Turing test (well, sort of...)

Slide 31: CAPTCHA Paradox?
• "...CAPTCHA is a program that can generate and grade tests that it itself cannot pass..."
• Paradox: a computer creates and scores a test that it cannot pass!
• CAPTCHA is used so that only humans can get access (i.e., no bots/computers)
• CAPTCHA is for access control

Slide 32: CAPTCHA Uses?
• Original motivation: automated bots stuffed the ballot box in a vote for best CS grad school
  • SJSU vs Stanford?
• Free email services: spammers like to use bots to sign up for 1000s of email accounts
  • CAPTCHA employed so only humans get accounts
• Sites that do not want to be automatically indexed by search engines
  • CAPTCHA would force human intervention

Slide 33: CAPTCHA: Rules of the Game
• Easy for most humans to pass
• Difficult or impossible for machines to pass
  • Even with access to the CAPTCHA software
• From Trudy's perspective, the only unknown is a random number
  • Analogous to Kerckhoffs' Principle
• Desirable to have different CAPTCHAs in case some person cannot pass one type
  • A blind person could not pass a visual test, etc.

Slide 34: Do CAPTCHAs Exist?
• Test: Find 2 words in the following (distorted-text image, not reproduced in the transcript)
• Easy for most humans
• A (difficult?) OCR problem for a computer
  • OCR == Optical Character Recognition

Slide 35: CAPTCHAs
• Current types of CAPTCHAs
  • Visual: like the previous example
  • Audio: distorted words or music
• No text-based CAPTCHAs
  • Maybe this is impossible...

Slide 36: CAPTCHAs and AI
• OCR is a challenging AI problem
  • The hard part is the segmentation problem
  • Humans are good at solving this problem
• Distorted sound makes a good CAPTCHA
  • Humans are also good at solving this
• Hackers who break a CAPTCHA have solved a hard AI problem
  • So, putting the hacker's effort to good use!
• Other ways to defeat CAPTCHAs???

Slide 37: Firewalls

Slide 38: Firewalls
• (Diagram: Internet <-> Firewall <-> Internal network)
• The firewall decides what to let in to the internal network and/or what to let out
• Access control for the network

Slide 39: Firewall as Secretary
• A firewall is like a secretary
• To meet with an executive
  • First contact the secretary
  • The secretary decides if the meeting is important
  • So, the secretary filters out many requests
• You want to meet the chair of the CS department?
  • The secretary does some filtering
• You want to meet the POTUS?
  • The secretary does lots of filtering

Slide 40: Firewall Terminology
• No standard firewall terminology
• Types of firewalls
  • Packet filter: works at the network layer
  • Stateful packet filter: transport layer
  • Application proxy: application layer
• Other terms often used
  • E.g., "deep packet inspection"

Slide 41: Packet Filter
• Operates at the network layer
• Can filter based on...
  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Flag bits (SYN, ACK, etc.)
  • Egress or ingress

Slide 42: Packet Filter
• Advantages?
  • Speed
• Disadvantages?
  • No concept of state
  • Cannot see TCP connections
  • Blind to application data

Slide 43: Packet Filter
• Configured via Access Control Lists (ACLs)
  • Different meaning than at the start of Chapter 8

  Action  Source IP  Dest IP  Source Port  Dest Port  Protocol  Flag Bits
  Allow   Inside     Outside  Any          80         HTTP      Any
  Allow   Outside    Inside   80           > 1023     HTTP      ACK
  Deny    All        All      All          All        All       All

• Q: Intention?
• A: Restrict traffic to Web browsing

Slide 44: Stateful Packet Filter
• Adds state to the packet filter
• Operates at the transport layer
• Remembers TCP connections, flag bits, etc.
• Can even remember UDP packets (e.g., DNS requests)

Slide 45: Stateful Packet Filter
• Advantages?
  • Can do everything a packet filter can do plus...
  • Keep track of ongoing connections (so it prevents the TCP ACK scan)
• Disadvantages?
  • Cannot see application data
  • Slower than packet filtering

Slide 46: Application Proxy
• A proxy is something that acts on your behalf
• An application proxy looks at incoming application data
• Verifies that the data is safe before letting it in

Slide 47: Application Proxy
• Advantages?
  • Complete view of connections and application data
  • Filters bad data at the application layer (viruses, Word macros)
• Disadvantages?
  • Speed

Slide 48: Application Proxy
• Creates a new packet before sending it through to the internal network
• An attacker must talk to the proxy and convince it to forward the message
• The proxy has a complete view of the connection
• Prevents some scans a stateful packet filter cannot (next slides)

Slide 49: Intrusion Detection Systems

Slide 50: Intrusion Prevention
• Want to keep the bad guys out
• Intrusion prevention is a traditional focus of computer security
  • Authentication is to prevent intrusions
  • Firewalls are a form of intrusion prevention
  • Virus defenses are aimed at intrusion prevention
  • Like locking the door on your car

Slide 51: Intrusion Detection
• In spite of intrusion prevention, the bad guys will sometimes get in
• Intrusion detection systems (IDS)
  • Detect attacks in progress (or soon after)
  • Look for unusual or suspicious activity
• IDS evolved from log file analysis
• IDS is currently a hot research topic
• How to respond when an intrusion is detected?
  • We don't deal with this topic here...

Slide 52: Intrusion Detection Systems
• Who is the likely intruder?
  • May be an outsider who got through the firewall
  • May be an evil insider
• What do intruders do?
  • Launch well-known attacks
  • Launch variations on well-known attacks
  • Launch new/little-known attacks
  • "Borrow" system resources (e.g., "Bitcoin")
  • Use the compromised system to attack others, etc.

Slide 53: IDS
• Intrusion detection approaches
  • Signature-based IDS
  • Anomaly-based IDS
• Intrusion detection architectures
  • Host-based IDS
  • Network-based IDS
• Any IDS can be classified as above
  • In spite of marketing claims to the contrary!
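Stepping back to the firewall slides (41 to 45) before the IDS material: an added Python example (not code from the slides) that evaluates the slide 43 ACL as a stateless packet filter and, beside it, a stateful filter that remembers outbound SYNs. The rule table is transcribed from slide 43; the packet dictionary layout, the sample addresses and the traffic are this example's own constructions.

```python
# Added example, not from the slides: the ACL of slide 43 evaluated as a
# stateless packet filter, beside a stateful filter (slides 44 and 45) that
# admits an inbound packet only when it answers a connection the inside opened.

# Transcribed from slide 43; "Any"/"All" are wildcards, first matching rule wins
RULES = [
    # action, src side, dst side, src port, dst port, proto, flag bits
    ("Allow", "Inside",  "Outside", "Any", 80,      "HTTP", "Any"),
    ("Allow", "Outside", "Inside",  80,    ">1023", "HTTP", "ACK"),
    ("Deny",  "All",     "All",     "All", "All",   "All",  "All"),
]

def _match(pattern, value):
    if pattern in ("Any", "All"):
        return True
    if pattern == ">1023":
        return value > 1023
    if pattern == "ACK":           # flag-bit rule: ACK must be set (other bits ignored)
        return "ACK" in value
    return pattern == value

def packet_filter(pkt):
    """Stateless packet filter (slides 41 to 43): judges each packet on its own."""
    fields = ("src_side", "dst_side", "sport", "dport", "proto", "flags")
    for action, *patterns in RULES:
        if all(_match(p, pkt[f]) for p, f in zip(patterns, fields)):
            return action
    return "Deny"

class StatefulFilter:
    """Stateful packet filter: remembers outbound SYNs as connections (slide 44)
    and drops inbound packets that belong to no known connection (slide 45)."""
    def __init__(self):
        self.conns = set()          # (inside ip, inside port, outside ip, outside port)

    def filter(self, pkt):
        if packet_filter(pkt) == "Deny":
            return "Deny"
        if pkt["src_side"] == "Inside":
            if "SYN" in pkt["flags"]:
                self.conns.add((pkt["src_ip"], pkt["sport"], pkt["dst_ip"], pkt["dport"]))
            return "Allow"
        # inbound: must be the reply direction of a connection the inside started
        key = (pkt["dst_ip"], pkt["dport"], pkt["src_ip"], pkt["sport"])
        return "Allow" if key in self.conns else "Deny"

def stateful_verdicts(packets):
    sf = StatefulFilter()
    return [sf.filter(p) for p in packets]

def make(src_side, src_ip, sport, dst_side, dst_ip, dport, flags):
    return {"src_side": src_side, "src_ip": src_ip, "sport": sport, "dst_side": dst_side,
            "dst_ip": dst_ip, "dport": dport, "proto": "HTTP", "flags": frozenset(flags)}

# Constructed traffic: an inside browser opens a web connection, the server answers,
# and an outside host sends an unsolicited ACK to a high port that nobody opened.
OUT_SYN  = make("Inside",  "10.0.0.5",    40000, "Outside", "203.0.113.9", 80,    {"SYN"})
IN_REPLY = make("Outside", "203.0.113.9", 80,    "Inside",  "10.0.0.5",    40000, {"SYN", "ACK"})
STRAY    = make("Outside", "203.0.113.9", 80,    "Inside",  "10.0.0.7",    40001, {"ACK"})
```

The stateless filter passes all three packets because the second rule is satisfied by any inbound packet with the ACK bit set and a high destination port; the stateful filter passes the first two and drops the stray one, which is the point of slide 45.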
Slide 54: Intrusion detection architectures

Slide 55: Host-Based IDS
• Monitor activities on hosts for
  • Known attacks
  • Suspicious behavior
• Designed to detect attacks such as
  • Buffer overflow
  • Escalation of privilege, ...
• Little or no view of network activities

Slide 56: Network-Based IDS
• Monitor activity on the network for...
  • Known attacks
  • Suspicious network activity
• Designed to detect attacks such as
  • Denial of service
  • Network probes
  • Malformed packets, etc.
• Some overlap with the firewall
• Little or no view of host-based attacks
• Can have both host and network IDS

Slide 57: Intrusion detection approaches

Slide 58: Signature Detection Example
• Failed login attempts may indicate a password cracking attack
• The IDS could use the rule "N failed login attempts in M seconds" as a signature
  • If N or more failed login attempts occur in M seconds, the IDS warns of an attack
• Note that such a warning is specific
  • The admin knows what attack is suspected
  • Easy to verify the attack (or false alarm)

Slide 59: Signature Detection
• Suppose the IDS warns whenever N or more failed logins occur in M seconds
  • Set N and M so that false alarms are not common
  • Can do this based on "normal" behavior
• But, if Trudy knows the signature, she can try N − 1 logins every M seconds...
  • Then signature detection slows Trudy down, but might not stop her

Slide 60: Signature Detection
• Many techniques are used to make signature detection more robust
• The goal is to detect "almost" signatures
  • For example, if "about" N login attempts in "about" M seconds
  • Warn of a possible password cracking attempt
• What are reasonable values for "about"?
  • Can use statistical analysis, heuristics, etc.
  • Must not increase the false alarm rate too much

Slide 61: Signature Detection
• Advantages of signature detection
  • Simple
  • Detects known attacks
  • Know which attack at the time of detection
  • Efficient (if a reasonable number of signatures)
• Disadvantages of signature detection
  • Signature files must be kept up to date
  • The number of signatures may become large
  • Can only detect known attacks
  • A variation on a known attack may not be detected

Slide 62: Anomaly Detection
• Anomaly detection systems look for unusual or abnormal behavior
• There are (at least) two challenges
  • What is normal for this system?
  • How "far" from normal is abnormal?
• No avoiding statistics here!
  • The mean defines normal
  • The variance gives the distance from normal to abnormal

Slide 63: How to Measure Normal?
• How to measure normal?
  • Must measure during "representative" behavior
  • Must not measure during an attack...
  • ...or else the attack will seem normal!
• Normal is the statistical mean
• Must also compute the variance to have any reasonable idea of abnormal

Slide 64: How to Measure Abnormal?
• Abnormal is relative to some "normal"
  • Abnormal indicates a possible attack
• Statistical discrimination techniques include
  • Bayesian statistics
  • Linear discriminant analysis (LDA)
  • Quadratic discriminant analysis (QDA)
  • Neural nets, hidden Markov models (HMMs), etc.
• Fancy modeling techniques are also used
  • Artificial intelligence
  • Artificial immune system principles
  • Many, many, many others

Slide 65: Anomaly Detection (1)
• Suppose we monitor the use of three commands: open, read, close
• Under normal use we observe Alice: open, read, close, open, open, read, close, ...
• Of the six possible ordered pairs, we see that four pairs are normal for Alice: (open,read), (read,close), (close,open), (open,open)
• Can we use this to identify unusual activity?
Slide 66: Anomaly Detection (1)
• We monitor the use of the three commands open, read, close
• If the ratio of abnormal to normal pairs is "too high", warn of a possible attack
• Could improve this approach by
  • Also using the expected frequency of each pair
  • Using more than two consecutive commands
  • Including more commands/behavior in the model
  • More sophisticated statistical discrimination

Slide 67: Anomaly Detection (2)
• Over time, Alice has accessed file Fn at rate Hn
• Recently, "Alice" has accessed Fn at rate An

    H0   H1   H2   H3      A0   A1   A2   A3
   .10  .40  .40  .10     .10  .40  .30  .20

• Is this normal use for Alice?
• We compute S = (H0−A0)^2 + (H1−A1)^2 + ... + (H3−A3)^2 = .02
  • We consider S < 0.1 to be normal, so this is normal
• How to account for use that varies over time?

Slide 68: Anomaly Detection
• Advantages?
  • Chance of detecting unknown attacks
• Disadvantages?
  • Cannot use anomaly detection alone...
  • ...must be used with signature detection
  • Reliability is unclear
  • May be subject to attack
  • Anomaly detection indicates "something unusual", but lacks specific info on the possible attack
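The IDS rules of slides 58 to 60 and 65 to 67, worked as one added Python example (not code from the slides): the "N failed logins in M seconds" signature in its strict and "about" forms, the abnormal-to-normal pair ratio, and the S statistic with the slide 67 rates. The failure timestamps, the odd command trace, the slack values of the "about" rule and the drift update at the end are this example's own assumptions.

```python
# Added example, not from the slides: the "N failed logins in M seconds"
# signature of slides 58 to 60 (strict and "about" versions) and the two
# anomaly statistics of slides 65 to 67, run over constructed data.
from collections import deque

def failed_login_alerts(times, n, m):
    """Slide 58: alert whenever N or more failed logins fall inside M seconds.
    times: sorted failure timestamps in seconds. Returns the alert times."""
    window, alerts = deque(), []
    for t in times:
        window.append(t)
        while t - window[0] >= m:      # drop failures older than M seconds
            window.popleft()
        if len(window) >= n:
            alerts.append(t)
    return alerts

def approx_alerts(times, n, m, n_slack=1, m_factor=1.2):
    """Slide 60: the "about N in about M" variant; the slack values are an
    assumption of this example, the slides leave them open."""
    return failed_login_alerts(times, n - n_slack, m * m_factor)

# Constructed: a burst of 10 failures in 10 s, and Trudy pacing herself at
# N-1 = 4 failures per 60 s to slip under the strict N=5, M=60 rule (slide 59)
BURST = list(range(10))
TRUDY = [15 * i for i in range(16)]

def abnormal_pair_ratio(trace, normal_pairs):
    """Slide 66: ratio of abnormal to normal consecutive command pairs."""
    pairs = list(zip(trace, trace[1:]))
    bad = sum(1 for p in pairs if p not in normal_pairs)
    good = len(pairs) - bad
    return float("inf") if good == 0 else bad / good

# Slide 65: the four pairs seen during Alice's normal use
NORMAL_PAIRS = {("open", "read"), ("read", "close"), ("close", "open"), ("open", "open")}
ALICE_TRACE = ["open", "read", "close", "open", "open", "read", "close"]
ODD_TRACE = ["open", "close", "read", "open", "read", "read"]   # constructed

def anomaly_score(h, a):
    """Slide 67: S = sum of (Hi - Ai)^2; S < 0.1 is treated as normal."""
    return sum((hi - ai) ** 2 for hi, ai in zip(h, a))

H = [.10, .40, .40, .10]      # long-term rates from slide 67
A = [.10, .40, .30, .20]      # recent rates from slide 67

def update_normal(h, a, weight=0.2):
    """One answer to the slide's closing question (an assumption of this example,
    not given on the slides): let "normal" drift slowly toward recent behaviour."""
    return [(1 - weight) * hi + weight * ai for hi, ai in zip(h, a)]
```

With N=5 and M=60 the strict rule fires on the burst but never on Trudy's paced attempts, while the "about" rule (4 in 72 s) catches her at her fourth attempt; the slide 67 rates give S = 0.02, below the 0.1 threshold.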