
Chapter 8_ Authorization.pdf




Kingdom of Saudi Arabia, Ministry of Higher Education
Al-Imam Muhammad ibn Saud Islamic University, College of Computer and Information Sciences
IS492 Information Security
Part II: Access Control
Chapter 8: Authorization

Chapter 8: Authorization
It is easier to exclude harmful passions than to rule them, and to deny them admittance than to control them after they have been admitted. ⎯ Seneca
You can always trust the information given to you by people who are crazy; they have an access to truth not available through regular channels. ⎯ Sheila Ballantyne

Authentication vs Authorization
• Authentication ⎯ Are you who you say you are?
  ❑ Restrictions on who (or what) can access the system
• Authorization ⎯ Are you allowed to do that?
  ❑ Restrictions on the actions of authenticated users
• Authorization is a form of access control
• Classic authorization enforced by
  ❑ Access Control Lists (ACLs)
  ❑ Capabilities (C-lists)

Lampson's Access Control Matrix
• Subjects (users) index the rows
• Objects (resources) index the columns

                      OS    Accounting  Accounting  Insurance  Payroll
                            program     data        data       data
  Bob                 rx    rx          r           ---        ---
  Alice               rx    rx          r           rw         rw
  Sam                 rwx   rwx         r           rw         rw
  Accounting program  rx    rx          rw          rw         rw

Are You Allowed to Do That?
• Access control matrix has all relevant info
• Could be 1000's of users, 1000's of resources
• Then matrix with 1,000,000's of entries
• How to manage such a large matrix?
• Need to check this matrix before access to any resource is allowed
• How to make this efficient?
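The matrix on the Lampson slide, stored both ways, as an added example (my own code, not from the lecture): storing it by column gives one ACL per object, storing it by row gives one capability list (C-list) per subject, and the access check looks different in each case. The second half plays out the Compiler/BILL matrix from the confused-deputy slides that follow under both representations. The matrix entries are the slides' own; the helper names (acls, capabilities, acl_check, cap_check, compile_with_acls, compile_with_capabilities) are assumptions of this example.

```python
# Added example (not from the lecture): Lampson's access control matrix from the
# slide, stored by column (ACLs) and by row (capability lists), plus the
# Compiler/BILL matrix from the confused-deputy slides that follow. The matrix
# entries are the slides' own; helper names are mine. "" stands for "---".

OBJECTS = ["OS", "Accounting program", "Accounting data", "Insurance data", "Payroll data"]

MATRIX = {
    "Bob":                dict(zip(OBJECTS, ["rx",  "rx",  "r",  "",   ""])),
    "Alice":              dict(zip(OBJECTS, ["rx",  "rx",  "r",  "rw", "rw"])),
    "Sam":                dict(zip(OBJECTS, ["rwx", "rwx", "r",  "rw", "rw"])),
    "Accounting program": dict(zip(OBJECTS, ["rx",  "rx",  "rw", "rw", "rw"])),
}


def acls(matrix):
    """Store the matrix by column: for each object, which subjects hold which rights."""
    table = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:                       # "---" entries are simply absent from the ACL
                table.setdefault(obj, {})[subject] = rights
    return table


def capabilities(matrix):
    """Store the matrix by row: for each subject, which objects it may use and how."""
    return {s: {o: r for o, r in row.items() if r} for s, row in matrix.items()}


def acl_check(table, subject, obj, right):
    """ACL check: look the object up, then find the requesting subject in its list."""
    return right in table.get(obj, {}).get(subject, "")


def cap_check(clist, obj, right):
    """Capability check: the presented C-list itself is the authority; no subject lookup."""
    return right in clist.get(obj, "")


# Confused-deputy matrix from the later slides: Alice may run the compiler but
# may not touch BILL; the compiler may read and write BILL.
DEPUTY_MATRIX = {
    "Alice":    {"Compiler": "x",  "BILL": ""},
    "Compiler": {"Compiler": "rx", "BILL": "rw"},
}


def compile_with_acls(caller, debug_file):
    """ACL world: the compiler writes its debug output under its OWN identity, so a
    caller who names BILL as the debug file borrows the compiler's rw right on it."""
    table = acls(DEPUTY_MATRIX)
    if not acl_check(table, caller, "Compiler", "x"):
        return "denied: caller may not run the compiler"
    if acl_check(table, "Compiler", debug_file, "w"):
        return f"wrote {debug_file}"         # confused deputy: BILL written on Alice's behalf
    return f"denied: compiler cannot write {debug_file}"


def compile_with_capabilities(caller, debug_file):
    """Capability world: the caller must hand the compiler a write capability for the
    debug file along with the request. Alice holds none for BILL, so the write fails."""
    caps = capabilities(DEPUTY_MATRIX)
    clist = caps.get(caller, {})
    if not cap_check(clist, "Compiler", "x"):
        return "denied: caller may not run the compiler"
    if cap_check(clist, debug_file, "w"):
        return f"wrote {debug_file}"
    return f"denied: {caller} holds no write capability for {debug_file}"


if __name__ == "__main__":
    print("ACL for Insurance data:", acls(MATRIX)["Insurance data"])
    print("Alice's C-list:", capabilities(MATRIX)["Alice"])
    print("ACLs:", compile_with_acls("Alice", "BILL"))
    print("Capabilities:", compile_with_capabilities("Alice", "BILL"))
```

Note how acl_check needs the subject's identity as an input while cap_check does not: that is the "arrows point in opposite directions" point, and it is why the capability version keeps the compiler's authority tied to what Alice was actually allowed to ask for.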
Access Control Lists (ACLs)
• ACL: store access control matrix by column
• Example: ACL for insurance data (shown in blue on the slide) is the Insurance data column of the matrix above: Bob ---, Alice rw, Sam rw, Accounting program rw

Capabilities (or C-Lists)
• Store access control matrix by row
• Example: Capability for Alice (shown in red on the slide) is the Alice row of the matrix above: OS rx, Accounting program rx, Accounting data r, Insurance data rw, Payroll data rw

ACLs vs Capabilities
• Access Control List (one list per file):
    file1: Alice r,   Bob w,   Fred rw
    file2: Alice ---, Bob r,   Fred r
    file3: Alice r,   Bob ---, Fred r
• Capability (one list per user):
    Alice: file1 r,  file2 ---, file3 r
    Bob:   file1 w,  file2 r,   file3 ---
    Fred:  file1 rw, file2 r,   file3 r
• Note that arrows point in opposite directions…
• With ACLs, still need to associate users to files

Confused Deputy
• Two resources
  ❑ Compiler and BILL file (billing info)
• Access control matrix

             Compiler  BILL
  Alice      x         ---
  Compiler   rx        rw

• Compiler can write file BILL
• Alice can invoke compiler with a debug filename
• Alice not allowed to write to BILL

ACLs and Confused Deputy
  (Figure: Alice invokes the Compiler, which writes BILL)
• Compiler is deputy acting on behalf of Alice
• Compiler is confused
  ❑ Alice is not allowed to write BILL
  ❑ Compiler has confused its rights with Alice's

Confused Deputy
• Compiler acting for Alice is confused
• There has been a separation of authority from the purpose for which it is used
• With ACLs, difficult to avoid this problem
• With Capabilities, easier to prevent problem
  ❑ Must maintain association between authority and intended purpose
  ❑ Capabilities make it easy to delegate authority

ACLs vs Capabilities
• ACLs
  ❑ Good when users manage their own files
  ❑ Protection is data-oriented
  ❑ Easy to change rights to a resource
• Capabilities
  ❑ Easy to delegate ⎯ avoid the confused deputy
  ❑ Easy to add/delete users
  ❑ More difficult to implement
• Capabilities loved by academics
  ❑ Capability Myths Demolished

Multilevel Security (MLS)
Part 2 Access Control
Classifications and Clearances
• Classifications apply to objects
• Clearances apply to subjects
• US Department of Defense (DoD) uses 4 levels:
  TOP SECRET
  SECRET
  CONFIDENTIAL
  UNCLASSIFIED

Clearances and Classification
• To obtain a SECRET clearance requires a routine background check
• A TOP SECRET clearance requires extensive background check
• Practical classification problems
  ❑ Proper classification not always clear
  ❑ Level of granularity to apply classifications
  ❑ Aggregation ⎯ flipside of granularity

Subjects and Objects
• Let O be an object, S a subject
  ❑ O has a classification
  ❑ S has a clearance
  ❑ Security level denoted L(O) and L(S)
• For DoD levels, we have TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED

Multilevel Security (MLS)
• MLS needed when subjects and objects at different levels use (or are on) the same system
• MLS is a form of Access Control
• Military and government interest in MLS for many decades
  ❑ Lots of research into MLS
  ❑ Strengths and weaknesses of MLS well understood (almost entirely theoretical)
• Many possible uses of MLS outside military

MLS Applications
• Classified government/military systems
• Business example: info restricted to
  ❑ Senior management only, all management, everyone in company, or general public
• Network firewall
• Confidential medical info, databases, etc.
• Usually, MLS not a viable technical system
  ❑ More of a legal device than technical system

Covert Channel

Covert Channel
• MLS designed to restrict legitimate channels of communication
• May be other ways for information to flow
• For example, resources shared at different levels could be used to "signal" information
• Covert channel: a communication path not intended as such by system's designers

Covert Channel Example
• Alice has TOP SECRET clearance, Bob has CONFIDENTIAL clearance
• Suppose the file space shared by all users
• Alice creates file FileXYzW to signal "1" to Bob, and removes file to signal "0"
• Once per minute Bob lists the files
  ❑ If file FileXYzW does not exist, Alice sent 0
  ❑ If file FileXYzW exists, Alice sent 1
• Alice can leak TOP SECRET info to Bob!

Covert Channel Example
  (Time runs left to right)
  Alice:  Create file  Delete file  Create file               Delete file
  Bob:    Check file   Check file   Check file   Check file   Check file
  Data:   1            0            1            1            0

Covert Channel
• Other possible covert channels?
  ❑ Print queue
  ❑ ACK messages
  ❑ Network traffic, etc.
• When does covert channel exist?
  1. Sender and receiver have a shared resource
  2. Sender able to vary some property of resource that receiver can observe
  3. "Communication" between sender and receiver can be synchronized

Covert Channel
• So, covert channels are everywhere
• "Easy" to eliminate covert channels:
  ❑ Eliminate all shared resources…
  ❑ …and all communication
• Virtually impossible to eliminate covert channels in any useful system
• DoD guidelines: reduce covert channel capacity to no more than 1 bit/second
• Implication? DoD has given up on eliminating covert channels!
Covert Channel
• Consider 100MB TOP SECRET file
  ❑ Plaintext stored in TOP SECRET location
  ❑ Ciphertext (encrypted with AES using 256-bit key) stored in UNCLASSIFIED location
• Suppose we reduce covert channel capacity to 1 bit per second
• It would take more than 25 years to leak entire document thru a covert channel
• But it would take less than 5 minutes to leak 256-bit AES key thru covert channel!

Real-World Covert Channel
• Hide data in TCP header "reserved" field
• Or use covert_TCP, tool to hide data in
  ❑ Sequence number
  ❑ ACK number

Real-World Covert Channel
• Hide data in TCP sequence numbers
• Tool: covert_TCP
• Sequence number X contains covert info
  (Figure: A, the covert_TCP sender, sends a SYN to B, an innocent server, with spoofed source C, destination B, SEQ: X. B replies with an ACK (or RST), source B, destination C, ACK: X, which reaches C, the covert_TCP receiver.)

CAPTCHA

Turing Test
• Proposed by Alan Turing in 1950
• Human asks questions to another human and a computer, without seeing either
• If questioner cannot distinguish human from computer, computer passes the test
• The gold standard in artificial intelligence
• No computer can pass this today
  ❑ But some claim to be close to passing

CAPTCHA
• CAPTCHA
  ❑ Completely Automated Public Turing test to tell Computers and Humans Apart
• Automated ⎯ test is generated and scored by a computer program
• Public ⎯ program and data are public
• Turing test to tell… ⎯ humans can pass the test, but machines cannot pass
• Also known as HIP == Human Interactive Proof
• Like an inverse Turing test (well, sort of…)

CAPTCHA Paradox?
• "…CAPTCHA is a program that can generate and grade tests that it itself cannot pass…"
• Paradox ⎯ computer creates and scores test that it cannot pass!
• CAPTCHA used so that only humans can get access (i.e., no bots/computers)
• CAPTCHA is for access control

CAPTCHA Uses?
• Original motivation: automated bots stuffed ballot box in vote for best CS grad school
  ❑ SJSU vs Stanford?
• Free email services ⎯ spammers like to use bots to sign up for 1000's of email accounts
  ❑ CAPTCHA employed so only humans get accounts
• Sites that do not want to be automatically indexed by search engines
  ❑ CAPTCHA would force human intervention

CAPTCHA: Rules of the Game
• Easy for most humans to pass
• Difficult or impossible for machines to pass
  ❑ Even with access to CAPTCHA software
• From Trudy's perspective, the only unknown is a random number
  ❑ Analogous to Kerckhoffs' Principle
• Desirable to have different CAPTCHAs in case some person cannot pass one type
  ❑ Blind person could not pass visual test, etc.

Do CAPTCHAs Exist?
• Test: Find 2 words in the following
  (Image: distorted-text CAPTCHA)
• Easy for most humans
  ❑ A (difficult?) OCR problem for computer
    o OCR == Optical Character Recognition

CAPTCHAs
• Current types of CAPTCHAs
  ❑ Visual ⎯ like previous example
  ❑ Audio ⎯ distorted words or music
• No text-based CAPTCHAs
  ❑ Maybe this is impossible…

CAPTCHAs and AI
• OCR is a challenging AI problem
  ❑ Hard part is the segmentation problem
  ❑ Humans good at solving this problem
• Distorted sound makes good CAPTCHA
  ❑ Humans also good at solving this
• Hackers who break CAPTCHA have solved a hard AI problem
  ❑ So, putting hacker's effort to good use!
• Other ways to defeat CAPTCHAs???

Firewalls

Firewalls
  (Figure: Internet, Firewall, Internal network)
• Firewall decides what to let in to internal network and/or what to let out
• Access control for the network

Firewall as Secretary
• A firewall is like a secretary
• To meet with an executive
  ❑ First contact the secretary
  ❑ Secretary decides if meeting is important
  ❑ So, secretary filters out many requests
• You want to meet chair of CS department?
  ❑ Secretary does some filtering
• You want to meet the POTUS?
  ❑ Secretary does lots of filtering

Firewall Terminology
• No standard firewall terminology
• Types of firewalls
  ❑ Packet filter ⎯ works at network layer
  ❑ Stateful packet filter ⎯ transport layer
  ❑ Application proxy ⎯ application layer
• Other terms often used
  ❑ E.g., "deep packet inspection"

Packet Filter
  (Figure: protocol stack: application, transport, network, link, physical)
• Operates at network layer
• Can filter based on…
  ❑ Source IP address
  ❑ Destination IP address
  ❑ Source Port
  ❑ Destination Port
  ❑ Flag bits (SYN, ACK, etc.)
  ❑ Egress or ingress

Packet Filter
• Advantages?
  ❑ Speed
• Disadvantages?
  ❑ No concept of state
  ❑ Cannot see TCP connections
  ❑ Blind to application data

Packet Filter
• Configured via Access Control Lists (ACLs)
  ❑ Different meaning than at start of Chapter 8

  Action  Source IP  Dest IP  Source Port  Dest Port  Protocol  Flag Bits
  Allow   Inside     Outside  Any          80         HTTP      Any
  Allow   Outside    Inside   80           > 1023     HTTP      ACK
  Deny    All        All      All          All        All       All

  ❑ Q: Intention?
  ❑ A: Restrict traffic to Web browsing

Stateful Packet Filter
• Adds state to packet filter
  ❑ Operates at transport layer
  ❑ Remembers TCP connections, flag bits, etc.
  ❑ Can even remember UDP packets (e.g., DNS requests)

Stateful Packet Filter
• Advantages?
  ❑ Can do everything a packet filter can do plus...
  ❑ Keep track of ongoing connections (so prevents TCP ACK scan)
• Disadvantages?
  ❑ Cannot see application data
  ❑ Slower than packet filtering

Application Proxy
• A proxy is something that acts on your behalf
• Application proxy looks at incoming application data
• Verifies that data is safe before letting it in

Application Proxy
• Advantages?
  ❑ Complete view of connections and applications data
  ❑ Filter bad data at application layer (viruses, Word macros)
• Disadvantages?
  ❑ Speed

Application Proxy
• Creates a new packet before sending it thru to internal network
• Attacker must talk to proxy and convince it to forward message
• Proxy has complete view of connection
• Prevents some scans stateful packet filter cannot ⎯ next slides

Intrusion Detection Systems

Intrusion Prevention
• Want to keep bad guys out
• Intrusion prevention is a traditional focus of computer security
  ❑ Authentication is to prevent intrusions
  ❑ Firewalls a form of intrusion prevention
  ❑ Virus defenses aimed at intrusion prevention
  ❑ Like locking the door on your car

Intrusion Detection
• In spite of intrusion prevention, bad guys will sometimes get in
• Intrusion detection systems (IDS)
  ❑ Detect attacks in progress (or soon after)
  ❑ Look for unusual or suspicious activity
• IDS evolved from log file analysis
• IDS is currently a hot research topic
• How to respond when intrusion detected?
  ❑ We don't deal with this topic here…

Intrusion Detection Systems
• Who is likely intruder?
  ❑ May be outsider who got thru firewall
  ❑ May be evil insider
• What do intruders do?
  ❑ Launch well-known attacks
  ❑ Launch variations on well-known attacks
  ❑ Launch new/little-known attacks
  ❑ "Borrow" system resources ⎯ "Bitcoin"
  ❑ Use compromised system to attack others, etc.

IDS
• Intrusion detection approaches
  ❑ Signature-based IDS
  ❑ Anomaly-based IDS
• Intrusion detection architectures
  ❑ Host-based IDS
  ❑ Network-based IDS
• Any IDS can be classified as above
  ❑ In spite of marketing claims to the contrary!
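Returning to the firewall section above: the packet filter ACL on the "Restrict traffic to Web browsing" slide, evaluated as a stateless packet filter and, beside it, as a stateful packet filter that remembers which connections inside hosts opened. This is an added example (my own code, not from the lecture) that shows concretely why the stateful slide says it "prevents TCP ACK scan": an unsolicited packet with ACK set from source port 80 to a high port satisfies the second ACL row on its header alone, but matches no connection the inside ever opened. The Packet class, the rule and filter names, and the sample packets with their RFC 5737 documentation addresses are all constructed for this example.

```python
# Added example (not from the lecture): the packet filter ACL from the slide
# ("Restrict traffic to Web browsing") evaluated statelessly, beside a stateful
# filter that remembers which connections inside hosts opened. Packets, IP
# addresses and class/function names are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str        # "Inside" or "Outside", as in the slide's ACL
    dst_zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str           # the slide's Protocol column; "HTTP" for web traffic
    flags: frozenset     # TCP flag bits present, e.g. frozenset({"ACK"})


def rule_allow_out(p):
    """Row 1: Allow Inside -> Outside, any source port, dest port 80, HTTP, any flags."""
    return (p.src_zone == "Inside" and p.dst_zone == "Outside"
            and p.dst_port == 80 and p.proto == "HTTP")


def rule_allow_in(p):
    """Row 2: Allow Outside -> Inside, source port 80, dest port > 1023, HTTP, ACK set."""
    return (p.src_zone == "Outside" and p.dst_zone == "Inside"
            and p.src_port == 80 and p.dst_port > 1023
            and p.proto == "HTTP" and "ACK" in p.flags)


def stateless_filter(p):
    """Packet filter: each packet judged on its own header; row 3 denies everything else."""
    return "Allow" if rule_allow_out(p) or rule_allow_in(p) else "Deny"


class StatefulFilter:
    """Stateful packet filter: the same ACL, but an inbound packet is allowed only
    if it belongs to a connection that an inside host opened first."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) per open connection
        self.connections = set()

    def check(self, p):
        if rule_allow_out(p):
            if "SYN" in p.flags:                      # inside host opening a connection
                self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "Allow"
        if rule_allow_in(p):
            key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            if key in self.connections:
                if "FIN" in p.flags or "RST" in p.flags:
                    self.connections.discard(key)     # connection torn down
                return "Allow"
        return "Deny"                                 # header matched row 2 but no state


# Constructed sample traffic.
OUT_SYN = Packet("Inside", "Outside", "10.0.0.5", "203.0.113.10", 40000, 80, "HTTP", frozenset({"SYN"}))
REPLY   = Packet("Outside", "Inside", "203.0.113.10", "10.0.0.5", 80, 40000, "HTTP", frozenset({"SYN", "ACK"}))
# Unsolicited ACK from "port 80" to a high port: the TCP ACK scan the stateful slide mentions.
PROBE   = Packet("Outside", "Inside", "198.51.100.7", "10.0.0.9", 80, 40001, "HTTP", frozenset({"ACK"}))
SSH_SYN = Packet("Outside", "Inside", "198.51.100.7", "10.0.0.9", 51515, 22, "SSH", frozenset({"SYN"}))


def compare(packets):
    """Run the same packets through both filters; returns [(stateless, stateful), ...]."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.check(p)) for p in packets]


if __name__ == "__main__":
    sample = [OUT_SYN, REPLY, PROBE, SSH_SYN]
    for p, (a, b) in zip(sample, compare(sample)):
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} {sorted(p.flags)}: "
              f"stateless={a} stateful={b}")
```

The browsing exchange (OUT_SYN, then REPLY) passes both filters; the PROBE passes the stateless filter and is denied by the stateful one, and the inbound SSH SYN is denied by both, which is what the slide's "Deny All" row is for.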
Intrusion detection architectures

Host-Based IDS
• Monitor activities on hosts for
  ❑ Known attacks
  ❑ Suspicious behavior
• Designed to detect attacks such as
  ❑ Buffer overflow
  ❑ Escalation of privilege, …
• Little or no view of network activities

Network-Based IDS
• Monitor activity on the network for…
  ❑ Known attacks
  ❑ Suspicious network activity
• Designed to detect attacks such as
  ❑ Denial of service
  ❑ Network probes
  ❑ Malformed packets, etc.
• Some overlap with firewall
• Little or no view of host-based attacks
• Can have both host and network IDS

Intrusion detection approaches

Signature Detection Example
• Failed login attempts may indicate password cracking attack
• IDS could use the rule "N failed login attempts in M seconds" as signature
• If N or more failed login attempts in M seconds, IDS warns of attack
• Note that such a warning is specific
  ❑ Admin knows what attack is suspected
  ❑ Easy to verify attack (or false alarm)

Signature Detection
• Suppose IDS warns whenever N or more failed logins in M seconds
  ❑ Set N and M so false alarms not common
  ❑ Can do this based on "normal" behavior
• But, if Trudy knows the signature, she can try N − 1 logins every M seconds…
• Then signature detection slows down Trudy, but might not stop her

Signature Detection
• Many techniques used to make signature detection more robust
• Goal is to detect "almost" signatures
• For example, if "about" N login attempts in "about" M seconds
  ❑ Warn of possible password cracking attempt
  ❑ What are reasonable values for "about"?
  ❑ Can use statistical analysis, heuristics, etc.
  ❑ Must not increase false alarm rate too much

Signature Detection
• Advantages of signature detection
  ❑ Simple
  ❑ Detect known attacks
  ❑ Know which attack at time of detection
  ❑ Efficient (if reasonable number of signatures)
• Disadvantages of signature detection
  ❑ Signature files must be kept up to date
  ❑ Number of signatures may become large
  ❑ Can only detect known attacks
  ❑ Variation on known attack may not be detected

Anomaly Detection
• Anomaly detection systems look for unusual or abnormal behavior
• There are (at least) two challenges
  ❑ What is normal for this system?
  ❑ How "far" from normal is abnormal?
• No avoiding statistics here!
  ❑ mean defines normal
  ❑ variance gives distance from normal to abnormal

How to Measure Normal?
• How to measure normal?
  ❑ Must measure during "representative" behavior
  ❑ Must not measure during an attack…
  ❑ …or else attack will seem normal!
  ❑ Normal is statistical mean
  ❑ Must also compute variance to have any reasonable idea of abnormal

How to Measure Abnormal?
• Abnormal is relative to some "normal"
  ❑ Abnormal indicates possible attack
• Statistical discrimination techniques include
  ❑ Bayesian statistics
  ❑ Linear discriminant analysis (LDA)
  ❑ Quadratic discriminant analysis (QDA)
  ❑ Neural nets, hidden Markov models (HMMs), etc.
• Fancy modeling techniques also used
  ❑ Artificial intelligence
  ❑ Artificial immune system principles
  ❑ Many, many, many others

Anomaly Detection (1)
• Suppose we monitor use of three commands: open, read, close
• Under normal use we observe Alice: open, read, close, open, open, read, close, …
• Of the six possible ordered pairs, we see four pairs are normal for Alice: (open,read), (read,close), (close,open), (open,open)
• Can we use this to identify unusual activity?
Anomaly Detection (1)
• We monitor use of the three commands open, read, close
• If the ratio of abnormal to normal pairs is "too high", warn of possible attack
• Could improve this approach by
  ❑ Also use expected frequency of each pair
  ❑ Use more than two consecutive commands
  ❑ Include more commands/behavior in the model
  ❑ More sophisticated statistical discrimination

Anomaly Detection (2)
• Over time, Alice has accessed file Fn at rate Hn
• Recently, "Alice" has accessed Fn at rate An

        H0    H1    H2    H3         A0    A1    A2    A3
        .10   .40   .40   .10        .10   .40   .30   .20

  ❑ Is this normal use for Alice?
  ❑ We compute S = (H0−A0)² + (H1−A1)² + … + (H3−A3)² = .02
    o We consider S < 0.1 to be normal, so this is normal
  ❑ How to account for use that varies over time?

Anomaly Detection
• Advantages?
  ❑ Chance of detecting unknown attacks
• Disadvantages?
  ❑ Cannot use anomaly detection alone…
  ❑ …must be used with signature detection
  ❑ Reliability is unclear
  ❑ May be subject to attack
  ❑ Anomaly detection indicates "something unusual", but lacks specific info on possible attack
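A toy IDS, as an added example (my own code, not from the lecture), that serves both the signature detection slides and the anomaly detection slides above: the "N failed login attempts in M seconds" rule as a sliding window, the consecutive-command-pair model of Anomaly Detection (1), and the S statistic of Anomaly Detection (2) with its S < 0.1 rule. The open/read/close trace and the H and A rate vectors are the slides' own values; the login log (in which Trudy spaces her failures so she stays under N per M seconds, as the slide warns), the values N = 3 and M = 10, the suspect trace, and all function names are constructed for this example.

```python
# Added example (not from the lecture): a toy IDS showing the two detection
# approaches the slides compare. Signature detection: the "N failed logins in
# M seconds" rule. Anomaly detection: the command-pair model of Anomaly
# Detection (1) and the S statistic of Anomaly Detection (2). The H/A rates and
# the open/read/close trace are the slides' values; the login log, N, M, the
# suspect trace and all function names are constructed for this example.
from collections import deque


def signature_failed_logins(events, n, m):
    """Warn when N or more failed logins by one user fall within M seconds.
    events: list of (seconds, user, "ok" | "fail"). Returns [(seconds, user), ...]."""
    recent = {}                        # user -> timestamps of recent failures
    alerts = []
    for ts, user, outcome in events:
        if outcome != "fail":
            continue
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > m:           # slide the window: drop failures older than M s
            q.popleft()
        if len(q) >= n:
            alerts.append((ts, user))  # specific alert: admin knows what is suspected
            q.clear()                  # one alert per burst
    return alerts


def normal_pairs(trace):
    """Learn the set of consecutive command pairs seen during normal use."""
    return set(zip(trace, trace[1:]))


def abnormal_pair_ratio(trace, normal):
    """Fraction of consecutive pairs in trace that never occurred in training."""
    pairs = list(zip(trace, trace[1:]))
    if not pairs:
        return 0.0
    return sum(1 for p in pairs if p not in normal) / len(pairs)


def s_statistic(h, a):
    """S = (H0-A0)^2 + ... + (H3-A3)^2: long-term vs recent file-access rates."""
    return sum((hi - ai) ** 2 for hi, ai in zip(h, a))


def is_normal(h, a, threshold=0.1):
    """The slide's rule: S below 0.1 counts as normal use."""
    return s_statistic(h, a) < threshold


# Constructed login log: Alice fails three times in 9 s; Trudy, knowing the
# signature, spaces her failures 11 s apart and never reaches N within M seconds.
LOGINS = [(0, "alice", "fail"), (4, "alice", "fail"), (9, "alice", "fail"),
          (20, "bob", "ok"),
          (30, "trudy", "fail"), (41, "trudy", "fail"), (52, "trudy", "fail")]
N, M = 3, 10

# Alice's normal command trace from the slide, and a constructed later trace to score.
NORMAL_TRACE = ["open", "read", "close", "open", "open", "read", "close"]
SUSPECT_TRACE = ["open", "read", "close", "close", "open", "read"]

# File-access rates H (historical) and A (recent) from the slide.
H = [0.10, 0.40, 0.40, 0.10]
A = [0.10, 0.40, 0.30, 0.20]


if __name__ == "__main__":
    print("signature alerts:", signature_failed_logins(LOGINS, N, M))
    normal = normal_pairs(NORMAL_TRACE)
    print("normal pairs:", sorted(normal))
    print("abnormal pair ratio:", abnormal_pair_ratio(SUSPECT_TRACE, normal))
    print("S =", round(s_statistic(H, A), 4), "normal" if is_normal(H, A) else "abnormal")
```

The signature alert names the user and the suspected attack, which is the slide's point about specificity; the anomaly scores only say that the pair (close, close) is new or that S is small, and leave the admin to work out what, if anything, is going on. Trudy's spaced-out failures produce no alert, which is why the slides suggest detecting "about" N in "about" M and pairing signature detection with anomaly detection.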
