CS 4803 Computer and Network Security



Similar documents
Design Principles for Protection Mechanisms. Security Principles. Economy of Mechanism. Least Privilege. Complete Mediation. Economy of Mechanism (2)

Chapter 13. Design Principles Overview

Windows Security. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

CSE543 - Introduction to Computer and Network Security. Module: Reference Monitor

Columbia University Web Security Standards and Practices. Objective and Scope

Access Control. 1 Overview of Access Control. Lecture Notes (Syracuse University) Access Control: 1. What is Access Control?

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos

Introduction to Computer Security

Content Teaching Academy at James Madison University

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Access Control Fundamentals

Complying with PCI Data Security

THE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Module 7 Security CS655! 7-1!

SPICE EduGuide EG0015 Security of Administrative Accounts

Chapter 14: Access Control Mechanisms

Security in EIS. The Future. This lecture. Jonny Pettersson 29/4 2010

Neutralus Certification Practices Statement

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Principles of Computer Security. Dr George Danezis

CS 161 Computer Security

Lecture VII : Public Key Infrastructure (PKI)

Configuring CQ Security

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Columbia University Web Application Security Standards and Practices. Objective and Scope

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

BM482E Introduction to Computer Security

CIS 551 / TCOM 401 Computer and Network Security

Authentication Application

Criteria for web application security check. Version

CAPITAL UNIVERSITY PASSWORD POLICY

SHARING FILE SYSTEM RESOURCES

Fundamentals of Computer Security

ADO and SQL Server Security

Introduction to Computer Security

Certified Secure Web Application Secure Development Checklist

Capability-Based Access Control

Overview. SSL Cryptography Overview CHAPTER 1

CEN 559 Selected Topics in Computer Engineering. Dr. Mostafa H. Dahshan KSU CCIS

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

Basic network security threats

Security IIS Service Lesson 6

Security in Grid Computing

System Security Policy Management: Advanced Audit Tasks

How Much Do I Need To Do to Comply? Vice president SystemExperts Corporation

EdgeCast Networks Inc. Token-Based Authentication Administration Guide

How To Get To A Cloud Storage And Byod System

CS 4803 Computer and Network Security

Applying Cryptography as a Service to Mobile Applications

Thick Client Application Security

CS 161 Computer Security

CSP & PCI DSS Compliance on HP NonStop systems

CIS433/533 - Computer and Network Security Operating System Security

GPFS and Remote Shell

Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access

SecureDoc Disk Encryption Cryptographic Engine

LET S ENCRYPT SUBSCRIBER AGREEMENT

COMP3441 Lecture 9: Security Architecture

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Chapter 23. Database Security. Security Issues. Database Security

Seven Things To Consider When Evaluating Privileged Account Security Solutions

How To Secure An Rsa Authentication Agent

A Revocable Backup System (extended abstract)

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Nixu SNS Security White Paper May 2007 Version 1.2

Why Open Source Software Only Seems More Secure

SQL Server Hardening

Threat modeling. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Websense Content Gateway HTTPS Configuration

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2006

With Great Power comes Great Responsibility: Managing Privileged Users

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Account Management Standards

UNCLASSIFIED Version 1.0 May 2012

Minimum Requirements for Integrating Services with Central Authentication Version 1.0 December 2008

Sync Security and Privacy Brief

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

User Accounts and Password Standard and Procedure

Chapter 12 File Management

Chapter 12 File Management. Roadmap

What s New in MySQL 5.7 Security Georgi Joro Kodinov Team Lead MySQL Server General Team

Cal State Fullerton Account and Password Guidelines

Apache Milagro (incubating) An Introduction ApacheCon North America

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2004

Architectural Principles for Secure Multi-Tenancy

Part III. Access Control Fundamentals

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Aitoc Software LLC License Agreement for Magento Extensions

Advanced Authentication

Two SSO Architectures with a Single Set of Credentials

Guideline on Access Control

IPv6 First Hop Security Protecting Your IPv6 Access Network

Basic network security threats

Danske Bank Group Certificate Policy

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

What Are Certificates?

Transcription:

Access to general objects CS 4803 Computer and Network Security Memory protection is only one example Need a way to protect more general objects Before we begin, some design principles Alexandra (Sasha) Boldyreva More on access control. General design principles 1 2 Overview Key point I Seminal article by Saltzer and Schroeder (1975) Eight principles underlying design and implementation of security mechanisms Linked from the course homepage Simplicity Make designs/mechanisms easy to understand Less chance of error 3 4

Key point II Principle 1 Restriction Minimize the power of an entity E.g., only allow access to information it needs E.g., only allow necessary communication; restrict type of communication allowed Less chance of harm! Principle of least privilege A subject should be given only the privileges it needs to accomplish its task If a subject needs certain privileges only to complete a specific task, it should relinquish those privileges upon completion of the task 5 6 In practice Systems are often not designed with the necessary granularity E.g., append may not be distinct from write E.g., in UNIX, no access controls for root Anyone who can make backup files can also delete those files Principle of Fail-Safe Defaults Principle 2 Unless a subject is given explicit access to an object, it should be denied access I.e., the default is no access E.g., a process reporting an error message should not try to expand its rights in an attempt to correct the error 7 8

Economy of Mechanism Principle 3 Security mechanisms should be as simple as possible but no simpler! Can simplify formal proofs of security (or even informal audits) Consequences If design/implementation are simple, less chance for error Software testing is also simpler Software interfaces especially suspect Typically make assumptions about the input/output format of the other module E.g., finger protocol: DoS attack by returning infinite stream of characters 9 10 Principle 4 Principle of Complete Mediation All accesses to objects should be checked to ensure they are allowed OS should mediate any request to read an object --- even on the second such request by the same subject! Don t cache authorization results Insecure example In UNIX, when a process tries to read a file, the system checks access rights If allowed, it gives the process a file descriptor File descriptor is presented to OS for access If permissions are subsequently revoked, the process still has a valid file descriptor! Insufficient mediation 11 12

Principle 5 Principle 6 Open Design No security through obscurity Security of a system should not depend on the secrecy of its implementation Of course, secret keys do not violate this principle! Separation of Privilege (As much as is feasible ) a system should not grant permission based on a single condition E.g., require more than one sys admin to issue a critical command, or more than one teller to issue an ATM card 13 14 Principle 7 Principle of Least Common Mechanism Minimize mechanisms depended upon by all users Shared mechanisms are a potential information path, and should not compromise security Also expose the system to potential DoS attacks Psychological Acceptability Principle 8 Security mechanisms should not make access to the resource more difficult If mechanisms are too cumbersome, they will be circumvented! Even if they are used, they may be used incorrectly 15 16

Back to specifics File protection as the running example But everything said here is more generally applicable Access control matrix One central matrix indexed by all subjects and objects Characterizes rights of each subject with respect to each object Formally: set of objects O and subjects S Matrix A contains an entry for every pair (S, O) The entry contains the rights for S on O Examples: read/write/execute/etc. 17 18 More complex access control In general, rights may be functions Actual rights depend on the system state Equivalently, may depend on system history Drawbacks Number of subjects/objects is very large Most entries blank/default One central matrix is modified every time subjects/objects are created/deleted or rights are modified 19 20

Access control lists (ACLs) Can be viewed as storing the rows of the access control matrix with the appropriate object One list per object, showing all subjects with access and their rights Possible to assign default rights to an object Easy to make an object public Example: access based on user, group, and compartment Use of wildcards Some design decisions. How fine-grained to allow ACLs?. E.g., user-level, group-level, or only public/private?. Granularity of rights (e.g., append?). How to handle conflicts if two subjects give different permissions on an object. Disallow multiple owners. Allow access if any entry gives rights. Allow access only if no entry denies rights. Apply first applicable entry. Revocation? 21 22 Capabilities Some burden for implementing protection placed on the user rather than just the OS Analogy: user has a ticket which grants access to an object A capability is an unforgeable token giving user access to an object and describing the level of allowable access Object owners can specify new types of rights Two general approaches Ticket is held by OS, which returns to the subject a pointer to the ticket Ticket is held by the user, but protected from forgery by cryptographic mechanisms How? Not encrypted as mistakenly claimed in book! Two possibilities: ticket verified by the object or by the OS itself Who holds the key in each case? 23 24

Drawback Does not really satisfy principle of complete mediation Can add automatic expiration to mitigate this 25

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information