Mandatory Access Control



Similar documents
Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

Access Control. 1 Overview of Access Control. Lecture Notes (Syracuse University) Access Control: 1. What is Access Control?

Database Security Part 7

Part III. Access Control Fundamentals

CSE543 - Introduction to Computer and Network Security. Module: Access Control

Security Enhanced Linux and the Path Forward

Mandatory Access Control in Linux

Role Based Access Control: Adoption and Implementation in the Developing World

Access Control Intro, DAC and MAC. System Security

Windows Security. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Secure computing: SELinux

Chapter 23. Database Security. Security Issues. Database Security

... Lecture 3 Access Control. Information & Communication Security (WS 14/15) Prof. Dr. Kai Rannenberg

CSE543 - Introduction to Computer and Network Security. Module: Reference Monitor

Access Control Fundamentals

Access Control Models Part I. Murat Kantarcioglu UT Dallas

CSE331: Introduction to Networks and Security. Lecture 34 Fall 2006

SELinux Policy Management Framework for HIS

CIS 551 / TCOM 401 Computer and Network Security. Spring 2005 Lecture 4

CS 665: Computer System Security. Designing Trusted Operating Systems. Trusted? What Makes System Trusted. Information Assurance Module

CIS433/533 - Computer and Network Security Operating System Security

Chapter 23. Database Security. Security Issues. Database Security

Access Control Lists in Linux & Windows

Adjusting Prevention Policy Options Based on Prevention Events. Version 1.0 July 2006

Access Control Matrix

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

A Survey of Access Control Policies

? Resource. Outline. Access Control and Operating System Security. Access control. Access control matrix. Capabilities. Two implementation concepts

Linux Security on HP Servers: Security Enhanced Linux. Abstract. Intended Audience. Technical introduction

Security Model and Enforcement for Data-Centric Pub/Sub with High Information Assurance Requirements

? Resource. Access Control and Operating System Security. Access control matrix. Access control. Capabilities. Two implementation concepts.

Introduction to Computer Security

Advanced Systems Security: Retrofitting Commercial Systems

Security Architecture and Design

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

CIS 551 / TCOM 401 Computer and Network Security

CAPP-Compliant Security Event Audit System for Mac OS X and FreeBSD

Common Criteria Evaluation Challenges for SELinux. Doc Shankar IBM Linux Technology Center

Objectives. Windows 7 Security. Desktop OS Market Share. Windows Background. CS140M Fall Lake

6WRUP:DWFK. Policies for Dedicated SQL Servers Group

SECURITY SUBSYSTEM IN WINDOWS

Introduction to Computer Security

MULTILATERAL SECURITY. Based on chapter 9 of Security Engineering by Ross Anderson

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

NSA Security-Enhanced Linux (SELinux)

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL

A Firewall Model of File System Security

Confining the Apache Web Server with Security-Enhanced Linux

INFO/CS 330: Applied Database Systems

How To Model Access Control Models In Cse543

What is a secret? Ruth Nelson

Information Security Policy

Access Control Basics. Murat Kantarcioglu

FREQUENTLY ASKED QUESTIONS

CS52600: Information Security

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

Reference Guide for Security in Networks

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

Database Security. Chapter 21

Information Security Information & Network Security Lecture 2

Operating System Security

Windows NT Server Operating System Security Features Carol A. Siegel Payoff

Role-Based Access Control (RBAC)

DIVISION OF INFORMATION SECURITY (DIS)

Identity Management and Access Control

ITM661 Database Systems. Database Security and Administration

Computer Security: Principles and Practice

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Capability-Based Access Control

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

What is Auditing? Auditing. Problems. Uses. Audit System Structure. Logger. Reading: Chapter 24. Logging. Slides by M. Bishop are used.

05.0 Application Development

Find the Who, What, Where and When of Your Active Directory

Technical Proposition. Security

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Windows security for n00bs part 1 Security architecture & Access Control

Firewalls CSCI 454/554

The Case for SE Android. Stephen Smalley Trust Mechanisms (R2X) National Security Agency

Database Security and Authorization

Windows Operating Systems. Basic Security

White Paper Levels of Linux Operating System Security

Weighted Total Mark. Weighted Exam Mark

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Security and Integrity of a Distributed File Storage in a Virtual Environment

Secure to the Core: The Next Generation Secure Operating System from CyberGuard

Network Security Management

Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21

Transcription:

CIS/CSE 643: Computer Security (Syracuse University) MAC: 1 1 Why need MAC DAC: Discretionary Access Control Mandatory Access Control Definition: An individual user can set an access control mechanism to allow or deny access to an object. Relies on the object owner to control access. DAC is widely implemented in most operating systems, and we are quite familiar with it. Strength of DAC: Flexibility: a key reason why it is widely known and implemented in mainstream operating systems. Limitation of DAC: Global policy: DAC let users to decide the access control policies on their data, regardless of whether those policies are consistent with the global policies. Therefore, if there is a global policy, DAC has trouble to ensure consistency. Information flow: information can be copied from one object to another, so access to a copy is possible even if the owner of the original does not provide access to the original copy. This has been a major concern for military. Malicious software: DAC policies can be easily changed by owner, so a malicious program (e.g., a downloaded untrustworthy program) running by the owner can change DAC policies on behalf of the owner. Flawed software: Similarly to the previous item, flawed software can be instructed by attackers to change its DAC policies. MAC: Mandatory Access Control Definition: A system-wide policy decrees who is allowed to have access; individual user cannot alter that access. Relies on the system to control access. Examples: The law allows a court to access driving records without the owners permission. Traditional MAC mechanisms have been tightly coupled to a few security models. Recently, systems supporting flexible security models start to appear (e.g., SELinux, Trusted Solaris, TrustedBSD, etc.) Security Policy Model A security policy model is a succinct statement of the protection properties that a system, or generic type of system, must have.

CIS/CSE 643: Computer Security (Syracuse University) MAC: 2 2 Multilevel Security 2.1 Security Levels People and information are classified into different levels of trust and sensitivity. These levels represent the well-known security classifications: Unclassified = Confidential = Secret = Top Secret. Clearance level indicates the level of trust given to a person with a security clearance, or a computer that processes classified information, or an area that has been physically secured for storing classified information. The level indicates the highest level of classified information to be stored or handled by the person, device, or location. Classification level indicates the level of sensitivity associated with some information, like that in a document or a computer file. The level is supposed to indicate the degree of damage the country could suffer if the information is disclosed to an enemy. Security level is a generic term for either a clearance level or a classification level. 2.2 The Bell-LaPadula Security Policy Model Proposed by David Bell and Len Lapadula in 1973, in response to U.S. Air Force concerns over the security of time-sharing mainframe systems. This model is the most widely recognized MLS model. The model deal with confidentiality only. Two properties: No read up and No write down. Simple security property: Subject A is allowed to read object O only if class(o) class(a). *-property: Subject A is allowed to write object O only if class(a) class(o). The *-property was Bell and LaPadula s critical innovation. It was driven by the fear that a user with Secret clearance might be tricked by attackers (e.g., through Trojan horse programs or software vulnerabilities) to copy down the information to a Unclassified area where the attackers can read. 2.3 The Biba Model Due to Ken Biba. Deal with integrity alone and ignores confidentiality entirely. Biba model covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula Integrity levels cover inappropriate modification of data Prevents unauthorized users from making modifications (1st goal of integrity) Two properties:

CIS/CSE 643: Computer Security (Syracuse University) MAC: 3 Simple Integrity Property: A low integrity subject will not write or modify high integrity data. *-Property: The high integrity subject will not read low integrity data. Read Up, Write Down - Subjects cannot read objects of lesser integrity, subjects cannot write to objects of higher integrity 3 Multilateral Security Instead of the information flow-control boundaries being horizontal, as in the MLS model, we instead need the boundaries to be the mostly vertical. Examples: In a consultant company, a person who consult for BankOne should not have access to the data of JPMC-Chase. An intelligence organization wants to keep the names of agents working in one foreign country secret from the department responsible for spying on another. Also known as compartmentation. Multilateral security models: The Chinese Wall Model The BMA Model (British Medical Association) The Chinese Wall Model Proposed by Brewer and Nash to model access rules in a consultancy business where analysts have to make sure that no conflicts of interest arise when they are dealing with different clients. Informally, conflicts arise because clients are direct competitors in the same market or because of the ownership of companies. Analysts have to adhere to the following security policy: Rule: There must be no information flow that causes a conflict of interest. Conflict of Interest (CoI) classes: indicate which companies are in competition. Read Rule: A subject S can read an object O if: O is in the same Dataset as an object already accessed by S, or O belongs to a CoI class from which S has not yet accessed any information. Write Rule: A subject S can write an object O if: S can read O according to the Read Rule, and No object in a different company dataset (i.e., not O s company dataset) can be read. In the write rule, the flow of information is comfined to its own company dataset. Without this rule, a person who can access both A and B can read the information from A and write to B; this way, another person who can access B can also access the information in A indirectly. If this person can also access C, which is in the same CoI class as A, we have a violation. The access restriction for both read and write can be lifted for sanitized information.

CIS/CSE 643: Computer Security (Syracuse University) MAC: 4 4 Reference Monitor A good design of security system should separate the policy enforcement from the rest of the system. Since its 1972 introduction in the Anderson Report, the Reference Monitor (RM) concept has proved itself to be a useful tool for computer security practitioners. It has been the only effective tool we know of for describing the abstract requirements of secure system design and implementation. A Reference Monitor should have the following properties It must be always invoked, i.e., every access is mediated. It must be tamperproof. It is impossible for a penetrator to attack the access mediation mechanism such that the required access checks are not performed and authorizations not enforced. It must be small enough to be subject to analysis and test, the completeness of which can be assured. 5 MAC Implementation in Windows Vista It is called Mandatory Integrity Control (MIC) in Windows Vista. MIC implements a form of the Biba model, which ensures integrity by controlling writes and deletions. Label on Subjects: When a user logs on, Windows Vista assigns an integrity SID to the users access token. Included in the SID is an integrity label that determines the level of access the token (and thus the user) can achieve. Label on Objects: Objects, such as files, pipes, processes, threads, registry keys, services, printers, etc., are also assigned an integrity SID, which is stored in the system access control list (SACL) of the objects security descriptor. The label in the SID specifies the integrity level of the object. Access Control Policy: To write to or delete an object, the integrity level of subject must be equal to or greater than the object s level. Relationship to DAC: Vista checks MAC first, if passed, it then checks DAC (e.g. access control list). Therefore, MAC provides a layer of access control in addition to DAC; it does not overwrite DAC. Integrity levels: Windows Vista defines six integrity levels (IL): Low, Medium, High, and System. Untrusted. Low: everyone (i.e. world). Medium: standard users, authenticated users. High: local service, network serice, elevated users. System: system services. Trusted Installer. Usually, child processes inherit the integrity level of their parents, unless the executable program running in the child process has a lower integrity level. For example, all the downloaded executables will run with Low integrity level because the labels of the executable programs are marked as Low when they are downloaded from the Internet.

CIS/CSE 643: Computer Security (Syracuse University) MAC: 5 The integrity level can also be customized on a per-process basis. For example, Internet Explorer 7 runs has an Low integrity level only. This means that IE has limited opportunities to be able to alter files on the machine without triggering an elevation prompt that the user must agree to. Objects created by processes inherit the IL of the process. So files downloaded by IE still have an IL of Low this explains why downloaded executables will only run with Low integrity level. Default levels: Objects that lack an integrity label are treated as medium by the operating system. This prevents low integrity code from modifying unlabeled objects Viewing and Modifying ILs of Objects: use icacls. 6 SELinux in Linux Primarily developed by the US National Security Agency, SELinux has been integrated into version 2.6 series of the Linux kernel. SELinux can enforce mandatory access controls (MAC). Type Enforcement (TE) Implements Domain Type Enforcement. Labeling subjects and objects: Domains for processes and Types for files and other objects Rules enforce how domains can access types. Key concepts: Domains: Classification of a subject. Types: Classification of an object (really the same thing as a domain but applied to objects). Users: Identifier for a single user or an equivalence class of users. Class: Type of an object, e.g., file or process. Two basic security enforcement decisions Access control: Can subject access object? Labeling: What label should a new object have? Access rules: Syntax: (allow auditallow dontaudit) src type target type:classes permissions; Example: allow sshd t shell exec t:file execute; Meaning: when a subject of sshd t accesses an object of shell exec t, it has the execute permissions if the object is the file class. Rules for the type of a new object: Example: type transition sshd t tmp t: devfile class set cardmsg dev t; Meaning: When sshd daemon creates a device file in the tmp directory, the new file is labeled with cardmsg dev t.

CIS/CSE 643: Computer Security (Syracuse University) MAC: 6 7 AppArmor in Linux AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files, posix 1003.1e draft capabilities, and network accesses. Rules in AppArmor policies. Policy on file/directory access: AppArmor give an application explicit read, write, or execute access to files and directories. The following rule allows the read of /etc/ntp.conf. /etc/ntp.conf r, AppArmor enables the mediation of POSIX capabilities. For example, the following rule allows the use of sys chroot capability. capability sys_chroot AppArmor allows mediation of network access based on the address type and family. For example, rule A in the following allows the general use of IPv4 network; rule B allows the use of IPv4 TCP networking. A: network inet B: network inet tcp An example of AppArmor policy: /usr/sbin/ntpd { capability sys_chroot, capability setuid, /etc/ntp.conf r, /var/log/ntp w, /tmp/ntp* rwl, } Comparing with SELinux: SELinux and AppArmor are competing products, and they both implement Mandatory Access Control. AppArmor s design is name-based and does not require re-labeling of the file system. The AppArmor profiles refer directly to programs and files by name, while the SELinux policies refer only to labels, and the user must label their files and programs in a separate step.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information