ACCESS CONTROL pdf


ACCESS CONTROL

University of Maryland, Baltimore County
William Newton
wnewto1@umbc.edu
May 2, 2007

What is access control?

  • “Access control includes authentication, authorization and audit. It also includes measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems.” (Wikipedia)

What is access control?

  • Something you know
      • Passwords
      • “Perfect Passwords” by M. Burnett & D. Kleiman
  • Something you are
      • Fingerprint, Iris, Face
  • Something you have
      • Token, RFID, Key

Something you know

  • Passwords
      • Most passwords can be guessed or cracked
      • Password policies frustrate users
      • Administrators give users a default password
      • U2n*9kh!
  • Passwords that follow company procedures are hard to remember... or are they? Be creative!
      • Categorize your passwords
      • Consider a policy that requires a 15 character password with a character from each character set:
      • FF.1baDfirEkilleR@water.bucket

Something you are

  • Biometrics
      • False positives – bad guy positively identified as a good guy
      • False negatives – good guy is not recognized at all
  • Fingerprint technology is becoming a standard feature

Something you have

  • Physical
      • Token
      • Radio Frequency Identification (RFID)
      • RFID Implants
  • Problem: Physical security and Replay Attacks
  • Shmoocon 2006 – Adam Laurie: “RFIDiots”

Access Control Approaches

  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Context-Based Access Control (CBAC)
  • Role-Based Access Control (RBAC)
  • Lattice-Based Access Control (LBAC)

Discretionary Access Control

  • Restrict access to objects based on the owner of the objects
      • Bob is the owner of money.txt
      • Bob can grant read privileges to Alice to money.txt
  • Security Concern – Buffer Overflow attack to spawn a shell with root privileges

Mandatory Access Control

  • Restrict access to an object based on the classification of the object
      • Policy restricts access
  • Various levels of control
      • Disallow programs to open sockets
      • Render “root” useless
      • Associate a role to every subject
      • Buffer Overflow attack for root (or any other user)

Context-Based Access Control

  • Filters traffic through a network interface (Firewall)
  • Analyzes information at the network, transport, and application layers
  • Ex: TCP uses multiple channels to handle connection setup and communications
  • Provides: DoS, alerts, auditing, blocking

Lattice-Based Access Control

  • Information flow is controlled from one security class to another
  • Based around a security model (Bell LaPadula Model, Biba Model)

Lattice-Based Access Control

  • Partial ordering over a set of elements
  • Notation: b dominates a
  • System High – One element dominates all the elements in the set
  • System Low – One element that is dominated by all the elements in the set

Lattice-Based Access Control

  [Image borrowed from “Computer Security” by Dieter Gollmann]

Lattice-Based Access Control

  [Image borrowed from “Computer Security” by Dieter Gollmann]

Bell LaPadula Model

  • Simple Security property (SS) – (No read up): The classification of the object must be no higher than the classification of the subject for reading operations
  • *-property – (No write down): The classification of the object must be no lower than the classification of the subject for writing operations
  • Discretionary Security property (DS) – An access matrix is used for DAC
  • A state is secure if all three properties are satisfied

Biba (Integrity) Model

  • Simple integrity property – (No write up): The classification of the subject must be at most the classification of the object for writing operations
  • *-property – (No read down): The classification of the subject must be at least the classification of the object for read operations

Other Security Models

  • Harrison-Ruzzo-Ullman Model
      • Authorization system that allows changing of access rights in a matrix and the creation/deletion of subjects/objects
  • Chinese Wall Model
      • Used in consulting firms
      • Restricts information across channels that causes a conflict of interest
  • Clark-Wilson Model
      • Models data integrity and concurrency control in commercial applications

Access Control Structures

  • Definitions:
      • S: set of subjects
      • O: set of objects
      • A: set of access operations
  • Access Control Matrix (ACM)
      • $M = (M_{so})_{s \in S,\, o \in O}$ with $M_{so}$
  • Capabilities
      • By Subject
  • Access Control List (ACL)
      • By Object

Intermediate Controls

  • Used to implement the ACM in large complex systems
      • Groups & Negative Permissions
      • Protection Rings
      • Abilities (Partial Ordering)
          • Data structure that starts with a “.” followed by a list of integers separated by “.”s
          • Ex: 5.4.3, 4.3.2.1, 2.1
      • Privileges

Unix Access Controls

  • DAC
  • rwxrwxrwx
      • File: r – read, w – write, x – execute
      • Directory: r – ls, w – modify, x – search
      • owner, group, everyone
  • Groups are slightly different than roles
      • Simpler Approach

Windows

  • Pre-XP
      • All users had super user rights
      • Some legacy programs require super user privileges
  • XP – Four levels of access
  • Vista
      • Security related actions require an administrator password before executing
      • A token is created upon logging on that holds all the basic privileges (Prevents user from making any security changes to the system.)
      • Administrators obtain two tokens

Security Enhanced Linux

  • RBAC/MAC/DAC system
  • Security Context
      • Logical set of resources grouped together
      • Ex: software development team
          • Users can create/modify/define objects and subjects for this effort
  • Type Enforcement
      • Object access is granted based on rules defined by a security context

Security Enhanced Linux

  • Modes of operation: Disabled, permissive, enforcing
  • Fedora Core installs SELinux by default in enforcing mode
  • Policy File
      • Several text files define the rules, roles, domain transformations, etc.
      • One compiled policy file contains roughly 20,000 lines of rules
      • Once the policy file is loaded during boot up, it cannot be circumvented
      • Limited GUI applications
      • NSA – main contributor (government)
      • Tresys – Policy development (commercial)

Recent Development

  • Access Control development is not DEAD!
  • SACMAT – Symposium on Access Control Models and Technologies (2006)
      • “Trust Management with Delegation in Grouped Peer-to-Peer Communities” by Ravichandran & Yoon
      • “TrustBAC – Integrating Trust Relationships into the RBAC Model” by Chakraborty & Ray

Your mission… if you choose to accept it

  • Keep security vendors/companies honest
  • Stay involved in the security community
  • At a minimum – practice secure computing! (Safe passwords)

Thank you! Questions?

William Newton
wnewto1@umbc.edu
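
Added example, not part of the original slides: a small Python reference monitor that ties the "dominates" relation from the Lattice-Based Access Control slide to the three Bell LaPadula properties (SS, *, DS). The levels, categories, subjects, objects and function names are constructed for illustration, and modelling a label as a (level, category set) pair is an assumption; the slides do not say how the lattice is built.

```python
from dataclasses import dataclass

# Constructed sample lattice: ordered levels plus a set of categories.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]
CATEGORIES = frozenset({"crypto", "nuclear"})

@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset = frozenset()

def dominates(b, a):
    """b dominates a: b's level is at least a's and b holds all of a's categories."""
    return LEVELS.index(b.level) >= LEVELS.index(a.level) and a.cats <= b.cats

SYSTEM_LOW = Label(LEVELS[0])                 # dominated by every label
SYSTEM_HIGH = Label(LEVELS[-1], CATEGORIES)   # dominates every label

# Constructed subjects/objects and their labels.
LABELS = {
    "alice": Label("secret", frozenset({"crypto"})),
    "bob": Label("secret", frozenset({"nuclear"})),
    "report.txt": Label("confidential", frozenset({"crypto"})),
    "audit.log": SYSTEM_HIGH,
}
# Access control matrix M[(s, o)]: operations the owner has granted (DAC).
MATRIX = {
    ("alice", "report.txt"): {"read", "write"},
    ("alice", "audit.log"): {"read", "write"},
    ("bob", "report.txt"): {"read"},
}

def blp_allows(subj, obj, op, labels=LABELS, matrix=MATRIX):
    """Return True only if the SS-, *- and DS-properties all permit the access."""
    if op not in matrix.get((subj, obj), set()):   # DS-property
        return False
    s, o = labels[subj], labels[obj]
    if op == "read":
        return dominates(s, o)    # SS-property: no read up
    if op == "write":
        return dominates(o, s)    # *-property: no write down
    return False                  # unknown operations are denied

def state_is_secure(accesses, labels=LABELS, matrix=MATRIX):
    """A state (set of current accesses) is secure if every access passes."""
    return all(blp_allows(s, o, op, labels, matrix) for s, o, op in accesses)
```

Note that alice and bob are incomparable in this lattice (neither dominates the other), which is what makes the ordering partial, and that bob's matrix entry for report.txt does not help him because the mandatory check fails on categories.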

Date posted: 29/03/2014, 16:20


Table of contents

  • ACCESS CONTROL

  • What is access control?

  • Slide 3

  • Something you know

  • Something you are

  • Something you have

  • Access Control Approaches

  • Discretionary Access Control

  • Mandatory Access Control

  • Context-Based Access Control

  • Role Based Access Control

  • Slide 12

  • RBAC – Core Model

  • RBAC – Hierarchical Model

  • RBAC - SSDR

  • RBAC - DSDR

  • Lattice-Based Access Control

  • Slide 18

  • Slide 19

  • Slide 20
