Access Control
School of Computer, mengbo

Authorization

Authentication vs Authorization
- Authentication: Who goes there?
  - Restrictions on who (or what) can access the system
- Authorization: Are you allowed to do that?
  - Restrictions on the actions of authenticated users
- Authorization is a form of access control
- Authorization enforced by
  - Access Control Lists
  - Capabilities

Lampson's Access Control Matrix
Objects (columns): OS, Accounting program, Accounting data, Insurance data, Payroll data
Subjects (rows): Bob, Alice, Sam, Accounting program
- Subjects (users) index the rows
- Objects (resources) index the columns

Are You Allowed to Do That?
- Access control matrix has all relevant info
- But how to manage a large access control (AC) matrix?
  - Could be 1000s of users, 1000s of resources
  - Then AC matrix with 1,000,000s of entries
  - Need to check this matrix before access to any resource is allowed
  - Hopelessly inefficient

Access Control Lists (ACLs)
- ACL: store access control matrix by column
- Example: ACL for insurance data is in blue (the Insurance data column)
Objects (columns): OS, Accounting program, Accounting data, Insurance data, Payroll data
Subjects (rows): Bob, Alice, Sam, Accounting program

Capabilities (or C-Lists)
- Store access control matrix by row
- Example: Capability for Alice is in red (the Alice row)
Objects (columns): OS, Accounting program, Accounting data, Insurance data, Payroll data
Subjects (rows): Bob, Alice, Sam, Accounting program

ACLs vs Capabilities
The same matrix stored both ways:

        file1  file2  file3
Alice   r      w      rw
Bob     -      r      r
Fred    r      -      r

Access Control List (one per file): file1: Alice r, Bob -, Fred r; file2: Alice w, Bob r, Fred -; file3: Alice rw, Bob r, Fred r
Capability (one per user): Alice: file1 r, file2 w, file3 rw; Bob: file1 -, file2 r, file3 r; Fred: file1 r, file2 -, file3 r
- Note that arrows point in opposite directions!
- With ACLs, still need to associate users to files

Confused Deputy
- Two resources
  - Compiler and BILL file (billing info)
- Compiler can write file BILL
- Alice can invoke compiler with a debug filename
- Alice not allowed to write to BILL
Access control matrix: objects (columns) Compiler, BILL; subjects (rows) Alice, Compiler

ACLs and Confused Deputy
- Compiler is deputy acting on behalf of Alice
- Compiler is confused
  - Alice is not allowed to write BILL
- Compiler has confused its rights with Alice's
[Figure: Alice invokes Compiler with debug filename BILL; Compiler writes BILL]

Confused Deputy
- Compiler acting for Alice is confused
- There has been a separation of authority from the purpose for which it is used
- With ACLs, difficult to avoid this problem
- With Capabilities, easier to prevent problem
  - Must maintain association between authority and intended purpose
- Capabilities make it easy to delegate authority

ACLs vs Capabilities
- ACLs
  - Good when users manage their own files
  - Protection is data-oriented
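The two storage layouts and the confused-deputy scenario above, as an added example in Python (not code from the slides). The subjects, objects and rights are the ones the slides use; the matrix dictionaries, the check functions and the two `compile_with_*` deputies are this example's own constructs.

```python
"""Lampson's access control matrix stored two ways (ACL = by column,
capability = by row) and the confused-deputy scenario from the slides.
Added example; not the slides' own code. Subjects, objects and rights are
taken from the slides; the functions below are an assumption."""
from collections import defaultdict

# Matrix from the "ACLs vs Capabilities" slide: rows = subjects, columns = objects
MATRIX = {
    "Alice": {"file1": "r", "file2": "w", "file3": "rw"},
    "Bob":   {"file1": "",  "file2": "r", "file3": "r"},
    "Fred":  {"file1": "r", "file2": "",  "file3": "r"},
}


def acls(matrix):
    """Store by column: for each object, the subjects allowed and their rights."""
    by_object = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                by_object[obj][subject] = rights
    return dict(by_object)


def capabilities(matrix):
    """Store by row: for each subject, the objects it may access and how."""
    return {s: {o: r for o, r in row.items() if r} for s, row in matrix.items()}


def acl_allows(acl, subject, obj, op):
    """ACL check: consult the object's list, so the requesting subject must be identified."""
    return op in acl.get(obj, {}).get(subject, "")


def cap_allows(caps, obj, op):
    """Capability check: whoever presents the capability gets exactly what it names."""
    return op in caps.get(obj, "")


# Confused deputy: the compiler may write BILL, Alice may not, but Alice
# chooses the debug file name that the compiler writes to.
DEPUTY_MATRIX = {
    "Alice":    {"Compiler": "x", "BILL": ""},
    "Compiler": {"Compiler": "",  "BILL": "w"},
}


def compile_with_acl(acl, debug_filename):
    """ACL-based deputy: the compiler checks *its own* rights on the debug file.
    Returns True when the write would go ahead, i.e. the confused-deputy write."""
    return acl_allows(acl, "Compiler", debug_filename, "w")


def compile_with_capability(caller_caps, debug_filename):
    """Capability-based deputy: the compiler uses only the capability the caller
    handed over with the request, so Alice's lack of authority on BILL is preserved."""
    return cap_allows(caller_caps, debug_filename, "w")


if __name__ == "__main__":
    acl, caps = acls(MATRIX), capabilities(MATRIX)
    print("ACL for file3:", acl["file3"])      # {'Alice': 'rw', 'Bob': 'r', 'Fred': 'r'}
    print("Alice's C-list:", caps["Alice"])     # {'file1': 'r', 'file2': 'w', 'file3': 'rw'}
    d_acl, d_caps = acls(DEPUTY_MATRIX), capabilities(DEPUTY_MATRIX)
    print("ACL deputy writes BILL:", compile_with_acl(d_acl, "BILL"))                          # True
    print("Capability deputy writes BILL:", compile_with_capability(d_caps["Alice"], "BILL"))  # False
```

The ACL deputy answers True for writing BILL because the compiler consults its own entry; the capability deputy answers False because it holds only what Alice passed in, which is the association between authority and purpose that the slides say capabilities preserve.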
ACLs vs Capabilities (continued)
- ACLs
  - Easy to change rights to a resource
- Capabilities
  - Easy to delegate
  - Easy to add/delete users
  - Easier to avoid the confused deputy
  - More difficult to implement
  - The "Zen of information security"
- Capabilities loved by academics
  - "Capability Myths Demolished"

Security Models
- Multilevel Security
- Multilateral Security

Multilevel Security (MLS) Models

Classifications and Clearances
- Classifications apply to objects
- Clearances apply to subjects
- US Department of Defense uses 4 levels of classifications/clearances
  - TOP SECRET
  - SECRET
  - CONFIDENTIAL
  - UNCLASSIFIED

Clearances and Classification
- To obtain a SECRET clearance requires a routine background check
- A TOP SECRET clearance requires an extensive background check
- Practical classification problems
  - Proper classification not always clear
  - Level of granularity to apply classifications
  - Aggregation: flipside of granularity

Subjects and Objects
- Let O be an object, S a subject
  - O has a classification
  - S has a clearance
- Security level denoted L(O) and L(S)
- For DoD levels, we have TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED

Multilevel Security (MLS)
- MLS needed when subjects/objects at different levels use the same system
- MLS is a form of Access Control
- Military/government interest in MLS for many decades
  - Lots of funded research into MLS
  - Strengths and weaknesses of MLS relatively well understood (theoretical and practical)
- Many possible uses of MLS outside the military

MLS Applications
- Classified government/military information
- Business example: info restricted to
  - Senior management only
  - All management
  - Everyone in company
  - General public
- Network firewall
  - Keep intruders at a low level to limit damage
- Confidential medical info, databases, etc.

MLS Security Models
- MLS models explain what needs to be done
  - Models do not tell you how to implement
- Models are descriptive, not prescriptive
  - High level description, not an algorithm
- There are many MLS models
- We'll discuss the simplest MLS model
  - Other models are more realistic
  - Other models also more complex, more difficult to enforce, harder to verify, etc.

Bell-LaPadula
- BLP security model designed to express essential requirements for MLS
- BLP deals with confidentiality
  - To prevent unauthorized reading
- Recall that O is an object, S a subject
  - Object O has a classification
  - Subject S has a clearance
  - Security level denoted L(O) and L(S)

Bell-LaPadula
- BLP consists of
  - Simple Security Condition: S can read O if and only if L(O) <= L(S)
  - *-Property (Star Property): S can write O if and only if L(S) <= L(O)
- No read up, no write down

Vulnerability of No Read Up

McLean's Criticisms of BLP
- McLean: BLP is "so trivial that it is hard to imagine a realistic security model for which it does not hold"
- McLean's "system Z" allowed an administrator to reclassify an object, then "write down"
- Is this fair?
  - Violates spirit of BLP, but not expressly forbidden in statement of BLP
  - Raises fundamental questions about the nature of (and limits of) modeling

Vulnerability of system Z

Bell and LaPadula's Response
- BLP enhanced with tranquility property
  - Strong tranquility property: security labels never change
  - Weak tranquility property: security label can only change if it does not violate "established security policy"
- Strong tranquility impractical in real world
  - Often want to enforce "least privilege"
  - Give users lowest privilege needed for current work
  - Then upgrade privilege as needed (and allowed by policy)
  - This is known as the high water mark principle
- Weak tranquility allows for least privilege (high water mark), but the property is vague

BLP: The Bottom Line
- BLP is simple, but probably too simple
- BLP is one of the few security models that can be used to prove things about systems
- BLP has inspired other security models
  - Most other models try to be more realistic
  - Other security models are more complex
  - Other models difficult to analyze and/or apply in practice

Biba's Model
- BLP for confidentiality, Biba for integrity
  - Biba is to prevent unauthorized writing
- Biba is (in a sense) the dual of BLP
- Integrity model
  - Suppose you trust the integrity of O1 but not O2
  - If object O includes O1 and O2 then you cannot trust the integrity of O
- Integrity level of O is the minimum of the integrity of any object in O
- Low water mark principle for integrity

Biba
- Let I(O) denote the integrity of object O and I(S) denote the integrity of subject S
- Biba can be stated as
  - Write Access Rule: S can write O if and only if I(O) <= I(S) (if S writes O, the integrity of O <= that of S)
  - Biba's Model: S can read O if and only if I(S) <= I(O) (if S reads O, the integrity of S <= that of O)
- Often, replace Biba's Model with Low Water Mark Policy: If S reads O, then I(S) = min(I(S), I(O))
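The BLP and Biba rules above, together with the low water mark policy and the tranquility property from the system Z discussion, as an added Python example (not the slides' code). The level names and their ordering come from the slides; the `Subject` and `Obj` classes, the plain-integer integrity scale and the policy inside `relabel` are assumptions made for this example.

```python
"""Reference-monitor checks for the BLP and Biba rules on the slides, plus the
tranquility property raised by McLean's system Z. Added example; level names
and ordering are from the slides, classes and functions are an assumption."""
from dataclasses import dataclass

# DoD levels: TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class Subject:
    name: str
    clearance: str   # L(S)
    integrity: int   # I(S), constructed integer scale (higher = more trusted)


@dataclass
class Obj:
    name: str
    classification: str  # L(O)
    integrity: int       # I(O)


def L_s(s):
    return LEVELS[s.clearance]


def L_o(o):
    return LEVELS[o.classification]


# Bell-LaPadula (confidentiality)
def blp_can_read(s, o):
    """Simple security condition: read only if L(O) <= L(S) (no read up)."""
    return L_o(o) <= L_s(s)


def blp_can_write(s, o):
    """*-property: write only if L(S) <= L(O) (no write down)."""
    return L_s(s) <= L_o(o)


# Biba (integrity)
def biba_can_write(s, o):
    """Write access rule: write only if I(O) <= I(S)."""
    return o.integrity <= s.integrity


def biba_can_read(s, o):
    """Biba's model (strict form): read only if I(S) <= I(O)."""
    return s.integrity <= o.integrity


def low_water_mark_read(s, o):
    """Low water mark policy: the read is allowed, but I(S) drops to min(I(S), I(O))."""
    s.integrity = min(s.integrity, o.integrity)
    return s.integrity


def relabel(o, new_classification, tranquility="strong"):
    """System Z reclassifies an object and then writes down. Strong tranquility
    forbids any relabel; the weak form here uses a constructed policy that
    forbids lowering a label, which is the step system Z relies on."""
    if tranquility == "strong":
        raise PermissionError("strong tranquility: security labels never change")
    if LEVELS[new_classification] < L_o(o):
        raise PermissionError("weak tranquility: downgrade violates established policy")
    o.classification = new_classification


def relabel_permitted(o, new_classification, tranquility="strong"):
    """Boolean wrapper around relabel() for callers that only need the verdict."""
    try:
        relabel(o, new_classification, tranquility)
        return True
    except PermissionError:
        return False


def mac_allows(s, o, op):
    """A system enforcing both models: the operation must satisfy BLP and Biba."""
    if op == "read":
        return blp_can_read(s, o) and biba_can_read(s, o)
    if op == "write":
        return blp_can_write(s, o) and biba_can_write(s, o)
    raise ValueError(op)
```

With both models enforced at once, a low-clearance subject may still "write up" under BLP but is stopped by Biba when the target has higher integrity than the writer, which is the sense in which the slides call the two models duals.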
Biba

Biba

BLP vs Biba
[Figure: BLP vs Biba. Left: confidentiality levels L(O) from high to low (BLP). Right: integrity levels I(O) from high to low (Biba).]

Multilateral Security (Compartments)

Multilateral Security
- Multilevel Security (MLS) enforces access control up and down
- Simple hierarchy of security labels may not be flexible enough
- Multilateral security enforces access control across by creating compartments
- Suppose TOP SECRET divided into TOP SECRET CAT and TOP SECRET DOG
- Both are TOP SECRET but information flow restricted across the TOP SECRET level

Multilateral Security
- Why compartments? Why not create a new classification level?
- May not want either of
  - TOP SECRET CAT >= TOP SECRET DOG
  - TOP SECRET DOG >= TOP SECRET CAT
- Compartments allow us to enforce the need to know principle
  - Regardless of your clearance, you only have access to info that you need to know

Multilateral Security
- Arrows indicate the ">=" relationship
[Figure: lattice of labels TOP SECRET CAT, DOG; TOP SECRET CAT; TOP SECRET DOG; TOP SECRET; SECRET CAT, DOG; SECRET CAT; SECRET DOG; SECRET]
- Not all classifications are comparable, e.g., TOP SECRET CAT vs SECRET CAT, DOG

MLS vs Multilateral Security
- MLS can be used without multilateral security or vice-versa
- But, MLS almost always includes multilateral
- Example
  - MLS mandated for protecting medical records of British Medical Association (BMA)
  - AIDS was TOP SECRET, prescriptions SECRET
  - What is the classification of an AIDS drug?
  - Everything tends toward TOP SECRET
  - Defeats the purpose of the system!
- Multilateral security was used instead

Covert Channel

Covert Channel
- MLS designed to restrict legitimate channels of communication
- May be other ways for information to flow
- For example, resources shared at different levels may signal information
- Covert channel: "communication path not intended as such by system's designers"

Covert Channel Example
- Alice has TOP SECRET clearance, Bob has CONFIDENTIAL clearance
- Suppose the file space shared by all users
- Alice creates file FileXYzW to signal "1" to Bob, and removes file to signal "0"
- Once each minute Bob lists the files
  - If file FileXYzW does not exist, Alice sent 0
  - If file FileXYzW exists, Alice sent 1
- Alice can leak TOP SECRET info to Bob!

Covert Channel Example
Time:   ----------------------------------------------------------------->
Alice:  Create file   Delete file   Create file   Delete file
Bob:    Check file    Check file    Check file    Check file    Check file
Data:   1             0             1             0             1

Covert Channel
- Other examples of covert channels
  - Print queue
  - ACK messages
  - Network traffic, etc., etc., etc.
- When does a covert channel exist?
  - Sender and receiver have a shared resource
  - Sender able to vary a property of the resource that the receiver can observe
  - Communication between sender and receiver can be synchronized

Covert Channel
- Covert channels exist almost everywhere
- Easy to eliminate covert channels
  - Provided you eliminate all shared resources and all communication
- Virtually impossible to eliminate all covert channels in any useful system
- DoD guidelines: goal is to reduce covert channel capacity to no more than 1 bit/second
- Implication is that DoD has given up trying to eliminate covert channels!

Covert Channel
- Consider 100MB TOP SECRET file
  - Plaintext version stored in TOP SECRET place
  - Encrypted with AES using 256-bit key, ciphertext stored in UNCLASSIFIED location
- Suppose we reduce covert channel capacity to 1 bit per second
- It would take more than 25 years to leak the entire document thru a covert channel
- But it would take less than 5 minutes to leak the 256-bit AES key thru a covert channel!

Real-World Covert Channel
- Hide data in TCP header "reserved" field
- Or use covert_TCP, tool to hide data in
  - Sequence number
  - ACK number

Real-World Covert Channel
- Hide data in TCP sequence numbers
- Tool: covert_TCP
- Sequence number X contains covert info
[Figure: A. Covert_TCP sender, B. Innocent server, C. Covert_TCP receiver]
  A -> B: SYN, spoofed source: C, destination: B, SEQ: X
  B -> C: ACK (or RST), source: B, destination: C, ACK: X
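The file-existence channel from the Covert Channel Example slides and the 1 bit/second capacity arithmetic, as an added Python simulation (not from the slides). The in-memory `SharedFileSpace`, its audit event list and the fixed 60-second slot are constructed stand-ins; `FileXYzW` is the file name the slides use.

```python
"""Simulation of the file-existence covert channel on the Covert Channel
Example slides: Alice (TOP SECRET) signals bits to Bob (CONFIDENTIAL) through
a file space shared by all users. Added example, not from the slides; the
in-memory file space and the fixed time slot are constructed stand-ins."""

SIGNAL_FILE = "FileXYzW"   # file name used on the slides


class SharedFileSpace:
    """The shared resource: subjects at every level can list it."""

    def __init__(self):
        self.files = set()
        self.events = []   # (slot, action) pairs, i.e. what an auditor could see

    def create(self, slot, name):
        self.files.add(name)
        self.events.append((slot, "create " + name))

    def delete(self, slot, name):
        self.files.discard(name)
        self.events.append((slot, "delete " + name))

    def exists(self, name):
        return name in self.files


def alice_send(space, slot, bit):
    """Sender varies an observable property: the file exists for 1, not for 0."""
    if bit == "1":
        space.create(slot, SIGNAL_FILE)
    else:
        space.delete(slot, SIGNAL_FILE)


def bob_check(space):
    """Receiver lists the files once per slot and reads the property back."""
    return "1" if space.exists(SIGNAL_FILE) else "0"


def run_channel(bits, slot_seconds=60):
    """Synchronised channel, one bit per slot (the slides use one minute).
    Returns (bits Bob decoded, seconds elapsed, the audit events)."""
    space = SharedFileSpace()
    received = []
    for slot, bit in enumerate(bits):
        alice_send(space, slot, bit)        # sender acts at the start of the slot
        received.append(bob_check(space))   # receiver polls before the slot ends
    return "".join(received), slot_seconds * len(bits), space.events


def seconds_to_leak(n_bits, capacity_bps=1.0):
    """Time to push n_bits through a channel capped at capacity_bps
    (the DoD goal on the slides is 1 bit/second)."""
    return n_bits / capacity_bps


def years_to_leak(n_bits, capacity_bps=1.0):
    """Same figure in years, for the 100MB-document comparison on the slides."""
    return seconds_to_leak(n_bits, capacity_bps) / (365.25 * 24 * 3600)
```

The event list is what an auditor of the shared file space would see: one create or delete per slot on the same file name is the regular churn that makes this particular channel observable, and `seconds_to_leak` reproduces the slides' contrast between a 100MB document (over 25 years at 1 bit/second) and a 256-bit key (under 5 minutes).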
Inference Control

Inference Control Example
- Suppose we query a database
  - Question: What is average salary of female CS professors at SJSU?
  - Answer: $95,000
  - Question: How many female CS professors at SJSU?
  - Answer: 1
- Specific information has leaked from responses to general questions!

Inference Control and Research
- For example, medical records are private but valuable for research
- How to make info available for research and protect privacy?
- How to allow access to such data without leaking specific information?

Naive Inference Control
- Remove names from medical records?
- Still may be easy to get specific info from such "anonymous" data
- Removing names is not enough
  - As seen in previous example
- What more can be done?

Less-naive Inference Control
- Query set size control
  - Don't return an answer if set size is too small
- N-respondent, k% dominance rule
  - Do not release statistic if k% or more contributed by N or fewer
  - Example: Avg salary in Bill Gates' neighborhood
  - Used by the US Census Bureau
- Randomization
  - Add small amount of random noise to data
- Many other methods, none satisfactory

Inference Control: The Bottom Line
- Robust inference control may be impossible
- Is weak inference control better than no inference control?
  - Yes: Reduces amount of information that leaks and thereby limits the damage
- Is weak crypto better than no crypto?
  - Probably not: Encryption indicates important data
  - May be easier to filter encrypted data

CAPTCHA

Turing Test
- Proposed by Alan Turing in 1950
- Human asks questions to one other human and one computer (without seeing either)
- If human questioner cannot distinguish the human from the computer responder, the computer passes the test
- The gold standard in artificial intelligence
- No computer can pass this today

CAPTCHA
- CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
  - Automated: test is generated and scored by a computer program
  - Public: program and data are public
  - Turing test to tell...: humans can pass the test, but machines cannot pass the test
- Like an inverse Turing test (sort of)

CAPTCHA Paradox
- "CAPTCHA is a program that can generate and grade tests that it itself cannot pass"
  - "much like some professors"
- Paradox: computer creates and scores a test that it cannot pass!
- CAPTCHA used to restrict access to resources to humans (no computers)
- CAPTCHA useful for access control

CAPTCHA Uses?
- Original motivation: automated "bots" stuffed ballot box in vote for best CS school
- Free email services: spammers used bots to sign up for 1000s of email accounts
  - CAPTCHA employed so only humans can get accounts
- Sites that do not want to be automatically indexed by search engines
  - HTML tag only says "please do not index me"
  - CAPTCHA would force human intervention

CAPTCHA: Rules of the Game
- Must be easy for most humans to pass
- Must be difficult or impossible for machines to pass
  - Even with access to CAPTCHA software
  - The only unknown is some random number
- Desirable to have different CAPTCHAs in case some person cannot pass one type
  - Blind person could not pass visual test, etc.

Do CAPTCHAs Exist?
- Test: Find 2 words in the following
[Figure: CAPTCHA image]
- Easy for most humans
- Difficult for computers (OCR problem)

CAPTCHAs
- Current types of CAPTCHAs
  - Visual
    - Like previous example
    - Many others
  - Audio
    - Distorted words or music
- No text-based CAPTCHAs
  - Maybe this is not possible

CAPTCHAs and AI
- Computer recognition of distorted text is a challenging AI problem
  - But humans can solve this problem
- Same is true of distorted sound
  - Humans also good at solving this
- Hackers who break such a CAPTCHA have solved a hard AI problem
  - Putting hackers' effort to good use!
- May be other ways to defeat CAPTCHAs

Firewalls

Firewalls
- Firewall must determine what to let in to internal network and/or what to let out
- Access control for the network
[Figure: Internet <-> Firewall <-> Internal network]

Firewall as Secretary
- A firewall is like a secretary
- To meet with an executive
  - First contact the secretary
  - Secretary decides if meeting is reasonable
  - Secretary filters out many requests
- You want to meet chair of CS department?
  - Secretary does some filtering
- You want to meet President of US?
  - Secretary does lots of filtering!
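Returning to the Less-naive Inference Control slides: query set size control and the N-respondent, k% dominance rule applied to a statistical query interface, as an added Python example (not the slides' code). The salary records are constructed, and the thresholds (3 respondents, N=1, k=50) are assumptions chosen so that both rules fire on the slides' two scenarios (the single female CS professor and the neighborhood with one dominant earner); they are not values from the slides.

```python
"""Query set size control and the N-respondent, k% dominance rule from the
slides, applied to a statistical query interface. Added example; the records
are constructed and the thresholds are assumptions, not values from the slides."""

# Constructed records: dept / gender / area / salary per person
RECORDS = [
    {"name": "Ada",  "dept": "CS",       "gender": "F", "area": "Downtown", "salary": 95_000},
    {"name": "Bert", "dept": "CS",       "gender": "M", "area": "Downtown", "salary": 90_000},
    {"name": "Carl", "dept": "CS",       "gender": "M", "area": "Hillside", "salary": 100_000},
    {"name": "Dan",  "dept": "CS",       "gender": "M", "area": "Hillside", "salary": 110_000},
    {"name": "Eve",  "dept": "Math",     "gender": "F", "area": "Hillside", "salary": 85_000},
    {"name": "Finn", "dept": "Math",     "gender": "M", "area": "Hillside", "salary": 88_000},
    {"name": "Gail", "dept": "Business", "gender": "F", "area": "Lakeside", "salary": 120_000},
    {"name": "Hal",  "dept": "Business", "gender": "M", "area": "Lakeside", "salary": 50_000_000},  # one dominant earner
    {"name": "Ivy",  "dept": "Business", "gender": "F", "area": "Lakeside", "salary": 115_000},
]


def select(records, **where):
    """Query set: the records matching every attribute in `where`."""
    return [r for r in records if all(r.get(k) == v for k, v in where.items())]


def raw_average(records, **where):
    """No inference control: answers even when the query set has one member,
    which is exactly how the slides' $95,000 answer leaks an individual salary."""
    rows = select(records, **where)
    return sum(r["salary"] for r in rows) / len(rows) if rows else None


def controlled_average(records, min_set_size=3, n=1, k=50.0, **where):
    """Release the average only if the query set is large enough (set size control)
    and no N respondents contribute k% or more of the total (dominance rule).
    Returns None when the statistic is suppressed."""
    rows = select(records, **where)
    if len(rows) < min_set_size:                     # query set size control
        return None
    salaries = sorted((r["salary"] for r in rows), reverse=True)
    total = sum(salaries)
    if total and 100.0 * sum(salaries[:n]) / total >= k:   # N-respondent, k% dominance
        return None
    return total / len(rows)


def controlled_count(records, min_set_size=3, **where):
    """Counts leak too (the slides' 'how many female CS professors?' answer is 1),
    so the same set size control is applied to them."""
    size = len(select(records, **where))
    return size if size >= min_set_size else None
```

Suppressing a count below the threshold matters as much as suppressing the average: on the slides it is the pair of answers ($95,000 and 1) that turns a statistic into a specific person's salary. The dominance rule covers the other case the slides mention, a large enough query set whose total is still almost entirely one respondent's contribution.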