Documente Academic
Documente Profesional
Documente Cultură
* Thanks to Dr. James Walden, NKU and Russ Wakeeld, CSU for contents of these slides
Topics
1. Access
control
principles
2.
3.
4.
5.
6.
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Authentication
Authorization
who should be allowed to
access which protected
resources?
Access Control
Architectures
Enforcement
how does the system
enforce the specied
authorization?
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
File A
X : r, w
Y:
File B
X:w
Y : r, w
read
Program
Goodies
Trojan Horse
write
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
High
Two security levels
High, Low
Low < High
L(X) = High
L(Y) = Low
L(A) = High
L(B) = Low
File A
read
X : r, w
Y:
Program
Goodies
Trojan Horse
X
write
Low
File B
X:w
Y : r, w
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
USERS
User-Role
Assignment
User-Session
Assignment
ROLES
PermissionRole
Assignment
Objects
Actions
Session-Role
Assignment
.....
SESSIONS
CONSTRAINTS
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Ownership
of
Files
Files
have
an
owner
Owner
is
a
single
user
Iden8ed
by
the
UID
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
UID
(GID)
Every
user
(group)
has
unique
UID
Mapped
to
user
(group)
in
/etc/passwd
(/etc/
group)
le
Specic
to
the
system
dened
Text
names
not
used
by
system
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Process
Ownership
Processes
are
les
in
execu8on
Processes
can
be
executed
by
the
owner
of
the
le
or
can
run
as
another
user
real
UID
(used
for
accoun8ng
purposes)
eec8ve
UID
(used
for
determina8on
of
access
permissions)
setUID
(setGID)
bit
for
le
If
set,
allows
le
to
be
executed
with
elevated
permissions
typically
that
of
another
user
or
the
the
root
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Superuser
or
Root
A
special
root
account
exists
that
represents
the
omnipotent
administra8ve
user,
oien
called
the
superuser
account,
that
has
all
rights
or
permissions
to
all
les
and
programs
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Superuser
or
Root
UID
of
zero
(0)
Performs
privileged
opera8ons
Crea8ng
device
les
Sejng
system
clock
Raising
resource
levels
Sejng
systems
hostname
Conguring
network
interfaces
Opening
privileged
network
ports
(below
1024)
Shujng
down
the
system
Change
its
own
UID/GID
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Passwords
Commonly
used
method
for
authen8ca8on
For
each
user,
system
stores
in
a
password
le
the
tuple
<User
name,
F(password)>
F
is
some
one-way
transforma8on
F(password)
is
easy
to
compute
From
F(password),
password
is
dicult
to
compute
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Choice
of
Passwords
Suppose
passwords
can
be
from
1
to
8
characters
in
length
Lower
case
English
alphabets
used
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Probable
Passwords
In
a
Bell
Labs
study
(Morris
&
Thompson
1979),
3,289
passwords
were
examined
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Password
Salt
Salt
is
used
to
make
the
previous
asacks
a
lisle
bit
more
dicult
Salt
is
a
12
bit
number
between
0
and
4095
It
is
derived
form
the
system
clock
and
the
process
iden8er
Rather
than
compu8ng
f(password),
system
computes
f(password
+
salt)
which
is
stored
in
password
le
With
salt,
the
same
password
can
result
in
4096
dierent
stored
password
values
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Linux
Passwords
Linux
uses
more
secure
cryptographic
techniques
to
encrypt
the
users
password
MD5,
Blowsh,
Eksblowsh,
SHA-256,
SHA-512
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Password
Management
Educate
users
to
make
beser
choices
Dicult
if
user
popula8on
is
large
or
novice
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Password
Management
Force
users
to
use
machine
generated
random
passwords
Random
passwords
are
dicult
to
memorize
Password
generator
may
become
known
to
the
asacker
through
analysis
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Root
password
Choose
wisely
(imagine
drinking
from
the
wrong
chalice).
Guidelines:
At
least
eight
characters
in
length
Not
easily
guessed
Boil
down
a
phrase
of
shocking
nonsense
Transform
a
phrase
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Becoming
root
su
command
Subs8tute
User
iden8ty
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014
Pseudo-users
bin
owner
of
system
commands
daemon
owner
of
unprivileged
system
soiware
nobody
generic
NFS
user
Dr. Indrajit Ray, Computer Science Department CT 320 Network and Systems Administra8on, Fall 2014