Access Control Mechanisms and Security Models

How does the computer enforce access policy?

Readings
EROS essays on capabilities (instead of access
lists) http://www.eros-os.org/essays/00Essays.html Computer Security paper by Kemmerer

Access Control: Mechanisms and Models

Dual mode operation Access Matrix ACLs and Capabilities Multilevel and Multilateral Security Access Models
Bell-LaPadula Biba

Operating System Protection

Sharing system resources requires operating system to ensure that an incorrect program cannot interfere with other programs. Most computers provide hardware support to differentiate between at least two modes of operations (dual mode).
1. User mode execution done on behalf of a user. 2. Monitor mode (also kernel mode or system mode) execution done on behalf of operating system.

O.S. Protection
All I/O instructions are privileged instructions. Must ensure that a user program could never gain control of the computer in monitor mode (i.e., a user program cannot alter OS program instructions). Must provide memory protection for the OS kernel and one user program from accessing memory allocated to another.

 Associate with every process, two registers that determine the range of legal addresses: Base register holds the smallest legal physical memory address. Limit register contains the size of the range Memory outside the defined range cannot be accessed. In monitor mode, the operating system has unrestricted access to both monitor and users memory. The load instructions for the base and limit registers are privileged instructions.

Protecting Other Objects

Operating system consists of a collection of objects (hardware and software): buffers, registers, memory regions, PCBs, files, directories, etc.

Each object has a unique name and can be accessed through a well-defined set of operations. For files those operations are: read, write, execute.
Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so.

Subjects and Objects

Subject
Active entity in a computer system
User, process, thread

We will assume that a subject is synonymous with a user

Object
Passive entity or resource in a computer system
Files, directories, printers

Assign Subjects to Domains

Domains are entities that might want to access the objects: processes, programs, users, roles.
Domain granularity
There may be just 2 domains in the system: users and the superuser There may be a domain for each user There may be several domains per user: user surfing web, user compiling programs, user changing his password, etc.

Access Operations
An access is an interaction between an object and a subject A subject may observe (read) an object
Information flows from object to subject

A subject may alter (write to) an object

Information flows from subject to object

Read and Write Access

In a multi-user OS users open files to get access
Files are opened for read or for write access so that the OS can avoid conflicts like two users simultaneously writing to the same file

Write access mode is usually implemented as read/write mode

A user editing a file should not be asked to open it twice

The append (or blind write or write-only) access mode allows users to alter an object without observing its contents
Rarely useful (audit log files being the main exception) Implemented in Multics

Execute Access
Sometimes an object can be used without opening it in read or write mode
Directories Binary executable files Cryptographic keys

UNIX includes the execute access operation

This may mean different things in different contexts and in different systems

Access Operations in Unix

File access
Read (r) Write (w) Execute (x)

Directory access
Read (list directory contents) Write (create or rename files in directory) Execute (search directory)

Unix ls command
Operations drwxr-xr-x -rw-------rwxr-xr-x -rw-r----Owner Group jason jason jason jason Research research research research Size 512 127092 7632 0 Updated Jul 3 15:51 Aug 28 15:01 Name Research Trash

May 20 18:16 a.out Nov 25 1998 allfiles.txt

Access Matrix
The protection problem can be viewed as a matrix (access matrix)
Rows represent domains Columns represent objects

Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj

Access Matrix

Access Matrix
Access matrix is the mechanism for enforcing security policy. Policy
Who can access what object and in what mode.

Mechanism
Operating system provides access-matrix + rules. It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.

Access Control Mechanism

A request can be regarded as a triple (s,o,a)
s is a subject o is an object a is an access operation

A request is granted if
a belongs to the access matrix entry corresponding to subject s and object o

Implementation of Access Matrix

Sparse matrix (list of access right/domain pairs) or Access control lists or Capability lists Each column = Access-control list for one object. Defines who can perform what operation.
Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read

Each Row = Capability List (like a key). For each domain, what operations allowed on what objects.
Object 1 Read Object 4 Read, Write, Execute Object 5 Read, Write, Delete, Copy

Access Control Lists (ACL)

Access control lists focus on the objects
Typically implemented at operating system level Windows NT uses ACLs

Disadvantage
How can we check the access rights of a particular subject efficiently (before-the-act per-subject review)?

Capability Lists
Capability lists focus on the subjects
Typically implemented in services and application software Database applications often use capability lists to implement fine-grained access to tables and queries Renewed interest in capability-based access control for distributed systems

Disdavantage
How can we check which subjects can access a given object (before-the-act per-object review)?

Administrative Tasks
Tasks include
Creation of new objects and subjects Deletion of objects and subjects Changing entries in access control matrix (changing entries in ACLs and capability lists)

The administration of access control structures is extremely time-consuming, complicated and error-prone

Administering Access Control

Access control structures that aggregate subjects and objects are used to simplify the administrative burden User groups and roles aggregate subjects (student, faculty, staff) Data types aggregate objects (account files, binary executables)

Example
Objects are bank accounts Subjects are bank employees The set of bank accounts forms a data type We define roles
Teller Clerk Administrator

We define procedures for

Crediting accounts (CA) Debiting accounts (DA) Transferring funds between accounts (TF) Creating new accounts (NA) Authorising overdrafts (AO)

ACLs or Capability Lists?

Theoretically these implementations are the same: any protection state that can be represented in one can be represented in the other. In practice, some actions are just impractical in one implementation or the other. Removing a user (because he left the company) is more efficient in capability lists.

Changing a file to read-only for everyone (february-sales is made read-only when February is over) is easier in ACLs.

Implementation Considerations
In a given implementation, new lists can be created or changed easily, whereas the items in the lists must be welldefined and unchanging. Creating a new domain or splitting a current one is easy in capability lists. domainB as manager and domainB as payroll person. The result is that capability list systems create fine-grained domains. This makes it easy to enforce the principle of least privilege a fundamental principle in computer security.

Example: ACL Systems

In ACL systems, the password program and many system utilities, like compilers, run as root since the available domains are limited.
Suppose you discover that the password file is kept in /x/y/z (or the IDS logs showing that you tried to break into the system). You invoke the compiler and specify that it should write the output to /x/y/z !!! This (and many other problems) can be patched in ACL systems, but it never exists as a problem in capability list systems.

Example: Capability Lists

Capability lists
Password-program: /x/y/z, read, write Compiler: /usr/bin/prog, read Jholliday: /usrs/faculty/jholliday, read, write, owner

A new domain is created:

Compiler-jholliday: /user/bin/prog, read; /usrs/faculty/jholliday, write

Note: this domain does not have the capability to write to /x/y/z UNIX, an ACL system, handles this type of problem with the setuid bit but this has lead to many security problems.
Each file has associated with it a domain bit (setuid bit). When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset.

Multilevel and Multilateral Security

Multilevel: Security levels are like user and superuser or secret and top-secret. The higher level (super-user, top-secret) includes all of the privileges of the lower level(s). Multilateral security is concerned with security between domains at the same level (different user accounts should not interfere with each other).

Where to Place Security Mechanisms?

applications services (middleware) operating system OS kernel hardware

Security Mechanisms: Security Layers are Best

Visualize security mechanisms as concentric protection rings, with hardware mechanisms in the center and application mechanisms at the outside. Mechanisms towards the center tend to be more generic while mechanisms at the outside are more likely to address individual user requirements.
O.S. Hardware/ physical

application

Protection Rings
Often, the location of a security mechanism on the protection ring is related to its complexity. Generic mechanisms (inner rings) are simple, applications (outer rings) clamour for feature-rich security functions. Do you prefer simplicity - and higher assurance to a feature-rich security environment? Fundamental dilemma: simple generic mechanisms may not match specific security requirements. To choose the right features from a rich menu, you have to be a security expert. Security unaware users are in a no-win situation.

Blocking Access to the Layer Below

Attackers try to bypass protection mechanisms. The parts of the system that can disable the mechanism lie within the current layer or the layer below (or within). The parts of the system that can malfunction without compromising the mechanism lie outside.
How do you stop an attacker from getting access to a layer below your protection mechanism?

The Layer Below: Examples

Recovery tools, like Norton Utilities, restore the data by reading memory directly and then restoring the file structure. Such a tool can be used to circumvent logical access control as it does not care for the logical memory structure Unix treats I/O devices and physical memory devices like files. If access permissions are defined badly, e.g. if read access is given to a disk containing read protected files, then an attacker can read the disk contents and reconstruct the files.

Examples
Backup: whoever has access to a backup tape has access to all the data on it. Logical access control is of no help and backup tapes have to be locked away safely to protect the data.

Security Models
A security model is a formal description of a security policy Models are used in high assurance security evaluations Models are important historic milestones in computer security (e.g. Bell-LaPadula) The models presented today are not recipes for security but can be a starting point when you have to define a model yourself.

Basic Security Theorem

To design a secure system with the help of state machine models, define state set so that it captures security check that all state transitions starting in a secure state yield a secure state check that initial state of the system is secure Security is then preserved by all state transitions. The system will always be secure.

Bell LaPadula (BLP) Model

Early state machine approach
an access operation is described by a tuple

(s,o,a), s S, o O, a A
E.g.: (Alice, fun.com, read)

Well studied and formalized. Used in government Orange Book and Common Criteria Considers only multi-level security needs, thus describes confidentiality requirements.

Bell LaPadula (BLP) Model

Subjects and objects are labeled with security levels that form a partial ordering The policy: No information flow from high security levels down to low security level (confidentiality) BLP only considers information flows that occur when a subject observes or alters an object

BLP: Information Flow

Read down

Top Secret Secret Confidential Write up

Prevents subjects from acting as channels by reading one memory object and transferring information to another memory object

BLP Model
C(s) is the confidentiality level of subject s. C(o) is the level of object o. Subject s can read object o if C(s) C(o) Subject s can write to object o if C(o) C(s) * property that prevents information leakage: if s has read o, then he can write to p only if C(p) C(o)

Biba Model
BLP applies to secrecy of information (confidentiality), but not integrity. Biba model identifies inappropriate modification of data. State machine model similar to BLP for integrity policies that regulate modification of objects Integrity levels (such as trustworthy, untrusted or corrupted) are assigned to subjects and objects The Biba model has policies for an invoke operation whereby one subject can access (invoke) another subject The policies for static integrity levels are the dual of the BLP confidentiality levels

Biba Model
Subjects and objects are ordered by integrity levels
I(s) is the integrity of subject s I(o) is the integrity of object o

Subject s can modify o only if I(s) I(o) Integrity * property: If s has read access to object o with integrity level I(o), then s can have write access to p only if I(o) I(p) (anti-pollution property)

Biba: Dynamic Integrity Levels

Subject Low Watermark Policy: Subject s can read (observe) an object o at any integrity level. The new integrity level of s is g.l.b.(IS(s),IO(o))
Object Low Watermark Policy: Subject s can modify (alter) an object o at any integrity level. The new integrity level of o is g.l.b.(IS(s),IO(o))

For Further Study

Other security models
Changing access rights: Harrison-RuzoUllman, Chinese Wall Integrity: Clark-Wilson

Computer Security, Dieter Gollmann, Wiley, 1999