Ch3 System Security
Winfried E. Kühnhauser
CSI
Ilmenau Technical University
www.tu-ilmenau.de
Systems Security, ST 2016 wk
Roadmap
Security Requirements
Security Policies
Modeling and Specification
Security Mechanisms
Security Architectures
(Figure: the sailing analogy)
  security mechanisms: the watch, protection against collisions
  security policies: the art of sailing and its regulations (reefing, running before the wind, setting drift anchors), protection against bad weather
  security architecture: the coordinated use of mechanisms
(Figure: information flows in a hospital between staff (Dr. Bones, Sister Kathy, Brother Tuck, Paul Bocuse) and resources (EPR fields PatId, Anamnesis, Symptoms, Diagnosis, Medication, Diet; Apothecary, CT Lab, MR Lab, Nursing, Pathology, Kitchen, Administration))
Complete IF-Graph:
  >> 10,000 legal (and necessary!) information flows
  > 100 obvious conflicts (without transitivity)
  > 100 forgotten information flows
Ad-hoc approaches fail
3.1 Security Policies
Security Policy:
  A set of rules designed to meet a set of security objectives.
Security Objective:
  A statement of intent to counter a given threat or to enforce a given organizational security policy.
(Common Criteria for Information Technology Security Evaluation, since 1996)
Policy Representations
Informal text
Formal model
Executable policy implementation
Example 1
Excerpt from the Unix OS Security Policy
  There are subjects (humans, processes) and objects (files, sockets, ...)
  For each object there are 3 subject classes, owner, group, others, for which individual permissions can be granted
  (Figure: the permission bits of a file paper.pdf)
Result
  identity-based, discretionary access control (IBAC + DAC)
  high degree of individual freedom
  global responsibility, limited horizon (see chapter 2.1.2)
Example 2
Excerpt from a CSCW Policy (figure: project staff collaborating over the Internet)
Authentication:
  1. Each user must be identified based on key certificates issued by EADS
Authorization:
  2. Access to ProjectX files is granted only to the project staff (role-based access control)
  3. Changes to files are allowed only if both the responsible engineer and the project leader approve (second-set-of-eyes principle, and role-based access control)
  4. No information must flow from ProjectX to the Sales department (information flow control)
Communication:
  5. To protect integrity, confidentiality and authenticity, every communication is encrypted
Executable policy implementations in
  Operating Systems
  Middleware platforms
(Figure: an OS with a policy server. Applications run as processes on the OS; the OS contains the file system and a policy server that holds the policy. The policy excerpt shown in the figure, in HRU command notation:)
  S = {s1, s2, s3}, O = {o1, o2, o3}
  ...
  command read(s, o)
    if read ∈ m(s, o)
      enter (s, o) in h;
      ∀ oi ∈ O, (oi, o) ∈ C: delete read from m(s, oi);
      ∀ oi ∈ O, oi ≠ o: delete write from m(s, oi);
    end if
  end
  ...
(Figure: an OS architecture with a security server. Application processes use the OS components for process management, file systems, sockets, memory resources and communication resources; each component asks the security server, which holds the policy, for its access decisions.)
(Figure: policy compilation, in SELinux rule syntax. Policy source rules such as)
  allow sysadm_t insmod_exec_t:file x_file_perms;
  allow sysadm_t insmod_t:process transition;
  allow insmod_t insmod_exec_t:process { entrypoint execute };
  allow insmod_t sysadm_t:fd inherit_fd_perms;
  allow insmod_t sysadm_t:process sigchld;
(are translated by the policy compiler into a binary policy that is loaded into the security server; the OS components for process management, file systems, sockets, memory resources and communication resources query that server.)
(Figure: a microkernel architecture. A secure application and legacy applications, the latter on a paravirtualized legacy OS, run on top of a microkernel together with a trusted loader, a trusted name server, a trusted GUI and the security policy.)
Policy-controlled Applications
Embedded Policy
(Figure: application processes on the OS; one application embeds the policy itself (the HRU command excerpt repeated from the policy server figure).)
Policy-controlled Applications
Application-level Policy Servers
(Figure: application processes on the OS; a separate application-level policy server process holds the policy (the HRU command excerpt repeated from the policy server figure).)
(Figure: a middleware layer between application processes and the OS; the middleware contains a file server and a policy server holding the policy (the HRU command excerpt repeated from the policy server figure).)
(Figure: Apache Axis engine, client side. The client stub instantiates a message context MCreq for the SOAP request; the coordinator (OutInAxisOperation) sends it through handlers 1..n of the out flow; the SOAP reply is instantiated as MCresp and passes through handlers m..1 of the in flow back to the client.)
(Figure: Apache Axis engine, server side. The AxisServlet receives the SOAP request over HTTP/JMS via the transport utilities; MCreq passes through in-flow handlers 1..n to the message receiver and the Web service; the SOAP reply MCresp passes through out-flow handlers m..1 to the transport sender.)
Messages 3.1
The Part of Security Policies
  Requirements Engineering -> Security Requirements
  Policy Engineering -> Security Policy
  Model Engineering -> Security Model
  Architecture Engineering -> Security Architecture
The Linda-Test
Linda is a bright and active student, ..., lobbying in the students' council, ..., participating in demonstrations, ...
(Figure: multiple-choice answers, one of them marked)
Methods
Definition
A security model is a precise, in general formal, representation of a security policy.
The ambition is to analyze the behavior of a security policy and to be able to prove essential properties.
Model Spectrum
Going by the book, there are
  ...
  Noninterference (NI)
  Hybrid models
(Examples of controlled operations: reading files, issuing payments, executing Web services)
Model Spectrum
  Discretionary or mandatory
    discretionary: individuals are competent and responsible
    mandatory: no responsibility of individuals
Access control models relate
  Subject
  Operation
  Object
  Access rights
Example
Modeling access rights for Web Services
Model: (S, O, A, f) where
  S = {Bosch, VDO, Siemens} as set of subjects
  O = {deliveryTime_WS} as set of objects
  A = {see, execute, update} as set of operations
  f: S × O × A -> {granted, denied} as access control function where e.g.
    f(Bosch, deliveryTime_WS, see) = granted
    f(Bosch, deliveryTime_WS, execute) = granted
    f(Bosch, deliveryTime_WS, update) = denied
    f(VDO, ...
Example
Access control model of the Unix OS (extremely simplified)
Model: (S, O, A, f) where
  S: set of users
  O: set of system objects (files, directories, sockets, ...)
  A: set of system calls
  f: implemented in system calls, e.g. for accessing files:
    { s = caller.euid;
      if (s == o.inode.owner and a_mode in o.inode.ownerRWX) then
        return OK
      else {
        g = caller.egid;
        if (g == o.inode.group and a_mode in o.inode.groupRWX) then
          return OK
        else
          ...
      }
    }
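The Unix access decision above, written out as the function f: S × O × A -> {granted, denied} of the model. This is an added example, not code from the lecture; the names Inode, Caller and unix_access are its own. Two things it adds to the slide's "extremely simplified" pseudocode: the third class (others), and the class selection real Unix applies, where exactly one class is consulted, so an owner whose owner bits are empty is denied even if the group or others bits would grant (the slide's pseudocode falls through to the group test instead).

```python
# Added example (not from the lecture): Unix file access as the access control
# function f(s, o, a) of the model. Names are this example's own.
from dataclasses import dataclass
from typing import FrozenSet

R, W, X = 4, 2, 1           # rwx bits of one 3-bit permission class


@dataclass(frozen=True)
class Inode:
    owner: int              # uid
    group: int              # gid
    mode: int               # e.g. 0o640 (owner rw-, group r--, others ---)


@dataclass(frozen=True)
class Caller:
    euid: int
    egid: int
    groups: FrozenSet[int] = frozenset()   # supplementary group ids


def subject_class(caller: Caller, inode: Inode) -> str:
    """The single class the kernel consults for this (subject, object) pair:
    owner if the euid matches, else group if any gid matches, else others."""
    if caller.euid == inode.owner:
        return "owner"
    if caller.egid == inode.group or inode.group in caller.groups:
        return "group"
    return "others"


def class_bits(inode: Inode, cls: str) -> int:
    shift = {"owner": 6, "group": 3, "others": 0}[cls]
    return (inode.mode >> shift) & 0o7


def unix_access(caller: Caller, inode: Inode, a_mode: int) -> str:
    """f(s, o, a): granted iff every requested bit (a_mode is a combination of
    R, W, X) is set in the one selected class; classes are never unioned."""
    bits = class_bits(inode, subject_class(caller, inode))
    return "granted" if (bits & a_mode) == a_mode else "denied"


# Constructed sample state: one file, three callers.
PAPER = Inode(owner=1000, group=100, mode=0o640)
ALICE = Caller(euid=1000, egid=100)                            # owner
BOB = Caller(euid=1001, egid=100)                              # same primary group
CAROL = Caller(euid=1002, egid=200, groups=frozenset({300}))  # unrelated
# Owner-class pitfall: mode 0o007 locks the owner out while others may read.
LOCKED_OUT = Inode(owner=1000, group=100, mode=0o007)

if __name__ == "__main__":
    for who, c in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(who, "read:", unix_access(c, PAPER, R), "write:", unix_access(c, PAPER, W))
    print("alice on 0o007:", unix_access(ALICE, LOCKED_OUT, R))
```

The model view is the point: whatever the kernel does internally, the observable behaviour is a total function from (subject, object, operation) to a decision, which is what the following slides abstract into an access control matrix.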
Example
  S = {s1, ..., sn}
  O = {o1, ..., om}
  A = {read, write}
  2^A = {{}, {read}, {write}, {read, write}}
(Figure: access control matrix m with rows s1, ..., sn and columns o1, ..., om; each cell holds an element of 2^A, e.g. {read} or {read, write})
Notes
Implementations of ACMs in many
  OSes
  Databases
  Middleware platforms (CORBA, Web Services)
  Distributed security architectures (Kerberos)
by 2 security mechanisms:
  Access Control Lists: columns of ACMs
  Capability Lists: rows of ACMs
(Figure: the hospital scenario: Dr. Bones, Sister Kathy, Brother Tuck, Paul Bocuse; EPR fields PatId, Anamnesis, Symptoms, Diagnosis, Medication, Diet; Apothecary, CT Lab, MR Lab, Nursing, Pathology, Kitchen, Administration)
ACM excerpt (rows: subjects, columns: EPR fields; only the first column label, EPR.PatId, is legible):
                EPR.PatId   ...      ...      ...
  Dr. Brains    {r,w}       {r,w}    {r,w}    {r,w}
  Dr. Bones     {r}         {r}      {r}      {}
  Brother Tuck  {r}         {}       {r,w}    {r}
  Paul Bocuse   {r}         {}       {}       {}
  ...
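The hospital ACM above as a matrix m: S × O -> 2^A, together with the two implementation views the notes name, ACLs (columns) and capability lists (rows). This is an added example and not code from the lecture; only the column label EPR.PatId is on the slide, the other three column names used here are assumed. Besides checking that both views implement the same function f, it shows the operational difference between them: revoking all access to one object is a single ACL update but a scan over every subject's capability list.

```python
# Added example (not from the lecture): ACM, ACL view and capability-list view
# of the hospital excerpt. Column names other than EPR.PatId are assumed.
from typing import Dict, FrozenSet, Set, Tuple

Rights = FrozenSet[str]
ACM = Dict[Tuple[str, str], Rights]          # (subject, object) -> rights

SUBJECTS = ("Dr. Brains", "Dr. Bones", "Brother Tuck", "Paul Bocuse")
OBJECTS = ("EPR.PatId", "EPR.Diag", "EPR.Medic", "EPR.Diet")   # last three assumed

# rows as on the slide, column order as in OBJECTS
ROWS = {
    "Dr. Brains":   ("rw", "rw", "rw", "rw"),
    "Dr. Bones":    ("r",  "r",  "r",  ""),
    "Brother Tuck": ("r",  "",   "rw", "r"),
    "Paul Bocuse":  ("r",  "",   "",   ""),
}


def build_acm() -> ACM:
    return {(s, o): frozenset(ROWS[s][i]) for s in SUBJECTS for i, o in enumerate(OBJECTS)}


def acl_view(m: ACM) -> Dict[str, Dict[str, Rights]]:
    """Column view: for each object, the (subject, rights) entries stored with it."""
    acl: Dict[str, Dict[str, Rights]] = {o: {} for o in OBJECTS}
    for (s, o), rights in m.items():
        if rights:                      # empty cells are not stored
            acl[o][s] = rights
    return acl


def capability_view(m: ACM) -> Dict[str, Dict[str, Rights]]:
    """Row view: for each subject, the (object, rights) capabilities it holds."""
    caps: Dict[str, Dict[str, Rights]] = {s: {} for s in SUBJECTS}
    for (s, o), rights in m.items():
        if rights:
            caps[s][o] = rights
    return caps


def check_acl(acl, s: str, o: str, a: str) -> bool:
    return a in acl.get(o, {}).get(s, frozenset())


def check_cap(caps, s: str, o: str, a: str) -> bool:
    return a in caps.get(s, {}).get(o, frozenset())


def views_agree(m: ACM) -> bool:
    """Both views realize the same f: S x O x A -> {granted, denied}."""
    acl, caps = acl_view(m), capability_view(m)
    return all(check_acl(acl, s, o, a) == check_cap(caps, s, o, a) == (a in m[(s, o)])
               for s in SUBJECTS for o in OBJECTS for a in "rw")


def holders(acl, o: str) -> Set[str]:
    """'Who may access o?' is one lookup with ACLs."""
    return set(acl[o])


def revoke_object_acl(acl, o: str) -> int:
    """Revoke all access to o: clear one ACL; returns the number of entries removed."""
    n = len(acl[o])
    acl[o] = {}
    return n


def revoke_object_caps(caps, o: str) -> int:
    """The same revocation with capability lists has to visit every subject,
    which is why capability systems need extra revocation machinery."""
    n = 0
    for s in caps:
        if caps[s].pop(o, None) is not None:
            n += 1
    return n
```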
ACM excerpt:
                EP.PatId  EP.Diag  EP.Medic
  Dr. Brains    {r}       {r,w}    {r,w}
  Dr. Bones     {r}       {r}      {r}
  Brother Tuck  {r}       {}       {r,w}
(The slide shows the matrix twice, as two protection states.)
Behavior prediction
proliferation of rights
HRU Safety
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Goal
  Statements about the proliferation of rights (HRU safety)
Idea
  A security model combining
    Lampson's ACMs for modeling single protection states (snapshots)
    Deterministic automata for modeling runtime changes of protection state
Approach
Example
Modeling a simple system with
  p users
  q files
  m0: e.g. all users have rights r and w for all objects
    ∀ s ∈ S0, o ∈ O0: m0(s, o) = {r, w}
(Figure: matrix m0 with row s1 and columns o1, ..., o4, every cell {r, w})
Authorization Scheme
  δ: Q × Σ -> Q is defined by a set of specifications in the normalized form
    δ(q, α, x) = if
        r1 ∈ mq(xs1, xo1)
        ...
        rm ∈ mq(xsm, xom)
      then
        p1; ...; pn
      fi
  where q = (Sq, Oq, mq) ∈ Q, α ∈ A, x ∈ (Sq ∪ Oq)^k, r1, ..., rm ∈ R, and p1, ..., pn are primitives
Written as a command:
  command α(x) =
    if
      r1 ∈ mq(xs1, xo1)
      ...
      rm ∈ mq(xsm, xom)
    then
      p1; ...; pn
    fi
6 HRU Primitives:
  enter r into m(xs, xo)
  delete r from m(xs, xo)
  create subject xs
  create object xo
  destroy subject xs
  destroy object xo
with the obvious meanings
or alternatively
  authorization scheme =
    command create(s, o) = if <condition> then <action> fi
    command fork(s, o) = if <condition> then <action> fi
    ...
Model Making
Steps when Designing an HRU Security Model
1. Model Sets
  Subjects, objects, operations, rights
  definition of sets S, O, A, R, resulting in
    M = {m | m: S × O -> 2^R}
    Q = 2^S × 2^O × M
    Σ = A × (S ∪ O)^k
2. Authorization Scheme
  Description of the semantics of operations that modify the model state
  definition of the transition function δ (using the normalized form)
3. Initialization
  definition of the initial state q0 = (S0, O0, m0)
(Figure: an assignments server with a security policy; students file assignments and read the sample solution via the actions writeAssignment and readSolution)
Model Making
1. Sets
  Subjects, objects, actions, and rights
    S: the students
    O: the assignments (each with its sample solution)
    A = {writeAssignment, readSolution}
    R = {read, write}
2. Authorization Scheme
Effects of actions A on the model state
2.1 writeAssignment
State Change:
  The sample solution can be accessed only after filing the assignment
  IOW: If the automaton gets some input (writeAssignment, s, o) and the conditions are met, then it changes to a state where access to the solution is granted to s:
    δ(q, writeAssignment, s, o) ::=
      if write ∈ m(s, o)
      then
        enter read into m(s, o)
      fi
2.2 readSolution
State Change:
  Assignments can be filed only prior to reading the solution
  IOW: If the automaton gets some input (readSolution, s, o) and the conditions are met, then it changes to a state where filing assignments is denied to s:
    δ(q, readSolution, s, o) ::=
      if read ∈ m(s, o)
      then
        delete write from m(s, o)
      fi
3. Initialization
  q0 = (S0, O0, m0); e.g. for a course with 3 students:
    S0 = {s1, s2, s3}
    O0 = {o1, o2, o3}
    ∀ i, 1 ≤ i ≤ 3: m0(si, oi) = {write}
  Interpretation: each student si may file an assignment into oi; nobody may read a solution yet
The Works
Initial ACM State m0:
         o1       o2       o3
  s1     {write}  {}       {}
  s2     {}       {write}  {}
  s3     {}       {}       {write}
ACM State after writeAssignment(s3, o3):
         o1       o2       o3
  s1     {write}  {}       {}
  s2     {}       {write}  {}
  s3     {}       {}       {write, read}
ACM State after readSolution(s3, o3):
         o1       o2       o3
  s1     {write}  {}       {}
  s2     {}       {write}  {}
  s3     {}       {}       {read}
Example Summary
The Works
  An application scenario: an assignments server; students file assignments (writeAssignment) and read sample solutions (readSolution)
  An informal security policy
    1. The sample solution can be accessed only after filing the assignment
    2. Assignments can be filed only prior to reading the solution
  Model implementation
(Figure: the hospital scenario: Dr. Bones, Sister Kathy, Brother Tuck, Paul Bocuse; EPR fields PatId, Anamnesis, Symptoms, Diagnosis, Medication, Diet; Apothecary, CT Lab, MR Lab, Nursing, Pathology, Kitchen, Administration)
For a given security model, is it possible that a specific subject ever may get a specific permission with respect to a specific object?
ACM excerpt:
                EP.PatId  EP.Diag  EP.Medic
  Dr. Brains    {r}       {r,w}    {r,w}
  Dr. Bones     {r}       {r}      {r}
  Brother Tuck  {r}       {}       {r,w}
(The slide shows the matrix in two states to illustrate the question.)
Input Sequences
What is the effect of an input sequence in a given state?
  δ*: Q × Σ* -> Q
  δ*(q, ε) = q
  δ*(q, σ·a) = δ(δ*(q, σ), a)
Definition HRU-Safety
A state q = (Sq, Oq, mq) of a given HRU model is called HRU-safe with respect to a right r ∈ R iff, beginning with q, there is no sequence of commands that enters r in a matrix cell where it did not exist in q.
Formally:
  q is safe wrt. r ⟺ ¬∃ σ ∈ Σ*, (Sq', Oq', mq') = δ*(q, σ), s ∈ Sq', o ∈ Oq': r ∈ mq'(s, o) ∧ (s ∉ Sq ∨ o ∉ Oq ∨ r ∉ mq(s, o))
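The assignments-server model of the previous slides (actions writeAssignment and readSolution, rights read and write, initial state with three students) as an executable HRU automaton, followed by an exhaustive check of the HRU-safety definition above. This is an added example, not code from the lecture; the names freeze, thaw, delta, delta_star and hru_safe are its own. The scheme contains no create primitives, so the set of reachable states is finite and the search terminates with a definite answer for this model; it is not a general decision procedure, since for general HRU models none exists.

```python
# Added example (not from the lecture): the assignments-server HRU model as an
# automaton, plus an exhaustive HRU-safety check over its finite state space.
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Tuple

Cell = Tuple[str, str]
Matrix = Dict[Cell, FrozenSet[str]]
# a state q = (S, O, m), made hashable so visited states can be kept in a set
State = Tuple[FrozenSet[str], FrozenSet[str], Tuple[Tuple[Cell, FrozenSet[str]], ...]]


def freeze(S, O, m: Matrix) -> State:
    cells = tuple(sorted(((c, rs) for c, rs in m.items() if rs), key=lambda kv: kv[0]))
    return (frozenset(S), frozenset(O), cells)


def thaw(q: State) -> Tuple[set, set, Matrix]:
    S, O, cells = q
    m: Matrix = {(s, o): frozenset() for s in S for o in O}
    m.update(dict(cells))
    return set(S), set(O), m


# the two HRU primitives this scheme needs
def enter(m: Matrix, r: str, s: str, o: str) -> None:
    m[(s, o)] = m[(s, o)] | {r}


def delete(m: Matrix, r: str, s: str, o: str) -> None:
    m[(s, o)] = m[(s, o)] - {r}


# authorization scheme, each command in normalized form:
# if <rights in cells> then <primitives> fi
def write_assignment(m: Matrix, s: str, o: str) -> None:
    if "write" in m[(s, o)]:
        enter(m, "read", s, o)


def read_solution(m: Matrix, s: str, o: str) -> None:
    if "read" in m[(s, o)]:
        delete(m, "write", s, o)


COMMANDS = {"writeAssignment": write_assignment, "readSolution": read_solution}


def delta(q: State, cmd: str, s: str, o: str) -> State:
    """One transition δ(q, (cmd, s, o)); unknown entities leave q unchanged."""
    S, O, m = thaw(q)
    if s in S and o in O:
        COMMANDS[cmd](m, s, o)
    return freeze(S, O, m)


def delta_star(q: State, seq: List[Tuple[str, str, str]]) -> State:
    """δ*(q, σ) for an input sequence σ."""
    for cmd, s, o in seq:
        q = delta(q, cmd, s, o)
    return q


def rights(q: State, s: str, o: str) -> FrozenSet[str]:
    return dict(q[2]).get((s, o), frozenset())


def initial_state(n: int = 3) -> State:
    """q0 of the slides: student si may write assignment oi, nothing else."""
    S = [f"s{i}" for i in range(1, n + 1)]
    O = [f"o{i}" for i in range(1, n + 1)]
    m: Matrix = {(s, o): frozenset() for s in S for o in O}
    for i in range(1, n + 1):
        m[(f"s{i}", f"o{i}")] = frozenset({"write"})
    return freeze(S, O, m)


def hru_safe(q0: State, r: str) -> Tuple[bool, Optional[List[Tuple[str, str, str]]]]:
    """Depth-first exploration of all reachable states. Returns (False, σ) for
    the first input sequence σ that enters r into a cell where q0 lacked it
    (a witness against safety), or (True, None) if no reachable state does."""
    _, _, m0 = thaw(q0)
    seen = {q0}
    frontier = [(q0, [])]
    while frontier:
        q, seq = frontier.pop()
        S, O, m = thaw(q)
        for cell, rs in m.items():
            if r in rs and r not in m0.get(cell, frozenset()):
                return False, seq
        for cmd, s, o in product(COMMANDS, sorted(S), sorted(O)):
            q2 = delta(q, cmd, s, o)
            if q2 not in seen:
                seen.add(q2)
                frontier.append((q2, seq + [(cmd, s, o)]))
    return True, None
```

For this model q0 is not safe with respect to read (that is intended: writeAssignment is supposed to enter read), and the witness is a single command; it is safe with respect to write, which no command ever enters. With 3 students the search visits 27 states; the bound grows as 3^n, which is the practical motivation for the heuristic methods later in the chapter.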
Safety-Decidability
Theorem 1 (HRU, 1976):
  For general HRU models (commands in the normalized form with arbitrary conditions and arbitrary sequences of primitives), HRU-Safety is not decidable
Proof Theorem 2
(Decidability of safety for mono-operational HRU models: every command consists of exactly one primitive; safety decidable)
Interesting, because
  Insights into the operational principles of HRU models
  Demonstrates a method to prove safety properties for a given model
Example (transforming a command sequence step by step)
  Original sequence:
    create subject x2
    create object x5
    enter r1 into m(x2, x5)
    enter r2 into m(x2, x5)
    create subject x7
    delete r1 from m(x2, x5)
    destroy subject x2
    enter r1 into m(x7, x5)
    ...
  With a single initial subject sinit prepended:
    create subject sinit
    create subject x2
    create object x5
    enter r1 into m(x2, x5)
    enter r2 into m(x2, x5)
    create subject x7
    delete r1 from m(x2, x5)
    destroy subject x2
    enter r1 into m(x7, x5)
    ...
  With sinit standing in for the created subjects x2 and x7:
    create subject sinit
    create subject x2
    create object x5
    enter r1 into m(sinit, x5)
    enter r2 into m(sinit, x5)
    create subject x7
    delete r1 from m(sinit, x5)
    destroy subject x2
    enter r1 into m(sinit, x5)
    ...
  With a single initial object oinit standing in for the created object x5:
    create subject sinit
    create object oinit
    create subject x2
    create object x5
    enter r1 into m(sinit, oinit)
    enter r2 into m(sinit, oinit)
    create subject x7
    delete r1 from m(sinit, x5)
    destroy subject x2
    enter r1 into m(sinit, oinit)
    ...
Sketch (Theorem 1)
  Computational power of general HRU models equivalent to Turing machines
Assessment of Theorems
Results show Dilemma
Consequences
  Restrict to model classes with decidable safety, e.g. models in which rights are never removed:
    Application domain
      Archiving systems (documents never are deleted)
      MLS systems with static classification function (see below)
    Scant practical relevance: rights can never be revoked
  HRU + strong typing: Typed Access Matrix Model (TAM, see below)
Why Heuristics?
  |Σ| = |A| · |S ∪ O|^k
  Example: A small file server (AS with 10 actions, 1,000,000 files, actions with max. 5 parameters): 10 · (10^6)^5 = 10^31 possible inputs in every state
Heuristics
  The art of solving problems with limited knowledge and limited time
  Term often used as synonym for heuristic methods
    General way of solving a problem
    To find a solution that is hoped to be close to the best possible answer
    By means of educated guess, common sense, rule of thumb
(Figure: a simulation path from state q to a state qi and on to its successor δ(qi, e))
Heuristic-based Decisions
  Simulation step: δ(qi, e), e = (α, x)
    choice of state qi
    choice of action α
    choice of parameters x
  input sequences for the model simulation are paths in the CDG
Messages
Method
Results
  Safety not decidable in general
  HRU model family, domain-specific calculus fragments
  heuristic-based analysis methods
Goals
Method
How it works:
(Figure: an ACM with rows s1, s2 and columns o1, o2, o3 in which every subject and object carries a type)
  T = {subject, object}
HRU commands:
  command α(x) =
    if
      r1 ∈ mq(xs1, xo1)
      ...
      rm ∈ mq(xsm, xom)
    then
      p1; ...; pn
    fi
  where
    q = (Sq, Oq, mq) ∈ Q, α ∈ A
    x ∈ (Sq ∪ Oq)^k
    r1, ..., rm ∈ R
TAM commands add type conditions on the parameters:
  command α(x1: t_x1, ..., xk: t_xk) =
    if
      t(x1) = t_x1
      ...
      t(xk) = t_xk
      r1 ∈ mq(xs1, xo1)
      ...
      rm ∈ mq(xsm, xom)
    then
      p1; ...; pn
    fi
or, with the type conditions in the parameter list and q ∈ Q implicit:
  command α(x1: t_x1, ..., xk: t_xk) =
    if
      r1 ∈ m(xs1, xo1)
      ...
      rm ∈ m(xsm, xom)
    then
      p1; ...; pn
    fi
TAM Primitives
  enter r into m(xs, xo)
  delete r from m(xs, xo)
  create subject xs of type ts
  create object xo of type to
  destroy subject xs
  destroy object xo
The Works
Example: The ORCON Policy
(ORCON = ORiginator CONtrolled access rights)
The Problem
  (Figure: the R&D department with the ProjectX files, the Sales department with the Sales flyer; no information flow from R&D to Sales)
  Ann grants a read right for the ProjectX files to Bob
  Bob grants a read right to Chris
  Chris may not forward information obtained by that right
Model Sets
  (Figure: types s (subject), co (confined object), cs (confined subject); rights own, cread, read, parent)
The Works
  Step 1: Ann creates ORCON object ProjectXFile (protection scheme command createOrconObject, see below)
    m             ProjectXFile: co
    Ann: s        own
    Bob: s
  Step 2: Ann grants the confined read right for ProjectXFile to Bob (protection scheme command grantCRead)
    m             ProjectXFile: co
    Ann: s        own
    Bob: s        cread
  Step 3: Bob uses the cread right to create the confined subject Chris with permission to read ProjectXFile (protection scheme command useCRead)
    m             ProjectXFile: co    Chris: cs
    Ann: s        own
    Bob: s        cread               parent
    Chris: cs     read
Revocation (the slides show only the command bodies):
  ... if own ∈ m(s1, o) then destroy object o; fi end
  ... if parent ∈ m(s2, s3) then destroy subject s3; fi end
TAM models
  safety still not decidable (obviously)
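The ORCON protection scheme of the preceding slides as a typed access matrix. This is an added example, not code from the lecture: the types s, co and cs, the rights own, cread, read and parent and the command names createOrconObject, grantCRead and useCRead are from the slides, while the parameter lists, the names revokeOrconObject and revokeConfinedSubject for the two revocation commands whose bodies the slides show, the extra subject Dave and the class TAM are this example's own. The point it makes executable is how typing achieves confinement: Chris obtains read, but because Chris has type cs no command of the scheme accepts him in a grantor position, so the read right cannot be passed on through the protection scheme.

```python
# Added example (not from the lecture): the ORCON scheme as a typed access
# matrix with type-checked commands. Parameter lists and the revocation
# command names are this example's reconstruction.
from typing import Dict, FrozenSet, Set, Tuple


class TAM:
    def __init__(self) -> None:
        self.t: Dict[str, str] = {}                       # t: S ∪ O -> T
        self.m: Dict[Tuple[str, str], Set[str]] = {}      # access matrix cells

    def rights(self, x: str, y: str) -> FrozenSet[str]:
        return frozenset(self.m.get((x, y), set()))

    def typ(self, x: str) -> str:
        return self.t.get(x, "")

    # typed TAM primitives
    def create(self, x: str, t: str) -> None:
        assert x not in self.t, "entity already exists"
        self.t[x] = t

    def destroy(self, x: str) -> None:
        del self.t[x]
        self.m = {c: rs for c, rs in self.m.items() if x not in c}

    def enter(self, r: str, x: str, y: str) -> None:
        self.m.setdefault((x, y), set()).add(r)

    def delete(self, r: str, x: str, y: str) -> None:
        self.m.get((x, y), set()).discard(r)

    # commands: type conditions, then right conditions, then primitives.
    # Each returns whether its condition held; otherwise the state is unchanged.
    def createOrconObject(self, s: str, o: str) -> bool:
        if self.typ(s) == "s" and o not in self.t:
            self.create(o, "co")
            self.enter("own", s, o)
            return True
        return False

    def grantCRead(self, s1: str, s2: str, o: str) -> bool:
        if (self.typ(s1) == "s" and self.typ(s2) == "s" and self.typ(o) == "co"
                and "own" in self.rights(s1, o)):
            self.enter("cread", s2, o)
            return True
        return False

    def useCRead(self, s2: str, cs: str, o: str) -> bool:
        """s2 exercises cread by creating a confined subject cs that may read o.
        cs gets type cs, so no command 
 accepts it as grantor or owner."""
        if (self.typ(s2) == "s" and self.typ(o) == "co" and cs not in self.t
                and "cread" in self.rights(s2, o)):
            self.create(cs, "cs")
            self.enter("parent", s2, cs)
            self.enter("read", cs, o)
            return True
        return False

    def revokeOrconObject(self, s1: str, o: str) -> bool:
        # slide body: if own ∈ m(s1, o) then destroy object o fi
        if self.typ(s1) == "s" and self.typ(o) == "co" and "own" in self.rights(s1, o):
            self.destroy(o)
            return True
        return False

    def revokeConfinedSubject(self, s2: str, s3: str) -> bool:
        # slide body: if parent ∈ m(s2, s3) then destroy subject s3 fi
        if self.typ(s2) == "s" and self.typ(s3) == "cs" and "parent" in self.rights(s2, s3):
            self.destroy(s3)
            return True
        return False


def orcon_scenario() -> TAM:
    """Steps 1 to 3 of the slides: Ann creates ProjectXFile, grants cread to
    Bob, Bob creates the confined reader Chris. Dave is an extra ordinary
    subject (assumed) used to probe whether Chris can grant anything."""
    tam = TAM()
    for u in ("Ann", "Bob", "Dave"):
        tam.create(u, "s")
    assert tam.createOrconObject("Ann", "ProjectXFile")
    assert tam.grantCRead("Ann", "Bob", "ProjectXFile")
    assert tam.useCRead("Bob", "Chris", "ProjectXFile")
    return tam


def confinement_holds(tam: TAM) -> bool:
    """Chris can read but cannot pass the information on through the scheme:
    both commands that could propagate access reject a cs-typed subject."""
    return ("read" in tam.rights("Chris", "ProjectXFile")
            and not tam.grantCRead("Chris", "Dave", "ProjectXFile")
            and not tam.useCRead("Chris", "Eve", "ProjectXFile"))
```

Revocation follows the two command bodies on the slides: the owner destroying the ORCON object removes every right on it, including Chris's read, and the parent destroying the confined subject removes Chris entirely.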
Expressive Power
  ORCON example
IBAC Summary
We Now Can
  Model identity-based AC policies
  Analyze them wrt. basic security properties (right proliferation)
  Infer implementations
in order to minimize
  Specification errors
  Implementation errors
Approach
Model Spectrum
Static models:
  f: S × O × A -> {granted, denied}
  m: S × O -> 2^A
  ACM
Dynamic models:
  Plus automaton (HRU)
  Plus type system (TAM)
However
  Level of abstraction
  Scalability
  Manageability
Application-oriented: roles = functions in organizations
Application Domains
  Financial organizations
    roles: client, consultant, analyst, product developer, ...
  Operating systems
    roles: SysAdmin, WebAdmin, UserAdmin, User, ...
Idea
(Figure: users are assigned to roles, roles to rights)
  Dr. Brains, Dr. Bones -> Ward Physician -> read EPRs, write EPRs
  Nurse Kathy, Brother Tuck -> Nurse -> read medications
  role-to-right relation
IBAC -> RBAC
  IBAC: Subject (S), Operation, Object (O)
  RBAC: User -> Role -> Right, where a right is an operation on an object
RBAC0 = (U, R, P, S, UA, PA, user, roles) where
  U is a set of users, R a set of roles, P a set of permissions,
  S is a set of sessions,
  UA ⊆ U × R is a users-to-roles relation,
  PA ⊆ P × R is a permissions-to-roles relation,
  user: S -> U is a function mapping sessions to users,
  roles: S -> 2^R is a function mapping sessions to sets of roles where
    ∀ s ∈ S, r ∈ R: r ∈ roles(s) ⇒ (user(s), r) ∈ UA
Interpretation
(Figure: Users are related to Roles by UA and Roles to Permissions by PA; a subject is a Session, mapped by user to its User and by roles to its active Roles; UA and PA are static, sessions are dynamic; a Permission is an Operation on an Object)
RBAC Family
Sandhu 1996
  RBAC0: base model
  RBAC1: RBAC0 + role hierarchies
  RBAC2: RBAC0 + constraints
  RBAC3: RBAC1 + RBAC2
RBAC1: Role Hierarchies
Goal
  To eliminate redundancy
Approach
  Role hierarchy: Permission inheritance between roles
Examples
  Nursing staff
  Apprentice physician, Physician, Head physician
  Project staff, Tester, Programmer, Project manager
Hierarchy Modeling:
Partial ordering ≤ on a set C
Properties
  Reflexive:      ∀ c ∈ C: c ≤ c
  Anti-symmetric: ∀ c, d ∈ C: c ≤ d and d ≤ c ⇒ c = d
  Transitive:     ∀ c, d, e ∈ C: c ≤ d and d ≤ e ⇒ c ≤ e
Interpretation
  Transitivity: ∀ r1, r2, r3 ∈ R: r1 ≥ r2 and r2 ≥ r3 ⇒ r1 ≥ r3 (r1 inherits the permissions of r2, which inherits those of r3)
Example
  Project staff passes its permissions to Tester and Programmer
  Tester and Programmer pass their permissions to Project manager
Interpretation
(Figure: as for RBAC0, Users are mapped by user to Sessions and Sessions by roles to Roles; the Roles are now partially ordered by the role hierarchy)
RBAC2: Constraints
Observation
Goal
  Representation of constraints
Approach
  Separation of duty
    e.g. mutual exclusion of roles
  Quantitative restrictions
    e.g. to avoid accumulation of offices
    Maximum number of users per role (e.g. head of department)
    Maximum number of permissions per role (e.g. critical permissions)
  Factual restrictions
Model
  (U, R, P, S, UA, PA, user, roles, RE) where RE models restrictions on other model components such as UA, PA, user, or roles
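The RBAC0 definition, the RBAC1 role hierarchy and two of the RBAC2 constraints above (mutually exclusive roles on UA, a maximum number of users per role) as one executable model. This is an added example, not code from the lecture; the class RBAC and the constructed hospital data are its own, with roles taken from the slides' examples (apprentice physician, physician, head physician, nurse). The separation-of-duty pair Nurse/Physician is an assumed rule, not one the slides state. The checks enforce the side condition of roles(s) (a session may only activate roles its user holds in UA), permission inheritance as the reflexive-transitive closure of the hierarchy, and RE as a guard on every UA change.

```python
# Added example (not from the lecture): RBAC0 + RBAC1 hierarchy + RBAC2
# constraints as executable checks. Class and sample data are this example's own.
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Perm = Tuple[str, str]          # permission = (operation, object)


class RBAC:
    def __init__(self) -> None:
        self.UA: Set[Tuple[str, str]] = set()         # (user, role)
        self.PA: Set[Tuple[Perm, str]] = set()        # (permission, role)
        self.RH: Set[Tuple[str, str]] = set()         # (senior, junior): senior inherits junior's permissions
        self.sessions: Dict[str, Tuple[str, FrozenSet[str]]] = {}   # session -> (user(s), roles(s))
        self.mutex: Set[FrozenSet[str]] = set()       # RE: mutually exclusive role pairs on UA
        self.max_users: Dict[str, int] = {}           # RE: cardinality per role

    # RBAC1: r together with every role below it in the hierarchy
    def juniors(self, r: str) -> Set[str]:
        out, todo = {r}, [r]
        while todo:
            x = todo.pop()
            for senior, junior in self.RH:
                if senior == x and junior not in out:
                    out.add(junior)
                    todo.append(junior)
        return out

    def roles_of(self, u: str) -> Set[str]:
        return {r for u2, r in self.UA if u2 == u}

    # RBAC2: a UA change takes effect only if RE still holds afterwards
    def assign_user(self, u: str, r: str) -> bool:
        if any(frozenset({r, r2}) in self.mutex for r2 in self.roles_of(u)):
            return False
        if r in self.max_users and len({u2 for u2, r2 in self.UA if r2 == r}) >= self.max_users[r]:
            return False
        self.UA.add((u, r))
        return True

    # RBAC0: roles(s) must be covered by UA for user(s)
    def open_session(self, sid: str, u: str, roles: Iterable[str]) -> bool:
        active = frozenset(roles)
        if not active <= self.roles_of(u):
            return False
        self.sessions[sid] = (u, active)
        return True

    def permitted(self, sid: str, op: str, obj: str) -> bool:
        """Access check for a subject (= session): some active role, or a role
        it inherits from, carries the permission in PA."""
        _, active = self.sessions[sid]
        effective = {j for r in active for j in self.juniors(r)}
        return any(((op, obj), r) in self.PA for r in effective)


def hospital() -> RBAC:
    """Constructed sample: the hierarchy ApprenticePhysician < Physician <
    HeadPhysician, a Nurse role, one SoD rule and one cardinality rule."""
    rb = RBAC()
    rb.PA |= {(("read", "EPR"), "ApprenticePhysician"),
              (("write", "EPR"), "Physician"),
              (("read", "Medication"), "Nurse")}
    rb.RH |= {("Physician", "ApprenticePhysician"), ("HeadPhysician", "Physician")}
    rb.mutex.add(frozenset({"Nurse", "Physician"}))   # assumed SoD rule
    rb.max_users["HeadPhysician"] = 1                  # one head of department
    for u, r in (("Dr. Brains", "HeadPhysician"), ("Dr. Bones", "ApprenticePhysician"),
                 ("Nurse Kathy", "Nurse"), ("Brother Tuck", "Nurse")):
        assert rb.assign_user(u, r)
    return rb
```

The hierarchy direction matters: RH stores (senior, junior) so that the head physician ends up with read and write on EPRs through two inheritance steps, while the apprentice keeps read only.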
RBAC Summary
Pros
  Scalability
  Application-oriented model abstractions
  Standardized
  tool support (e.g. for role engineering)
Cons