sen-material: comparison slides/slides04.tex

equal deleted inserted replaced

-:59d3bf386a6d
+:a42bbdfe5dd9
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\frametitle{The Bell/LaPadula Model}
-\mode<presentation>{
-\begin{frame}[c]
+\begin{itemize}
-\frametitle{Setuid and Setgid}
+\item Formal policy model for mandatory access control in a military multi-level security environment.
+All subjects (processes, users, terminals) and data objects (files, directories, windows, connections) are labeled with a confidentiality level, e.g.
-The solution is that unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} Bits
-\begin{itemize}
-\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
-\item This enables users to create processes as root (or another user).\bigskip
-\item Essential for changing passwords, for example.
-\end{itemize}
 \begin{center}
-\texttt{chmod 4755 fobar\_file}
+unclassified < confidential < secret < top secret.
 \end{center}
+\item
+The system policy automatically prevents the flow of information from high-level objects to lower levels. A process that reads top secret data becomes tagged as top secret by the operating system, as will be all files into which it writes afterwards.
+%Each user has a maximum allowed confidentiality level specified and cannot receive data beyond that level. A selected set of trusted subjects is allowed to bypass the restrictions, in order to permit the declassification of information.
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Bell-LaPadula}
+\small
+\begin{itemize}
+\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
+\bl{$P$}'s security level is at least as high as \bl{$O$}'s.
+\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
+\bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip
+\item Meta-Rule: All principals in a system should have a sufficiently high security level
+in order to access an object.
+\end{itemize}\bigskip
+This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause
+Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{10cm}\raggedright
+A principal should have as few privileges as possible to access a resource.
+\end{minipage}};
+\end{tikzpicture}\bigskip\bigskip
+\small
+\begin{itemize}
+\item Bob ($T\!S$) and Alice ($S$) want to communicate
+\item[] $\Rightarrow$ Bob should lower his security level
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Biba Policy}
+\small
+Data Integrity (rather than data confidentiality)
+\begin{itemize}
+\item Biba: {\bf `no read down'} - {\bf `no write up'}
+\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
+\bl{$P$}'s security level is lower or equal than \bl{$O$}'s.
+\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
+\bl{$O$}'s security level is lower or equal than \bl{$P$}'s.
+\end{itemize}\bigskip\bigskip\pause
+E.g.~Generals write orders to officers; officers write oders to solidiers\\
+Firewall: you can read from inside the firewall, but not from outside\\
+Phishing: you can look at an approved PDF, but not one from a random email\\
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Shared Access Control}
+\begin{center}
+\includegraphics[scale=0.7]{pics/pointsplane.jpg}
+\end{center}
+\begin{textblock}{11}(10.5,10.5)
+\small
+To take an action you\\[-1mm]
+need at least either:
+\begin{itemize}
+\item 1 CEO\\[-5mm]
+\item 2 MDs, or\\[-5mm]
+\item 3 Ds
+\end{itemize}
+\end{textblock}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Lessons from Access Control}
+Not just restricted to Unix:
+\begin{itemize}
+\item if you have too many roles (i.e.~too finegrained AC), then
+	hierarchy is too complex\\
+	\textcolor{gray}{you invite situations like\ldots let's be root}\bigskip
+\item you can still abuse the system\ldots
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Protocols}
+\mbox{}
+\begin{tabular}{l}
+{\Large \bl{$A\;\text{sends}\; B : \ldots$}}\\
+\onslide<2->{\Large \bl{$B\;\text{sends}\; A : \ldots$}}\\
+\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
+\end{tabular}
+\begin{itemize}
+\item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
+but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
+\item<2-> indicates one ``protocol run'', or session,  which specifies some
+order in the communication
+\item<2-> there can be several sessions in parallel (think of wifi routers)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{A mutual authentication protocol}
+\begin{center}
+\begin{tabular}{ll}
+\bl{$A \rightarrow B$:} & \bl{$N_a$}\\
+\bl{$B \rightarrow A$:} & \bl{$\{N_a, N_b\}_{K_{ab}}$}\\
+\bl{$A \rightarrow B$:} & \bl{$N_b$}\\
+\end{tabular}
+\end{center}
+Explain how an attacker \bl{$B'$} can launch an impersonation attack by
+intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her own challenges.
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Nonces}
+\begin{enumerate}
+\item I generate a nonce (random number) and send it to you encrypted with a key we share
+\item you increase it by one, encrypt it under a key I know and send
+it back to me
+\end{enumerate}
+I can infer:
+\begin{itemize}
+\item you must have received my message
+\item you could only have generated your answer after I send you my initial
+message
+\item if only you and me know the key, the message must have come from you
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
+\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
+\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
+\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
+\end{tabular}
+\end{center}\pause
+\bl{$B$} believes it is following the correct protocol,
+intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
+talks to \bl{$B$} masquerading as \bl{$A$}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
 \frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
 \end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
-There are thing's you just cannot solve on the programming side:\bigskip
-\begin{itemize}
-\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
-\begin{itemize}
-\item attacker:\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
-\item root:\\\texttt{rm /tmp/*/*}:
-\item attacker:\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
-\end{itemize}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
 \frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}

changeset 118	a42bbdfe5dd9
parent 117	59d3bf386a6d
child 119	0cea882f03c7