37 \end{frame} |
37 \end{frame} |
38 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
38 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
39 |
39 |
40 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
40 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
41 \begin{frame}[c] |
41 \begin{frame}[c] |
|
42 \frametitle{Survey: Thanks!} |
|
43 \small |
|
44 |
|
45 \begin{itemize} |
|
46 \item ``Would be good, if you provide more detailed explanations. I feel |
|
47 your slides are not as structured as they could be.'' |
|
48 \item Please consider reference book chapters to cover core subject |
|
49 areas.''\pause |
|
50 \item ``The homework questions don't come directly from the |
|
51 slides. So must go look things up.'' |
|
52 \item ``Could you please put the homework answers online, perhaps |
|
53 just before the exam. That's late enough where we should have done |
|
54 it and if not, we're screwed already then.'' |
|
55 \item ``Could you provide a brief basic answers to sheets for reference |
|
56 and not to be relied on.'' |
|
57 \end{itemize} |
|
58 |
|
59 \end{frame} |
|
60 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
61 |
|
62 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
63 \begin{frame}[c] |
42 |
64 |
43 \begin{center} |
65 \begin{center} |
44 \includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\ |
66 \includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\ |
45 last week: buffer overflow attacks |
67 last week: buffer overflow attacks |
46 \end{center} |
68 \end{center} |
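Review bot: the second survey item on the new "Survey: Thanks!" frame (new lines 48-49) closes with '' but never opens with ``, so the quotation marks are unbalanced and the item renders differently from the other four quoted comments; change `\item Please consider reference book chapters to cover core subject` to `\item ``Please consider reference book chapters to cover core subject` so that every item reads as a verbatim student quote like its neighbours.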
140 \begin{frame}[c] |
162 \begin{frame}[c] |
141 \frametitle{Access Control in Unix} |
163 \frametitle{Access Control in Unix} |
142 |
164 |
143 \begin{itemize} |
165 \begin{itemize} |
144 \item access control provided by the OS |
166 \item access control provided by the OS |
145 \item authenticate principals (login) |
167 \item authenticate principals |
146 \item mediate access to files, ports, processes according to \alert{roles} (user ids)\\ |
168 \item mediate access to files, ports, processes etc according to |
147 \item roles get attached with privileges\bigskip\\% |
169 \alert{roles} (user ids)\\ |
|
170 \item roles get attached with privileges\bigskip\\ |
|
171 |
148 \hspace{8mm} |
172 \hspace{8mm} |
149 \begin{bubble}[8cm] |
173 \begin{bubble}[8cm] |
150 \alert{principle of least privilege:}\\ |
174 \alert{principle of least privilege:}\\ |
151 users and programs should only have as much privilege as they need |
175 users and programs should only have as much privilege as they need to |
|
176 accomplish a task |
152 \end{bubble} |
177 \end{bubble} |
153 \end{itemize} |
178 \end{itemize} |
154 |
179 |
155 \end{frame} |
180 \end{frame} |
156 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
181 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
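Review bot: dropping "(login)" from "authenticate principals" (new line 167) removes the one concrete cue the slide gave for how the OS authenticates, while the neighbouring "roles (user ids)" parenthetical was kept; consider keeping `\item authenticate principals (login)`. In the same list, "files, ports, processes etc according to" (new line 168) needs the abbreviation punctuated, and in LaTeX it should be written `processes, etc.\ according to` so the period is not treated as a sentence end with extra spacing.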
192 \texttt{id cu} |
217 \texttt{id cu} |
193 \end{center}\medskip\pause |
218 \end{center}\medskip\pause |
194 |
219 |
195 \item non-root users are not allowed to change the UID --- would break |
220 \item non-root users are not allowed to change the UID --- would break |
196 access control |
221 access control |
197 \item but needed for example for \texttt{passwd} |
222 \item but needed for example for accessing \texttt{passwd} |
198 \end{itemize} |
223 \end{itemize} |
199 |
224 |
200 \end{frame} |
225 \end{frame} |
201 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
226 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
202 |
227 |
203 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
228 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
204 \begin{frame}[c] |
229 \begin{frame}[c] |
205 \frametitle{Setuid and Setgid} |
230 \frametitle{Setuid and Setgid} |
206 |
231 |
207 The solution is that Unix file permissions are 9 + \underline{2 Bits}: |
232 The solution is that Unix file permissions are 9 + \underline{2 Bits}: |
208 \alert{Setuid} and \alert{Setgid} Bits |
233 \alert{Setuid} and \alert{Setgid} bits |
209 |
234 |
210 \begin{itemize} |
235 \begin{itemize} |
211 \item When a file with setuid is executed, the resulting process will |
236 \item When a file with setuid is executed, the resulting process will |
212 assume the UID given to the owner of the file. |
237 assume the UID given to the \underline{owner} of the file. |
213 \item This enables users to create processes as root (or another |
238 \item This enables users to create processes as root (or another |
214 user).\bigskip |
239 user).\bigskip |
215 |
240 |
216 \item Essential for changing passwords, for example. |
241 \item Essential for changing passwords, for example. |
217 \end{itemize} |
242 \end{itemize} |
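Review bot: "but needed for example for accessing \texttt{passwd}" (new line 222) is ambiguous between the \texttt{passwd} program and the /etc/passwd file, and the following frame makes clear the point is the program ("Essential for changing passwords", "create processes as root"); suggest `\item but needed for example by the \texttt{passwd} program (runs as root to change a password)` so the UID-change motivation lines up with the setuid explanation that follows.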
223 \end{frame} |
248 \end{frame} |
224 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
249 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
225 |
250 |
226 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
251 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
227 \begin{frame}[c] |
252 \begin{frame}[c] |
228 \frametitle{Access Control} |
|
229 |
|
230 \begin{itemize} |
|
231 \item \bl{Discretionary Access Control:}\mbox{}\medskip\\ |
|
232 |
|
233 \small Access to objects (files, directories, devices, etc.) is permitted |
|
234 based on user identity. Each object is owned by a user. Owners can |
|
235 specify freely (at their discretion) how they want to share their objects |
|
236 with other users, by specifying which other users can have which |
|
237 form of access to their objects.\medskip |
|
238 |
|
239 Discretionary access control is implemented on any multi-user OS |
|
240 (Unix, Windows NT, etc.). |
|
241 \end{itemize} |
|
242 |
|
243 \end{frame} |
|
244 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
245 |
|
246 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
247 \begin{frame}[c] |
|
248 \frametitle{Access Control} |
|
249 |
|
250 \begin{itemize} |
|
251 \item \bl{Mandatory Access Control:}\mbox{}\medskip\\ |
|
252 |
|
253 \small Access to objects is controlled by a system-wide policy, for example |
|
254 to prevent certain flows of information. In some forms, the system maintains |
|
255 security labels for both objects and subjects (processes, users), based on |
|
256 which access is granted or denied. Labels can change as the result of an |
|
257 access. Security policies are enforced without the cooperation of users or |
|
258 application programs.\medskip |
|
259 |
|
260 This is implemented today in special military operating system versions |
|
261 (SELinux). |
|
262 \end{itemize} |
|
263 |
|
264 \end{frame} |
|
265 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
266 |
|
267 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
268 \begin{frame}[c] |
|
269 \frametitle{\Large Discretionary Access Control} |
253 \frametitle{\Large Discretionary Access Control} |
270 |
254 |
271 In its most generic form usually given by an Access Control Matrix |
255 \begin{itemize} |
272 of the form |
256 \item Access to objects (files, directories, devices, etc.) is |
|
257 permitted based on user identity. Each object is owned by a |
|
258 user. Owners can specify freely (at their discretion) how they want to |
|
259 share their objects with other users, by specifying which other users |
|
260 can have which form of access to their objects.\medskip |
|
261 |
|
262 \item Discretionary access control is implemented on any modern multi-user |
|
263 OS (Unix, Windows NT, etc.). |
|
264 \end{itemize} |
|
265 |
|
266 \end{frame} |
|
267 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
268 |
|
269 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
270 \begin{frame}[c] |
|
271 \frametitle{\Large Mandatory Access Control} |
|
272 |
|
273 \begin{itemize} |
|
274 \item Access to objects is controlled by a system-wide policy, for |
|
275 example to prevent certain flows of information. In some forms, the |
|
276 system maintains security labels for both objects and subjects |
|
277 (processes, users) based on which access is granted or |
|
278 denied. Labels can change as the result of an access. Security |
|
279 policies are enforced without the cooperation of users or |
|
280 programs.\medskip |
|
281 |
|
282 \item This is implemented in banking or military operating system |
|
283 versions (SELinux). |
|
284 \end{itemize} |
|
285 |
|
286 \end{frame} |
|
287 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
288 |
|
289 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
290 \begin{frame}[c] |
|
291 \frametitle{\Large Discretionary Access Control} |
|
292 |
|
293 In its most generic form usually given by an \alert{Access Control |
|
294 Matrix} of the form |
273 |
295 |
274 \begin{center} |
296 \begin{center} |
275 \begin{tabular}{r|c|c|c} |
297 \begin{tabular}{r|c|c|c} |
276 & /mail/jane & edit.exe & sendmail \\\hline |
298 & /mail/jane & edit.exe & postfix \\\hline |
277 jane & r, w & r, x & r, x\\\hline |
299 jane & r, w & r, x & r, x\\\hline |
278 john & $\varnothing$ & r, w, x& r, x\\\hline |
300 john & $\varnothing$ & r, w, x& r, x\\\hline |
279 sendmail & a & $\varnothing$ & r, x\\ |
301 postfix & a & $\varnothing$ & r, x\\ |
280 \end{tabular} |
302 \end{tabular} |
281 \end{center} |
303 \end{center} |
282 |
304 |
283 access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend |
305 access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend |
284 \end{frame} |
306 \end{frame} |
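Review bot: on the new Mandatory Access Control frame, "This is implemented in banking or military operating system versions (SELinux)." (new lines 282-283) reads as though SELinux were itself a banking or military OS version, whereas it is a Linux security module shipped with ordinary distributions; splitting the sentence, e.g. "This is used in banking or military settings; SELinux is a widely deployed implementation.", keeps the examples without the misleading parenthetical. The rename from sendmail to postfix in the access control matrix (new lines 298 and 301) is applied consistently to both the column header and the subject row, so nothing further is needed there.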
319 \item Restrictions to allowed information flows are not decided at the |
341 \item Restrictions to allowed information flows are not decided at the |
320 user's discretion (as with Unix \pcode{chmod}), but instead enforced |
342 user's discretion (as with Unix \pcode{chmod}), but instead enforced |
321 by system policies. |
343 by system policies. |
322 |
344 |
323 \item Mandatory access control mechanisms are aimed in particular at |
345 \item Mandatory access control mechanisms are aimed in particular at |
324 preventing policy violations by untrusted application software, |
346 preventing policy violations by untrusted programs, which typically |
325 which typically have at least the same access privileges as the |
347 have at least the same access privileges as the invoking |
326 invoking user.\medskip |
348 user.\medskip\pause |
327 |
349 |
328 Simple example: Air Gap Security. Uses completely separate network |
350 Simple example: Air Gap Security. Uses a completely separate network |
329 and computer hardware for different application classes. |
351 and computer hardware for different application classes. |
330 \end{itemize} |
352 \end{itemize} |
331 |
353 |
332 \end{frame} |
354 \end{frame} |
333 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
355 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
334 |
356 |
335 |
357 |
336 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
358 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
337 \begin{frame}[c] |
359 \begin{frame}[c] |
338 \frametitle{The Bell/LaPadula Model} |
360 \frametitle{The Bell-LaPadula Model} |
|
361 \small |
339 |
362 |
340 \begin{itemize} |
363 \begin{itemize} |
341 \item Formal policy model for mandatory access control in a military |
364 \item Formal policy model for mandatory access control in a military |
342 multi-level security environment. All subjects (processes, users, |
365 multi-level security environment. All subjects (processes, users, |
343 terminals, files, windows, connections) are labeled |
366 terminals, files, windows, connections) are labeled |
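Review bot: the Bell-LaPadula item (new lines 364-366) says "All subjects (processes, users, terminals, files, windows, connections) are labeled", but the Mandatory Access Control frame earlier on this page distinguishes labels on "both objects and subjects (processes, users)", and files, windows and terminals are objects, not subjects; suggest "All subjects (processes, users) and objects (terminals, files, windows, connections) are labeled" so the two frames use the same vocabulary.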
615 |
638 |
616 \end{frame} |
639 \end{frame} |
617 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
640 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
618 |
641 |
619 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
642 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
643 \begin{frame}[c] |
|
644 \frametitle{\Large Cryptographic Protocol Failures} |
|
645 |
|
646 Ross Anderson and Roger Needham wrote:\bigskip |
|
647 |
|
648 \begin{quote}\rm |
|
649 A lot of the recorded frauds were the result of this kind of blunder, |
|
650 or from management negligence pure and simple. \alert{However, there |
|
651 have been a significant number of cases where the designers |
|
652 protected the right things, used cryptographic algorithms which were |
|
653 not broken, and yet found that their systems were still successfully |
|
654 attacked.} |
|
655 \end{quote} |
|
656 |
|
657 \end{frame} |
|
658 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
659 |
|
660 |
|
661 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
620 \mode<presentation>{ |
662 \mode<presentation>{ |
621 \begin{frame}[c] |
663 \begin{frame}[c] |
622 \frametitle{Authentication Protocols} |
664 \frametitle{Authentication Protocols} |
623 |
665 |
624 |
666 |
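Review bot: the new "Cryptographic Protocol Failures" frame (new lines 643-657) attributes the quotation to Ross Anderson and Roger Needham but gives no source, so a reader cannot check it or the context of "this kind of blunder", which refers to something outside the quoted passage; add the paper title and year under the \end{quote}, for example as a \footnotesize line or a \bibitem reference, before this frame goes out.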