slides/slides04.tex
changeset 118 a42bbdfe5dd9
parent 117 59d3bf386a6d
child 119 0cea882f03c7
--- a/slides/slides04.tex	Mon Oct 21 23:28:03 2013 +0100
+++ b/slides/slides04.tex	Mon Oct 21 23:57:41 2013 +0100
@@ -300,30 +300,225 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{The Bell/LaPadula Model}
 
+\begin{itemize}
+\item Formal policy model for mandatory access control in a military multi-level security environment.
All subjects (processes, users, terminals) and data objects (files, directories, windows, connections) are labeled with a confidentiality level, e.g. 
+\begin{center}
+unclassified < confidential < secret < top secret.
+\end{center}
+
+\item 
The system policy automatically prevents the flow of information from high-level objects to lower levels. A process that reads top secret data becomes tagged as top secret by the operating system, as will be all files into which it writes afterwards. 
+%Each user has a maximum allowed confidentiality level specified and cannot receive data beyond that level. A selected set of trusted subjects is allowed to bypass the restrictions, in order to permit the declassification of information.
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+  \mode<presentation>{
+  \begin{frame}[c]
+  \frametitle{Bell-LaPadula}
+  \small
+  
+  \begin{itemize}
+  \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
+  \bl{$P$}'s security level is at least as high as \bl{$O$}'s.
+  \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
+  \bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip
+
+  \item Meta-Rule: All principals in a system should have a sufficiently high security level
+  in order to access an object.
+  \end{itemize}\bigskip
+
+  This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause
+
+  Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}
+
+  \end{frame}}
+  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+  \mode<presentation>{
+  \begin{frame}[c]
+  \frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}
+  
+  \begin{tikzpicture}
+  \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+  {\normalsize\color{darkgray}
+  \begin{minipage}{10cm}\raggedright
+  A principal should have as few privileges as possible to access a resource.
+  \end{minipage}};
+  \end{tikzpicture}\bigskip\bigskip
+  \small
+
+  \begin{itemize}
+  \item Bob ($T\!S$) and Alice ($S$) want to communicate
+  \item[] $\Rightarrow$ Bob should lower his security level
+  \end{itemize}
+
+  \end{frame}}
+  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+  \mode<presentation>{
+  \begin{frame}[c]
+  \frametitle{Biba Policy}
+  \small
+  
+  Data Integrity (rather than data confidentiality)
+
+  \begin{itemize}
+  \item Biba: {\bf `no read down'} - {\bf `no write up'}
+  \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
+  \bl{$P$}'s security level is lower or equal than \bl{$O$}'s.
+  \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
+  \bl{$O$}'s security level is lower or equal than \bl{$P$}'s.
+  \end{itemize}\bigskip\bigskip\pause
+
+  E.g.~Generals write orders to officers; officers write oders to solidiers\\
+  Firewall: you can read from inside the firewall, but not from outside\\
+  Phishing: you can look at an approved PDF, but not one from a random email\\
+
+  \end{frame}}
+  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Shared Access Control}
+
+\begin{center}
+\includegraphics[scale=0.7]{pics/pointsplane.jpg}
+\end{center}
+
+\begin{textblock}{11}(10.5,10.5)
+\small
+To take an action you\\[-1mm] 
+need at least either:
+\begin{itemize}
+\item 1 CEO\\[-5mm]
+\item 2 MDs, or\\[-5mm]
+\item 3 Ds
+\end{itemize}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Setuid and Setgid}
+\frametitle{Lessons from Access Control}
 
-The solution is that unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} Bits
+Not just restricted to Unix:
 
 \begin{itemize}
-\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. 
-\item This enables users to create processes as root (or another user).\bigskip
+\item if you have too many roles (i.e.~too finegrained AC), then 
+	hierarchy is too complex\\
+	\textcolor{gray}{you invite situations like\ldots let's be root}\bigskip
 
-\item Essential for changing passwords, for example.
+\item you can still abuse the system\ldots
+
 \end{itemize}
 
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+  \mode<presentation>{
+  \begin{frame}[t]
+  \frametitle{Protocols}
+ 
+\mbox{} 
+  
+\begin{tabular}{l}
+{\Large \bl{$A\;\text{sends}\; B : \ldots$}}\\
+\onslide<2->{\Large \bl{$B\;\text{sends}\; A : \ldots$}}\\
+\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
+\end{tabular}  
+  
+ \begin{itemize}
+ \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
+ but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
+\item<2-> indicates one ``protocol run'', or session,  which specifies some 
+order in the communication
+\item<2-> there can be several sessions in parallel (think of wifi routers) 
+\end{itemize} 
+  
+  \end{frame}}
+  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+  
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{A mutual authentication protocol}
+
 \begin{center}
-\texttt{chmod 4755 fobar\_file}
+\begin{tabular}{ll}
+\bl{$A \rightarrow B$:} & \bl{$N_a$}\\  
+\bl{$B \rightarrow A$:} & \bl{$\{N_a, N_b\}_{K_{ab}}$}\\
+\bl{$A \rightarrow B$:} & \bl{$N_b$}\\
+\end{tabular}
 \end{center}
 
+Explain how an attacker \bl{$B'$} can launch an impersonation attack by 
+intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her own challenges.
+
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Nonces}
+
+\begin{enumerate}
+\item I generate a nonce (random number) and send it to you encrypted with a key we share
+\item you increase it by one, encrypt it under a key I know and send
+it back to me
+\end{enumerate}
+
+
+I can infer:
+
+\begin{itemize}
+\item you must have received my message
+\item you could only have generated your answer after I send you my initial
+message
+\item if only you and me know the key, the message must have come from you
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
+\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
+\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
+\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
+\end{tabular}
+\end{center}\pause
+
+\bl{$B$} believes it is following the correct protocol,
+intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
+talks to \bl{$B$} masquerading as \bl{$A$}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
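Review bot: The Biba example line `E.g.~Generals write orders to officers; officers write oders to solidiers\\` has two typos and should read `E.g.~Generals write orders to officers; officers write orders to soldiers\\`, and the two rules above it say "lower or equal than", which should be "lower than or equal to". The three example lines on that frame end in `\\` with the last one directly before a blank line, which gives an underfull-hbox warning and a spurious empty line; dropping the final `\\` (or using an itemize as the neighbouring frames do) fixes it, and the lone `\` ending the last row of the key-exchange tabular (`\bl{$\{N'_B-1\}_{K_{AB}}$}\`) is the same kind of slip, typesetting a control space instead of ending the row. The frame holding that five-message exchange has no `\frametitle`; the sequence as written matches the Needham-Schroeder symmetric-key protocol, so `\frametitle{Needham-Schroeder Protocol}` would let the audience place the replayed third message. As a point of style, `{\bf `no read up'}` on the Bell-LaPadula and Biba frames uses the obsolete two-letter font switch; `\textbf{`no read up'}` is the LaTeX2e form.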
@@ -391,27 +586,6 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
-
-There are thing's you just cannot solve on the programming side:\bigskip
-
-\begin{itemize}
-\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
-\begin{itemize}
-\item attacker:\\ 
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
-\item root:\\\texttt{rm /tmp/*/*}:
-\item attacker:\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
 \frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
 
 Unix essentially can only distinguish between two security levels (root and non-root).