# HG changeset patch
# User Christian Urban
# Date 1382396261 -3600
# Node ID a42bbdfe5dd99591ea96ab5a02fecebb3b6f68a1
# Parent 59d3bf386a6d9296dcf388278d4f96086c13fcbf
more slides
diff -r 59d3bf386a6d -r a42bbdfe5dd9 slides/slides04.pdf
Binary file slides/slides04.pdf has changed
diff -r 59d3bf386a6d -r a42bbdfe5dd9 slides/slides04.tex
--- a/slides/slides04.tex	Mon Oct 21 23:28:03 2013 +0100
+++ b/slides/slides04.tex	Mon Oct 21 23:57:41 2013 +0100
@@ -300,30 +300,225 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{The Bell/LaPadula Model}
+\begin{itemize}
+\item Formal policy model for mandatory access control in a military multi-level security environment. All subjects (processes, users, terminals) and data objects (files, directories, windows, connections) are labeled with a confidentiality level, e.g.
+\begin{center}
+unclassified < confidential < secret < top secret.
+\end{center}
+
+\item The system policy automatically prevents the flow of information from high-level objects to lower levels. A process that reads top secret data becomes tagged as top secret by the operating system, as will be all files into which it writes afterwards.
+%Each user has a maximum allowed confidentiality level specified and cannot receive data beyond that level. A selected set of trusted subjects is allowed to bypass the restrictions, in order to permit the declassification of information.
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode{
+ \begin{frame}[c]
+ \frametitle{Bell-LaPadula}
+ \small
+
+ \begin{itemize}
+ \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
+ \bl{$P$}'s security level is at least as high as \bl{$O$}'s.
+ \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
+ \bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip
+
+ \item Meta-Rule: All principals in a system should have a sufficiently high security level
+ in order to access an object.
+ \end{itemize}\bigskip
+
+ This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause
+
+ Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode{
+ \begin{frame}[c]
+ \frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}
+
+ \begin{tikzpicture}
+ \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+ {\normalsize\color{darkgray}
+ \begin{minipage}{10cm}\raggedright
+ A principal should have as few privileges as possible to access a resource.
+ \end{minipage}};
+ \end{tikzpicture}\bigskip\bigskip
+ \small
+
+ \begin{itemize}
+ \item Bob ($T\!S$) and Alice ($S$) want to communicate
+ \item[] $\Rightarrow$ Bob should lower his security level
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode{
+ \begin{frame}[c]
+ \frametitle{Biba Policy}
+ \small
+
+ Data Integrity (rather than data confidentiality)
+
+ \begin{itemize}
+ \item Biba: {\bf `no read down'} - {\bf `no write up'}
+ \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
+ \bl{$P$}'s security level is lower or equal than \bl{$O$}'s.
+ \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
+ \bl{$O$}'s security level is lower or equal than \bl{$P$}'s.
+ \end{itemize}\bigskip\bigskip\pause
+
+ E.g.~Generals write orders to officers; officers write oders to solidiers\\
+ Firewall: you can read from inside the firewall, but not from outside\\
+ Phishing: you can look at an approved PDF, but not one from a random email\\
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Shared Access Control}
+
+\begin{center}
+\includegraphics[scale=0.7]{pics/pointsplane.jpg}
+\end{center}
+
+\begin{textblock}{11}(10.5,10.5)
+\small
+To take an action you\\[-1mm]
+need at least either:
+\begin{itemize}
+\item 1 CEO\\[-5mm]
+\item 2 MDs, or\\[-5mm]
+\item 3 Ds
+\end{itemize}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{Setuid and Setgid}
+\frametitle{Lessons from Access Control}
-The solution is that unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} Bits
+Not just restricted to Unix:
 \begin{itemize}
-\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
-\item This enables users to create processes as root (or another user).\bigskip
+\item if you have too many roles (i.e.~too finegrained AC), then
+ hierarchy is too complex\\
+ \textcolor{gray}{you invite situations like\ldots let's be root}\bigskip
-\item Essential for changing passwords, for example.
+\item you can still abuse the system\ldots
+
 \end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode{
+ \begin{frame}[t]
+ \frametitle{Protocols}
+
+\mbox{}
+
+\begin{tabular}{l}
+{\Large \bl{$A\;\text{sends}\; B : \ldots$}}\\
+\onslide<2->{\Large \bl{$B\;\text{sends}\; A : \ldots$}}\\
+\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
+\end{tabular}
+
+ \begin{itemize}
+ \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
+ but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
+\item<2-> indicates one ``protocol run'', or session, which specifies some
+order in the communication
+\item<2-> there can be several sessions in parallel (think of wifi routers)
+\end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{A mutual authentication protocol}
+
 \begin{center}
-\texttt{chmod 4755 fobar\_file}
+\begin{tabular}{ll}
+\bl{$A \rightarrow B$:} & \bl{$N_a$}\\
+\bl{$B \rightarrow A$:} & \bl{$\{N_a, N_b\}_{K_{ab}}$}\\
+\bl{$A \rightarrow B$:} & \bl{$N_b$}\\
+\end{tabular}
 \end{center}
+Explain how an attacker \bl{$B'$} can launch an impersonation attack by
+intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her own challenges.
+
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Nonces}
+
+\begin{enumerate}
+\item I generate a nonce (random number) and send it to you encrypted with a key we share
+\item you increase it by one, encrypt it under a key I know and send
+it back to me
+\end{enumerate}
+
+
+I can infer:
+
+\begin{itemize}
+\item you must have received my message
+\item you could only have generated your answer after I send you my initial
+message
+\item if only you and me know the key, the message must have come from you
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
+\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
+\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
+\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
+\end{tabular}
+\end{center}\pause
+
+\bl{$B$} believes it is following the correct protocol,
+intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
+talks to \bl{$B$} masquerading as \bl{$A$}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
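Review bot: The Biba frame's example line has two typos, `oders` for `orders` and `solidiers` for `soldiers`, and both Biba rules say `lower or equal than`, which should read `lower than or equal to`; the same frame and the Bell-LaPadula frame also set the rule summaries with the plain-TeX `\bf` switch, where `\textbf{}` is the LaTeX form and an en-dash `--` rather than ` - ` separates the two halves. In the Needham-Schroeder table the final message row ends with a lone `\` before `\end{tabular}`, which TeX reads as a control space instead of the `\\` the other rows use; it compiles, but looks like a truncated row terminator. On the Nonces frame, `after I send you my initial message` should be `after I sent you`, and `if only you and me know the key` should be `if only you and I know the key`. Notation is also mixed between frames, with `$K_{ab}$` on the mutual-authentication slide and `$K_{AB}$` on the Needham-Schroeder slide; picking one spelling would avoid students reading them as different keys.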
@@ -391,27 +586,6 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
-
-There are thing's you just cannot solve on the programming side:\bigskip
-
-\begin{itemize}
-\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
-\begin{itemize}
-\item attacker:\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
-\item root:\\\texttt{rm /tmp/*/*}:
-\item attacker:\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
 \frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
 Unix essentially can only distinguish between two security levels (root and non-root).