% beamer stuff
APP 04, King's College London, 16 October 2012

Access Control and Privacy Policies (4)

Email: christian.urban at
Slides: KEATS (also homework is there)

+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+\frametitle{Unix-Style Access Control}
+\item Q: ``I am using Windows. Why should I care?'' \\ A: In Windows you have:
+administrators group\\ 
+\hspace{5mm}(has complete control over the machine)\\
+authenticated users\\
+server operators\\
+power users\\
+network configuration operators\\
+\item Modern versions of Windows have more fine-grained AC; they do not have a setuid bit, but
+have \texttt{runas} (asks for a password).\pause
+\item OS provided access control can \alert{add} to your
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+  \begin{tikzpicture}[scale=1]
+  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+  \draw (4.7,1) node {Internet};
+  \draw (0.6,1.7) node {\footnotesize Interface};
+  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+  \draw[white] (1.7,1) node (X) {};
+  \draw[white] (3.7,1) node (Y) {};
+  \draw[red, <->, line width = 2mm] (X) -- (Y);
+  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+  \end{tikzpicture}
+\item the idea is make the attack surface smaller and 
+mitigate the consequences of an attack
+\frametitle{Shared Access Control}
+To take an action you\\[-1mm] 
+need either:
+\item 1 CEO\\[-5mm]
+\item 2 MDs\\[-5mm]
+\item 3 Ds
+\frametitle{Lessons from Access Control}
+\item if you have too many roles (i.e.~too finegrained AC), then 
+	hierarchy is too complex\\
+	\textcolor{gray}{you invite situations like\ldots let's be root}\bigskip
+\item you can still abuse the system\ldots
+\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
+The idea is to trick a privileged person to do something on your behalf:
+\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+\textcolor{gray}{the shell behind the scenes:}\\
+\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
+\textcolor{gray}{this takes time}
+\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
+\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ 
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
+\item root \textcolor{gray}{(does the daily cleaning)}\\
+\texttt{rm /tmp/*/*}\medskip\\
+\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ 
+\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
+\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to 
+the real passwd file)}\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
+\item root now deletes  the real passwd file
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+To prevent this kind of attack, you need additional
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier Analysis\end{tabular}}
+\item What assets are you trying to protect?
+\item What are the risks to these assets?
+\item How well does the security solution mitigate those risks?
+\item What other risks does the security solution cause?
+\item What costs and trade-offs does the security solution impose?
+\textcolor{gray}{There is no absolutely secure system and security almost never comes for free.}
+\frametitle{\begin{tabular}{@ {}c@ {}}Example: Credit Cards\end{tabular}}
+You might have the policy of not typing in your credit card online. Worthwhile or not?
+\item<2->What assets are you trying to protect?\\
+\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}your credit card number\end{tabular}}
+\item<3->What are the risks to these assets?\\
+With credit cards you loose a fixed amount \pounds{50}. Amazon \pounds{50}. \end{tabular}}
+\item<4->How well does the security solution mitigate those risks?\\
+Well, hackers steal credit cards from databases. They usually do not attack you individually.\end{tabular}}
+\item<5->What other risks does the security solution cause?
+\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright None (?)\end{tabular}}
+\item<6->What costs and trade-offs does the security solution impose?
+\only<6>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Internet shopping is convenient and sometimes cheaper.\end{tabular}}
+\item<7>[]{\bf\large No!}
+\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewall\end{tabular}}
+A firewall is a piece of software that controls incoming and outgoing traffic according to some rules. 
+\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewall\end{tabular}}
+\item<1->What assets are you trying to protect?\\
+\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Whatever is behind the firewall 
+(credit cards, passwords, blueprints, \ldots)\end{tabular}}
+\item<2->What are the risks to these assets?\\
+With a small online shop you are already at risk. Pentagon, definitely.\end{tabular}}
+\item<3->How well does the security solution mitigate those risks?\\
+Well, at home so not much. Everywhere else, if properly configurated then it does.\end{tabular}}
+\item<4->What other risks does the security solution cause?
+\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright There might be backdoors or bugs in the firewall,
+but generally they are secure. You choose to prevent certain traffic.\end{tabular}}
+\item<5->What costs and trade-offs does the security solution impose?
+Minimal to modest. Firewalls are part of free software. You need a knowledgeable 
+person to set them up.\end{tabular}}
+\item<7>[]{\bf\large Yes!}
+\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}}
+Google uses nowadays two-factor authentication. But it is an old(er)
+idea. It is used for example in Germany and Netherlands for online transactions.
+Or nowadays by SMS (restricts the validity of the numbers) or with a secure generator
+\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}}
+\item<1->What assets are you trying to protect?\\
+\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Your bank account.\end{tabular}}
+\item<2->What are the risks to these assets?\\
+Nowadays pretty high risk.\end{tabular}}
+\item<3->How well does the security solution mitigate those risks?\\
+It prevents problems when passwords are stolen. Man-in-the-middle attacks 
+still possible.\end{tabular}}
+\item<4->What other risks does the security solution cause?
+\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Your mobile phone or creditcard/pin might 
+be stolen. SIM card become valuable.\end{tabular}}
+\item<5->What costs and trade-offs does the security solution impose?
+Banks need to establish an infrastructure. For you it might be inconvenient.\end{tabular}}
+\item<7>[]{\bf\large Yes!}
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals\end{tabular}}
+According to Ross Anderson: ``\ldots is a tamper-indicating device 
+designed to leave non-erasable, unambiguous evidence of unauthorized 
+entry or tampering.''
+They also need some quite sophisticated policies (seal regiment).
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals (2)\end{tabular}}
+\item at the Argonne National Laboratory they tested 244 different security seals (including 19\%
+that were used for safeguard of nuclear material)
+\item mean time to break the seals for a trained person: 100 s 
+\item Andrew Appel defeated all security seals which were supposed to keep 
+voting machines safe.
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+\item The tamper-indicating tape can be lifted using a heat gun.
+\item The security screw cap can be removed using a screwdriver, then the
+serial-numbered top can be replaced (undamaged) onto a fresh (unnumbered) base.
+\item The wire seal can be defeated using a \#4 wood screw.
+\item The plastic strap seal can be picked using a jeweler's screwdriver.
+\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Security Seals\end{tabular}}
+\item<1->What assets are you trying to protect?\\
+\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Voting machines, doors.\end{tabular}}
+\item<2->What are the risks to these assets?\\
+\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Casual thiefs, insider attacks.\end{tabular}}
+\item<3->How well does the security solution mitigate those risks?\\
+Needs a quite complicated security regiment.\end{tabular}}
+\item<4->What other risks does the security solution cause?
+\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright You might not notice tampering.\end{tabular}}
+\item<5->What costs and trade-offs does the security solution impose?
+The ``hardware'' is cheap, but indirect costs can be quite high.\end{tabular}}
+\item<7>[]{\bf\large No!} {\textcolor{gray}{Though in some areas they work: airport.}}
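Review bot: a handful of spelling slips in the slide text should be fixed before this goes out: "you loose a fixed amount" on the credit-card slide should read "lose", "properly configurated" on the firewall slide should be "configured", "Casual thiefs" on the security-seals example should be "thieves", "too finegrained AC" on the lessons slide should be "fine-grained", and "seal regiment" / "security regiment" on the two security-seals slides presumably means "regimen". On the second ``Cron''-Attack slide the bullet text says the attacker "establishes a link to the real passwd file" while the command shown, `ln -s /etc /tmp/a`, links the directory; a short gray note next to the command saying that the recorded path `/tmp/a/passwd` now resolves to `/etc/passwd` would make the final bullet ("root now deletes the real passwd file") follow directly. Minor overlay point: on the firewall, two-factor and security-seals analysis slides the concluding `\item<7>[]` sits two steps after the last question (`\item<5->`), so the audience gets an empty click at overlay 6; `\item<6>[]` would match the credit-card slide, where the questions run to `<6>` and the conclusion is `<7>`.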
