Computer System Security CSE 5339/7339
Transcript of Computer System Security CSE 5339/7339
Computer Science and Engineering
Computer System Security
CSE 5339/7339
Session 16
October 14, 2004
Contents
A4 out
Midterm Key – Part 1 (Questions 5-8)
OS Security
Access Control
Krishan (Mehmet)'s presentation
Midterm Question 5
By Fermat’s theorem, what is the multiplicative inverse of 2 in the field of integers mod 11?
The inverse of a is the x such that
$a \cdot x \bmod p = 1$ (definition of inverse)
$a^{p-1} \bmod p = 1$ (Fermat's theorem, for prime p and a not divisible by p)
$a \cdot x \bmod p = a^{p-1} \bmod p$
$x = a^{p-2} \bmod p$
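Carrying the derivation through for the question's numbers (a worked step added to this transcript, not on the original slide): with $a = 2$ and $p = 11$,
$$x = 2^{11-2} \bmod 11 = 2^{9} \bmod 11 = 512 \bmod 11 = 6,$$
and the check $2 \cdot 6 = 12 \equiv 1 \pmod{11}$ confirms that 6 is the multiplicative inverse of 2 in the integers mod 11.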
Midterm Question 6
For each of the following pairs of numbers determine whether or not they are relatively prime:
89 and 934
712 and 183
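Worked with Euclid's algorithm (added to this transcript, not on the original slide): two integers are relatively prime if and only if their greatest common divisor is 1.
$$934 = 10 \cdot 89 + 44,\quad 89 = 2 \cdot 44 + 1,\quad 44 = 44 \cdot 1 + 0 \;\Rightarrow\; \gcd(89, 934) = 1,$$
$$712 = 3 \cdot 183 + 163,\quad 183 = 1 \cdot 163 + 20,\quad 163 = 8 \cdot 20 + 3,\quad 20 = 6 \cdot 3 + 2,\quad 3 = 1 \cdot 2 + 1 \;\Rightarrow\; \gcd(712, 183) = 1.$$
Both pairs are relatively prime.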
Midterm Question 7
Obtain the private and public keys in each of the following cases:
Merkle-Hellman scheme is used with the superincreasing knapsack [2, 5, 8, 17]
RSA is used with p = 3 and q = 7
Midterm Question 8
Using the Merkle-Hellman scheme, decrypt the following ciphertext: 2 4 10 7 6
Assume the following:
Public key = [2, 4, 10, 7]
Private key = [1, 2, 5, 9]
w = 2, n = 11
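Questions 5 to 8 worked in code. This is an example added to this transcript, not part of the original slides or the midterm key. The values the questions leave open are assumptions chosen here: for the Merkle-Hellman keys of Question 7 the multiplier w = 5 and modulus n = 37 (any n larger than the knapsack sum 32 with gcd(w, n) = 1 would do), and for RSA the public exponent e = 5. One caveat on Question 8: its modulus n = 11 is smaller than the private knapsack sum 17, which proper key generation must reject because encryption is then not injective (1111 encrypts to 23, which decrypts to 1010); the given ciphertext still decrypts unambiguously, so the decryption routine below takes the private key exactly as stated.

```python
from math import gcd


def fermat_inverse(a, p):
    """Question 5: inverse of a mod prime p. Fermat gives a^(p-1) = 1, so a * a^(p-2) = 1 (mod p)."""
    if a % p == 0:
        raise ValueError("a has no inverse mod p")
    return pow(a, p - 2, p)


def relatively_prime(a, b):
    """Question 6: a and b are relatively prime iff gcd(a, b) == 1 (Euclid)."""
    return gcd(a, b) == 1


def superincreasing(seq):
    """True if every element exceeds the sum of all elements before it."""
    total = 0
    for x in seq:
        if x <= total:
            return False
        total += x
    return True


def mh_keygen(private, w, n):
    """Question 7: Merkle-Hellman public key k_i = w * s_i mod n.
    n must exceed the knapsack sum and w must be invertible mod n, or decryption is ambiguous."""
    if not superincreasing(private):
        raise ValueError("private knapsack must be superincreasing")
    if n <= sum(private) or gcd(w, n) != 1:
        raise ValueError("need n > sum(private) and gcd(w, n) == 1")
    return [(w * s) % n for s in private]


def mh_encrypt_block(bits, public):
    """One block: add the public-key elements selected by the 1 bits."""
    return sum(k for b, k in zip(bits, public) if b)


def mh_decrypt_block(c, private, w, n):
    """Question 8: strip the modular disguise with w^-1 mod n, then solve the easy knapsack greedily."""
    s = (c * pow(w, -1, n)) % n      # pow(x, -1, m) is the modular inverse (Python 3.8+)
    bits = [0] * len(private)
    for i in range(len(private) - 1, -1, -1):  # largest element first
        if private[i] <= s:
            bits[i] = 1
            s -= private[i]
    if s != 0:
        raise ValueError(f"{c} is not a valid ciphertext for this key")
    return bits


def mh_decrypt(ciphertext, private, w, n):
    return [mh_decrypt_block(c, private, w, n) for c in ciphertext]


def rsa_keygen(p, q, e):
    """Question 7: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi; public (e, n), private (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not relatively_prime(e, phi):
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)


if __name__ == "__main__":
    print("Q5:", fermat_inverse(2, 11))
    print("Q6:", relatively_prime(89, 934), relatively_prime(712, 183))
    print("Q7 MH:", mh_keygen([2, 5, 8, 17], 5, 37))      # assumed w = 5, n = 37
    print("Q7 RSA:", rsa_keygen(3, 7, 5))                  # assumed e = 5
    print("Q8:", mh_decrypt([2, 4, 10, 7, 6], [1, 2, 5, 9], 2, 11))
```

The greedy loop in mh_decrypt_block is why the private knapsack must be superincreasing: taking the largest element that still fits is only guaranteed to find the unique subset under that condition.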
Trusted OS
Memory Protection
File Protection
User Authentication
General Object Access Control
Access Control Policies
Specification of how each user is authorized to use each resource.
In practice, no computer applies a single policy to manage all of its resources.
Examples of resource-specific policies: CPU scheduling algorithms (SJF, RR); storage management (paging, segmentation).
Access Control Matrix (Butler Lampson)
[Figure: objects O1, O2, O3 and O4 placed in protection domains 1, 2 and 3]
Every object to be protected is within one or more protection domains.
Access Rights
[Figure: the same domains, each annotated with its (object, rights) pairs]
Domain 1: <O1, {read,write}>, <O2, {execute}>
Domain 2: <O2, {write}>, <O4, {print}>
Domain 3: <O1, {execute}>, <O3, {read}>, <O4, {print}>
What does that mean?
O1 can be read and written in domain 1 and executed in domain 3; O2 can be executed in domain 1 and written in domain 2; O3 can be read in domain 3; and O4 can be printed in domains 2 and 3.
At any given time, the domain in which a user is operating determines what actions are and are not permitted.
If Matthew is in domain 1, he is permitted to:
read or write object 1
execute object 2
Access Control Matrix
          Object 1      Object 2   Object 3  Object 4
Domain 1  {read,write}  {execute}
Domain 2                {write}              {print}
Domain 3  {execute}                {read}    {print}
Access Control Matrix (cont.)
The matrix designates the protection policy. A mechanism is required to enforce the policy.
The OS could store the matrix in memory, but the matrix is large and sparse.
Store a list of ordered triples instead.
List of Ordered Triples
(Domain 1, Object 1, {read,write})
(Domain 1, Object 2, {execute})
(Domain 2, Object 2, {write})
(Domain 2, Object 4, {print})
(Domain 3, Object 1, {execute})
(Domain 3, Object 3, {read})
(Domain 3, Object 4, {print})
List of Ordered Triples (Cont.)
For each attempt by a user in Domain i to perform operation O on object j, the OS consults the list of triples. If it finds a triple (i, j, R) where O is a member of the access rights R, the operation is allowed to proceed; otherwise it is not.
Issues:
The list must be protected from tampering by users
Could be very large
Search may become a problem
Does not take advantage of special grouping of objects
Access lists
Object 1: (<Domain 1, {read,write}>, <Domain 3, {execute}>)
Object 2: (<Domain 1, {execute}>, <Domain 2, {write}>)
Object 3: (<Domain 3, {read}>)
Object 4: (<Domain 2, {print}>, <Domain 3, {print}>)
An attempt by a user in Domain i to perform operation O on object j causes the OS to consult the access list for object j. Object j's list is searched for Domain i's entry, and the operation is permitted if that entry contains an access right for O.
Default
A Default entry holds rights granted regardless of the requesting domain (here, read on Object 2):
Object 2: (<Default, {read}>, <Domain 1, {execute}>, <Domain 2, {write}>)
Capability List
A capability is an (object, rights) pair.
Domain 1: (<Object 1, {read,write}>, <Object 2, {execute}>)
Domain 2: (<Object 2, {write}>, <Object 4, {print}>)
Domain 3: (<Object 1, {execute}>, <Object 3, {read}>, <Object 4, {print}>)
Users are given a copy of the capability list for the domain in which they are operating.
How does it work?
Domain 1: (<Object 1, {read,write}>, <Object 2, {execute}>)
Domain 2: (<Object 2, {write}>, <Object 4, {print}>)
Domain 3: (<Object 1, {execute}>, <Object 3, {read}>, <Object 4, {print}>)
When a user wants to perform some operation O on object j, the user passes its capability for j as one of the parameters of O.
For example, a user might request to write to Object 2 and pass its copy of <Object 2, {write}>. The OS verifies the capability before carrying out the write.
Encrypting Capabilities
The OS must ensure that users cannot create their own capabilities or alter capabilities they are given.
The OS may encrypt capabilities using a secret key before giving them to users.
The OS decrypts and checks the capability each time it is used.
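The three representations of the matrix above (ordered triples, per-object access lists with a Default entry, per-domain capability lists) and the sealed-capability check, as an example added to this transcript; it is not code from the lecture. The policy is the lecture's matrix, constructed here as triples. The slide says the OS may encrypt capabilities; what actually stops a user from forging or editing a capability is an integrity check, so this example seals each capability with an HMAC under a kernel-only key (the key, the `body.tag` byte format and the function names are assumptions of this example).

```python
import hashlib
import hmac
import json

# Constructed sample policy: the lecture's matrix written as (domain, object, rights) triples.
TRIPLES = [
    ("Domain 1", "Object 1", {"read", "write"}),
    ("Domain 1", "Object 2", {"execute"}),
    ("Domain 2", "Object 2", {"write"}),
    ("Domain 2", "Object 4", {"print"}),
    ("Domain 3", "Object 1", {"execute"}),
    ("Domain 3", "Object 3", {"read"}),
    ("Domain 3", "Object 4", {"print"}),
]


def allowed_by_triples(triples, domain, obj, op):
    """Scan the whole list: allow iff some triple (domain, obj, R) has op in R."""
    return any(d == domain and o == obj and op in r for d, o, r in triples)


def access_lists(triples, defaults=None):
    """Column view of the matrix: object -> {domain: rights}. A Default entry applies to every domain."""
    acl = {}
    for d, o, r in triples:
        acl.setdefault(o, {})[d] = set(r)
    for o, r in (defaults or {}).items():
        acl.setdefault(o, {})["Default"] = set(r)
    return acl


def allowed_by_acl(acl, domain, obj, op):
    """Consult object j's list only, then search it for domain i (or the Default entry)."""
    entries = acl.get(obj, {})
    return op in entries.get(domain, set()) or op in entries.get("Default", set())


def capability_lists(triples):
    """Row view of the matrix: domain -> {object: rights}; users get a copy of their domain's row."""
    caps = {}
    for d, o, r in triples:
        caps.setdefault(d, {})[o] = set(r)
    return caps


# Kernel-only secret (constructed for the example). A capability handed to a user is
# body + "." + HMAC(body); without the key a user cannot mint or modify one.
OS_KEY = b"constructed-kernel-secret-for-the-example"


def issue_capability(key, domain, obj, rights):
    body = json.dumps({"domain": domain, "object": obj, "rights": sorted(rights)},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def check_capability(key, cap, obj, op):
    """Verify the seal first; only a genuine capability's fields are trusted."""
    body, _, tag = cap.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return False                      # forged, altered, or sealed under another key
    fields = json.loads(body)
    return fields["object"] == obj and op in fields["rights"]


if __name__ == "__main__":
    acl = access_lists(TRIPLES, defaults={"Object 2": {"read"}})
    print(allowed_by_triples(TRIPLES, "Domain 1", "Object 1", "write"))   # True
    print(allowed_by_acl(acl, "Domain 3", "Object 2", "read"))            # True, via Default
    print(capability_lists(TRIPLES)["Domain 2"])
    cap = issue_capability(OS_KEY, "Domain 2", "Object 2", {"write"})
    print(check_capability(OS_KEY, cap, "Object 2", "write"))             # True
    forged = cap.replace(b'["write"]', b'["read", "write"]')              # user edits own copy
    print(check_capability(OS_KEY, forged, "Object 2", "read"))           # False
```

The forged capability fails before its fields are even parsed: the tag no longer matches the edited body, which is the property the slide's "users cannot create or alter capabilities" requirement is asking for.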
Security Policy
A security policy is a statement of the security we expect the system to enforce.
A system can be trusted only in relation to its security policy, that is, to the security needs the system is expected to satisfy.
Military Security policy
Unclassified
Restricted
Confidential
Secret
Top Secret
Access to Information
Information access is limited by the need-to-know rule.
Compartment: Each piece of classified information may be associated with one or more projects called compartments
Compartments and Sensitivity Levels
[Figure: grid of sensitivity levels (Unclassified, Restricted, Confidential, Secret, Top Secret) against Compartments 1, 2 and 3]
Classification & Clearance
Classification of a piece of information: <rank; compartments>
Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity.
Clearance of a subject: <rank; compartments>
Dominance Relation
For a subject s and an object o, o <= s if and only if
rank(o) <= rank(s) and compartments(o) ⊆ compartments(s).
We say that s dominates o (or o is dominated by s) if o <= s.
A subject can read an object if the subject dominates the object.
Example
Information classified as <secret; {Sweden}>
Which of the following subject clearances can read the above information?
<top secret; {Sweden}>
<secret; {Sweden, crypto}>
<top secret; {crypto}>
<confidential; {Sweden}>
<secret; {France}>
Models of Security
Security models are used to:
Test a particular policy for completeness and consistency
Document a policy
Help conceptualize and design an implementation
Check whether an implementation meets the requirements
Bell-La Padula Model
Formal description of the allowable paths of information flow in a secure system.
A set of subjects and another set of objects.
Each subject s has a fixed security clearance C(s); each object o has a fixed security class C(o).
Bell-La Padula Model (Cont.)
Two properties characterize the secure flow of information:
A subject s may have read access to an object o only if C(o) <= C(s).
A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p).
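The dominance relation, the Sweden example and the two Bell-La Padula properties in code, as an example added to this transcript (not from the slides). It uses the rank order from the military policy slide and the two properties exactly as stated above; the `Subject` class that remembers the join of everything a subject has read is this example's way of enforcing the second property against every object read so far, not something the slide describes.

```python
# Ranks in increasing order of sensitivity, from the military security policy slide.
RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]


def dominates(s, o):
    """s = (rank, compartments) dominates o iff rank(o) <= rank(s) and compartments(o) ⊆ compartments(s)."""
    (rs, cs), (ro, co) = s, o
    return RANKS.index(ro) <= RANKS.index(rs) and set(co) <= set(cs)


def join(a, b):
    """Least class dominating both a and b: the higher rank and the union of compartments."""
    (ra, ca), (rb, cb) = a, b
    return (RANKS[max(RANKS.index(ra), RANKS.index(rb))], set(ca) | set(cb))


def readable_by(object_class, clearances):
    """The dominance example: which clearances may read an object of the given class."""
    return [c for c in clearances if dominates(c, object_class)]


class Subject:
    """Bell-La Padula subject: fixed clearance C(s), plus the join of every class it has read."""

    def __init__(self, clearance):
        self.clearance = clearance
        self.has_read = ("unclassified", set())   # nothing read yet

    def read(self, object_class):
        # first property: read o only if C(o) <= C(s)
        if not dominates(self.clearance, object_class):
            return False
        self.has_read = join(self.has_read, object_class)
        return True

    def write(self, target_class):
        # second property: having read o, write p only if C(o) <= C(p);
        # checking the join of everything read covers every such o at once
        return dominates(target_class, self.has_read)


if __name__ == "__main__":
    info = ("secret", {"Sweden"})
    candidates = [("top secret", {"Sweden"}), ("secret", {"Sweden", "crypto"}),
                  ("top secret", {"crypto"}), ("confidential", {"Sweden"}), ("secret", {"France"})]
    print(readable_by(info, candidates))          # the first two only
    s = Subject(("top secret", {"Sweden", "crypto"}))
    print(s.read(info), s.write(("confidential", {"Sweden"})), s.write(("top secret", {"Sweden"})))
```

Of the five clearances in the example, only <top secret; {Sweden}> and <secret; {Sweden, crypto}> dominate <secret; {Sweden}>: the others either lack the Sweden compartment or rank below secret. After reading that object, a top-secret subject can no longer write to a confidential object, even though its clearance would allow it to read one.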
Harrison, Ruzzo, and Ullman (HRU) Model
[Figure: HRU access matrix with subjects S1, S2, S3 as rows and S1, S2, S3, O1, O2, O3 as columns; each subject's row holds control in its own column, owner on some objects, and read, write or execute in other cells]
HRU Model (cont.)
HRU allows the state of the protection system to be changed by a well-defined set of commands, built from six primitive operations:
Add subject s to M
Add object o to M
Delete subject s from M
Delete object o from M
Add right r to M[s,o]
Delete right r from M[s,o]
An owner can change the rights of an object.
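The six primitive operations and the owner rule as an HRU protection state, an example added to this transcript rather than code from the lecture. Subjects are also columns of the matrix and hold control over themselves, as in the slide's figure; the three commands at the end (create_file, confer, withdraw) are this example's own, showing HRU's command form of a condition on M followed by a sequence of primitives.

```python
class HRU:
    """Harrison-Ruzzo-Ullman protection state: subjects, objects and a sparse matrix M[s, o]."""

    def __init__(self):
        self.subjects, self.objects, self.M = set(), set(), {}

    def rights(self, s, o):
        return self.M.get((s, o), set())

    # --- the six primitive operations ---
    def add_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)               # a subject is also a column (an object) of M
        self.enter("control", s, s)       # each subject controls itself

    def add_object(self, o):
        self.objects.add(o)

    def delete_subject(self, s):
        self.subjects.discard(s)
        self.delete_object(s)

    def delete_object(self, o):
        self.objects.discard(o)
        self.M = {k: v for k, v in self.M.items() if o not in k}

    def enter(self, r, s, o):
        self.M.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self.rights(s, o).discard(r)

    # --- commands: a condition on M, then primitives (example commands, not from the slide) ---
    def create_file(self, s, o):
        """Subject s creates object o and becomes its owner."""
        if s not in self.subjects or o in self.objects:
            return False
        self.add_object(o)
        self.enter("owner", s, o)
        return True

    def confer(self, giver, r, s, o):
        """Only an owner can change an object's rights: enter r into M[s, o] if giver owns o."""
        if "owner" not in self.rights(giver, o) or s not in self.subjects:
            return False
        self.enter(r, s, o)
        return True

    def withdraw(self, giver, r, s, o):
        if "owner" not in self.rights(giver, o):
            return False
        self.delete(r, s, o)
        return True


if __name__ == "__main__":
    m = HRU()
    m.add_subject("S1")
    m.add_subject("S2")
    m.create_file("S1", "O1")
    print(m.confer("S2", "read", "S2", "O1"))   # False: S2 does not own O1
    print(m.confer("S1", "read", "S2", "O1"))   # True
    print(m.rights("S2", "O1"))
```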
Take Grant Model
Unlimited number of subjects and objects
States and state transitions
Directed graph
Four primitive operations: take, grant, create, revoke
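The four operations on a Take-Grant protection graph, as an example added to this transcript. The slide names the operations but does not spell out their rules; the ones implemented here are the standard take and grant rules of the Lipton and Snyder model (take: x with t to y and y with α to z gives x α to z; grant: x with g to y and x with α to z gives y α to z), and the initial graph is constructed for the example.

```python
class TakeGrant:
    """Take-Grant protection graph: nodes are subjects or objects, each directed edge
    carries a set of rights; 't' and 'g' are the take and grant rights."""

    def __init__(self, edges=None):
        # (source, target) -> set of rights; constructed initial state passed in by the caller
        self.edges = {k: set(v) for k, v in (edges or {}).items()}

    def rights(self, x, y):
        return self.edges.get((x, y), set())

    def _add(self, x, y, alpha):
        self.edges.setdefault((x, y), set()).update(alpha)

    def can_take(self, x, y, z, alpha):
        return "t" in self.rights(x, y) and set(alpha) <= self.rights(y, z)

    def take(self, x, y, z, alpha):
        """x --t--> y and y --alpha--> z lets x acquire alpha to z."""
        if not self.can_take(x, y, z, alpha):
            raise PermissionError(f"{x} cannot take {sorted(alpha)} to {z} via {y}")
        self._add(x, z, alpha)

    def can_grant(self, x, y, z, alpha):
        return "g" in self.rights(x, y) and set(alpha) <= self.rights(x, z)

    def grant(self, x, y, z, alpha):
        """x --g--> y and x --alpha--> z lets x give y alpha to z."""
        if not self.can_grant(x, y, z, alpha):
            raise PermissionError(f"{x} cannot grant {sorted(alpha)} to {z} for {y}")
        self._add(y, z, alpha)

    def create(self, x, y, alpha):
        """x creates a new node y and holds alpha to it."""
        if any(y in k for k in self.edges):
            raise ValueError(f"{y} already exists")
        self._add(x, y, alpha)

    def revoke(self, x, y, alpha):
        """x drops alpha from its own edge to y; copies made earlier by take or grant remain."""
        self.rights(x, y).difference_update(alpha)
        if not self.rights(x, y):
            self.edges.pop((x, y), None)


if __name__ == "__main__":
    # constructed state: S1 can take from S2, S2 can grant to S3, S2 reads O1
    g = TakeGrant({("S1", "S2"): {"t"}, ("S2", "S3"): {"g"}, ("S2", "O1"): {"read"}})
    g.take("S1", "S2", "O1", {"read"})
    g.grant("S2", "S3", "O1", {"read"})
    g.revoke("S2", "O1", {"read"})
    print(g.rights("S1", "O1"), g.rights("S3", "O1"), g.rights("S2", "O1"))
```

The last three lines show the point a practitioner should take from the model: once S2's read right on O1 has propagated by take and grant, S2 revoking its own edge does not recall the copies held by S1 and S3.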
Take Grant Model (Cont.)
[Figure: Take-Grant protection graph with subjects S1, S2, S3 and objects O1, O2, O3; the edges are labelled read, execute, and read/write]