CYBR371/NWEN438: System and Network Security

School of Engineering and Computer Science, Te Kura Mātai Pūkaha, Pūrorohiko


Post on 11-Aug-2020


Mandatory Access Policy

• Access is based on the security level assigned to objects and subjects

• The security level associated with an object reflects
  – The sensitivity of the information contained in the object

• The security level associated with a subject (also called clearance) reflects
  – The user’s trustworthiness not to disclose sensitive information to users not cleared to see it


MAC Confidentiality Policies

• Bell-LaPadula Confidentiality Model (DoD multilevel military security policy)

• In this model, a subject’s (usually a user’s) access to an object (usually a file) is allowed or disallowed by comparing the object’s security classification with the subject’s security clearance.

– The three basic rules are as follows:

– The simple security condition – READ DOWN (No Read UP)

– The *-property (star property) – WRITE UP (No Write DOWN)

– The tranquillity property – No changes while processing


MAC Confidentiality Policies

• Biba Integrity Model

– Sometimes called the Bell-LaPadula upside down model

– Based on “READ UP (no read down), WRITE DOWN (no write up)” principle

Example of usage?
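An added example (not from the lecture slides) of a reference monitor for the two models above. The level names and the `flows` and `decide` helpers are assumptions for illustration; `flows` enumerates every read-then-write a subject is permitted, showing that Bell-LaPadula only lets data move up in confidentiality and Biba only lets it move down in integrity.

```python
from itertools import product

# Assumed level names (the slides do not list them); higher number = higher level.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def blp_allows(subject, obj, op):
    """Bell-LaPadula: compare subject clearance with object classification."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s >= o          # simple security condition: no read up
    if op == "write":
        return s <= o          # *-property: no write down
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject, obj, op):
    """Biba: the same comparison on integrity levels, with the rules inverted."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s <= o          # no read down
    if op == "write":
        return s >= o          # no write up
    raise ValueError(f"unknown operation: {op}")

def flows(policy):
    """All (source, destination) level pairs where some subject may read
    the source and write the destination, i.e. where data can be copied."""
    return {(src, dst)
            for subj, src, dst in product(LEVELS, repeat=3)
            if policy(subj, src, "read") and policy(subj, dst, "write")}

def decide(policy, requests):
    """Reference-monitor view: label each (subject, object, op) request."""
    return [(req, "allow" if policy(*req) else "deny") for req in requests]

if __name__ == "__main__":
    # Constructed requests: (subject level, object level, operation).
    requests = [("secret", "confidential", "read"),
                ("secret", "confidential", "write"),
                ("confidential", "secret", "write"),
                ("confidential", "secret", "read")]
    for name, policy in (("BLP", blp_allows), ("Biba", biba_allows)):
        for req, verdict in decide(policy, requests):
            print(name, req, verdict)
        # BLP only moves data upward in secrecy; Biba only downward in integrity.
        print(name, "flows:", len(flows(policy)))
```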


Issues with MAC

• Information tends to become over-classified

• No protection against violations that produce illegal information flow through indirect means
  – Inference channels: a user at a low security class uses the low data to infer information about a high security class. Example: a sudden assignment of low-level soldiers to a region could be an indication of a top secret mission.
  – Covert channels: require two active agents, one at a low level and the other at a high level, and an encoding scheme


Role Based Access Control

• Neither DAC nor MAC approaches satisfy the needs of most commercial enterprises

• Mandatory policies are suitable for rigid environments such as the military

• Discretionary policies come from cooperative yet autonomous environments, such as academia

• One alternative is Role-based Access Policies (RBAC)


Role-based Policies

• A role is a set of actions, privileges and responsibilities associated with a particular working activity

• Instead of specifying all the accesses each user is allowed to execute, access authorizations are specified for roles


Role-based Policies

• Users are given authorization to adopt roles

• A user playing a role is allowed to execute all accesses for which the role is authorized.

• A user may or may not be allowed to play multiple roles at the same time

• A user may take on different roles on different occasions

• Advantages?


RBAC Example – Oracle Database

• Doctor Role

    -- Create the role and let it open a database session
    create role doctor identified by db;
    grant connect to doctor;

    -- Doctors read personal info and read, add and change medical history
    grant select on h.patient_personal_info to doctor;
    grant select on h.patient_medical_history to doctor;
    grant insert on h.patient_medical_history to doctor;
    grant update on h.patient_medical_history to doctor;
    commit;

    -- Assign the role to users
    grant doctor to Emily, Sam;

• Nurse Role

    create role nurse identified by db;
    grant connect to nurse;
    grant select on h.patient_medical_history to nurse;
    -- Nurses may update only the patient_medications column
    grant update (patient_medications) on h.patient_medical_history to nurse;
    commit;

    grant nurse to Masood, Tom, Nancy, Bob, Michelle;


Auditing

• Access control is not a complete solution for securing a system. What is the missing service?

• Auditing (remember the access control components from the last lecture?)
  – policy, mechanism, assurance


Auditing

• Performs an analysis of all the requests and activities of users in the system

• Requires logging all requests and activities

• How can auditing help? (example login)

• Acting as a deterrent

• Identifying attempted or actual violations

• Identifying flaws in the security system

• Preventing authorized users from misusing their privileges (accountability)


UNIX File Access Control


File and Directory Permissions

• Three sections, based on the user(s) that receive the permission:
  – User permissions: owner
  – Group permissions: group owner
  – Other permissions: everyone on system

• Three regular permissions may be assigned to each user:
  – Read
  – Write
  – Execute


Interpreting Permissions

Linux permissions


Changing Permissions

• chmod (change mode) command: change mode (permissions) of files or directories

– Two arguments at minimum

• Criteria used to change permissions

• Filenames to change

• Permissions stored in a file’s or a directory’s inode


Changing Permissions (continued)

Numeric representation of the mode


Special Permissions

• Three more optional special permissions for files and directories

– SUID (Set User ID)

– SGID (Set Group ID)

– Sticky bit


Special Permissions

• SUID

– If set on a file, the user who executes the file becomes the owner of the file during execution

• e.g., ping command

– No functionality when set on a directory

– Only applicable to binary compiled programs

• Cannot be used on shell scripts


Special Permissions

• SGID

– Applicable to files and directories

– If set on a file, the user who executes the file becomes a member of the file’s group during execution. It causes the program to run with the file’s group, regardless of whether the user who runs it is in that group or not

– On directories, causes files created within the directory to have the same group as the directory, useful for directories shared by multiple users with different default groups


Special Permissions

• Sticky bit

– Previously used to lock files in memory

– Currently only applicable to directories

– Ensures that a user can only delete his/her own files when given write permissions in a directory


Special Permissions

• Properties:

– Mask the execute permission when displayed by the ls -l command

– May be set even if file or directory does not have execute permission

• Indicating letter in the mode will be capitalized

– Add special permissions via chmod command

• Add an extra digit at front of permissions argument
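An added example, not part of the slides: Python's standard `stat` module renders a mode the same way `ls -l` does, so it shows the s/S and t/T letters for a four-digit chmod argument. The sample modes are constructed and `parse_mode` and `review` are hypothetical helper names; the world-writable check generalises the sticky-bit slide to a review finding.

```python
import stat

def parse_mode(octal, is_dir=False):
    """Turn a chmod-style octal string (e.g. "4755") into a full st_mode."""
    perms = int(octal, 8)
    if not 0 <= perms <= 0o7777:
        raise ValueError(f"not a permission mode: {octal}")
    return (stat.S_IFDIR if is_dir else stat.S_IFREG) | perms

def review(mode):
    """Return (ls -l style string, findings) for the special bits in mode."""
    is_dir = stat.S_ISDIR(mode)
    findings = []
    if mode & stat.S_ISUID:
        if is_dir:
            findings.append("SUID on a directory has no effect")
        elif mode & stat.S_IXUSR:
            findings.append("SUID program: runs as the file's owner")
        else:
            findings.append("SUID without owner execute (shown as S)")
    if mode & stat.S_ISGID:
        if is_dir:
            findings.append("SGID directory: new files get the directory's group")
        elif mode & stat.S_IXGRP:
            findings.append("SGID program: runs with the file's group")
        else:
            findings.append("SGID without group execute (shown as S)")
    if is_dir and mode & stat.S_IWOTH:
        if mode & stat.S_ISVTX:
            findings.append("sticky world-writable directory: users delete only their own files")
        else:
            findings.append("world-writable directory without sticky bit")
    return stat.filemode(mode), findings

if __name__ == "__main__":
    # Constructed sample modes: (chmod argument, is it a directory?).
    for octal, is_dir in [("4755", False), ("4644", False), ("2775", True),
                          ("1777", True), ("1776", True), ("0777", True)]:
        text, findings = review(parse_mode(octal, is_dir))
        print(octal, text, findings)
```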


Special Permissions

Representing special permissions in the mode


Special Permissions

Representing special permissions in the absence of the execute permissions


Special Permissions

Numeric representation of regular and special permissions


Access Control Lists (ACLs) in UNIX

Modern UNIX systems support ACLs

• FreeBSD, OpenBSD, Linux, Solaris

FreeBSD

• setfacl command assigns a list of UNIX user IDs and groups

• Any number of users and groups can be associated with a file

• Read, write, execute protection bits

• A file does not need to have an ACL

• Includes an additional protection bit that indicates whether the file has an extended ACL

When a process requests access to a file system object, two steps are performed:

• Step 1 selects the most appropriate ACL entry

• Step 2 checks if the matching entry contains sufficient permissions
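An added example of the two-step check, not taken from the slides or from FreeBSD source. It follows the POSIX.1e draft ordering (owner, named user, groups, other) as documented in Linux acl(5), uses numeric IDs and a constructed ACL, and ignores privileged (root) overrides; `acl_allows` is a hypothetical name.

```python
R, W, X = 4, 2, 1

def acl_allows(acl, owner_uid, owner_gid, uid, gids, want):
    """Decide access for a process (uid, gids) requesting the `want` bits.

    acl maps (tag, qualifier) to permission bits; the qualifier is None for
    the owner, owning-group, mask and other entries, or a numeric ID for
    named user and named group entries.
    """
    mask = acl.get(("mask", None), R | W | X)    # no mask entry: nothing is masked

    def grants(perms):
        return (perms & want) == want

    # Step 1: select the matching entry in fixed order. Step 2: check it.
    if uid == owner_uid:                          # file owner (never masked)
        return grants(acl[("user", None)])
    if ("user", uid) in acl:                      # named user, limited by mask
        return grants(acl[("user", uid)] & mask)
    matching = []
    if owner_gid in gids:                         # owning group
        matching.append(acl[("group", None)])
    matching += [p for (tag, q), p in acl.items()
                 if tag == "group" and q is not None and q in gids]
    if matching:                                  # any matching group may grant
        return any(grants(p & mask) for p in matching)
    return grants(acl[("other", None)])           # everyone else

# Constructed ACL for a file owned by uid 1000, gid 100.
SAMPLE_ACL = {
    ("user", None): R | W,     # user::rw-
    ("user", 1001): R,         # user:1001:r--
    ("group", None): R,        # group::r--
    ("group", 200): R | W,     # group:200:rw-
    ("mask", None): R | W,     # mask::rw-
    ("other", None): 0,        # other::---
}

if __name__ == "__main__":
    # uid 1001 is denied write: its named-user entry is selected before group 200.
    for uid, gids, want in [(1000, {100}, W), (1001, {200}, W),
                            (1002, {200}, W), (1003, {300}, R)]:
        print(uid, sorted(gids), want,
              acl_allows(SAMPLE_ACL, 1000, 100, uid, gids, want))
```

The second case is the one to notice: once an entry is selected in step 1, a denial there is final, even if a later entry would have granted the access.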


Additional Reading

• Please refer to the reading notes for more information on Linux permissions and ACLs

• Special Permissions: – http://www.linuxnix.com/suid-set-suid-linuxunix/