Luca Viganò
Institut für Informatik, Albert-Ludwigs-Universität Freiburg
AUDITING
12.12.02
An example of an attack
Masquerading (with replay). This is mainly a problem of authentication (cf. other classes). Authentication and access control are tightly connected: authentication is a prerequisite of access control.
IT-Security: Theory and Practice (WS02) 12.12.02
[Figure: Security Admin / Auditing]
Authentication establishes/verifies the identity of the requester. The requester presents credentials: something he knows (password), possesses (smartcard) or is (biometric). Is the legitimate (authenticated) requester authorized to perform the action? The AC/authorization decision is made by the agent(s) in charge. The auditing process gathers data to discover violations or diagnose their cause: offline after the fact, or online in real time (intrusion detection).
Access Matrix
Model by Harrison, Ruzzo & Ullman: in general, changes to the state of the system are modeled by commands of the form

  command c(x1, ..., xk)
    if r1 in M(xs1, xo1) and
       r2 in M(xs2, xo2) and
       ...
       rm in M(xsm, xom)
    then op1; ...; opn
  end

where r1, ..., rm are rights, s1, ..., sm and o1, ..., om are integers (m ≥ 0), and each opi is a primitive operation (n > 0).
[Figure: access matrix M with rows s ∈ S and columns o ∈ O]
Assumption: all subjects are objects, i.e. S ⊆ O.

Operation           Condition         New state
create subject s'   s' ∉ O            S' = S ∪ {s'}, O' = O ∪ {s'};
                                      M'(s, o) = M(s, o) for s ∈ S, o ∈ O;
                                      M'(s', o) = ∅ for o ∈ O'; M'(s, s') = ∅ for s ∈ S'
destroy subject s'  s' ∈ S            S' = S \ {s'}, O' = O \ {s'};
                                      M'(s, o) = M(s, o) for s ∈ S', o ∈ O'
create object o'    o' ∉ O            S' = S, O' = O ∪ {o'};
                                      M'(s, o) = M(s, o) for s ∈ S', o ∈ O;
                                      M'(s, o') = ∅ for s ∈ S'
destroy object o'   o' ∈ O, o' ∉ S    S' = S, O' = O \ {o'};
                                      M'(s, o) = M(s, o) for s ∈ S', o ∈ O'
Def: A state Q = (S, O, M) yields a state Q' = (S', O', M') under command

  command c(x1, ..., xk)
    if r1 in M(xs1, xo1) and ... rm in M(xsm, xom)
    then op1; ...; opn
  end

with arguments a1, ..., ak, written Q ⊢_{c(a1,...,ak)} Q' (or Q ⊢ Q'), provided
- Q' = Q if one of the conditions of c is not satisfied;
- Q' = Qn otherwise, where there exist states Q0, Q1, ..., Qn such that Q0 = Q and Qn = Q' and, for each i with 0 ≤ i < n, Qi ⊢_{op_{i+1}[aj/xj]} Qi+1, where op_{i+1}[aj/xj] denotes the primitive operation op_{i+1} with a1, ..., ak substituted for the variables x1, ..., xk.
Some example commands:

  command confer.write(s1, s2, o)
    if Own in M(s1, o)
    then enter W into M(s2, o)
  end

  command revoke.read(s1, s2, o)
    if Own in M(s1, o)
    then delete R from M(s2, o)
  end
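An added example, not from the slides: it implements the state Q = (S, O, M), the four primitive operations of the table above plus enter/delete, and the two commands confer.write and revoke.read with the conditional semantics of the definition (a failed condition returns Q unchanged). The class and function names and the sample subjects and objects are my own.

```python
from copy import deepcopy

class State:
    """Q = (S, O, M) with S a subset of O; M[(s, o)] is the set of rights."""
    def __init__(self): self.S, self.O, self.M = set(), set(), {}
    # Primitive operations, each guarded by the condition from the table.
    def create_subject(self, s):
        assert s not in self.O
        self.S.add(s); self.O.add(s)
        for o in self.O: self.M[(s, o)] = set()   # M'(s', o) = {} for o in O'
        for x in self.S: self.M[(x, s)] = set()   # M'(s, s') = {} for s in S'
    def create_object(self, o):
        assert o not in self.O
        self.O.add(o)
        for s in self.S: self.M[(s, o)] = set()   # M'(s, o') = {} for s in S'
    def destroy_subject(self, s):
        assert s in self.S
        self.S.discard(s); self.O.discard(s)
        self.M = {k: v for k, v in self.M.items() if s not in k}
    def destroy_object(self, o):
        assert o in self.O and o not in self.S
        self.O.discard(o)
        self.M = {k: v for k, v in self.M.items() if k[1] != o}
    def enter(self, r, s, o): self.M[(s, o)].add(r)       # enter r into M(s, o)
    def delete(self, r, s, o): self.M[(s, o)].discard(r)  # delete r from M(s, o)

def run(q, conditions, ops):
    """Command semantics: if any condition fails, Q' = Q (the same object is
    returned); otherwise op1..opn are applied in order to a copy of Q."""
    if not all(r in q.M.get((s, o), set()) for r, s, o in conditions):
        return q
    q_new = deepcopy(q)
    for op in ops: op(q_new)
    return q_new

def confer_write(q, s1, s2, o):   # if Own in M(s1, o) then enter W into M(s2, o)
    return run(q, [("Own", s1, o)], [lambda st: st.enter("W", s2, o)])
def revoke_read(q, s1, s2, o):    # if Own in M(s1, o) then delete R from M(s2, o)
    return run(q, [("Own", s1, o)], [lambda st: st.delete("R", s2, o)])

def demo():
    q = State()                                            # constructed sample state
    for s in ("alice", "bob"): q.create_subject(s)
    q.create_object("file1")
    q.enter("Own", "alice", "file1"); q.enter("R", "bob", "file1")
    q1 = confer_write(q, "alice", "bob", "file1")   # owner grants W to bob
    q2 = confer_write(q1, "bob", "alice", "file1")  # bob is not owner: Q' = Q
    q3 = revoke_read(q2, "alice", "bob", "file1")   # owner revokes R from bob
    return q1.M[("bob", "file1")], q2 is q1, q3.M[("bob", "file1")]
```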
Exercise: why is there no check R ∈ M(s1, o) or R ∈ M(s2, o) in revoke.read(s1, s2, o)?
Exercise: specify the commands create.file, confer.execute and revoke.write, describing the different possibilities for create.file. (Hint: think of the primitive rights in Unix/Linux systems.)
Exercise: compute the matrix that results from the following initial state by executing the sequence of commands
Initial state (access matrix; columns File 1, File 2, File 3, File 4, Account 1, Account 2; rows Alice, Bob, Charlie; cell entries as extracted, column order): Own R W, R, R W, Own R W, R, W, X, W R, Own R X, Inquiry Credit, Inquiry Debit, Inquiry Credit, Inquiry Debit
[Figure: lattice of security labels, with nodes such as (public, {}), (public, {PERSONNEL}) and (public, {ENGINEERING})]
Exercises
Exercise: construct the lattice of security labels for the security levels public, confidential and strictly confidential, and for the categories ADMIN, LECTURERS, and STUDENTS. Which objects are visible to a subject with security label (confidential, {STUDENTS}) in a need-to-know (i.e. least privilege, where users don't use their full privileges until they are actually needed) policy? How many labels can be constructed from n security levels and m categories (e.g. n = 16 and m = 64)?
Exercise: Consider a security policy that uses the lattice of compartments (i.e. the sets of categories, like in the example) as security labels. Access is granted only when the subject's label is a subset of the object's label. With the categories ADMIN, LECTURERS, and STUDENTS, which objects can be accessed by a subject with label {STUDENTS}? Why is a subject with label {ADMIN,STUDENTS} more constrained than a subject with label {STUDENTS}? Interpret the roles of the labels {} and {ADMIN,LECTURERS,STUDENTS} in this policy.
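An added example (my code, not from the slides) for working through both exercises: it enumerates the labels of the first exercise, implements the dominance relation and need-to-know visibility, counts labels for n levels and m categories, and evaluates the subset-based compartment policy of the second exercise. The function names and the two sets of sample objects are assumptions.

```python
from itertools import combinations

LEVELS = ["public", "confidential", "strictly confidential"]  # ordered low to high
CATEGORIES = ["ADMIN", "LECTURERS", "STUDENTS"]

def compartments(categories):
    """All subsets of the categories: the lattice of compartments ordered by subset."""
    return [frozenset(c) for k in range(len(categories) + 1)
            for c in combinations(categories, k)]

def labels(levels, categories):
    """Every security label (level, compartment): n levels times 2**m compartments."""
    return [(lv, comp) for lv in levels for comp in compartments(categories)]

def count_labels(n, m):
    return n * 2 ** m                      # e.g. n = 16, m = 64 from the exercise

def dominates(a, b, levels=LEVELS):
    """a >= b in the label lattice: a's level is at least b's level and a's
    compartment contains b's compartment."""
    return levels.index(a[0]) >= levels.index(b[0]) and a[1] >= b[1]

def visible(subject, objects, levels=LEVELS):
    """Need-to-know (least privilege): a subject sees only the objects whose
    label its own label dominates."""
    return sorted(o for o, lab in objects.items() if dominates(subject, lab, levels))

def compartment_access(subject_cats, objects):
    """Second exercise: access iff the subject's compartment is a subset of
    the object's compartment."""
    return sorted(o for o, cats in objects.items() if frozenset(subject_cats) <= cats)

# Constructed sample objects (assumptions, not from the slides).
LABELLED = {
    "timetable": ("public", frozenset()),
    "grades": ("confidential", frozenset({"STUDENTS"})),
    "exam": ("confidential", frozenset({"LECTURERS"})),
    "payroll": ("strictly confidential", frozenset({"ADMIN"})),
}
COMPARTMENTS_ONLY = {
    "all_staff_and_students": frozenset({"ADMIN", "LECTURERS", "STUDENTS"}),
    "course_forum": frozenset({"LECTURERS", "STUDENTS"}),
    "admin_only": frozenset({"ADMIN"}),
    "unlabelled": frozenset(),
}
```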