Implementing MAC

Example of labels/MAC in a DoD Environment
1. Label = (Sensitivity level, compartment)
2. Let us consider highly sensitive documents that have information about various arms stockpiles.
L1 = (TS, {nuclear, chemical})
L2 = (S, {nuclear, conventional})
3. Providing confidential access to documents (Bell and La Padula, or BLP, model)

Comparing Labels
– Assume sensitivity levels are totally ordered (TS > S > C > U)
– Compartments are sets which can only be partially ordered
How do we order labels?

Comparing Labels
L1 = (X1, Comp1), L2 = (X2, Comp2)
– L1 dominates L2: X1 > X2 and Comp1 >= Comp2 (Comp1 is a superset of Comp2)
– L1 is dominated by L2: X1 < X2 and Comp1 <= Comp2
– L1 = L2: X1 = X2 and Comp1 = Comp2
– L1 and L2 are not comparable: none of the above holds

Ordering Among Labels
The ordering among labels defines a structure called a lattice (a partial order).
L1 = (TS, {A,B,C}), L2 = (S, {A,B}): L1 > L2? L2 < L1?
L3 = (S, {B,C,C}): L1 and L3 are not comparable

Using labels for MAC: confidentiality
Bell and La Padula or BLP Model (developed by DoD)
– Assumes classification of data (TS, S, C, U) and clearances for subjects
Read/Write rules
– User with label L1 can read document with label L2 only when L1 dominates L2: read-down rule (simple security property)
– User with label L1 can write document with label L2 when L1 is dominated by L2: write-up rule (star property)

Preventing Information Flow with BLP
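The lattice comparison and the two BLP rules above, carried through in code. This is an added example, not part of the slides: the `Label` class, `LEVELS` table and function names are my own, and dominance is implemented as reflexive (level at least as high, compartments a superset), which is what the read rule needs so that a TS subject can read a TS document. `L3` is a constructed label with a compartment `D` that `L1` lacks, used to show the incomparable case.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Sensitivity levels are totally ordered: TS > S > C > U
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    """A MAC label: (sensitivity level, set of compartments)."""
    level: str
    compartments: FrozenSet[str]


def dominates(l1: Label, l2: Label) -> bool:
    """L1 dominates L2 when its level is at least L2's and its compartments
    are a superset of L2's.  Dominance is reflexive: a label dominates itself."""
    return (LEVELS[l1.level] >= LEVELS[l2.level]
            and l1.compartments >= l2.compartments)


def compare(l1: Label, l2: Label) -> str:
    """Place L1 relative to L2 in the lattice (the four cases on the slide)."""
    if l1 == l2:
        return "equal"
    if dominates(l1, l2):
        return "dominates"
    if dominates(l2, l1):
        return "dominated by"
    return "not comparable"


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (read-down): the subject must dominate the object."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Star property (write-up): the object must dominate the subject."""
    return dominates(obj, subject)


def flow_allowed(src: Label, subject: Label, dst: Label) -> bool:
    """Can this subject copy information from src into dst?  It needs to read
    src and write dst, which BLP permits only when dst dominates src, so
    information never flows downward in the lattice."""
    return can_read(subject, src) and can_write(subject, dst)


# Labels taken from the slides
TS_NC = Label("TS", frozenset({"nuclear", "chemical"}))
S_NV = Label("S", frozenset({"nuclear", "conventional"}))
L1 = Label("TS", frozenset({"A", "B", "C"}))
L2 = Label("S", frozenset({"A", "B"}))
# Constructed label: same level as L2, but with a compartment L1 does not have
L3 = Label("S", frozenset({"B", "C", "D"}))

if __name__ == "__main__":
    print("L1 vs L2:", compare(L1, L2))
    print("L1 vs L3:", compare(L1, L3))
    print("TS user reads S doc:", can_read(L1, L2))
    print("TS user writes S doc:", can_write(L1, L2))
    print("S user writes TS doc:", can_write(L2, L1))
    print("copy TS doc into S doc:", flow_allowed(L1, L1, L2))
```

`flow_allowed` is the point of the two rules taken together: a TS-cleared subject may read a TS document and may write an S document, but never both for the same pair, so the read-down and write-up rules jointly block the downward flow the next slide title refers to.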

Mandatory Access Control

Discretionary Access Control
– In discretionary access control (DAC), the owner of a resource decides how it can be shared
– Owner can choose to give read or write access to other users

Discretionary Access Control
Two problems with DAC:
You cannot control whether someone you share a file with will further share the data contained in it
Cannot control “information flow”
In many organizations, a user does not get to decide how certain types of data can be shared
Typically the employer may mandate how to share various types of sensitive data
Mandatory Access Control(MAC) helps address these problems

Mandatory Access Control(MAC) Models
User works in a company and the company decides how data should be shared
Hospital owns patient records and limits their sharing
Regulatory requirements may limit sharing
HIPAA for health information

Military and intelligence agencies:
Data has associated classification level and users are cleared at various levels
– top secret, secret, confidential etc.
– Limits on who can access data at a certain level
User cleared only at secret level should not be able to access top secret data
– Also called multilevel security(MLS)

Role-Based Access Control(RBAC)

User -> Role -> Rights
– In enterprise setting, access may be based on job function or role of a user
payroll manager, project member etc.
access rights are associated with role
Users authenticate themselves to the system
Users can then activate one or more roles for themselves

RBAC Benefits
Policy need not be updated when a person holding a role leaves the organization
New employee should be able to activate the desired role
Revisiting least privilege
user in one role has access to a subset of the files
switch roles to gain access to other resources
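The user -> role -> rights chain, role activation, and the two benefits just listed (offboarding without a policy change; least privilege through activating only the role needed), as an added example rather than code from the slides. The role names, objects, users and the `Session`/`offboard`/`onboard` helpers are constructed for illustration.

```python
from typing import Dict, Set, Tuple

Right = Tuple[str, str]  # (object, operation)

# Policy: rights are attached to roles, never to individual people (constructed sample)
ROLE_RIGHTS: Dict[str, Set[Right]] = {
    "payroll_manager": {("payroll.db", "read"), ("payroll.db", "write")},
    "project_member": {("project_plan.doc", "read"), ("project_plan.doc", "write")},
}

# Assignment: which roles each user is allowed to activate (constructed sample)
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll_manager", "project_member"},
    "bob": {"project_member"},
}


class Session:
    """An authenticated user's session.  Authentication establishes who the
    user is; roles must still be activated before they grant anything."""

    def __init__(self, user: str, user_roles: Dict[str, Set[str]] = USER_ROLES):
        self.user = user
        self.assigned = user_roles.get(user, set())
        self.active: Set[str] = set()

    def activate(self, role: str) -> bool:
        """Activate a role; refused if the role is not assigned to this user."""
        if role not in self.assigned:
            return False
        self.active.add(role)
        return True

    def deactivate(self, role: str) -> None:
        self.active.discard(role)

    def permitted(self, obj: str, op: str) -> bool:
        """Only currently active roles count, so the user touches just the subset
        of resources the active role needs (least privilege)."""
        return any((obj, op) in ROLE_RIGHTS.get(r, set()) for r in self.active)


def offboard(user: str, user_roles: Dict[str, Set[str]]) -> None:
    """Someone leaves: only the user-role assignment changes; ROLE_RIGHTS is untouched."""
    user_roles.pop(user, None)


def onboard(user: str, roles: Set[str], user_roles: Dict[str, Set[str]]) -> None:
    """A replacement is assigned the same role and thereby inherits the same rights."""
    user_roles[user] = set(roles)


if __name__ == "__main__":
    s = Session("alice")
    s.activate("project_member")
    print("alice (project_member) writes payroll:", s.permitted("payroll.db", "write"))
    s.activate("payroll_manager")
    print("alice (+payroll_manager) writes payroll:", s.permitted("payroll.db", "write"))
```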

ACL and C-Lists

Where should an ACL be stored?
– In trusted part of the system
– Consists of access control entries, or, ACEs
– Along with other object meta-data
– For example, file meta-data has a bunch of information where this can go as well
– Checking requires traversal of the ACL

Where do C-list go?
– A capability is an unforgeable reference/handle for a resource
– User catalogue of capabilities defines what a certain user can access
– Can be stored in objects/resources themselves(Hydra)
– Sharing requires propagation of capabilities

Efficiency, Accountability, Revocation

Access Control Implementation
How is Access Control Implemented in Unix-like Systems?
– In Unix, each resource looks like a file
– Each file has an owner (UID), and access is specified for owner, group and everyone (world)
– Permissions are read, write and execute
– Original ACL implementation had a compact fixed-size representation (9 bits)
– Now full ACL support is available in many variants (Linux, BSD, macOS, ...)
– A few other things (sticky bit, setuid, ...)
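The 9-bit owner/group/world check in code, as an added example (not from the slides). The rule worth seeing is that exactly one class is consulted: an owner whose owner bits deny access is refused even if the world bits would allow it. The function and variable names are mine; root's override of these bits is deliberately left out, and the `__main__` part just reads a real mode back with `os.stat` to show where the bits live.

```python
import os
import stat
import tempfile

# Bit positions of the three classes inside the 9-bit mode
OWNER, GROUP, OTHER = 6, 3, 0
BIT = {"r": 4, "w": 2, "x": 1}


def permission_class(file_uid, file_gid, uid, gids):
    """Pick the single class whose bits are consulted.  Unix does not fall back
    to a more permissive class: for the owner only the owner bits count."""
    if uid == file_uid:
        return OWNER
    if file_gid in gids:
        return GROUP
    return OTHER


def unix_permits(mode, file_uid, file_gid, uid, gids, want):
    """Classic 9-bit check for one requested right ('r', 'w' or 'x').
    The superuser override (CAP_DAC_OVERRIDE on Linux) is not modelled."""
    shift = permission_class(file_uid, file_gid, uid, gids)
    return bool(mode & (BIT[want] << shift))


def render(mode):
    """Show the 9 bits the way ls -l does, e.g. 0o750 -> 'rwxr-x---'."""
    out = []
    for shift in (OWNER, GROUP, OTHER):
        for ch in "rwx":
            out.append(ch if mode & (BIT[ch] << shift) else "-")
    return "".join(out)


if __name__ == "__main__":
    # Create a temporary file, set its mode, then read the bits back from the
    # inode metadata the kernel keeps for the file.
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o640)
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    print(render(mode), "uid", st.st_uid, "gid", st.st_gid)
    print("owner may write:", unix_permits(mode, st.st_uid, st.st_gid, os.getuid(), {st.st_gid}, "w"))
    print("stranger may read:", unix_permits(mode, st.st_uid, st.st_gid, st.st_uid + 1, set(), "r"))
    os.remove(path)
```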

Access Control Implementation
How are files used (system calls for accessing files)?
– Create(filename)/* several ways to do it */
– fd = open(filename, mode)
– read (fd, buf, sizeof(buf))
– write(fd, buf, sizeof(buf))
– close(fd)

Implementing Access Control

List all subjects (users/processes) as rows and all objects as columns of a matrix:
A11 A12 A13 … A1n
A21 A22 A23 … A2n
A31 A32 A33 … A3n
.
.
Am1 Am2 Am3 … Amn
Entry Aij holds the rights subject i has on object j.

Access control matrix is large
How do we represent it in the system?
The column for object Oi is [(u1, right1), (u2, right2), …]
– called an access control list, or ACL
– associated with each resource
For user ui, the row in the matrix is [(o1, right1), (o2, right2), …]
– called a capability list, or C-list
– such a C-list is stored for each user

ACLs
x -> [(A, rwx)]
y -> [(A, r), (B, rw), (C, rw)]
z -> [(B, rx), (C, rx)]

C-lists
A -> [(x, rwx), (y, r)]
B -> [(y, rw), (z, rx)]
C -> [(y, rw), (z, rx)]
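The same matrix (subjects A, B, C; objects x, y, z) turned into the column view (ACLs) and the row view (C-lists), with the check each representation performs and the revocation asymmetry the "Efficiency, Accountability, Revocation" slide alludes to. Added example, not the slides' own code; the function names are mine and the matrix is the one shown above.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Access control matrix from the slides: (subject, object) -> rights
MATRIX: Dict[Tuple[str, str], str] = {
    ("A", "x"): "rwx",
    ("A", "y"): "r",
    ("B", "y"): "rw",
    ("B", "z"): "rx",
    ("C", "y"): "rw",
    ("C", "z"): "rx",
}


def to_acls(matrix) -> Dict[str, List[Tuple[str, str]]]:
    """Column view: one list of (subject, rights) per object, kept with the object."""
    acls = defaultdict(list)
    for (subject, obj), rights in sorted(matrix.items()):
        acls[obj].append((subject, rights))
    return dict(acls)


def to_clists(matrix) -> Dict[str, List[Tuple[str, str]]]:
    """Row view: one list of (object, rights) per subject, held for the subject."""
    clists = defaultdict(list)
    for (subject, obj), rights in sorted(matrix.items()):
        clists[subject].append((obj, rights))
    return dict(clists)


def acl_check(acls, subject, obj, right) -> bool:
    """ACL check: traverse the object's list looking for the subject."""
    for s, rights in acls.get(obj, []):
        if s == subject:
            return right in rights
    return False  # no entry means default deny


def clist_check(clists, subject, obj, right) -> bool:
    """C-list check: does the subject hold a capability for this object?"""
    for o, rights in clists.get(subject, []):
        if o == obj:
            return right in rights
    return False


def revoke_object(acls, clists, obj) -> None:
    """Revoking all access to an object: with ACLs it is one deletion, with
    C-lists every subject's list has to be searched for the capability."""
    acls.pop(obj, None)
    for subject in clists:
        clists[subject] = [(o, r) for o, r in clists[subject] if o != obj]


if __name__ == "__main__":
    acls, clists = to_acls(MATRIX), to_clists(MATRIX)
    print("ACLs:", acls)
    print("C-lists:", clists)
    print("B writes y:", acl_check(acls, "B", "y", "w"), clist_check(clists, "B", "y", "w"))
```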

Access Control

Controlling Accesses to Resources
– The TCB (reference monitor) sees a request for a resource; how does it decide whether it should be granted?
– Example: Should John’s process making a request to read a certain file be allowed to do so?

– Authentication establishes the source of a request
– Authorization or access control answers the question whether a certain source of a request (user ID) is allowed to read the file
– Subject who owns a resource(creates it) should be able to control access to it

Access Control
Basically, it is about who is allowed to access what.
Two parts
– Decide who should have access to certain resources
– Enforcement – only accesses defined by the access control policy are granted
Complete mediation is essential for successful enforcement

An access control matrix(ACM) abstracts the state relevant to access control.
Rows of ACM correspond to users/subjects/groups
Columns correspond to resources that need to be protected.
ACM defines who can access what

Importance of a trusted path

Hardware/OS must provide a trusted path
– Windows Ctrl-Alt-Del
– keyboard and display must have trusted paths to OS
– Special kind of display under OS control

Popular passwords:
123456, password, qwerty, 123456789, baseball, football

Publicly available software can do 10^8 MD5 hashes/sec on a GPU

Six random upper case/lower case/digit characters give 62^6 possible passwords, about 10 minutes

Problems with passwords

- As password length and complexity increase, usability suffers
- Phishing and social engineering: users do not authenticate who is asking for a password
- Once a password is stolen, it can be used many times
  -> This is why there are policies that say passwords should be changed frequently
- Humans have a hard time remembering lots of passwords. Usable passwords are easy to guess.

Sys Administrators:
– Never store passwords in the clear
– Store only hashed values generated with a random salt, and limit access to them
– Avoid general purpose fast hash functions

Users:
– Use password managers

Other Authentication Methods
– Tokens: you must have them
– May require additional hardware (e.g., readers)
– How does it implement authentication (challenge/response)?
– Cost and misplaced trust (RSA SecurID master key breach)

Various biometrics
– Fingerprints(finger swipes)
– Keystroke dynamics
– Voice
– Retina scans

Hash Function

Password -> H(password) -> A string of fixed length

Hash Functions & Threats
– We assume a one-way property for hash functions
– If we know common passwords, we can determine their hash
– For dictionary and offline attacks, we have hash values and plenty of time to test for matches

Brute Force Guessing of Passwords
– Publicly available software can do 10^8 MD5 hashes/sec on a GPU
– Six random upper case/lower case/digit characters give 62^6 possible passwords, about 10 minutes
– Eight random characters increase it to about six days

Passwords are not really random
To reduce the work required for a brute force attack:
– Try the popular passwords first
– Create a rainbow table

– Add a random salt before hashing
– Store the salt with the hashed value
– Check by using the salt with the typed password

Brute Force Guessing of Passwords
Per-user record: User ID, Salt, Hash code
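The three salt steps above (add a random salt, store it with the hash, reuse it at check time) and the per-user record (user ID, salt, hash code), written out as an added example; it is not code from the slides. Beside it sits the unsalted fast-hash anti-pattern so the difference is visible: with MD5 two users who chose "football" get identical hashes, with a salt they do not. PBKDF2-HMAC-SHA256 stands in for "avoid general purpose fast hash functions"; the iteration count is an assumed work factor, and the function names are mine.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

Record = Tuple[str, str, str]  # (user id, salt as hex, hash as hex)

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it as hardware gets faster)
ITERATIONS = 600_000


def weak_record(user_id: str, password: str) -> Record:
    """The anti-pattern: unsalted, fast general-purpose hash.  Equal passwords
    give equal hashes, and one precomputed (rainbow) table cracks every user."""
    return (user_id, "", hashlib.md5(password.encode()).hexdigest())


def make_record(user_id: str, password: str, salt: Optional[bytes] = None) -> Record:
    """Store only salt + slow hash.  The random per-user salt defeats precomputed
    tables and the iteration count makes each brute-force guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return (user_id, salt.hex(), digest.hex())


def verify(record: Record, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, salt_hex, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), stored)


if __name__ == "__main__":
    # Constructed sample: two users, same popular password
    print("md5 alice:", weak_record("alice", "football")[2])
    print("md5 bob:  ", weak_record("bob", "football")[2])
    a = make_record("alice", "football")
    b = make_record("bob", "football")
    print("salted alice:", a)
    print("salted bob:  ", b)
    print("alice logs in:", verify(a, "football"), "| wrong password:", verify(a, "footbal1"))
```

The record is all the system keeps; the password itself is never stored, and a stolen file still forces an attacker to run the slow derivation once per guess per user.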

Authentication

A number of online banking systems send a limited lifetime PIN to your smartphone for you to be able to authenticate yourself to the bank.

Threat modeling of the password method
– Guessing the password for a given user allows impersonation
– Impersonating a real login program
– Keylogging to steal a password

Importance of a Trusted Path
Hardware/OS must provide a trusted path:
– Windows Ctrl-Alt-Del
– Keyboard and display must have trusted paths to OS
– Special kind of display under OS control
– Do users pay attention?

Store a list of passwords, one for each user, in a system file.
– The file is readable only by the root/admin account
– What if the permissions are set incorrectly?
– Why should admin know passwords?
– If security is breached, the passwords are exposed to the attacker.

Use a one-way hash function and store the result
The password file is readable only for root/admin