Access Control and Intrusion Detection

5/6/20

(slides from Prof. Dooley)

CS 330 Intrusion 1 Administrivia

• HW 5 due tonight

– Chinese Remainder Theorem

– RSA

CS 330 Intrusion References

• Stallings, Chapter 6
• Bishop, “Computer Security: Art and Science,” Addison-Wesley, 2003, Chapters 12 and 25

CS 330 Intrusion 3 Intruders

• A significant issue for networked systems is hostile or unwanted access
– either via the network or locally
• We can identify classes of intruders:
– masquerader
– malfeasor (Stallings says misfeasor)
– clandestine user
• Varying levels of competence among intruders
– from script-kiddies
– to expert crackers who know OS internals

CS 330 Intrusion 4 Intrusion Goals

• The intruder's aim is twofold:
– gain access to a remote system, and
– increase their privileges on that system

CS 330 Intrusion 5 Access Control

• The front line of defense against intruders is initial access to the system. This is provided by
– identifying valid users,
– authenticating their right to use the system,
– and establishing the rights they have on the system.

CS 330 Intrusion 6 Access Control - 2

• The second line of defense is the permission structure for
– files and file systems
  • this limits where the intruder can go
– processes
  • this limits what the intruder can execute
– roles
  • this limits who the intruder can be and what overall permissions they have

CS 330 Intrusion 7 Access Control Requirements

• Reliable input
– Access control systems assume users are authentic, so
– an authentication system must be a front end to an access control system (can you say user/password authentication?)
• Fine and coarse specifications
– file system level
– record level

CS 330 Intrusion 8 Access control requirements

• Principle of least privilege – everyone gets the least amount of access that allows them to satisfy their role

• Separation of duty – divide privileges among several users

• Open and closed policies
– closed: things not specifically approved are denied
– open: things not specifically forbidden are allowed

CS 330 Intrusion 9 Access Control Policies

• Discretionary Access Control (DAC)
– access control based on the identity of the requestor
– and on access rules that decide access restrictions
– “discretionary” because a user can enable others to access some resource

• Mandatory Access Control (MAC)
– controls access by comparing security labels with security clearances
– “mandatory” because a user cannot enable others to access some resources

CS 330 Intrusion 10 Access Control Policies

CS 330 Intrusion 11 Access control policies - 2

• Role-based access control (RBAC)
– access based on the user’s role in the system
– and on rules that state what access is granted to each role
• DAC is traditional
• MAC is for the military
• RBAC is newer and like DAC
• The policies are not mutually exclusive

CS 330 Intrusion 12 Discretionary Access Control

• Often provided using an access matrix
– lists subjects in one dimension (rows)
– lists objects in the other dimension (columns)
– each entry specifies the access rights of the specified subject to that object
• The access matrix is often sparse
• Can decompose by either row or column
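As an added illustration (not from the slides), here is a sparse access matrix kept as a dictionary keyed by (subject, object), with both decompositions the slide mentions: by column, giving one access control list per object, and by row, giving one capability list per subject. The subjects, objects and rights are constructed sample data, and an absent entry is treated as "no rights", i.e. the closed policy from the earlier slide.

```python
"""Sparse access matrix with its column (ACL) and row (capability) decompositions."""
from collections import defaultdict

# Constructed sample matrix: only the non-empty cells are stored.
ACCESS_MATRIX = {
    ("maestro", "baton.txt"): {"read", "write"},
    ("maestro", "score.pdf"): {"read"},
    ("volodya", "score.pdf"): {"read", "write"},
    ("biff", "extreme_casseroles"): {"read", "write", "execute"},
}


def by_column(matrix):
    """Decompose by column: one ACL per object, mapping each subject to its rights."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)


def by_row(matrix):
    """Decompose by row: one capability list per subject, mapping objects to rights."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def check(matrix, subject, obj, right, closed=True):
    """Decide one access. With a closed policy a missing cell means denied;
    with an open policy a missing cell means allowed (rights listed are then
    the only ones permitted for cells that do exist)."""
    cell = matrix.get((subject, obj))
    if cell is None:
        return not closed
    return right in cell


def density(matrix, subjects, objects):
    """Fraction of cells that are populated; a small number shows why the
    matrix is usually stored in decomposed form rather than as a full table."""
    return len(matrix) / (len(subjects) * len(objects))


if __name__ == "__main__":
    subjects = {s for s, _ in ACCESS_MATRIX}
    objects = {o for _, o in ACCESS_MATRIX}
    print("ACLs:", by_column(ACCESS_MATRIX))
    print("capabilities:", by_row(ACCESS_MATRIX))
    print("density:", density(ACCESS_MATRIX, subjects, objects))
```

The ACL form answers "who may touch this object?" with one lookup, while the capability form answers "what may this subject touch?" with one lookup; both are the same matrix, which is why the slide says it can be decomposed either way.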

CS 330 Intrusion 13 Linux Access Control

• Linux uses a Discretionary Access Control model
• Two types of users
– the superuser (aka root)
– everyone else

CS 330 Intrusion 14 Users and Groups

• A user-account (user)
– represents someone capable of using files
– associated both with humans and with processes

• A group-account (group)
– is a list of user-accounts
– users have a main group
– may also belong to other groups

• Users & groups are not files (the exception in *nix systems)

CS 330 Intrusion 15 Users and Groups

• User's details are kept in /etc/passwd
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
• Additional group details are in /etc/group
conductors:x:100:
pianists:x:102:maestro,volodya
• Use useradd, usermod, userdel to alter them
• Use groups to see what groups you belong to
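To show how the two files fit together, here is an added example (not part of the slides) that parses passwd- and group-format lines and reproduces what the `groups` command reports: the user's main group comes from the GID field of the passwd entry, and supplementary groups come from the member lists in the group file. The passwd and group text is constructed sample data built around the slide's entries; the `volodya` and `biff` accounts are invented to make the lookups interesting.

```python
"""Parse /etc/passwd and /etc/group style records and compute a user's group set."""

# Constructed sample data modelled on the slide's entries (the 'x' password field
# means the real hash lives in /etc/shadow, which is root-readable only).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
volodya:x:201:100:Volodya:/home/volodya:/bin/bash
biff:x:202:103:Biff:/home/biff:/bin/bash
"""

GROUP = """\
conductors:x:100:
pianists:x:102:maestro,volodya
drummers:x:103:biff
"""


def parse_passwd(text):
    """name:password:UID:GID:GECOS:home:shell -> {name: fields}"""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_group(text):
    """name:password:GID:member,member -> {name: fields}"""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def groups_of(username, users, groups):
    """Main group first (from the passwd GID), then every group that lists
    the user as a member, which is the order `groups` prints them in."""
    user = users[username]
    main = [g for g, info in groups.items() if info["gid"] == user["gid"]]
    supplementary = [g for g, info in groups.items()
                     if username in info["members"] and g not in main]
    return main + supplementary


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    for name in users:
        print(name, groups_of(name, users, groups))
```

The same two parsers work on the real files on a Linux host (`open("/etc/passwd")`), which is a quick way to audit who has UID 0 or which accounts sit in an administrative group.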

CS 330 Intrusion 16 File Permissions

• Files have two owners: a user & a group
– each with its own set of permissions
• Also, a third set of permissions for everyone else
• Permissions are to read/write/execute, in the order user/group/other, cf.
-rw-rw-r-- maestro user 35414 Mar 25 01:38 baton.txt
• Set using the chmod command

CS 330 Intrusion 17 File System Security

• In Linux everything is a file
– e.g. memory, device-drivers, named pipes, and other system resources
– this is why filesystem security is so important
• I/O to devices is via a “special” file
– e.g. /dev/cdrom
• There are other special files, like named pipes
– a conduit between processes / programs

CS 330 Intrusion 18 UNIX File Concepts

• UNIX files are administered using inodes
– a control structure with key info on each file
  • attributes and permissions of a single file
– there may be several names for the same inode (called links)
– there is an inode table / list for all files on a file system
  • copied to memory when the file system is mounted
  • stored at the beginning of each file system

• Directories form a directed acyclic graph – each directory is a file of names and inode numbers

CS 330 Intrusion 19 Directory Permissions

• read = list contents
• write = create, modify, or delete files in the directory
• execute = use anything in, or change the working directory to, this directory
• e.g.
– $ chmod g+rx extreme_casseroles
– $ ls -l extreme_casseroles
drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles

CS 330 Intrusion 20 UNIX File Access Control

CS 330 Intrusion 21 Sticky Bit

• Originally used to lock a file in memory
• Now used on directories to limit deletion
– if set, you must own the file or the directory to delete it
– other users cannot delete it even if they have write permission
• Set using the chmod command with the +t flag, e.g.
– chmod +t extreme_casseroles
• The directory listing includes a t or T flag
drwxrwx--T 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
• Only applies to the specific directory, not to child directories

CS 330 Intrusion 22 UNIX File Access Control

• “set user ID” (SetUID) or “set group ID” (SetGID)
– the system temporarily uses the rights of the file owner / group in addition to the real user’s rights when making access control decisions
– enables privileged programs to access files / resources not generally accessible
• superuser
– is exempt from the usual access control restrictions

CS 330 Intrusion 23 SetUID and SetGID

• The setuid bit means the program "runs as" its owner
– no matter who executes it
• The setgid bit means it runs as a member of the group which owns it
– again regardless of who executes it

CS 330 Intrusion 24 setuid bit

• "run as" = "run with same privileges as” • Very dangerous if set on file owned by root or other privileged account or group – only used on executable files, not shell scripts – intruders will try to set the setuid bit for a program they create or modify that is owned by root. • To set the setuid bit do “chmod u+s ” or “chmod 4711

CS 330 Intrusion 25 SetGID and Directories

• setuid has no effect on directories

• setgid does, and causes any file created in the directory to inherit the directory's group

• Useful if users belong to other groups and routinely create files to be shared with other members of those groups
– instead of manually changing each file's group

• To set the setgid bit, use “chmod g+s” or “chmod 2711”

CS 330 Intrusion 26 UNIX Access Control Lists

• Modern UNIX systems support ACLs
• Can specify any number of additional users / groups and associated rwx permissions
• ACLs are optional extensions to the standard permissions
• Group permissions also set the maximum ACL permissions
• When access is required
– select the most appropriate ACL entry
  • owner, named users, owning / named groups, others
– check if it has sufficient permissions for the access
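The decision procedure on this slide, together with the sticky-bit deletion rule and the superuser exemption from the earlier slides, is small enough to write down in full. The Python below is an added example, not from the slides: it picks exactly one class for the requesting user in the order owner, named ACL user, owning or named group, others, caps every ACL entry by the group-class mask (the "group perms set max ACL permissions" point), and layers the sticky-bit ownership test on top for deletion. The inodes, users and groups are constructed sample data; the `root` shortcut is the slide's "exempt from usual restrictions" rule in simplified form.

```python
"""UNIX access decision: owner/group/other bits, POSIX.1e-style ACL entries with a mask,
sticky-bit deletion rule, and a superuser bypass."""
import stat

ALL = {"r", "w", "x"}


def _perms(text):
    """'rw-' -> {'r', 'w'}"""
    return {c for c in text if c != "-"}


def _bits(mode, shift):
    """One rwx triple out of the mode: shift 6 = owner, 3 = group, 0 = other."""
    triple = (mode >> shift) & 0o7
    return {p for p, b in (("r", 4), ("w", 2), ("x", 1)) if triple & b}


class Inode:
    """Only the fields an access check needs. acl is None or a dict with
    'users' and 'groups' (name -> 'rwx' string) and 'mask'."""
    def __init__(self, name, owner, group, mode, acl=None):
        self.name, self.owner, self.group, self.mode, self.acl = name, owner, group, mode, acl


def allowed(node, user, groups, want):
    """True if `user`, a member of `groups`, holds every permission in `want`.
    Exactly one class decides; ACL entries are capped by the mask, which is
    what ls -l shows in the group column once an ACL is present."""
    want = set(want)
    if user == "root":
        return True          # superuser bypass (simplified; Linux still wants an x bit for execute)
    if user == node.owner:
        return want <= _bits(node.mode, 6)
    mask = _perms(node.acl["mask"]) if node.acl else ALL
    if node.acl and user in node.acl["users"]:
        return want <= (_perms(node.acl["users"][user]) & mask)
    group_entries = []
    if node.group in groups:
        group_entries.append(_bits(node.mode, 3))
    if node.acl:
        group_entries += [_perms(p) for g, p in node.acl["groups"].items() if g in groups]
    if group_entries:        # any matching group entry that grants everything wanted wins
        return any(want <= (entry & mask) for entry in group_entries)
    return want <= _bits(node.mode, 0)


def can_delete(directory, entry, user, groups):
    """Unlinking needs write and execute on the directory; with the sticky bit
    set the caller must additionally own the file or the directory."""
    if user == "root":
        return True
    if not allowed(directory, user, groups, {"w", "x"}):
        return False
    if directory.mode & stat.S_ISVTX:
        return user in (entry.owner, directory.owner)
    return True


# Constructed sample objects; names follow the slides, modes and ACLs are chosen here.
BATON = Inode("baton.txt", "maestro", "conductors", 0o664,
              acl={"users": {"volodya": "rw-"}, "groups": {}, "mask": "r--"})
CASSEROLES = Inode("extreme_casseroles", "biff", "drummers", 0o1770)    # drwxrwx--T
OPEN_DIR = Inode("shared", "biff", "drummers", 0o770)                    # same, no sticky
RECIPE = Inode("recipe.txt", "biff", "drummers", 0o640)


def demo():
    """Decisions a practitioner would expect for the sample objects above."""
    return {
        "volodya reads baton": allowed(BATON, "volodya", {"pianists"}, "r"),
        "volodya writes baton": allowed(BATON, "volodya", {"pianists"}, "w"),  # masked out
        "ringo writes in sticky dir": allowed(CASSEROLES, "ringo", {"drummers"}, "w"),
        "ringo deletes biff's file (sticky)": can_delete(CASSEROLES, RECIPE, "ringo", {"drummers"}),
        "ringo deletes biff's file (no sticky)": can_delete(OPEN_DIR, RECIPE, "ringo", {"drummers"}),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question}: {answer}")
```

The mask is the part people miss when auditing a host with `getfacl`: a named-user entry of `rw-` grants only read if the mask is `r--`, and a `chmod g-w` on an ACL-bearing file tightens the mask rather than the owning group's entry.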
