
Access Control and Intrusion Detection
5/6/20 (slides from Prof. Dooley)
CS 330 Intrusion 1

Administrivia
• HW 5 due tonight
– Chinese Remainder Theorem
– RSA

References
• Stallings, Chapter 6
• Bishop, “Computer Security: Art and Science,” Addison-Wesley, 2003, Chapters 12 and 25

Intruders
• A significant issue for networked systems is hostile or unwanted access – either via the network or locally
• We can identify classes of intruders:
– masquerader
– malfeasor (Stallings says misfeasor)
– clandestine user
• varying levels of competence among intruders
– from script-kiddies
– to expert crackers who know OS internals

Intrusion Goals
• The intruder's aim is twofold:
– Gain access to a remote system, and
– Increase their privileges on that system

Access Control
• The front line of defense against intruders is initial access to the system
– this is provided by identifying valid users,
– authenticating their right to use the system,
– and establishing the rights they have on the system.

Access Control - 2
• The second line of defense is the permission structure for
– files and file systems
• this limits where the intruder can go
– processes
• this limits what the intruder can execute
– role
• this limits who the intruder can be and what overall permissions they have

Access Control Requirements
• Reliable Input
– Access control systems assume users are authentic, so
– an authentication system must be a front end to an access control system (can you say user/password authentication?)
• Fine and coarse specifications
– file system level
– record level

Access control requirements
• Principle of least privilege
– everyone gets the least amount of access that allows them to satisfy their role
• Separation of duty
– divide privileges among several users
• Open and closed policies
– closed - things not specifically approved are denied
– open - things not specifically forbidden are allowed

Access Control Policies
• Discretionary Access Control
– access control based on the identity of the requestor
– and on access rules that decide access restrictions
– “discretionary” because a user can enable others to access some resource
• Mandatory Access Control
– controls access by comparing security labels with security clearances
– mandatory because a user cannot enable others to access some resources

Access Control Policies (figure)

Access control policies - 2
• Role-based access control
– access based on the user’s role in the system
– and on rules that state what access is granted to each role.
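To make the three policies concrete, here is an added example (not from the slides) that simulates each one on the same question, "may subject S exercise right R on object O?". The DAC part uses a sparse access matrix with a closed/open default; the MAC part compares a subject's clearance with an object's label (the read-down / write-up rule is an assumption beyond the slide's "compare labels with clearances"); the RBAC part routes the decision through roles. All subjects, objects, labels and roles are constructed sample data.

```python
# Added example, not from the slides: DAC, MAC and RBAC as small simulations.
# Every subject, object, label and role below is constructed sample data.

# --- Discretionary Access Control: a sparse access matrix -------------------
# Rows are subjects, columns are objects; only non-empty cells are stored.
ACCESS_MATRIX = {
    ("alice", "report.txt"): {"read", "write", "own"},
    ("bob", "report.txt"): {"read"},
    ("alice", "notes.txt"): {"read", "write", "own"},
}

def dac_allowed(subject, obj, right, closed_policy=True):
    """Closed policy: a missing cell means 'not approved', so deny.
    Open policy: a missing cell means 'nothing forbidden', so allow."""
    cell = ACCESS_MATRIX.get((subject, obj))
    if cell is None:
        return not closed_policy
    return right in cell

def dac_grant(grantor, subject, obj, right):
    """'Discretionary': only the owner of an object may give others access to it."""
    if "own" not in ACCESS_MATRIX.get((grantor, obj), set()):
        return False
    ACCESS_MATRIX.setdefault((subject, obj), set()).add(right)
    return True

def capability_list(subject):
    """Decompose the matrix by row: everything one subject may do."""
    return {o: rights for (s, o), rights in ACCESS_MATRIX.items() if s == subject}

def access_control_list(obj):
    """Decompose the matrix by column: everyone who may touch one object."""
    return {s: rights for (s, o), rights in ACCESS_MATRIX.items() if o == obj}

# --- Mandatory Access Control: labels versus clearances --------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
CLEARANCE = {"alice": "secret", "bob": "confidential"}   # per subject
LABEL = {"report.txt": "secret", "notes.txt": "unclassified"}  # per object

def mac_allowed(subject, obj, right):
    """Assumed Bell-LaPadula style rule: read only at or below your clearance,
    write only at or above it (no write-down). There is deliberately no
    mac_grant(): a user cannot hand out access under MAC."""
    clearance = LEVELS[CLEARANCE[subject]]
    label = LEVELS[LABEL[obj]]
    if right == "read":
        return clearance >= label
    if right == "write":
        return clearance <= label
    return False

# --- Role-Based Access Control: users -> roles -> permissions ---------------
ROLE_PERMS = {
    "editor": {("report.txt", "read"), ("report.txt", "write")},
    "viewer": {("report.txt", "read")},
}
USER_ROLES = {"alice": {"editor"}, "bob": {"viewer"}}

def rbac_allowed(subject, obj, right):
    """Allowed if any role held by the subject grants (obj, right)."""
    return any((obj, right) in ROLE_PERMS[r] for r in USER_ROLES.get(subject, ()))
```

Note how the same request ("bob writes report.txt") is denied under all three policies for three different reasons: no matrix cell under DAC, clearance below the label under MAC, and no role carrying the permission under RBAC. Only DAC offers a way for alice, as owner, to change that outcome herself.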
• DAC is traditional
• MAC is for the military
• RBAC is newer and like DAC
• policies are not mutually exclusive

Discretionary Access Control
• Often provided using an access matrix
– lists subjects in one dimension (rows)
– lists objects in the other dimension (columns)
– each entry specifies the access rights of the specified subject to that object
• The access matrix is often sparse
• Can decompose by either row or column

Linux/Unix Access Control
• Linux uses a Discretionary Access Control model
• Two types of users
– the superuser (aka root)
– everyone else

Users and Groups
• A user-account (user)
– represents someone capable of using files
– associated both with humans and processes
• A group-account (group)
– is a list of user-accounts
– users have a main group
– may also belong to other groups
• Users & groups are not files (the exception in *nix systems)

Users and Groups
• User's details are kept in /etc/passwd, e.g.
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
• Additional group details in /etc/group, e.g.
conductors:x:100:
pianists:x:102:maestro,volodya
• Use useradd, usermod, userdel to alter
• Use groups to see what groups you belong to

File Permissions
• Files have two owners: a user & a group
• each with its own set of permissions
• Also, a third set of permissions for everyone else
• Permissions are to read/write/execute in order user/group/other, cf.
-rw-rw-r-- maestro user 35414 Mar 25 01:38 baton.txt
• Set using the chmod command

File System Security
• In Linux everything is a file
– e.g. memory, device-drivers, named pipes, and other system resources
– why filesystem security is so important
• I/O to devices is via a “special” file
– e.g.
/dev/cdrom
• Have other special files like named pipes
– a conduit between processes / programs

UNIX File Concepts
• UNIX files are administered using inodes
– control structure with key info on each file
• attributes, permissions of a single file
– may have several names for the same inode (called links)
– have an inode table / list for all files on a file system
• copied to memory when the file system is mounted
• stored at the beginning of each file system
• Directories form a directed acyclic graph
– each directory is a file of names and inode numbers

Directory Permissions
• read = list contents
• write = create, modify, or delete files in the directory
• execute = use anything in, or change working directory to, this directory
• e.g.
– $ chmod g+rx extreme_casseroles
– $ ls -l extreme_casseroles
drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles

UNIX File Access Control (figure)

Sticky Bit
• Originally used to lock a file in memory
• Now used on directories to limit delete
– if set, must own the file or dir to delete
– other users cannot delete even if they have write
• Set using the chmod command with the +t flag, e.g.
– chmod +t extreme_casseroles
• Directory listing includes t or T flag
drwxrwx--T 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
• Only applies to the specific directory, not child dirs

UNIX File Access Control
• “set user ID” (SetUID) or “set group ID” (SetGID)
– the system temporarily uses the rights of the file owner / group in addition to the real user’s rights when making access control decisions
– enables privileged programs to access files / resources not generally accessible
• superuser
– is exempt from usual access control restrictions

SetUID and SetGID
• setuid bit means the program "runs as" its owner
– no matter who executes it
• setgid bit means run as a member of the group which owns it
– again regardless of who executes it

setuid bit
• "run as" = "run with the same privileges as”
• Very dangerous if set on a file owned by root or another privileged account or group
– only used on executable files, not shell scripts
– intruders will try to set the setuid bit for a program they create or modify that is owned by root.
• To set the setuid bit do “chmod u+s <filename>” or “chmod 4711 <filename>”

SetGID and Directories
• setuid has no effect on directories
• setgid does and causes any file created in a directory to inherit the directory's group
• Useful if users belong to other groups and routinely create files to be shared with other members of those groups
– instead of manually changing its group
• To set the setgid bit use “chmod g+s <dirname>” or “chmod 2711 <dirname>”

UNIX Access Control Lists
• Modern UNIX systems support ACLs
• Can specify any number of additional users / groups and associated rwx permissions
• ACLs are optional extensions to std permissions
• Group perms also set max ACL permissions
• When access is required
– select the most appropriate ACL
• owner, named users, owning / named groups, others
– check if they have sufficient permissions for access
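The sticky-bit, setuid/setgid and ACL slides above each add one rule to the basic permission check. The following added example (not from the slides) models all four rules together on octal modes as chmod would take them: which effective ids a process gets when it executes a setuid or setgid program, which group a file created inside a setgid directory inherits, when a delete is refused in a sticky directory, and how a POSIX-style ACL is evaluated with the group triple acting as the mask. The uids, gids and Inode/Process classes are constructed; the mask rule for the owning group and the unlink requirement of write+execute on the directory are POSIX ACL / UNIX behaviour assumed here, not stated on the slides.

```python
# Added example, not from the slides: a model of the setuid/setgid bits,
# the sticky bit and POSIX-style ACL evaluation. All ids are constructed.
import stat

ROOT = 0  # uid of the superuser

class Inode:
    """A file or directory: owner uid, owning gid, chmod-style mode and an
    optional ACL mapping ("user", uid) or ("group", gid) to an rwx value 0-7."""
    def __init__(self, uid, gid, mode, acl=None):
        self.uid, self.gid, self.mode = uid, gid, mode
        self.acl = acl or {}

class Process:
    """A running process: effective uid, effective gid, supplementary groups."""
    def __init__(self, uid, gid, groups=()):
        self.uid, self.gid = uid, gid
        self.groups = set(groups) | {gid}

def exec_program(proc, prog):
    """Execute prog: a setuid file runs as its owner and a setgid file as its
    owning group, regardless of who started it. Supplementary groups are kept."""
    euid = prog.uid if prog.mode & stat.S_ISUID else proc.uid
    egid = prog.gid if prog.mode & stat.S_ISGID else proc.gid
    return Process(euid, egid, proc.groups)

def create_file_in(proc, directory, mode=0o644):
    """A new file is owned by the creating uid; its group is the directory's
    group when the directory has setgid set, otherwise the process's gid."""
    gid = directory.gid if directory.mode & stat.S_ISGID else proc.gid
    return Inode(proc.uid, gid, mode)

def permission_bits(proc, inode):
    """rwx value (0-7) the process gets on inode, checked one right at a time:
    owner, then a named-user entry, then owning/named groups, then other.
    When an ACL is present the mode's group triple is the mask, the upper
    bound for every entry except the owner and 'other' (assumed POSIX rule)."""
    owner, group, other = (inode.mode >> 6) & 7, (inode.mode >> 3) & 7, inode.mode & 7
    if proc.uid == inode.uid:
        return owner
    mask = group if inode.acl else 7
    if ("user", proc.uid) in inode.acl:
        return inode.acl[("user", proc.uid)] & mask
    matched, hit = 0, False
    if inode.gid in proc.groups:  # owning group; its own entry defaults to the mode bits
        hit = True
        matched |= inode.acl.get(("group", inode.gid), group) & mask
    for gid in proc.groups:  # named groups the process belongs to
        if gid != inode.gid and ("group", gid) in inode.acl:
            hit = True
            matched |= inode.acl[("group", gid)] & mask
    return matched if hit else other

def can_delete(proc, directory, target):
    """Unlinking needs write and execute on the directory; with the sticky bit
    the caller must additionally own the target or the directory. root is exempt."""
    if proc.uid == ROOT:
        return True
    if permission_bits(proc, directory) & 0o3 != 0o3:  # w = 2, x = 1
        return False
    if directory.mode & stat.S_ISVTX:
        return proc.uid in (target.uid, directory.uid)
    return True
```

Reading the model against the slides: `exec_program` is why a root-owned setuid binary is dangerous (the caller's uid simply becomes 0 for the life of that process); `create_file_in` is the "inherit the directory's group" behaviour of `chmod g+s` on a directory; `can_delete` is why a world-writable `/tmp`-style directory needs `+t`; and `permission_bits` shows the ACL slide's "group perms set max ACL permissions" as the mask applied to every named-user and group entry.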