diff --git a/Systemsicherheit - Cheatsheet.tex b/Systemsicherheit - Cheatsheet.tex
index b3efb20..9ee7f66 100644
--- a/Systemsicherheit - Cheatsheet.tex
+++ b/Systemsicherheit - Cheatsheet.tex
@@ -24,11 +24,11 @@ \renewcommand{\footrulewidth}{0pt} %untere Trennlinie \pdfinfo{ - /Title (Systemsicherheit - Cheatsheet) - /Creator (TeX) - /Producer (pdfTeX 1.40.0) - /Author (Robert Jeutter) - /Subject () + /Title (Systemsicherheit - Cheatsheet) + /Creator (TeX) + /Producer (pdfTeX 1.40.0) + /Author (Robert Jeutter) + /Subject () } %%% Code Listings 
@@ -37,33 +37,33 @@ \definecolor{codepurple}{rgb}{0.58,0,0.82} \definecolor{backcolour}{rgb}{0.95,0.95,0.92} \lstdefinestyle{mystyle}{ - backgroundcolor=\color{backcolour}, - commentstyle=\color{codegreen}, - keywordstyle=\color{magenta}, - numberstyle=\tiny\color{codegray}, - stringstyle=\color{codepurple}, - basicstyle=\ttfamily, - breakatwhitespace=false, + backgroundcolor=\color{backcolour}, + commentstyle=\color{codegreen}, + keywordstyle=\color{magenta}, + numberstyle=\tiny\color{codegray}, + stringstyle=\color{codepurple}, + basicstyle=\ttfamily, + breakatwhitespace=false, } \lstset{style=mystyle, upquote=true} %textmarker style from colorbox doc \tcbset{textmarker/.style={% - enhanced, - parbox=false,boxrule=0mm,boxsep=0mm,arc=0mm, - outer arc=0mm,left=2mm,right=2mm,top=3pt,bottom=3pt, - toptitle=1mm,bottomtitle=1mm,oversize}} + enhanced, + parbox=false,boxrule=0mm,boxsep=0mm,arc=0mm, + outer arc=0mm,left=2mm,right=2mm,top=3pt,bottom=3pt, + toptitle=1mm,bottomtitle=1mm,oversize}} % define new colorboxes \newtcolorbox{hintBox}{textmarker, - borderline west={6pt}{0pt}{yellow}, - colback=yellow!10!white} + borderline west={6pt}{0pt}{yellow}, + colback=yellow!10!white} \newtcolorbox{importantBox}{textmarker, - borderline west={6pt}{0pt}{red}, - colback=red!10!white} + borderline west={6pt}{0pt}{red}, + colback=red!10!white} \newtcolorbox{noteBox}{textmarker, - borderline west={3pt}{0pt}{green}, - colback=green!10!white} + borderline west={3pt}{0pt}{green}, + colback=green!10!white} % define commands for easy access \renewcommand{\note}[2]{\begin{noteBox} \textbf{#1} #2 \end{noteBox}} 
@@ -75,33 +75,33 @@ % if using A4 paper. (This probably isn't strictly necessary.) % If using another size paper, use default 1cm margins. \ifthenelse{\lengthtest { \paperwidth = 11in}} - { \geometry{top=.5in,left=.5in,right=.5in,bottom=.5in} } - {\ifthenelse{ \lengthtest{ \paperwidth = 297mm}} - {\geometry{top=1.3cm,left=1cm,right=1cm,bottom=1.2cm} } - {\geometry{top=1.3cm,left=1cm,right=1cm,bottom=1.2cm} } - } + { \geometry{top=.5in,left=.5in,right=.5in,bottom=.5in} } + {\ifthenelse{ \lengthtest{ \paperwidth = 297mm}} + {\geometry{top=1.3cm,left=1cm,right=1cm,bottom=1.2cm} } + {\geometry{top=1.3cm,left=1cm,right=1cm,bottom=1.2cm} } + } % Redefine section commands to use less space \makeatletter \renewcommand{\section}{\@startsection{section}{1}{0mm}% - {-1ex plus -.5ex minus -.2ex}% - {0.5ex plus .2ex}%x - {\normalfont\large\bfseries}} + {-1ex plus -.5ex minus -.2ex}% + {0.5ex plus .2ex}%x + {\normalfont\large\bfseries}} \renewcommand{\subsection}{\@startsection{subsection}{2}{0mm}% - {-1explus -.5ex minus -.2ex}% - {0.5ex plus .2ex}% - {\normalfont\normalsize\bfseries}} + {-1explus -.5ex minus -.2ex}% + {0.5ex plus .2ex}% + {\normalfont\normalsize\bfseries}} \renewcommand{\subsubsection}{\@startsection{subsubsection}{3}{0mm}% - {-1ex plus -.5ex minus -.2ex}% - {1ex plus .2ex}% - {\normalfont\small\bfseries}} + {-1ex plus -.5ex minus -.2ex}% + {1ex plus .2ex}% + {\normalfont\small\bfseries}} \makeatother % Don't print section numbers \setcounter{secnumdepth}{0} \setlength{\parindent}{0pt} -\setlength{\parskip}{0pt plus 0.5ex} +\setlength{\parskip}{0pt plus 0.5ex} % compress space \setlength\abovedisplayskip{0pt} \setlength{\parskip}{0pt} @@ -132,7 +132,7 @@ \item Real Time \& Scalability \item Openness \item Conditio sine qua non: Provability of information properties - \item non-repudiability ("nicht-abstreitbar") + \item non-repudiability (,,nicht-abstreitbar'') \end{itemize*} Specific Security Goals (Terms) 
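Review bot: The new form `,,nicht-abstreitbar''` on the non-repudiability item pairs a German low opening quote with an English closing quote, and `,,` only becomes „ under a T1-encoded font, which this hunk does not show; without it the PDF prints two commas. Since the running text is English, the consistent choice is `` ``nicht-abstreitbar'' `` or, more robustly, `\enquote{nicht-abstreitbar}` from `csquotes`, which lets babel choose the correct glyphs for German terms. The same `"..."` to `,,...''` replacement recurs in most later hunks of this commit, so whichever form is chosen should be applied consistently.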
@@ -267,16 +267,16 @@ \item Limited knowledge of users \begin{itemize*} \item limited horizon: knowledge about the rest of a system - \item limited problem awareness: see "lack of knowledge" + \item limited problem awareness: see ,,lack of knowledge'' \item limited skills \end{itemize*} - \item Problem complexity $\rightarrow$ effects of individual permission assignments by users to system-wide security properties + \item Problem complexity $\rightarrow$ effects of individual permission assignments by users to system-wide security properties \item Limited configuration options and granularity: archaic and inapt security mechanisms in system and application software \begin{itemize*} \item no isolation of non-trusted software \item no enforcement of global security policies \end{itemize*} - \item $\rightarrow$ Effectiveness of discretionary access control (DAC) + \item[$\rightarrow$] Effectiveness of discretionary access control (DAC) \end{itemize*} \subsubsection{Organizational Vulnerabilities} @@ -295,8 +295,8 @@ The Problem: Complexity of IT Systems \begin{itemize*} \item ... will in foreseeable time not be - \item Completely, consistently, unambiguously, correctly specified $\rightarrow$ contain specification errors - \item Correctly implemented $\rightarrow$ contain programming errors + \item Completely, consistently, unambiguously, correctly specified $\rightarrow$ contain specification errors + \item Correctly implemented $\rightarrow$ contain programming errors \item Re-designed on a daily basis $\rightarrow$ contain conceptual weaknesses and vulnerabilities \end{itemize*} 
@@ -304,8 +304,8 @@ Privileged software can be tricked into executing attacker’s code. Approach: Cleverly forged parameters overwrite procedure activation frames in memory \begin{itemize*} - \item $\rightarrow$ exploitation of missing length checks on input buffers - \item $\rightarrow$ buffer overflow + \item[$\rightarrow$] exploitation of missing length checks on input buffers + \item[$\rightarrow$] buffer overflow \end{itemize*} What an Attacker Needs to Know \begin{itemize*} @@ -328,7 +328,7 @@ \item Attacker makes victim program overwrite runtime-critical parts of its stack \begin{itemize*} \item by counting up to the length of msg - \item at the same time writing back over previously save runtime information $\rightarrow$ ReturnIP + \item at the same time writing back over previously save runtime information $\rightarrow$ ReturnIP \end{itemize*} \item After finish: victim program executes code at address of ReturnIP (=address of a forged call to execute arbitrary programs) \item Additional parameter: file system location of a shell @@ -361,7 +361,7 @@ \begin{itemize*} \item Attack objectives and attackers \item Attack methods and practices (Tactics, Techniques) - \item $\rightarrow$ know your enemy + \item[$\rightarrow$] know your enemy \end{itemize*} Approach: Compilation of a threat catalog, content: @@ -386,7 +386,7 @@ \item often indirect $\rightarrow$ social engineering \item statistical profile: age 30-40, executive function \item weapons: technical and organisational insider knowledge - \item damage potential: Loss of control over critical knowledge $\rightarrow$ loss of economical or political power + \item damage potential: Loss of control over critical knowledge $\rightarrow$ loss of economical or political power \end{itemize*} \item Personal Profit \begin{itemize*} 
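Review bot: The reindented line in the stack-smashing walkthrough still reads "previously save runtime information"; it should be `\item at the same time writing back over previously saved runtime information $\rightarrow$ ReturnIP`. Because this list describes the attack as a bare return-address overwrite followed by a jump to injected code (the "file system location of a shell" item), a one-line caveat that stack canaries, non-executable stacks and ASLR defeat this naive form on current systems — pushing attackers to return-oriented variants — would stop readers from treating the sketch as directly applicable. The enclosing `itemize*` environment of this hunk opens before its first line.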
@@ -402,7 +402,7 @@ \item Terrorists: motivated by faith and philosophy, paid by organisations and governments \item Avengers: see insiders \item Psychos: all ages, all types, personality disorder - \item $\rightarrow$ No regular access to IT systems, no insider knowledge, but skills and tools. + \item[$\rightarrow$] No regular access to IT systems, no insider knowledge, but skills and tools. \end{itemize*} \item damage potential: Loss of critical infrastructures \end{itemize*} @@ -536,9 +536,9 @@ Identification and Classification of scenario-specific risks \begin{itemize*} \item Risks $\subseteq$ Vulnerabilities $\times$ Threats - \item Correlation of vulnerabilities and threats $\rightarrow$ Risk catalogue + \item Correlation of vulnerabilities and threats $\rightarrow$ Risk catalogue \item Classification of risks $\rightarrow$ Complexity reduction - \item $\rightarrow$ Risk matrix + \item[$\rightarrow$] Risk matrix \item n Vulnerabilities, m Threats $\rightarrow$ x Risks \item Correlation of Vulnerabilities and Threats $\rightarrow$ Risk catalogue $n:m$ correlation \item $max(n,m)<< x \leq nm$ $\rightarrow$ quite large risk catalogue! 
@@ -551,21 +551,21 @@ Damage Potential Assessment \begin{itemize*} \item Cloud computing $\rightarrow$ loss of confidence/reputation - \item Industrial plant control $\rightarrow$ damage or destruction of facility - \item Critical public infrastructure $\rightarrow$ interrupted services, possible impact on public safety + \item Industrial plant control $\rightarrow$ damage or destruction of facility + \item Critical public infrastructure $\rightarrow$ interrupted services, possible impact on public safety \item Traffic management $\rightarrow$ maximum credible accident \end{itemize*} Occurrence Probability Assessment \begin{itemize*} - \item Cloud computing $\rightarrow$ depending on client data sensitivity - \item Industrial plant control $\rightarrow$ depending on plant sensitivity - \item Critical public infrastructure $\rightarrow$ depending on terroristic threat level - \item Traffic management $\rightarrow$ depending on terroristic threat level + \item Cloud computing $\rightarrow$ depending on client data sensitivity + \item Industrial plant control $\rightarrow$ depending on plant sensitivity + \item Critical public infrastructure $\rightarrow$ depending on terroristic threat level + \item Traffic management $\rightarrow$ depending on terroristic threat level \end{itemize*} \note{Damage potential \& Occurrence probability}{is highly scenario-specific} - Depends on diverse, mostly non-technical side conditions $\rightarrow$ advisory board needed for assessment + Depends on diverse, mostly non-technical side conditions $\rightarrow$ advisory board needed for assessment \paragraph{Advisory Board Output Example} \begin{tabular}{ l | l | p{.6cm} | p{4cm} } 
@@ -610,19 +610,19 @@ \item Expenses for human resources and IT \item Feasibility from organizational and technological viewpoints \end{itemize*} - \item $\rightarrow$ Cost-benefit ratio:management and business experts involved + \item[$\rightarrow$] Cost-benefit ratio:management and business experts involved \end{itemize*} \section{Security Policies and Models} \begin{itemize*} \item protect against collisions $\rightarrow$ Security Mechanisms - \item $\rightarrow$ Competent \& coordinated operation of mechanisms $\rightarrow$ Security Policies - \item $\rightarrow$ Effectiveness of mechanisms and enforcement of security policies $\rightarrow$ Security Architecture + \item[$\rightarrow$] Competent \& coordinated operation of mechanisms $\rightarrow$ Security Policies + \item[$\rightarrow$] Effectiveness of mechanisms and enforcement of security policies $\rightarrow$ Security Architecture \end{itemize*} Security Policies: a preliminary Definition \begin{itemize*} - \item We have risks: Malware attack $\rightarrow$ violation of confidentiality and integrity of patient’s medical records + \item We have risks: Malware attack $\rightarrow$ violation of confidentiality and integrity of patient’s medical records \item We infer security requirements: Valid information flows \item We design a security policy: Rules for controlling information flows \end{itemize*} @@ -646,7 +646,7 @@ \end{itemize*} \subsubsection{Implementation Alternative A} - The security policy is handled an OS abstractionon its own $\rightarrow$ implemented inside the kernel + The security policy is handled an OS abstractionon its own $\rightarrow$ implemented inside the kernel \includegraphics[width=.5\linewidth]{Assets/Systemsicherheit-pos.png} Policy Enforcement in SELinux 
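Review bot: The changed line under "Implementation Alternative A" carries two typos that survive the reindent: "handled an OS abstractionon its own". It should read `The security policy is handled as an OS abstraction on its own $\rightarrow$ implemented inside the kernel`, which also makes the contrast with the SELinux enforcement description that follows clearer.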
@@ -787,7 +787,7 @@ \note{Access Control Matrix (ACM)}{An ACM is a matrix $m:S\times O \rightarrow 2^{OP}$, such that $\forall s\in S,\forall o\in O:op\in m(s,o)\Leftrightarrow f(s,o,op)$.} - An ACM is a rewriting of the definition of an ACF: nothing is added, nothing is left out ("$\Leftrightarrow$"). Despite a purely theoretical model: paved the way for practically implementing AC meta-information as tables, 2-dimensional lists, distributed arrays and lists. + An ACM is a rewriting of the definition of an ACF: nothing is added, nothing is left out (,,$\Leftrightarrow$''). Despite a purely theoretical model: paved the way for practically implementing AC meta-information as tables, 2-dimensional lists, distributed arrays and lists. Example \begin{itemize*} @@ -823,12 +823,12 @@ \paragraph{The Harrison-Ruzzo-Ullman Model (HRU)} - Privilege escalation question: "Can it ever happen that in a given state, some specific subject obtains a specific permission?" + Privilege escalation question: ,,Can it ever happen that in a given state, some specific subject obtains a specific permission?'' $\varnothing \Rightarrow \{r,w\}$ \begin{itemize*} \item ACM models a single state $\langle S,O,OP,m\rangle$ \item ACM does not tell anything about what might happen in future - \item Behavior prediction $\rightarrow$ proliferation of rights $\rightarrow$ HRU safety + \item Behavior prediction $\rightarrow$ proliferation of rights $\rightarrow$ HRU safety \end{itemize*} We need a model which allows statements about 
@@ -839,8 +839,8 @@ Idea [Harrison et al., 1976]: A (more complex) security model combining \begin{itemize*} - \item Lampson’s ACM $\rightarrow$ for modeling single protection state (snapshots) of an AC system - \item Deterministic automata (state machines) $\rightarrow$ for modeling runtime changes of a protection state + \item Lampson’s ACM $\rightarrow$ for modeling single protection state (snapshots) of an AC system + \item Deterministic automata (state machines) $\rightarrow$ for modeling runtime changes of a protection state \end{itemize*} This idea was pretty awesome. We need to understand automata, since from then on they were used for most security models. @@ -863,12 +863,12 @@ \item Snapshot of an ACM is the automaton’s state \item Changes of the ACM during system usage are modeled by state transitions of the automaton \item Effects of operations that cause such transitions are described by the state transition function - \item Analyses of right proliferation ($\rightarrow$ privilege escalation) are enabled by state reachability analysis methods + \item Analyses of right proliferation ($\rightarrow$ privilege escalation) are enabled by state reachability analysis methods \end{itemize*} An HRU model is a deterministic automaton $\langle Q,\sum,\delta,q_0 ,R\rangle$ where \begin{itemize*} - \item $Q= 2^S\times 2^O\times M$ is the state space where + \item $Q= 2^S\times 2^O\times M$ is the state space where \begin{itemize*} \item S is a (not necessarily finite) set of subjects, \item O is a (not necessarily finite) set of objects, 
@@ -899,8 +899,8 @@ \item may modify $S_q$ (create a user $x_i$), \item may modify $O_q$ (create/delete a file $x_i$), \item may modify the contents of a matrix cell $m_q(x_i,x_j)$ (enter or remove rights) where $1\leq i,j\leq k$. - \item $\rightarrow$ We also call $\delta$ the state transition scheme (STS) of a model. - \item Historically: "authorization scheme" [Harrison et al., 1976]. + \item[$\rightarrow$] We also call $\delta$ the state transition scheme (STS) of a model. + \item Historically: ,,authorization scheme'' [Harrison et al., 1976]. \end{itemize*} \end{itemize*} @@ -915,7 +915,7 @@ \item $\circ$ is the function composition operator: $(f\circ g)(x)=g(f(x))$ \end{itemize*} - Conditions: Expressions that need to evaluate "true" for state q as a necessary precondition for command $op$ to be executable (= can be successfully called). + Conditions: Expressions that need to evaluate ,,true'' for state q as a necessary precondition for command $op$ to be executable (= can be successfully called). Primitives: Short, formal macros that describe differences between $q$ and $a$ successor state $q'=\sigma(q,\langle op,(x_1 ,...,x_k)\rangle )$ that result from a complete execution of op: \begin{itemize*} 
@@ -932,8 +932,8 @@ How to Design an HRU Security Model: \begin{enumerate*} - \item Model Sets: Subjects, objects, operations, rights $\rightarrow$ define the basic sets $S,O,OP,R$ - \item STS: Semantics of operations (e. g. the future API of the system to model) that modify the protection state $\rightarrow$ define $\sigma$ using the normalized form/programming syntax of the STS + \item Model Sets: Subjects, objects, operations, rights $\rightarrow$ define the basic sets $S,O,OP,R$ + \item STS: Semantics of operations (e. g. the future API of the system to model) that modify the protection state $\rightarrow$ define $\sigma$ using the normalized form/programming syntax of the STS \item Initialization: Define a well-known initial stateq $0 =\langle S_0 ,O_0 ,m_0 \rangle$ of the system to model \end{enumerate*} @@ -957,15 +957,15 @@ \end{itemize*} 2. State Transition Scheme: Effects of operations on protection state \begin{lstlisting}[language=Bash,showspaces=false] - command writeSolution(s,o) ::= if write in m(s,o) - then - enter read into m(s,o); - fi - command readSample(s,o) ::= if read in m(s,o) - then - delete write from m(s,o); - fi - \end{lstlisting} + command writeSolution(s,o) ::= if write in m(s,o) + then + enter read into m(s,o); + fi + command readSample(s,o) ::= if read in m(s,o) + then + delete write from m(s,o); + fi + \end{lstlisting} 3. Initialization \begin{itemize*} \item By model definition: $q_0 =\langle S_0 ,O_0 ,m_0 \rangle$ @@ -980,7 +980,7 @@ \item $m_0(sChris,oChris)=\{write\}$ \item $m_0(s,o)=\varnothing \Leftrightarrow s\not= o$ \end{itemize*} - \item Interpretation: "There is a course with three students, each of whom has their own workspace to which she is allowed to submit (write) a solution." + \item Interpretation: ,,There is a course with three students, each of whom has their own workspace to which she is allowed to submit (write) a solution.'' \end{itemize*} \end{itemize*} 
@@ -1022,12 +1022,12 @@ \end{itemize*} \paragraph{HRU Model Analysis} - Analysis of Right Proliferation $\rightarrow$ The HRU safety problem. + Analysis of Right Proliferation $\rightarrow$ The HRU safety problem. InputSequences \begin{itemize*} - \item ,,What is the effect of an input in a given state?'' $\rightarrow$ a single state transition as defined by $\delta$ - \item ,,What is the effect of an input sequence in a given state?'' $\rightarrow$ a composition of sequential state transitions as defined by $\delta*$ + \item ,,What is the effect of an input in a given state?'' $\rightarrow$ a single state transition as defined by $\delta$ + \item ,,What is the effect of an input sequence in a given state?'' $\rightarrow$ a composition of sequential state transitions as defined by $\delta*$ \end{itemize*} \note{Transitive State Transition Function $\delta^*$:}{Let $\sigma\sigma\in\sum^*$ be a sequence of inputs consisting of a single input $\sigma\in\sum\cup\{\epsilon\}$ followed by a sequence $\sigma\in\sum^*$, where $\epsilon$ denotes an empty input sequence. Then, $\delta^*:Q\times\sum^*\rightarrow Q$ is defined by @@ -1083,10 +1083,10 @@ \begin{itemize*} \item Insights into the operational principles modeled by HRU models \item Demonstrates a method to prove safety property for a particular, given model - \item $\rightarrow$ ,,Proofs teach us how to build things so nothing more needs to be proven.'' (W. E. Kühnhauser) + \item[$\rightarrow$] ,,Proofs teach us how to build things so nothing more needs to be proven.'' (W. E. Kühnhauser) \end{itemize*} - a mono-operational HRU model $\rightarrow$ exactly one primitive for each operation in the STS + a mono-operational HRU model $\rightarrow$ exactly one primitive for each operation in the STS \paragraph{Proof of Theorem - Proof Sketch} \begin{enumerate*} 
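Review bot: On the new input-sequence item, `$\delta*$` typesets as δ followed by a binary star operator, while the transitive state transition function defined in the `\note` directly below is `$\delta^*$`; the item should end with `... as defined by $\delta^*$`. The same `\note` line writes the input alphabet as `\sum`, the summation operator, which in inline math yields a large ∑ with operator spacing; the conventional symbol for an automaton's alphabet is `\Sigma`, and since the notation recurs in the core-model hunks at the end of this diff, a single `\newcommand*{\alphabet}{\Sigma}` in the preamble would fix it in one place.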
@@ -1097,7 +1097,7 @@ \item each input sequence is finite \item there is only a finite number of relevant sequences \end{itemize*} - \item $\rightarrow$ safety is decidable + \item[$\rightarrow$] safety is decidable \end{enumerate*} Proof: @@ -1131,15 +1131,15 @@ \begin{itemize*} \item General (unrestricted) HRU models \begin{itemize*} - \item have strong expressiveness $\rightarrow$ can model a broad range of AC policies + \item have strong expressiveness $\rightarrow$ can model a broad range of AC policies \item are hard to analyze: algorithms and tools for safety analysis \end{itemize*} \item Mono-operational HRU models \begin{itemize*} \item have weak expressiveness $\rightarrow$ goes as far as uselessness (only create files) \item are efficient to analyze: algorithms and tools for safety analysis - \item $\rightarrow$ are always guaranteed to terminate - \item $\rightarrow$ are straight-forward to design + \item[$\rightarrow$] are always guaranteed to terminate + \item[$\rightarrow$] are straight-forward to design \end{itemize*} \end{itemize*} @@ -1168,7 +1168,7 @@ Fixed STS \begin{itemize*} - \item All STS commands are fixed, match particular application domain (e.g. OS access control) $\rightarrow$ no model reusability + \item All STS commands are fixed, match particular application domain (e.g. OS access control) $\rightarrow$ no model reusability \item For Lipton and Snyder [1977]: $safe(q,r)$ decidable in linear time \end{itemize*} @@ -1183,7 +1183,7 @@ \begin{itemize*} \item Restricted model variants often too weak for real-world apps \item General HRU models: safety property cannot be guaranteed - \item $\rightarrow$ get a piece from both: Heuristically guided safety estimation + \item[$\rightarrow$] get a piece from both: Heuristically guided safety estimation \end{itemize*} Idea: 
@@ -1195,13 +1195,13 @@ Outline: Two-phase-algorithm to analyze $safe(q_0,r)$: \begin{enumerate*} - \item Static phase: knowledge from model to make "good" decisions + \item Static phase: knowledge from model to make ,,good'' decisions \begin{itemize*} - \item $\rightarrow$ Runtime: polynomial in model size ($q_0 + STS$) + \item[$\rightarrow$] Runtime: polynomial in model size ($q_0 + STS$) \end{itemize*} \item Simulation phase: The automaton is implemented and, starting with $q_0$, fed with inputs $\sigma=$ \begin{itemize*} - \item $\rightarrow$ For each $\sigma$, the heuristic has to decide: + \item[$\rightarrow$] For each $\sigma$, the heuristic has to decide: \item which operation $op$ to use \item which vector of arguments $x$ to pass \item which $q_i$ to use from the states in $Q$ known so far @@ -1238,14 +1238,14 @@ Conclusions \begin{itemize*} \item Potential right proliferation: Generally undecidable problem - \item $\rightarrow$ HRU model family, consisting of application-tailored, safety-decidable variants - \item $\rightarrow$ Heuristic analysis methods for practical error-finding + \item[$\rightarrow$] HRU model family, consisting of application-tailored, safety-decidable variants + \item[$\rightarrow$] Heuristic analysis methods for practical error-finding \end{itemize*} \paragraph{The Typed-Access-Matrix Model (TAM)} \begin{itemize*} \item AC model, similar expressiveness to HRU - \item $\rightarrow$ directly mapped to implementations of an ACM (DB table) + \item[$\rightarrow$] directly mapped to implementations of an ACM (DB table) \item Better suited for safety analyses: precisely statemodel properties for decidable safety \end{itemize*} 
@@ -1253,7 +1253,7 @@ \begin{itemize*} \item Adopted from HRU: subjects, objects, ACM, automaton \item New: leverage the principle of strong typing (like programming) - \item $\rightarrow$ safety decidability properties relate to type-based restrictions + \item[$\rightarrow$] safety decidability properties relate to type-based restrictions \end{itemize*} How it Works: @@ -1373,7 +1373,7 @@ \includegraphics[width=.5\linewidth]{Assets/Systemsicherheit-acyclic-tam-example.png} - Note: In bar,u is both a parent type (because of $s_1$) and a child type (because of $s_2$) $\rightarrow$ hence the loop edge. + Note: In bar,u is both a parent type (because of $s_1$) and a child type (because of $s_2$) $\rightarrow$ hence the loop edge. Safety Decidability: We call a TAM model acyclic, iff its TCG is acyclic. @@ -1390,8 +1390,8 @@ \begin{itemize*} \item MTAM: obviously same expressive power as monotonic HRU \begin{itemize*} - \item no transfer of rights: "take r ... in turn grant r to ..." - \item no countdown rights: "r can only be used n times" + \item no transfer of rights: ,,take r ... in turn grant r to ...'' + \item no countdown rights: ,,r can only be used n times'' \end{itemize*} \item ORCON: allow to ignore non-monotonic command $s$ from STS since they only remove rights and are reversible \item AMTAM: most MTAM STS may be re-written as acyclic @@ -1405,8 +1405,8 @@ \begin{itemize*} \item Model identity-based AC policies (IBAC) \item Analyze them w.r.t. basic security properties (right proliferation) - \item $\rightarrow$ Minimize specification errors - \item $\rightarrow$ Minimize implementation errors + \item[$\rightarrow$] Minimize specification errors + \item[$\rightarrow$] Minimize implementation errors \item Approach \begin{itemize*} \item Unambiguous policy representation through formal notation 
@@ -1473,7 +1473,7 @@ \item $UA$ and $PA$ describe static policy rules: Roles available to a user are not considered to possibly change, same with permissions associated with a role. \item Sessions $S$ describe dynamic assignments of roles $\rightarrow$ a session $s\in S$ models when a user is logged in(where she may use some role(s) available to her as per $UA$): \begin{itemize*} - \item The session-user-mapping user: $S\rightarrow U$ associates a session with its ("owning") user + \item The session-user-mapping user: $S\rightarrow U$ associates a session with its (,,owning'') user \item The session-roles-mapping roles: $S\rightarrow 2^R$ associates a session with the set of roles currently assumed by that user (active roles) \end{itemize*} \end{itemize*} @@ -1494,7 +1494,7 @@ \note{$RBAC_0$ ACF}{ $f_{RBAC_0}:U \times O\times OP\rightarrow\{true,false\}$ where - $f_{RBAC_0} (u,o,op)= \begin{cases} true, \quad \exists r\in R,s\in S:u=user(s)\wedge r\in roles(s)\wedge \langle \langle o,op\rangle ,r\rangle \in PA \\ false, \quad\text{ otherwise } \end{cases}$ + $f_{RBAC_0} (u,o,op)= \begin{cases} true, \quad \exists r\in R,s\in S:u=user(s)\wedge r\in roles(s)\wedge \langle \langle o,op\rangle ,r\rangle \in PA \\ false, \quad\text{ otherwise } \end{cases}$ } \paragraph{RBAC96 Model Family} @@ -1521,7 +1521,7 @@ \item Hierarchy expressed through dominance relation: $r_1\leq r_2 \Leftrightarrow r_2$ inherits any permissions from $r_1$ \item Interpretation \begin{itemize*} - \item Reflexivity: any role consists of ("inherits") its own permissions + \item Reflexivity: any role consists of (,,inherits'') its own permissions \item Antisymmetry: no two different roles may mutually inherit their respective permissions \item Transitivity: permissions may be inherited indirectly \end{itemize*} 
@@ -1540,7 +1540,7 @@ \begin{itemize*} \item Certain roles may not be active at the same time (same session) for any user \item Certain roles may not be together assigned to any user - \item $\rightarrow$ separation of duty (SoD) + \item[$\rightarrow$] separation of duty (SoD) \item While SoD constraints are a more fine-grained type of security requirements to avoid mission-critical risks, there are other types represented by RBAC constraints. \end{itemize*} Constraint Types @@ -1569,8 +1569,8 @@ \end{itemize*} \item Still weak OS-support \begin{itemize*} - \item $\rightarrow$ application-level integrations - \item $\rightarrow$ middleware integrations + \item[$\rightarrow$] application-level integrations + \item[$\rightarrow$] middleware integrations \end{itemize*} \item Limited dynamic analyses w.r.t. automaton-based models \end{itemize*} @@ -1584,7 +1584,7 @@ \item user IDs, INode IDs, ... only available locally \item roles limited to specific organizational structure; only assignable to users \end{itemize*} - \item $\rightarrow$ Consider application-specific context of an access: attributes of subjects and objects(e. g. age, location, trust level, ...) + \item[$\rightarrow$] Consider application-specific context of an access: attributes of subjects and objects(e. g. age, location, trust level, ...) \end{itemize*} Idea: Generalizing the principle of indirection already known from RBAC @@ -1605,7 +1605,7 @@ \item $f_{IBAC}:S\times O\times OP\rightarrow\{true,false\}$ \item $f_{RBAC}:U\times O\times OP\rightarrow\{true,false\}$ \item $f_{ABAC}:S\times O\times OP\rightarrow\{true,false\}$ - \item $\rightarrow$ Evaluates attribute values for $\langle s,o,op\rangle$ + \item[$\rightarrow$] Evaluates attribute values for $\langle s,o,op\rangle$ \end{itemize*} \paragraph{ABAC Security Model} 
@@ -1678,7 +1678,7 @@ \item s has read permission o $\Leftrightarrow$ information may flow from o to s \item s has write permission o $\Leftrightarrow$ information may flow from s to o \end{itemize*} - \item $\rightarrow$ Implementation by standard AC mechanisms! + \item[$\rightarrow$] Implementation by standard AC mechanisms! \end{itemize*} Analysis of Information Flow Models @@ -1753,7 +1753,7 @@ \item Modeling dynamic behavior: state machine and STS \item Model implementation: ACM \end{itemize*} - \item $\rightarrow$ application-oriented model engineering by composition of known abstractions + \item[$\rightarrow$] application-oriented model engineering by composition of known abstractions \end{itemize*} Idea: @@ -1816,7 +1816,7 @@ \begin{itemize*} \item Supports convenient for model specification \item Supports easy model correctness analysis - \item $\rightarrow$ easy to specify and to analyze + \item[$\rightarrow$] easy to specify and to analyze \end{itemize*} \item m can be directly implemented by standard OS/DBIS access control mechanisms (ACLs, Capabilities) $\rightarrow$ easy to implement \item m is determined (= restricted) by L and cl, not vice-versa @@ -1998,7 +1998,7 @@ \item Different services, different providers, different levels of trust \item Shared resources \item Needed: isolation of services, restricted cross-domain interactions - \item $\rightarrow$ Guarantee of total/limited non-interference between domains + \item[$\rightarrow$] Guarantee of total/limited non-interference between domains \end{itemize*} \paragraph{NI Security Policies} 
@@ -2190,7 +2190,7 @@ \begin{itemize*} \item Write Command: s is allowed to write $o\Leftrightarrow write\in m(s,o)\wedge\forall o'\in O:o'\not=o\Rightarrow\langle s,o'\rangle \not\in H$ \item Why so restrictive? $\rightarrow$ No transitive information flow! - \item $\rightarrow$ s must never have previously consulted any other client! + \item[$\rightarrow$] s must never have previously consulted any other client! \item any consultant is stuck with her client on first read access \end{itemize*} @@ -2221,7 +2221,7 @@ \item ACM (DAC) \item Relations (company conflicts, consultants history) \item Simple ,,read'' and ,,write'' rule - \item $\rightarrow$ easy to implement + \item[$\rightarrow$] easy to implement \end{itemize*} \item Analysis goals \begin{itemize*} @@ -2238,8 +2238,8 @@ \item Consultants are assumed to be trusted \item Systems (processes, sessions, ...) may fail \end{itemize*} - \item $\rightarrow$ Write-rule applied not to humans, but to software agents - \item $\rightarrow$ Subject set S models consultant’s subjects (e.g. processes) in a group model + \item[$\rightarrow$] Write-rule applied not to humans, but to software agents + \item[$\rightarrow$] Subject set S models consultant’s subjects (e.g. processes) in a group model \begin{itemize*} \item All processes of one consultant form a group \item Group members @@ -2263,7 +2263,7 @@ Idea LR-CW: Include time as a model abstraction! \begin{itemize*} \item $\forall s\in S,o\in O$: remember, which information has flown to entity - \item $\rightarrow$ subject-/object-specific history, $\approx$attributes (,,lables'') + \item[$\rightarrow$] subject-/object-specific history, $\approx$attributes (,,lables'') \end{itemize*} \note{LR-CW Model}{The Least-Restrictive model of the CW policy is a deterministic $automaton \langle S,O,F,\zeta,Q,\sigma,\delta,q_0\rangle$ where 
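Review bot: The new arrow item states that "s must never have previously consulted any other client", but the write condition two lines above quantifies over every object `o'` with `o' \neq o`, i.e. it also forbids prior reads of other objects of the same client; either the prose or the formula is looser than the other. If this simplified model has exactly one object per client the two coincide, but the hunk does not show that, so the item should say what the formula says: `\item[$\rightarrow$] s must never have previously read any object other than o (one object per client: any other client)!`. The enclosing `itemize*` environment of this hunk opens before its first line.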
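Review bot: The LR-CW idea item introduced with `\item[$\rightarrow$]` still contains the misspelling "lables" and lacks a space after `$\approx$`; it should read `\item[$\rightarrow$] subject-/object-specific history, $\approx$ attributes (,,labels'')`. The `\note{LR-CW Model}` definition that this item leads into runs past the end of the hunk.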
@@ -2319,7 +2319,7 @@
 \begin{itemize*}
 \item Class of an entity (subject or object) reflects information it carries
 \item Consultant reclassified whenever a company data object is read
- \item $\rightarrow$ Classes and labels:
+ \item[$\rightarrow$] Classes and labels:
 \item Class set of a lattice $C=\{DB,Citi,Shell,Esso\}$
 \item Entity label: vector of information already present in each business branch
 \item In example, a vector consists of 2 elements $\in C$ resulting in labels as:
@@ -2370,33 +2370,33 @@ Core Model (Common Model Core) \begin{itemize*} - \item HRU: $\langle Q, \sum , \delta, q_0 , \not R \rangle$ - \item $DRBAC_0$ : $\langle Q, \sum , \delta, q_0 , \not R, \not P, \not PA \rangle$ - \item DABAC: $\langle \not A , Q ,\sum , \delta, q_0 \rangle$ - \item TAM: $\langle Q , \sum , \delta, q_0 , \not T, \not R \rangle$ - \item BLP: $\langle \not S, \not O, \not L, Q , \sum , \delta, q_0 , \not R \rangle$ - \item NI: $\langle Q , \sum , \delta, \not \lambda ,q_0 , \not D, \not A, \not dom, \not =_{NI} , \not Out \rangle$ - \item $\rightarrow \langle Q ,\sum , \delta, q_0 \rangle$ + \item HRU: $\langle Q, \sum , \delta, q_0 , \not R \rangle$ + \item $DRBAC_0$ : $\langle Q, \sum , \delta, q_0 , \not R, \not P, \not PA \rangle$ + \item DABAC: $\langle \not A , Q ,\sum , \delta, q_0 \rangle$ + \item TAM: $\langle Q , \sum , \delta, q_0 , \not T, \not R \rangle$ + \item BLP: $\langle \not S, \not O, \not L, Q , \sum , \delta, q_0 , \not R \rangle$ + \item NI: $\langle Q , \sum , \delta, \not \lambda ,q_0 , \not D, \not A, \not dom, \not =_{NI} , \not Out \rangle$ + \item $\rightarrow \langle Q ,\sum , \delta, q_0 \rangle$ \end{itemize*} Core Specialization \begin{itemize*} - \item HRU: $\langle Q, \sum , \delta, q_0 , R \rangle \Rightarrow Q = 2^S \times 2^O \times M$ - \item $DRBAC_0$ : $\langle Q, \sum , \delta, q_0 , R, P, PA \rangle \Rightarrow Q = 2^U\times 2^{UA}\times 2^S \times USER \times ROLES$ - \item DABAC: $\langle A , Q ,\sum , \delta, q_0 \rangle \Rightarrow Q = 2^S\times 2^O \times M\times ATT$ - \item TAM: $\langle Q , \sum , \delta, q_0 , T, R \rangle \Rightarrow Q = 2^S\times 2^O\times TYPE \times M$ - \item BLP: $\langle S, O, L, Q , \sum , \delta, q_0 , R \rangle \Rightarrow Q = M \times CL$ - \item NI: $\langle Q , \sum , \delta, \lambda ,q_0 , D, A, dom, =_{NI} , Out \rangle$ + \item HRU: $\langle Q, \sum , \delta, q_0 , R \rangle \Rightarrow Q = 2^S \times 2^O \times M$ + \item $DRBAC_0$ : $\langle Q, \sum , 
\delta, q_0 , R, P, PA \rangle \Rightarrow Q = 2^U\times 2^{UA}\times 2^S \times USER \times ROLES$ + \item DABAC: $\langle A , Q ,\sum , \delta, q_0 \rangle \Rightarrow Q = 2^S\times 2^O \times M\times ATT$ + \item TAM: $\langle Q , \sum , \delta, q_0 , T, R \rangle \Rightarrow Q = 2^S\times 2^O\times TYPE \times M$ + \item BLP: $\langle S, O, L, Q , \sum , \delta, q_0 , R \rangle \Rightarrow Q = M \times CL$ + \item NI: $\langle Q , \sum , \delta, \lambda ,q_0 , D, A, dom, =_{NI} , Out \rangle$ \end{itemize*} Core Extensions \begin{itemize*} - \item HRU: $\langle Q, \sum , \delta, q_0 , R \rangle \Rightarrow R$ - \item $DRBAC_0$ : $\langle Q, \sum , \delta, q_0 , R, P, PA \rangle \Rightarrow R,P,PA$ - \item DABAC: $\langle A , Q ,\sum , \delta, q_0 \rangle \Rightarrow A$ - \item TAM: $\langle Q , \sum , \delta, q_0 , T, R \rangle \Rightarrow T,R$ - \item BLP: $\langle S, O, L, Q , \sum , \delta, q_0 , R \rangle \Rightarrow S,O,L,R$ - \item NI: $\langle Q , \sum , \delta, \lambda ,q_0 , D, A, dom, =_{NI} , Out \rangle \Rightarrow \lambda,D,A,dom,=_{NI},Out$ + \item HRU: $\langle Q, \sum , \delta, q_0 , R \rangle \Rightarrow R$ + \item $DRBAC_0$ : $\langle Q, \sum , \delta, q_0 , R, P, PA \rangle \Rightarrow R,P,PA$ + \item DABAC: $\langle A , Q ,\sum , \delta, q_0 \rangle \Rightarrow A$ + \item TAM: $\langle Q , \sum , \delta, q_0 , T, R \rangle \Rightarrow T,R$ + \item BLP: $\langle S, O, L, Q , \sum , \delta, q_0 , R \rangle \Rightarrow S,O,L,R$ + \item NI: $\langle Q , \sum , \delta, \lambda ,q_0 , D, A, dom, =_{NI} , Out \rangle \Rightarrow \lambda,D,A,dom,=_{NI},Out$ \item $\rightarrow R, P, PA, A , T , S , O , L , D , dom , =_{NI} , ...$ \end{itemize*} 
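Review bot: Every automaton tuple on the new side of this hunk writes the input alphabet as `\sum`, which is the summation operator and typesets as a large operator with operator spacing rather than as the letter Σ; the intended symbol is `\Sigma`, so e.g. `\item HRU: $\langle Q, \Sigma, \delta, q_0, \not R \rangle$`, applied to all three lists. The same substitution is needed in the $DRBAC_0$ example of the following hunk (`$DRBAC_0 = ⟨ Q , \sum, \delta, q_0 , R , P , PA ⟩$`), which additionally uses literal Unicode angle brackets where this hunk uses `\langle`/`\rangle`; whether pdfLaTeX accepts those characters depends on the input-encoding setup, which I cannot see, so normalising them to `\langle`/`\rangle` is the safe choice. The struck-out components rely on `\not R`, which is meant for negating relation symbols and merely overlays a slash on the letter; if the `cancel` package is (or can be) loaded, `\cancel{R}` gives the intended crossing-out — the preamble is not visible here to confirm. The hunk re-indents these lines only, so the fix would fit naturally into it.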
@@ -2435,11 +2435,11 @@ Approach \begin{itemize*} \item Abstraction level: Step stone between model and security mechanisms - \item $\rightarrow$ More concrete than models - \item $\rightarrow$ More abstract than programming languages (,,what'' instead of ,,how'') + \item[$\rightarrow$] More concrete than models + \item[$\rightarrow$] More abstract than programming languages (,,what'' instead of ,,how'') \item Expressive power: Domain-specific, for representing security models only - \item $\rightarrow$ Necessary: adequate language paradigms - \item $\rightarrow$ Sufficient: not more than necessary (no dead weight) + \item[$\rightarrow$] Necessary: adequate language paradigms + \item[$\rightarrow$] Sufficient: not more than necessary (no dead weight) \end{itemize*} Domains 
@@ -2448,42 +2448,1449 @@ \item Implementation domain (OS, Middleware, Applications) \end{itemize*} + \subsubsection{DYNAMO: A Dynamic-Model-Specification Language} + formerly known as ,,CorPS: Core-based Policy Specification Language'' + + Language Domain: RBAC models ($RBAC_{0-3},DRBAC_{0-3}, DABAC$ (with restrictions)) + + Language Paradigms: Abstractions of (D)RBAC models + \begin{itemize*} + \item Users, roles, permissions, sessions + \item State transition scheme (STS) + \end{itemize*} + + Language Features: Re-usability and inheritance + \begin{itemize*} + \item Base Classes: Model family (e.g. $DRBAC_0 , DRBAC_1 , ...$) + \item Policy Classes: Inherit definitions from Base Classes + \end{itemize*} + + DYNAMO compiler(,,corps2cpp''): Translates specification into + \begin{itemize*} + \item XML $\rightarrow$ analysis by WORSE algorithms + \item C++ classes $\rightarrow$ integration into TCB + \end{itemize*} + + Example: Specification of a $DRBAC_0$ Model + \begin{itemize*} + \item $DRBAC_0 = RBAC_0 + Automaton \rightarrow$ + \item $RBAC_0 = ⟨ U , R , P , S , UA , PA , user , roles ⟩$ + \item $DRBAC_0 = ⟨ Q , \sum, \delta, q_0 , R , P , PA ⟩$ + \item $Q = 2^U \times 2^S \times 2^{UA}\times ...$ + \end{itemize*} - \subsection{Model Specification } - \subsubsection{CorPS} \subsubsection{SELinux Policy Language} - \subsection{Summary} + Language Domain I/R/A-BAC models, IF(NI) models + + Model Domain: BAC, MLS, NI + + Application Domain: OS-level security policies + + Implementation Domain: Operating systems access control + + Language paradigms + \begin{itemize*} + \item OS Abstractions: Users, processes, files, directories, sockets, pipes, ... + \item model paradigms: Users, rights, roles, types, attributes, ... 
+ \end{itemize*} + + Tools + \begin{itemize*} + \item Specification: Policy creating and validation + \item Policy compiler: Translates policy specifications + \item Security server: Policy runtime environment (RTE) in OS kernel’s security architecture + \item LSM hooks: Support policy enforcement in OS kernel’s security architecture + \end{itemize*} + + Technology + \begin{itemize*} + \item Policy compiler $\rightarrow$ translates specifications into loadable binaries + \item Security architecture $\rightarrow$ implementation of Flask architecture + \end{itemize*} + + %Fundamental Flask Security Architecture as found in SELinux: + %\includegraphics[width=\linewidth]{Assets/Systemsicherheit-fundamental-flask.png) + + Basic Language Concepts + \begin{itemize*} + \item Definition of types (a.k.a. ,,domains'') + \item Labeling of subjects (e.g. processes) with ,,domains'' $\rightarrow passwd_t$ + \item Labeling of objects (e.g. files, sockets) with ,,types'' $\rightarrow shadow_t$ + \item AC: defined by permissions between pairs of types + \item Dynamic interactions: transitions between domains + \end{itemize*} + + Policy Rules + \begin{itemize*} + \item Grant permissions: allow rules + \item Typical domains: $user_t$, $bin_t$, $passwd_t$, $insmod_t$, $tomCat_t$, ... + \item Classes: OS abstractions (process, file, socket, ...) + \item Permissions: read, write, execute, getattr, signal, transition, ... 
+ \end{itemize*} + + The Model Behind: 3 Mappings + \begin{itemize*} + \item Classification $cl : S\cup O \rightarrow$ C where C $=\{process, file, dir, ...\}$ + \item Types $type: S\cup O \rightarrow$ T where T $=\{ user_t , passwd_t , bin_t , ...\}$ + \item Access Control Function ( Type Enforcement) $te : T\times T \times C \rightarrow 2^R$ + \item $\rightarrow ACM : T\times( T \times C ) \rightarrow 2^R$ + \end{itemize*} + + \paragraph{Idea only: SELinux RBAC} + Users and Roles + \begin{itemize*} + \item User ID assigned on login + \item RBAC rules confine type associations ,,Only users in role $doctor_r$ may transit to domain $edit-epr_t$'' + \item[$\rightarrow$] fine-grained domain transitions + \item[$\rightarrow$] Attributes in SELinux-style RBAC: User ID, Role ID + \item Specification $\rightarrow$ Tool $\rightarrow$ Binary $\rightarrow$ Security Server + \end{itemize*} + + Model abstractions + \begin{itemize*} + \item TE: MAC rules based on types + \item ABAC:MAC rules based on attributes + \item RBAC: MAC rules based on roles + \item Additionally: BLP-style MLS + \end{itemize*} + + Other Policy Specification Languages + \begin{itemize*} + \item XACML ( eXtensibleAccess Control Markup Language ) + \item NGAC ( Next Generation Access Control Language ) + \item SEAL (Label-based AC policies) + \item Ponder (Event-based condition/action rules) + \item GrapPS (Graphical Policy Specification Language) + \item GemRBAC (Role-based AC models) + \item PTaCL (Policy re-use by composition) + \end{itemize*} + + \subsubsection{Summary} + Security Models in Practice + \begin{itemize*} + \item Model abstractions + \begin{itemize*} + \item Subjects, objects, rights + \item ACMs and state transition schemes + \item Types, roles, attributes + \item Information flow, non-interference domains + \end{itemize*} + \item Model languages + \begin{itemize*} + \item Sets, functions, relations, lattices/IFGs + \item Deterministic automata + \end{itemize*} + \item Model engineering + 
\begin{itemize*} + \item Generic model core + \item Core specialization and extension + \end{itemize*} + \end{itemize*} \section{Security Mechanisms} + Security Models Implicitly Assume + \begin{itemize*} + \item Integrity of model implementation + \begin{itemize*} + \item Model state + \item Authorization scheme + \end{itemize*} + \item Integrity of model operations call + \begin{itemize*} + \item Parameters of authorization scheme ops + \item Completeness and total mediation of their invocation + \end{itemize*} + \item AC, IF: no covert chanels + \item NI: Rigorous domain isolation + \item ... $\rightarrow$ job of the ,,Trusted Computing Base'' (TCB) of an IT system + \end{itemize*} + + \note{Trusted Computing Base (TCB)}{The set of functions of an IT system that are necessary and sufficient for implementing its security properties $\rightarrow$ Isolation, Policy Enforcement, Authentication ...} + + \note{Security Architecture}{The part of a system’s architecture that implement its TCB $\rightarrow$ Security policies, Security Server (PDP) and PEPs, authentication components, ...} + + \note{Security Mechanisms}{Algorithms and data structures for implementing functions of a TCB $\rightarrow$ Isolation mechanisms, communication mechanisms, authentication mechanisms, ...} + + $\rightarrow$ TCB - runtime environment for security policies + + \begin{itemize*} + \item (some) TCB functions are integrated in today's commodity OSes + \begin{itemize*} + \item Isolation + \item Subject/object authentication + \end{itemize*} + \item Complex models additionally require implementation of + \begin{itemize*} + \item Authorization schemes + \item Roles, lattices, attributes + \item[$\rightarrow$] stronger concepts and mechanisms + \item OS level: Security Server (SELinux, OpenSolaris) + \item Middleware level: Policy Objects (CORBA, DBMSs) + \item Application level: user level reference monitors (Flume), user level policy servers (SELinux) + \end{itemize*} + \end{itemize*} + + 
Security mechanisms: A Visit in the Zoo: ... + \begin{itemize*} + \item In OSes + \begin{itemize*} + \item Authenticity + \begin{itemize*} + \item Of subjects: login + \item Of objects: object management, e.g. file systems + \end{itemize*} + \item Confidentiality and integrity: Access control lists + \end{itemize*} + \item In middleware layer (DBMSs, distributed systems) + \begin{itemize*} + \item Authentication server (e.g. Kerberos AS) or protocols (e.g. LDAP) + \item Authorization: Ticket server (e.g. Kerberos TGS) + \end{itemize*} + \item In libraries and utilities + \begin{itemize*} + \item Confidentiality, integrity, authenticity + \begin{itemize*} + \item Cryptographic algorithms + \item Certificate management for PKIs + \item Isolation (Sandboxing) + \end{itemize*} + \end{itemize*} + \end{itemize*} + \subsection{Authorization} - \subsubsection{Access Control Lists} - \subsubsection{Capability Lists} + Lampson, HRU, RBAC, ABAC, BLP, CW $\rightarrow$ ACMs + + \subsubsection{Access Control Lists und Capability Lists} + Lampson’s ACM: Sets $S$, $O$, $R$ and ACM $m: S\times O\rightarrow 2^R$ + % | m | o_1 | o_2 | o_3 | ... | o_m | + % | --- | --- | ----- | ----- | --- | --- | + % | s_1 | + % | s_2 | | | {r,w} | + % | s_3 | | {r,w} | + % | ... | | | | | {w} | + % | s_n | + + Properties of an ACM + \begin{itemize*} + \item Large (e.g. ,,normal'' file server: $|m| >> 1$ TByte) + \item Sparsely populated + \item Subject and object identifications in OSes generally are + \begin{itemize*} + \item Not numerical + \item Not consecutive + \end{itemize*} + \item Rows and columns are created and destroyed dynamically + \end{itemize*} + + Idea: Distributed ACM Implementation + \begin{enumerate*} + \item Split matrix into vectors; Column/Row vectors + \item Attach vectors to subjects resp. objects + \end{enumerate*} + \begin{itemize*} + \item Column vectors + \begin{itemize*} + \item Describe every existing right wrt. 
an object + \item vector associated to object, part of object‘s metadata + \item[$\rightarrow$] Access control lists (ACLs) + \end{itemize*} + \item Row vectors + \begin{itemize*} + \item Describe every existing right wrt. a subject + \item Associated to its subject, part of subject‘s metadata + \item[$\rightarrow$] capability lists + \end{itemize*} + \end{itemize*} + + ACLs + \begin{itemize*} + \item Associated to exactly one object + \item Describes every existing right wrt. object by a set of tuples (object identification, right set) + \item Implemented e.g. as list, table, bitmap + \item Part of object‘s metadata (generally located in inode) + \end{itemize*} + + \paragraph{Operations on ACLs} + Create and Delete an ACL + \begin{itemize*} + \item Together with creation and deletion of an object + \item Options for initialization + \begin{itemize*} + \item Initial rights are create operation parameters $\rightarrow$ discretionary access control + \item Initial rights issued by third party$\rightarrow$ mandatory access control + \end{itemize*} + \end{itemize*} + + Modify an ACL + \begin{itemize*} + \item Add or remove tuples (subject identification, right set) + \item Owner has right to modify ACL $\rightarrow$ implements discretionary access control + \item Third party has right to modify ACL $\rightarrow$ implements mandatory access control + \item Right to modify ACL is part of ACL $\rightarrow$ universal + \end{itemize*} + + Check Rights + \begin{itemize*} + \item Whenever an object is accessed + \item Search granting tuple in ACL + \end{itemize*} + + Negative Rights + \begin{itemize*} + \item Dominate positive rights + \item represented by tuples (subject identification, negative rights set) + \item Rights of subject: difference of positive and negative rights + \end{itemize*} + + \paragraph{Example: ACLs in Unix} + \begin{tabular}{c | c | c| c} + & read & write & exec \\\hline + owner & y & y & n \\ + group & y & n & n \\ + others & n & n & n + \end{tabular} 
+ \begin{itemize*} + \item 3 elements per list list, 3 elements per right set + \item[$\rightarrow$] 9 bits coded in 16-bit-word (PDP 11, 1972) + \end{itemize*} + + \paragraph{Operations on Capability Lists} + Create and Delete + \begin{itemize*} + \item Together with creation and deletion of a subject + \item Initial rights same as parent $\rightarrow$ inherited + \item Constraints by + \begin{itemize*} + \item Parent $\rightarrow$ discretionary access control + \item Capability $\rightarrow$ mandatory access control + \end{itemize*} + \end{itemize*} + + Modification: Add or remove tuples (object identification, right set) + + Passing on Capabilities, options: + \begin{itemize*} + \item Emission and call-back by capability owner $\rightarrow$ discretionary access control + \item Emission and call-back by third party $\rightarrow$ mandatory access control + \item Emission and call-back controlled by capability itself $\rightarrow$ universal + \end{itemize*} + + \paragraph{$\delta s$ in Administration} + ACLs: Located near objects $\rightarrow$ finding all rights of a subject expensive + + Example BLP: re-classification of a subject $\rightarrow$ update every ACL with rights of this subject + + Group models; e.g. + \begin{itemize*} + \item BLP: subjects with same classification + \item Unix: subjects belonging to project staff + \end{itemize*} + + Role models (role: set of rights); e.g. + \begin{itemize*} + \item BLP: set of rights wrt. 
objects with same classification + \end{itemize*} + + \paragraph{$\delta s$ in Distributed Systems} + Non-distributed Systems: Management and protection of + \begin{itemize*} + \item subject ids and ACLs in trustworthy OS kernel + \item capability lists in trustworthy OS kernel + \end{itemize*} + + Distributed Systems + \begin{itemize*} + \item No encapsulation of subject ids and ACLs in a single trustworthy OS + \item No encapsulation of capability lists in a single trustworthy OS kernel + \begin{itemize*} + \item Authentication of subjects and management of capabilities on subject’s system + \item Transfer of subject id and capabilities via open communication system + \item Checking of capabilities and subject ids on object’s system + \end{itemize*} + \end{itemize*} + + Vulnerabilities and Counteractions + \begin{itemize*} + \item Subject’s system may fake subject ids + \item Consequence: Reliable subject authentication required $\rightarrow$ authentication architectures (e.g. Kerberos) + \item Non-trustworthy subject systems modify capabilities + \begin{itemize*} + \item[$\rightarrow$] cryptographic sealing of capabilities such that + \item Issuer can be determined + \item Modification can be detected + \item sealing e.g. by digital signatures + \end{itemize*} + \item Non-trustworthy subject systems pass capabilities to third parties or Capabilities are copied by third parties while in transit $\rightarrow$ personalized capabilities + \item Exploit stolen capabilities by ntw. 
subject system by forging subject id + \begin{itemize*} + \item[$\rightarrow$] cryptographically sealed personalized capabilities + \item[$\rightarrow$] reliable subject authentication required + \item[$\rightarrow$] authentication architectures + \end{itemize*} + \end{itemize*} + + \paragraph{Expressive Power of ACLs and Capability Lists} + \begin{itemize*} + \item Efficient data structures for implementing ACMs/ACFs + \item Located in OSs, middleware, DBMSe, application systems + \item Correctness, tamperproofness, total S/O interaction mediation vital for enforcing access control $\rightarrow$ implementation by strong architectural principles + \item Assume reliable authentication of subjects and objects $\rightarrow$ support by further security mechanisms + \item Are too weak to implement complex security policies + \item Not sufficient for implementing more complex security policies $\rightarrow$ Authorization schemes + \end{itemize*} + \subsubsection{Interceptors} - \subsubsection{Summary} - \subsection{Cryptographic Mechanisms} - \subsubsection{Encryption} - \paragraph{Symmetric} - \paragraph{Asymmetric} - \subsubsection{Cryptographic Hashing} + Policy implementation by algorithms instead of lists + \begin{itemize*} + \item Tamperproof runtime environments for security policies + \item In total control of subject/object interactions + \begin{itemize*} + \item Observation + \item Modification + \item Prevention + \end{itemize*} + \end{itemize*} + + General Architectural Principle: Separation of + \begin{itemize*} + \item (Replaceable) strategies + \item (Strategy-independent) mechanisms + \end{itemize*} + + Applied to Interceptors $\rightarrow$ 2 Parts + \begin{itemize*} + \item Runtime environment for security policies (strategies) + \begin{itemize*} + \item often called ,,policy decision point'' (PDP) + \end{itemize*} + \item Interception points (mechanisms) + \begin{itemize*} + \item often called ,,policy enforcement points'' (PEP) + \end{itemize*} + 
\end{itemize*} + + Summary + \begin{itemize*} + \item RTE for security policies in policy-controlled systems + \begin{itemize*} + \item SELinux: ,,Policy Server'' + \item CORBA: ,,Policy Objects'' + \end{itemize*} + \item Architecture: separation of responsibilities + \item Strategic component State and authorization scheme + \item Policy enforcement: total policy entities interaction mediation + \item Generality: implement a broad scope of policies (all generally computable) + \begin{itemize*} + \item[$\rightarrow$] rules based on checking digital signatures + \item[$\rightarrow$] interceptor checks/implements encryption + \end{itemize*} + \end{itemize*} + + \subsection{Cryptographic Security Mechanisms} + Encryption + \begin{itemize*} + \item Transformation of a plaintext into a ciphertext + \item Decryption possible only if decrypt algorithm is known + \end{itemize*} + + Cryptosystem Components + \begin{itemize*} + \item 2 functions encrypt, decrypt + \item 2 keys k1, k2 + \item $text = decrypt_{k2}(encrypt_{k1}(text))$ or simply + \item $text = \{\{text\}_{k1}\}_{k2}$ (if encryption function is obvious) + \item Symmetric schemes (secret key): one single key: $k1=k2$ + \item Asymmetric schemes (public key): two different keys: $K1\not=K2$ + \end{itemize*} + + \paragraph{Kerkhoff’s Principle} + \begin{enumerate*} + \item Encryption functions (algorithms) are publicly known + \begin{itemize*} + \item[$\rightarrow$] many experts look at it + \item[$\rightarrow$] quality advantage assumed + \end{itemize*} + \item Keys are secret + \begin{itemize*} + \item[$\rightarrow$] encryption security depends on + \item Properties of algorithms + \item Confidentiality of keys + \end{itemize*} + \end{enumerate*} + + \paragraph{Symmetric Encryption Schemes} + \begin{itemize*} + \item Encryption and decryption with same key + \item[$\rightarrow$] security based on keeping key secret + \item Example: shift letters of a ciphertext forward by K positions + \end{itemize*} + + 
Application Examples + \begin{enumerate*} + \item Confidentiality of Communication (Assumptions) + \begin{itemize*} + \item Sender and receiver share key k , which has to be established before communication, Authentically, Confidentially + \item Nobody else must know $k(secretkey)$ + \end{itemize*} + \item Authentication: client to server (by shared secret key) + \begin{itemize*} + \item Each client shares an individual and secret key $k_{client}$ with server + \item Server and clients keep key secret + \item Server reliably generates a nonce (=never sent once before ) + \end{itemize*} + \item Sealing of Documents, e.g. Capabilities + \begin{itemize*} + \item 1 key owner $\rightarrow$ owner may + \begin{itemize*} + \item seal document + \item check whether seal is sound + \end{itemize*} + \item Group of key owners $\rightarrow$ each group membermay + \begin{itemize*} + \item Seal document + \item Check whether seal was impressed by group member + \item[$\rightarrow$] nobody in this group can prove it was him + \end{itemize*} + \item Outside the group $\rightarrow$ nobody can do any of these things + \end{itemize*} + \end{enumerate*} + + Algorithms: Block and Stream Ciphers + \begin{itemize*} + \item Block cipher + \begin{itemize*} + \item Decompose plaintext into blocks of equal size (e.g. 64 bits) + \item Encrypt each block + \item e.g. Data Encryption Standard (DES) obsolete since 1998 + \item e.g. Advanced Encryption Standard (AES) (128bits length) + \end{itemize*} + \item Stream cipher + \begin{itemize*} + \item Encrypt each digit of a plaintext stream by a cipher digit stream (e.g. 
by XOR) + \item Cipher digit stream: pseudo-random digit stream + \end{itemize*} + \end{itemize*} + + \paragraph{Asymmetric Encryption Schemes} + Encryption and decryption with different keys + \begin{itemize*} + \item[$\rightarrow$] key pair $(k1,k2) = (k_{pub} , k_{sec})$ where + \item $decrypt_{k_{sec}} ( encrypt_{k_{pub}} (text)) = text$ + \item $k_{pub}$: public key + \item $k_{sec}$: private (secret) key + \item Conditio sine qua non: Secret key not computable from public key + \end{itemize*} + + Application Examples + \begin{enumerate*} + \item Confidentiality of Communication (compare symmetric encryption schemes) + \begin{itemize*} + \item Sender shares no secret with receiver $\rightarrow$ No trust between sender and receiver necessary + \item Sender must know public key of receiver $\rightarrow$ public-key-Infrastructures (PKIs) containing key certificates + \end{itemize*} + \item Authentication: using public key + \begin{itemize*} + \item Each client owns an individual key pair ( $k_{pub}, k_{sec}$ ) + \item Server knows public keys of clients (PKI) + \item Clients are not disclosing secret key + \item Server reliably generates nonces + \item Properties + \begin{itemize*} + \item Client and server share no secrets + \item No key exchange before communication + \item No mutual trust required + \item But: sender must know public key of receiver + \item[$\rightarrow$] PKIs + \end{itemize*} + \end{itemize*} + \item Sealing of Documents, compare sealing using secret keys + \begin{itemize*} + \item $\exists$ just 1 owner of secret key + \item[$\rightarrow$] only she may seal contract + \item Knowing her public key, + \begin{itemize*} + \item[$\rightarrow$] everybody can check contract’s authenticity + \item[$\rightarrow$] everybody can prove that she was the sealer + \item[$\rightarrow$] repudiability: digital signatures + \end{itemize*} + \end{itemize*} + \end{enumerate*} + + Consequence of Symmetric vs. 
Asymmetric Encryption + \begin{itemize*} + \item[Sym] shared key, integrity and authenticity can be checked only by key holders $\rightarrow$ message authentication codes (MACs) + \item[Asym] integrity and authenticity can be checked by anyone holding public key (only holder of secret key could have encrypted the checksum) $\rightarrow$ digital signatures + \end{itemize*} + + Key Distribution for Symmetric Schemes + \begin{itemize*} + \item Asymmetric encryption is expensive + \item Key pairs generation (High computational costs, trust needed) + \item Public Key Infrastructures needed for publishing public keys + \begin{itemize*} + \item Worldwide data bases with key certificates, certifying + \item Certification authorities + \end{itemize*} + \item[$\rightarrow$] Use asymmetric key for establishing communication + \begin{itemize*} + \item Mutual authentication + \item Symmetric key exchange + \end{itemize*} + \item Use symmetric encryption for communication + \end{itemize*} + + \paragraph{RSA Cryptosystem (Rivest/Shamir/Adleman)} + Attractive because $encrypt=decrypt$: $decrypt_{k_{sec}}(encrypt_{k_{pub}}(Text))$ und $decrypt_{k_{pub}}(encrypt_{k_{sec}}(Text))$ $\rightarrow$ universal: + \begin{enumerate*} + \item Confidentiality + \item Integrity and authenticity (non repudiability, digital signatures) + \end{enumerate*} + For $n\in\mathbb{N}$ we search 2 primes $p$ and $q$ such that $n=p*q$ + \begin{itemize*} + \item[$\rightarrow$] hard problem because for factorization, prime numbers are needed + \item There are many of them, approx. 
$7*10^{151}$ + \item Finding them is extremely expensive: Sieve of Eratosthenes + \begin{itemize*} + \item Memory $O(n)\rightarrow$ 12-digit primes $\sim 4$ Terabyte + \item 64 digits: more memory cells than atoms in Solar system + \end{itemize*} + \item Optimization: Atkin’s Sieve, $O(n^{1/2+O(1)})$ + \item Until today, no polynomial factorization algorithm is known + \item Until today, nobody proved that such algorithm cannot exist... + \end{itemize*} + Precautions in PKIs: Prepare for fast exchange of cryptosystem + + \subsubsection{Cryptographic Hash Functions} + Discover violation of integrity of data, so that integrity of information is maintained. + \begin{itemize*} + \item Checksum generation by cryptographic hash functions + \item Checksum encryption + \item Integrity check by + \begin{itemize*} + \item Generating a new checksum + \item Decryption of encrypted checksum + \item Comparison of both values + \end{itemize*} + \end{itemize*} + + Method of Operation: Map data of arbitrary length to checksum of fixed length such that $Text1 \not= Text2 \Rightarrow hash(Text1) \not= hash(Text2)$ with high probability + + Algorithms + \begin{itemize*} + \item 160 - Bit checksums: RIPEMD-160 (obsolete since 2015) + \item Secure Hash Algorithm (SHA-1, published NIST 1993) + \item Larger Checksums: SHA-256, SHA-384, SHA-512 + \item 128-Bit: Message Digest (MD5 (1992)) (no longer approved) + \item MD5: belongs to IPsec algorithm group, used also in SSL + \end{itemize*} + \subsubsection{Digital Signatures} + \begin{itemize*} + \item To assert author of a document (signer) $\rightarrow$ Authenticity + \item To discover modifications after signing $\rightarrow$ Integrity + \item[$\rightarrow$] non-repudiability + \end{itemize*} + + Approach + \begin{itemize*} + \item Create signature + \begin{itemize*} + \item Integrity: create checksum $\rightarrow$ cryptographic hash function + \item Authenticity: encrypt checksum $\rightarrow$ use private key of signer + \end{itemize*} 
+ \item check signature + \begin{itemize*} + \item Decrypt checksum using public key of signer + \item Compare result with newly created checksum + \end{itemize*} + \end{itemize*} + \subsubsection{Cryptographic Attacks} + \paragraph{Ciphertext Only Attacks (weakest assumptions)} + \begin{itemize*} + \item Known: ciphertext $CT$ + \item Wanted: plaintext $T$, $Ke$, $Kd$, algorithm + \item Typical assumptions + \begin{itemize*} + \item $CT$ was completely generated by one $Ke$ + \item Known algorithm + \item Observation of packet sequences in networks + \item Listening into password-based authentication with encrypted passwords + \end{itemize*} + \end{itemize*} + + \paragraph{Known Plaintext Attacks} + \begin{itemize*} + \item Known: $T$ and $CT$ (respectively parts thereof) + \item Wanted: $Ke$, $Kd$, algorithm + \item Listening into challenge/response protocols + \begin{itemize*} + \item Server $\rightarrow$ Client: nonce + \item Client $\rightarrow$ Server: $\{nonce\}_{Ke}$ + \end{itemize*} + \item countermeasure often: Client $\rightarrow$ Server:$\{nonce + Time\}_{Ke}$ + \end{itemize*} + + \paragraph{Chosen Plaintext Attacks} + \begin{itemize*} + \item Known: $T$ and $CT$ where $T$ can be chosen by attacker, $CT$ observable + \begin{itemize*} + \item attacker $\rightarrow X:T$ + \item $X\rightarrow attacker:CT(=\{T\}_{Ke})$ + \end{itemize*} + \item Wanted: $Ke, Kd$ (algorithm often known) + \item Authentication in challenge/response protocols + \begin{itemize*} + \item Attacker (malicious server) tries to find client’s private key + \item sends tailored nonces + \end{itemize*} + \item Authentication by chosen passwords + \begin{itemize*} + \item Attacker tries to find login password + \item Generates passwords and compares their encryptions with password data base + \end{itemize*} + \end{itemize*} + + \paragraph{Chosen Ciphertext Attacks} + \begin{itemize*} + \item Known: $T,CT$ and $Kd$ where $CT$ can be chosen and $T$ can be computed from $CT$ + \item wanted: 
$Ke$ + \item[$\rightarrow$] successful attacks allow forging digital signatures + \item Attack by + \begin{itemize*} + \item (within limits) Servers while authenticating clients + \item (within limits) Observers of such authentications + \item In a PK cryptosystem: Everybody knowing $Kd$ (the whole world) + \end{itemize*} + \end{itemize*} + + Goals of Cryptographic Algorithms + \begin{itemize*} + \item To provide security properties such as + \begin{itemize*} + \item Integrity, confidentiality, non-repudiability + \item Of communication + \item Of resources such as files, documents, program code + \end{itemize*} + \item Especially: implement assumptions made by security models, such as + \begin{itemize*} + \item Authenticity, integrity, confidentiality of + \item Model entities (subjects, objects, roles, attributes) + \item Model implementations + \end{itemize*} + \end{itemize*} + + Beware: Many Pitfalls! + \begin{itemize*} + \item Weaknesses of mathematical foundations $\rightarrow$ unproved assumptions + \item Weaknesses of algorithms $\rightarrow$ cryptographic attacks + \item Weaknesses of key generation $\rightarrow$ e.g. weak prime numbers + \item Weaknesses of mechanism use $\rightarrow$ co-existence of mechanisms + \end{itemize*} + \subsection{Identification and Authentication} + To reliably identify people, systems,\dots .Required e.g. 
by + \begin{itemize*} + \item IBAC policies + \item RBAC policies (User-to-role association) + \item ABAC policies (Assignment of attributes to subjects and objects) + \item MLS policies (Assignment of classes to subjects and objects) + \end{itemize*} + + Approaches: Proof of identity by + \begin{itemize*} + \item By proving knowledge of simple secret $\rightarrow$ passwords + \item By biophysicproperties $\rightarrow$ biometrics + \item By proving knowledge of simple secret $\rightarrow$ cryptographic protocols + \end{itemize*} + \subsubsection{Passwords} + \begin{itemize*} + \item Used For: Authentication of humans to IT systems + \item Verified Item: Knowledge of simple secret + \item Convenient + \item Easy to guess / compute (RainbowCrack: $104*10^9$ hash/second) + \begin{itemize*} + \item[$\rightarrow$] password generators + \item[$\rightarrow$] password checkers (min. 8 chars, ...) + \end{itemize*} + \item Easy to compute $\rightarrow$ longpasswords + \item Problem of careless handling (password on post-it) + \item Input can easily be observed (see EC PINs) + \item Trust in system necessary, secret is exposed (EC-PINs) + \item Fundamental requirement in distributed systems + \item[$\rightarrow$] Confidential communication with authenticating system + \end{itemize*} + + Storing the Secret at 2 parties + \begin{itemize*} + \item Principal: Bio-mem, key store, memo, plaintext + \item Authentication service + \begin{itemize*} + \item Local data base, file (,,/etc/passwd'', ,,/etc/shadow'') + \item Distributed systems: centralized directory (LDAP server) + \item Encrypted by one-way function + \item Password-DB (principal, hash(password) ) + \end{itemize*} + \end{itemize*} + \subsubsection{Biometrics} + \begin{itemize*} + \item Used For: Authentication of humans to IT systems + \item Verified Items: Individual properties like voice, hand/retina, finger + \item Verification: By comparing probe with reference pattern + \item Pros: (prospectively) Difficult to 
counterfeit + \begin{itemize*} + \item Convenient, no secrets to remember, cannot be lost + \item Difficult to intentionally pass on + \end{itemize*} + \item Contras: Fundamental technical problems + \begin{itemize*} + \item Comparison methods with reference fuzzy techniques + \item False Non-match Rate: authorized people are rejected + \item False Match Rate: not authorized people are accepted + \item Susceptible environmental conditions (noise, dirt, fractured arm) + \end{itemize*} + \item Trust in system required + \item Fundamental weaknesses in distributed systems $\rightarrow$ Secure communication to authenticating system required (personal data) + \item Reference probes are personal data $\rightarrow$ Data Protection Act + \item Reaction time on security incidents $\rightarrow$ Passwords, smartcards can be exchanged easily + \end{itemize*} + + Social Barriers + \begin{itemize*} + \item Not easily accepted: Finger prints, criminal image, Retina + \item Naive advertising calls for distrust + \begin{itemize*} + \item Pol: ,,Biometrician undesired on national security congress'' + \item Tec: for many years unkept promise to cure weaknesses + \end{itemize*} + \end{itemize*} + \subsubsection{Cryptographic Protocols} \paragraph{SmartCards} + \begin{itemize*} + \item Used For: Authentication of humans to IT systems + \item Verified Item: Knowledge of complex secret + \begin{itemize*} + \item Secret part of asymmetric key pair + \item Symmetric key + \end{itemize*} + \item Verification + \begin{itemize*} + \item Challenge/response protocols + \item Goal: Proof that secret is known + \item Contrary to password authentication, no secret exposure + \end{itemize*} + \end{itemize*} + + Vehicle for Humans: SmartCards + \begin{itemize*} + \item Small Computing Devices Encompassing + \begin{itemize*} + \item Processor(s) + \item RAM + \item Persistent memory + \item Communication interfaces + \end{itemize*} + \item What They Do + \begin{itemize*} + \item Store and keep 
complex secrets (keys) + \item Run cryptographic algorithms + \begin{itemize*} + \item Response to challenges in challenge/response protocols + \item Encrypt incoming nonces + \end{itemize*} + \item Launch challenges to authenticate other principals + \begin{itemize*} + \item Generate nonces, verify response + \end{itemize*} + \end{itemize*} + \item Usage... e.g. via plug-ins in browsers + \end{itemize*} + + Properties + \begin{itemize*} + \item no secret is exposed + \begin{itemize*} + \item[$\rightarrow$] no trust in authenticating system required + \item[$\rightarrow$] no trust in network required + \end{itemize*} + \item Besides authentication other features possible $\rightarrow$ digital signatures, credit card, parking card ... + \item Weak verification of card right to use card (PIN, password) $\rightarrow$ some cards have finger print readers + \item Power supply for contactless cards + \end{itemize*} + \paragraph{Authentication Protocols} - \subsection{Summary} + \begin{itemize*} + \item Used For: Authentication between IT systems + \item Method: challenge/response-scheme + \item Based on + \begin{itemize*} + \item symmetric key: principal and authenticating system share secret + \item asymmetric key: authenticating system knows public key of principal + \end{itemize*} + \end{itemize*} + The Fundamentals: 2 Scenarios + \begin{enumerate*} + \item After one single authentication, Alice wants to use all servers in a distributed system of an organization. + \item Alice wants authentic and confidential communication with Bob. 
Authentication Server serves session keys to Bob and Alice + \end{enumerate*} + + Needham-Schroeder Authentication Protocol (for secret keys) + \begin{itemize*} + \item establish authentic and confidential communication between 2 Principals + \item[$\rightarrow$] confidentiality, integrity, authenticity + \end{itemize*} + \begin{enumerate*} + \item Authentication of Alice to Bob $\rightarrow$ Bob knows other end is Alice + \item Authentication of Bob to Alice $\rightarrow$ Alice knows other end is Bob + \item Establish fresh secret: a shared symmetric session key + \end{enumerate*} + + Fundamental + \begin{itemize*} + \item Common trust in same authentication server + \item Client-specific secret keys ($K_{AS}, K_{BS}$) + \end{itemize*} + + %\includegraphics[width=\linewidth]{Assets/Systemsicherheit-needham-schreoeder.png} + %Note: Protocol used in Kerberos security architecture + + Message Semantics + \begin{enumerate*} + \item $A\rightarrow S:A,B,N_A$: A requests session key for B from S + \item $S\rightarrow A:\{N_A,B,K_{AB},K_{AB},A\}_{KBS}\}_{KAS}$: S responds encrypted with $K_{AS}$ such that only A is able to understand + \begin{itemize*} + \item nonce proves that 2. is a reply to 1. (fresh) + \item session key $K_{AB}$ + \item ticket for B; encryption proves $K_{AB}$ was generated by $S$ + \end{itemize*} + \item $A\rightarrow B:\{K_{AB},A\}_{KBS}$: A ticket to B; encryption as challenge + \item $B\rightarrow A:\{N_B\}_{KAB}$: B decrypts ticket \& verifies if A knows $K_{AB}$ + \item $A\rightarrow B:\{N_B-1\}_{KAB}$: A proves by using $K_{AB}$ that he was the sender of 3. (response) + \begin{itemize*} + \item Authentication of A to B: only A can decrypt 2. + \item Authentication of B to A: only B can decrypt 3. 
+ \item A and B now also share a secret session key + \end{itemize*} + \end{enumerate*} + + Authentication Servers + \begin{itemize*} + \item Common trust in server by all principals $\rightarrow$ closed user group, in general belonging to same organization + \item Server shares individual secret with each principal (symmetric key) + \end{itemize*} + + Needham-Schroeder Authentication Protocol for public keys + \begin{itemize*} + \item establish authentic and confidential communication between Principals + \begin{enumerate*} + \item Authentication of Alice to Bob $\rightarrow$ Bob knows other end is Alice + \item Authentication of Bob to Alice $\rightarrow$ Alice knows other end is Bob + \item Establish fresh secret between Alice and Bob: a shared symmetric session key + \end{enumerate*} + \item Premise: Trust + \begin{itemize*} + \item Individually in issuer of certificate (certification authority) + \item[$\rightarrow$] much weaker than secret key based authentication + \end{itemize*} + \item Message Semantics + \begin{enumerate*} + \item $A\rightarrow S:A,B$: A requests public key of B + \item $S\rightarrow A:\{PK_B,B\}_{SK_S}$: S sends certificate; A knows public key of CA + \item $A\rightarrow B:\{N_A,A\}_{PK_B}$: A sends challenge to B + \item $B\rightarrow S:B,A$: B requests public key of A + \item $S\rightarrow B:\{PK_A,A\}_{SK_S}$: S responds (see 2.) + \item $B\rightarrow A:\{N_A, N_B\}_{PK_A}$: B proves it is B and challenges A + \item $A\rightarrow B:\{N_B\}_{PK_B}$: A replies and proves it is A + \end{enumerate*} + \begin{itemize*} + \item Authentication of A to B: 6. together with 7. + \item Authentication of B to A: 3. together with 6. 
+ \item From where key certificates are obtained is irrelevant + \end{itemize*} + \end{itemize*} + + Certificate Servers: Basis of Authentication + \begin{itemize*} + \item Key certificates + \begin{itemize*} + \item Digitally signed mappings (name $\leftrightarrow$ public key) + \item Issued by certification authorities (CA) + \end{itemize*} + \item Certificate servers + \begin{itemize*} + \item Manage certificate data base + \item Need not be trustworthy + \end{itemize*} + \end{itemize*} + %\includegraphics[width=\linewidth]{Assets/Systemsicherheit-Certificate-server.png} + + $\delta s$ between Secret Key and Public Key Authentication + \begin{itemize*} + \item Secret Key Authentication + \begin{itemize*} + \item Requires common trust in AS, a-priori key exchange and mutual trust in keeping session key secret + \item Allows for message authentication codes + \item Require online AS + \item accumulation of secrets at AS $\rightarrow$ dangerous, server always online + \item n keys for authenticating n principals + \item $O(n^2)$ session keys for n communicating parties + \end{itemize*} + \item Public Key Authentication + \begin{itemize*} + \item Requires knowledge of public keys $\rightarrow$ PKIs + \item Allows for digital signatures + \item Allow for local chaching of certificates + \item n keys for authenticating n principals + \item $O(n)$ keys for $n$ communicating parties if PKs are used + \item $O(n^2)$ key for n communicating parties if session keys are used + \item Certificate management: PKIs, CAs, data bases, ... 
+ \end{itemize*} + \end{itemize*} \section{Security Architectures} - \subsection{Design Principles} - \subsection{Operating Systems Architectures} + + \note{Trusted Computing Base (TCB)}{The set of functionsof an IT system that are necessary and sufficient for implementing its security properties $\rightarrow$ Isolation, Policy Enforcement, Authentication ...} + + \note{Security Architecture}{The part(s) of a system’s architecture that implement its TCB $\rightarrow$ Security policies, Security Server (PDP) and PEPs, authentication components, ...} + + \note{Security Mechanisms}{Algorithms and data structures for implementing functions of a TCB $\rightarrow$ Isolation mechanisms, communication mechanisms, authentication mechanisms, ...} + + Security architectures have been around for a long time ... + \begin{itemize*} + \item Architecture Components (Buildings, walls, windows,...) + \item Architecture (Component arrangement and interaction) + \item Build a stronghold such that security policies can be enforced + \begin{itemize*} + \item Presence of necessary components/mechanisms + \item Totality of interaction control (,,mediation'') + \item Tamperproofness + \item[$\rightarrow$] architecture design principles + \end{itemize*} + \end{itemize*} + + Check your trust in + \begin{itemize*} + \item Completeness of access mediation (and its verification!) + \item Policy tamperproofness(and its verification!) + \item TCB correctness (and its verification!) 
+ \end{itemize*} + + Problem Areas PDPs/PEPs are + \begin{itemize*} + \item Scattered among many OS components $\rightarrow$ Problem of architecture + \item Not robust + \begin{itemize*} + \item Not isolated from errors within the entire OS + \item Especially in dynamically loaded OS modules + \item[$\rightarrow$] Problem of security architecture implementation + \end{itemize*} + \item OSes/Middleware/Applications are big + \item Only a small set of their functions logically belongs to the TCB + \item[$\rightarrow$] architecture design such that TCB functions are collected + \begin{itemize*} + \item not bypassable (total access mediation), + \item isolated (tamperproofness), + \item trustworthy (verifiable correctness) core + \item[$\rightarrow$] architecture such that these properties are enforced + \end{itemize*} + \end{itemize*} + + \subsection{Architecture Design Principles} + \begin{itemize*} + \item Complete + \item Tamperproof + \item Verifiably correct + \item control of all security-relevant actions in a system + \end{itemize*} + + Approach: Definitions of fundamental security architecture design principles + + \subsubsection{The Reference Monitor Principles} + There Exists an Architecture Component that is + \begin{itemize*} + \item[RM1] Involved in any subject/object interaction $\rightarrow$ total mediation property + \item[RM2] Well-isolated from the rest of the systems $\rightarrow$ tamperproofness + \item[RM3] Small and well-structured enough to analyze correctness by formal methods $\rightarrow$ verifiability + \end{itemize*} + + A security architecture component built along these principles: ,,Reference Monitor'' + \begin{itemize*} + \item 1 PDP (policy implementation) + \item many PEPs (interceptors, policy enforcement) + \end{itemize*} + + Reference Monitor + \begin{itemize*} + \item Core component of a TCB + \item Typically encloses + \begin{itemize*} + \item Security policy implementation(s) (PDP) + \begin{itemize*} + \item Model state (e.g. 
ACM, subject set, entity attributes) + \item Model behavioral logic (e.g.authorization scheme) + \end{itemize*} + \item Enforcement mechanisms: PEPs + \end{itemize*} + \item Typically excludes (due to complexity and size, RM 3) + \begin{itemize*} + \item Authentication + \item Cryptographic mechanisms + \item Sometimes also model state (e.g.ACLs) + \end{itemize*} + \end{itemize*} + + Consequences of (RM 3) for TCBs + \begin{itemize*} + \item Few functions $\rightarrow$ small size (LoC) + \item Simple functions $\rightarrow$ low complexity + \item Strong isolation + \item Precisely known perimeter + \end{itemize*} + + \subsubsection{Implementation Layers} + \begin{multicols}{2} + Monolithic OS Kernel \includegraphics[width=\linewidth]{Assets/Systemsicherheit-policy-controlled-os-tcp-implementation.png} + \columnbreak + + Microkernel Architecture (Nizza) \includegraphics[width=\linewidth]{Assets/Systemsicherheit-policy-microkernel-tcp-functional.png} + \end{multicols} + \begin{multicols}{2} + Middleware-level Policy \includegraphics[width=\linewidth]{Assets/Systemsicherheit-middleware-level-policy.png} + \columnbreak + + Application \includegraphics[width=\linewidth]{Assets/Systemsicherheit-policy-controlled-app-tcp-implementation.png} + \end{multicols} + \begin{itemize*} + \item Numerous rather weak implementations in Middleware, Applications... 
+ \item Stronger approaches in Microkernel OSes, Security-focused OS + \end{itemize*} + \subsubsection{Nizza} - \subsubsection{SELinux } - \subsection{Distributed Systems Architectures} - \subsubsection{CORBA } - \subsubsection{Web Services } - \subsubsection{Kerberos } - \subsection{Summary} + \begin{itemize*} + \item RM1 - RM3 (Especially: Small TCB) + \item Maintain functionality of + \begin{itemize*} + \item Contemporary legacy OSes + \item Legacy Applications (,,legacy'' = unmodified for security) + \end{itemize*} + \end{itemize*} + + Concepts/Reference monitor principles: + \begin{itemize*} + \item Separation of OS, Applications into security-critical vs. non-critical components $\rightarrow$ precise identification of (minimal) TCB + \item Maintain functionality $\rightarrow$ Paravirtualization of standard legacy OS + \end{itemize*} + + OS View + %\includegraphics[width=\linewidth]{Assets/Systemsicherheit-nizza-os-view.png} + \begin{itemize*} + \item Trustworthy microkernel + \item Trustworthy basic services + \item Not trustworthy (paravirtualized) legacy OS + \end{itemize*} + + Application View + \begin{itemize*} + \item Vulnerability increases with growing complexity $\rightarrow$ reduce vulnerability of security-critical code by + \item Software functionality separation + \item Isolation of functional domains %\includegraphics[width=\linewidth]{Assets/Systemsicherheit-nizza-application-view.png} + \item Example: Email Client + \begin{itemize*} + \item Non-critical: reading/composing/sending emails + \item Critical: signing emails (email-client $\leftrightarrow$ Enigmail Signer) + \end{itemize*} + \end{itemize*} + + %Putting it all Together + %\includegraphics[width=\linewidth]{Assets/Systemsicherheit-nizza-enigmail.png} + %\includegraphics[width=\linewidth]{Assets/Systemsicherheit-nizza-enigmail-tcb.png} + + \begin{itemize*} + \item Code size of TCB reduced by 2 orders of magnitude + \item Functionality of legacy OSes and applications preserved + \item 
(Moderate) performance penalties + \item Paravirtualization of legacy OS + \item Decomposition of trusted applications + \end{itemize*} + + \subsubsection{Security Enhanced Linux (SELinux)} + \begin{itemize*} + \item State-of-the-art OS + \item State-of-the-art security paradigms + \item[$\rightarrow$] Policy-controlled (Linux) (Security-aware) OS kernel + \end{itemize*} + + Security Policies in SELinux + \begin{itemize*} + \item Implementation by new OS abstractions + \item Somewhat comparable to ,,process'' abstraction + \item Specification of a... + \begin{itemize*} + \item process is a program: algorithm implemented in formal language + \item security policy is a security model: rule set in formal language + \end{itemize*} + \item Runtime environment (RTE) of a ... + \begin{itemize*} + \item process is OSprocess management $\rightarrow$ RTE for application-level programs + \item security policy is OS security Server $\rightarrow$ RTE for kernel-level policies + \end{itemize*} + \end{itemize*} + + SELinux Architecture + %\includegraphics[width=\linewidth]{Assets/Systemsicherheit-selinux-architecture.png} + \begin{itemize*} + \item Policy-aware Security Server (policy decision point, PDP) $\rightarrow$ Policy RTE in kernel‘s protection domain + \item Interceptors (policy enforcement points, PEPs) $\rightarrow$ Total interaction control in object managers + \end{itemize*} + + Implementation Concepts + \begin{itemize*} + \item Reference Monitor Principles + \begin{itemize*} + \item Total mediation of security-relevant interactions $\rightarrow$ placement of PEPs: Integration into object managers + \item Tamperproofness of policy implementation $\rightarrow$ placement of PDP: Integration into kernel + \end{itemize*} + \item Policy Support + \begin{itemize*} + \item Authenticity of entities: Unique subject/object identifiers + \item Policy-specific entity attributes (type, role, MLS label) + \end{itemize*} + \item Problem in Linux, + \begin{itemize*} + \item Subject 
identifiers (PIDs) or object identifiers (i-node numbers) are + \begin{itemize*} + \item neither unique + \item nor are of uniform type + \end{itemize*} + \item[$\rightarrow$] security identifier (SID) + \item Policy-specific subject/object attributes (type, role) are not part of subject/object metadata $\rightarrow$ security context + \item[$\rightarrow$] Approach: Extensions of process/file/socket...-management + \end{itemize*} + \end{itemize*} + + Authenticity of Entities + \begin{itemize*} + \item Object managers help: implement injective mapping SEO $\rightarrow$ SID + \begin{itemize*} + \item SID created by security server + \item Mapping of SIDs to objects by object managers + \end{itemize*} + \end{itemize*} + %\includegraphics[width=\linewidth]{Assets/Systemsicherheit-object-managers.png} + + Entity Attributes + \begin{itemize*} + \item sec. policy implements injective mapping SID $\rightarrow$ security context + \item sec. contexts creation according to policy-specific labeling rules + \item Entry in SID $\rightarrow$ security context mapping table + \end{itemize*} + + Security Context contains + \begin{itemize*} + \item Standard entity attributes such as user ID, Role, Type + \item Policy-specific entity attributes such as Confidentiality/clearance level (e.g. 
MLS label) + \item is implemented as a text string with policy-dependent format + \end{itemize*} + + Problem: Security contexts of persistent Entities + \begin{itemize*} + \item Policies not aware of persistency of entities $\rightarrow$ persistency of security contexts is job of object managers + \item Layout of object metadata is file system standard $\rightarrow$ security contexts cannot be integrated in i-nodes (their implementation: policy-independent) + \end{itemize*} + + Solution + \begin{itemize*} + \item Persistent objects additionally have persistent SID : ,,PSID'' + \item OMs map these to SID + \item 3 invisible storage areas in persistent memory implementing + \begin{itemize*} + \item Security context of file system itself (label) + \item Bijective mapping: inode $\rightarrow$ PSID + \item Bijective mapping: PSID $\rightarrow$ security context + \end{itemize*} + \end{itemize*} + + Access Vector Cache(AVC) + \begin{itemize*} + \item Located in object managers (user level) resp. in Security Server (kernel level) + \item Caches access decisions + \end{itemize*} + + RM Evaluation of SELinux + \begin{itemize*} + \item Compliance with Reference Monitor Principles + \item Total Mediation Property (placement of PEPs) done manually + \item Tamperproofness of Policy Implementation + \begin{itemize*} + \item Fundamental problem in monolithic software architectures + \item[$\rightarrow$] TCB implementation vulnerable from entire OS kernel code + \item Security server, All object managers, Memory management,... 
+ \item It can be done: Nizza + \end{itemize*} + \item Verifiability + \begin{itemize*} + \item Size and complexity of policy $\rightarrow$ analysis tools + \item Policy‘s RTE claim to be universal + \item Completeness of PEPs + \item Policy isolation + \end{itemize*} + \end{itemize*} + + \subsection{Security Architectures of Distributed Systems} + \subsubsection{CORBA} + \begin{multicols*}{2} + \includegraphics[width=.9\linewidth]{Assets/Systemsicherheit-cobra-1.png} + + \includegraphics[width=.9\linewidth]{Assets/Systemsicherheit-cobra-2.png} + \end{multicols*} + + \subsubsection{Kerberos} + Distributed Authentication and Authorization Architecture with closed user groups( $\rightarrow$ static sets of subjects) + \begin{itemize*} + \item Distributed system run by single organization + \item Workstations and Servers + \item 2 Kerberos servers + \begin{itemize*} + \item Authentication Server (AS) + \item Authorization Server (TGS) + \end{itemize*} + \item Authentication Server (AS) + \begin{itemize*} + \item Authenticates users; Based on key shared between user and AS. Result: authenticator (electronic ID card) + \item Authorizes use of TGS. Based on key shared between AS and TGS. 
Result: ticket (capability) for TGS + \end{itemize*} + \item Ticket Granting Server (TGS): Issues tickets for all servers + \begin{itemize*} + \item Based on key shared between TGS and respective server + \item Result: ticket(s) for server(s) + \end{itemize*} + \item Kerberos database + \begin{itemize*} + \item Contains for each user and server a mapping $⟨user, server⟩\rightarrow$ authentication key + \item Used by AS + \item Is multiply replicated (availability, scalability) + \end{itemize*} + \end{itemize*} + + Typical Use Case + \begin{enumerate*} + \item Authentication, then request for TGS ticket + \item Authenticator, TGS-Ticket + \item Request for further server tickets + \item Server tickets + \item Service request: Servers decide based on + \end{enumerate*} + + \paragraph{Inside Kerberos Tickets} + \begin{itemize*} + \item Tickets issued by Ticket Granting Server + \item Specify right of one client to use one server (capability) + \item Limited lifetime (to make cryptographic attacks difficult) + \begin{itemize*} + \item balance between secure and convenient + \item Short: inconvenient but more secure (if stolen soon expires) + \item Long: insecure but more convenient (no frequent renewal) + \end{itemize*} + \item Can be used multiply while valid + \item Are sealed by TGS with key of server + \end{itemize*} + + %$T_{Client/Server}=\{Client, Server, Client.NetworkAddress, Timestamp, Lifetime, SessionKey_{Client/Server}\}_{KTGS/Server}$ + + Provisions against Misuse + \begin{itemize*} + \item Tampering by client to fabricate rights for different server $\rightarrow$ guarantee of integrity by MAC using $K_{TGS/Server}$ + \item Use by third party intercepting ticket $\rightarrow$ personalization by Name and network address of client together with Limited lifetime \&Authenticator of client + \end{itemize*} + + Authenticators + \begin{itemize*} + \item Proof of identity of client to server + \item Created using $SessionKey_{Client/Server}$ + \begin{itemize*} + 
\item[$\rightarrow$] can be created and checked only by + \item Client (without help by AS, client knows session key ) + \item Server + \item TGS (trusted) + \end{itemize*} + \item Can be used exactly once $\rightarrow$ prevent replay attacks by checking freshness + \end{itemize*} + + %$A_{Client}=\{Client, Client.NetworkAddress, Timestamp\}_{SessionKey_{Client/Server}}$ + + \paragraph{Kerberos Login} + %The Complete Process \includegraphics[width=\linewidth]{Assets/Systemsicherheit-kerberos-login.png} + %Single Steps: + \begin{enumerate*} + \item Alice tells her name + \item Alice’s workstation requests authentication + \item The AS + \begin{itemize*} + \item Create fresh timestamp + \item Create session key for Alice communication with the TGS % $SessionKey_{Alice/TGS}$ + \item Create Alice ticket for TGS and encrypt it with $K_{AS/TGS}$ %(so Alice cannot modify it): $Ticket_{Alice/TGS}=\{Alice, TGS, ..., SessionKey_{Alice/TGS}\}_{K_{AS/TGS}}$ + \item Encrypts everything with $K_{Alice/AS}$ (only Alice can read the session key and the TGS-Ticket) %$\{TGS, Timestamp , SessionKey_{Alice/TGS}, Ticket_{Alice/TGS}\}_{K_{Alice/AS}}$ + \end{itemize*} + \item Alice’s workstation + \begin{itemize*} + \item $TGS, Timestamp, SessionKey_{Alice/TGS} , Ticket_{Alice/TGS}$ + \item Requests Alice’s password + \item Get $K_{Alice/AS}$ from password using cryptographic hash + \item Uses it to decrypt above message from AS + \end{itemize*} + \end{enumerate*} + \begin{itemize*} + \item Result: Alice’s workstation has + \begin{itemize*} + \item Session key for TGS session: $SessionKey_{Alice/TGS}$ + \item Ticket for TGS: $Ticket_{Alice/TGS}$ + \item The means to create an authenticator + \end{itemize*} + \end{itemize*} + + \paragraph{Using a Server} + Authentication (bidirectional) + \begin{enumerate*} + \item Authentication of Client (to server) + \begin{itemize*} + \item (Assumption) Alice has session key + \item (Assumption) Alice has server ticket + \end{itemize*} + 
\begin{enumerate*} + \item Alice assembles authenticator $A_{Alice}$ %=\{Alice,Alice\_network\_address,timestamp\}_{SessionKey_{Alice/Server}}$ Only Alice can do that, because only she knows $SessionKey_{Alice/Server}$ + \item Alice sends $Ticket_{Alice/Server}, A_{Alice}$ to Server + \item Server decrypts ticket and thus gets session key; thus it can decrypt $A_{Alice}$ and check + \begin{itemize*} + \item Freshness + \item Compliance of names in ticket and authenticator + \item Origin of message and network address in authenticator + \end{itemize*} + \end{enumerate*} + \item Authentication of Servers (to client) + \begin{itemize*} + \item send $\{Timestamp+1\}_{SessionKey_{Alice/Server}}$ to Alice + \item only by principal that knows $SessionKey_{Alice/Server}$ + \item only by server that can extract the session key from the ticket %$Ticket_{Alice/Server}=\{Alice,Server ,..., SessionKey_{Alice/Server}\}_{K_{TGS/Server}}$ + \end{itemize*} + \end{enumerate*} + + Getting a Ticket for a Server + \begin{itemize*} + \item Are valid for a pair ⟨client, server⟩ + \item Are issued (but for TGS-Ticket itself) only by TGS + \item Ticket request to TGS: $(server, TGS_{ticket}, authenticator)$ + \end{itemize*} + + TGS: + \begin{itemize*} + \item Checks $Ticket_{Client/TGS}$ and $authenticator$ + \item Generates $SessionKey_{Client/Server}$ for client \& server + \item Generates $Ticket_{Client/Server}$ + \item Encrypts both using shared session key $\{Server,$ $SessionKey_{Client/Server},Ticket_{Client/Server}\}_{SessionKey_{Client/TGS}}$ + \end{itemize*} + \end{multicols} \end{document} \ No newline at end of file