
OS Security and Access Control

Ittipon (Art) Rassameeroj


Agenda
• OS Security (Chapter 12)
• Introduction to OS
• OS security functions
• OS hardening
• Linux security
• Windows security
• Access control (Chapter 4)
• Access control principles, guidelines, and elements
• Access control mechanisms: directories, ACL, access control matrix, capabilities
• Access Control in UNIX
• Access control policies: DAC, MAC, RBAC, and ABAC

2
OS Structure

3
OS Structure

4
Security in OS
• Two goals of the OS
• Controlling shared access
• Implementing an interface to allow that access
• Basic OS security: separation and sharing
• Keeping one user’s objects secure from being interfered with by other users
• However, the OS must provide a way to do sharing as well.
• The OS is the fundamental controller of all system resources, which makes it a primary target of attack.
• The OS is the first line of defense against all sorts of unwanted behaviors.

5
OS Security Functions
• Identity and credential management
• Performs identification and authentication of people and remote operations
• Access control
• Protects one user from another, ensures that critical areas of memory or storage
are not overwritten by unauthorized processes.
• OS provides different levels of protection for different objects/resources.
• Information flow
• Audit (logging) and integrity protection (e.g., memory protection)

6
OS Layers

7
Memory and Address Protection
• The OS protects each program’s memory from being affected by other programs
• Protection mechanisms
• Fence protection
• Fence registers and base/bounds registers
• Tagged Architecture
• Virtual Memory: segmentation and paging

8
Fence Protection

9
Fence Register

10
Base and Bound Registers

11
Base and Bound Registers

12
Tagged Architecture
• Every word of machine memory has one or more extra bits to identify the access rights to that word.
• These access bits can be set only by privileged (OS) instructions.
• The bits are tested every time an instruction accesses that location.

13
Virtual Memory Segmentation
Segmentation allows hardware-supported controlled access to different memory sections in different access modes

14
Virtual Memory:
Segment Address Translation

15
Virtual Memory: Paging
Paging gives efficient memory management:
• A program is divided into pages.
• Memory is divided into page frames.
• Page size is usually chosen to be a power of 2: 2 KB, 8 KB, 16 KB.

16
Virtual Memory:
Page & Segmentation Combination

17
OS Hardening
• Remove unnecessary services
• If fewer software packages are available to run, the risk is reduced.
• When performing the initial installation, the supplied defaults should not be used.
• Configure users and privileges
• Not all users with access to a system will have the same access to all data and resources on that system.
• Elevated privileges should be restricted to only those users that require them, and then only when they are needed to perform a task.
• The system planning process should consider, e.g., the categories of users on the system.
• Default accounts should be secured, e.g., disabled.

18
OS Hardening
• Configure resource controls
• Once the users and groups are defined, appropriate permissions can be set on data and resources.
• Many of the security hardening guides provide lists of recommended changes to the default access configuration.
• Further security is possible by installing and configuring additional security tools:
• Anti-virus software
• Host-based firewalls
• IDS or IPS software
• Application white-listing

19
Linux Security
• Patch management
• Application and service configuration
• Users, groups, and permissions
• Remote access control and apply secure protocols
• SSH2, SSH3
• /etc/hosts.allow, /etc/hosts.deny
• iptables
• Logging
• Chroot jail

20
Windows Security
• Patch management
• User administration and access control
• It is essential that anti-virus, anti-spyware, personal firewall, and other malware and attack detection and handling software packages are installed and configured.
• Current generation Windows systems include basic firewall and malware countermeasure capabilities.
• It is important to ensure the set of products in use is compatible.
• Windows systems also support a range of cryptographic functions:
• Encrypting files and directories using the Encrypting File System (EFS)
• Full-disk encryption with AES using BitLocker
• Microsoft Baseline Security Analyzer: free and easy-to-use tool that checks for compliance with Microsoft’s security recommendations

21
Access Control
• The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
• Central element of computer security
• Access control implements a security policy that specifies who may have access to what resource in what access type
• Access control involves:
• Authentication: verification of a user entity’s identity and validity
• Authorization: permission for a user entity to access a system resource
• Audit: review and examination of system records and activities

22
Access Control Principles

23
Access Control Guideline
• Check every access: Access is not granted forever—it can be suspended or revoked.
• Enforce least privilege: Give a subject access to the smallest number of objects necessary to perform the subject’s task.
• Verify acceptable use: Verify whether the requested kind of access is acceptable, e.g., R(ead) is OK, but W(rite) + (e)X(ecute) is not.

24
Access Control Elements
• Subject - entity that can access objects
• Users
• Processes/threads representing user or application
• Object - access controlled resource
• Such as files, directories, records, programs, hardware devices, etc.
• Types of objects depend on environment.
• Access right - way in which subject accesses an object
• Such as read, write, execute, delete, create, search

25
Basic Access Control Mechanism
• Directory
• Access Control List
• Access Control Matrix
• Capability

26
Directory Mechanism
• Each object has a unique owner; users are the subjects.
• The owner controls access rights [rwx bits] by assigning or revoking them.
• Each user has an access rights directory.

27
Access Control List (ACL)
A list attached to an object
• Specifying access rights for each subject accessing the object
• Subject could be individuals, groups, or others.

28
Access Control Matrix
• Directory – subject’s list of access rights (ARs) for objects accessible by the subject
• Access control list – object’s list of ARs for subjects that can access the object.
• Access control matrix – a sparse matrix (a table)
• Rows for subjects and columns for objects
• Cell(i, j): subject i’s access rights to object j

29
Capabilities for Access Control
• Subjects access objects only via capabilities
• Capability
• A kind of token/ticket giving a subject certain rights for an object
• To see (kind of access) a movie (object), an audience member (subject) must have a ticket (capability)
• Capability to transfer access rights
• Allows a subject to pass copies of its capabilities to other subjects
• S1 can copy its capability to access O1 and transfer it to S2. If S1 omits the ‘transfer’ right for O1 in the capability passed to S2, S2 can’t transfer these rights to any other subject.
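The ticket analogy above, as an added example that is not part of the original slides: a minimal capability model in which ‘transfer’ is itself a right, so a copy passed on without it cannot be passed on again, and a holder can never pass rights it does not hold. The class and function names are assumptions for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Capability:
    """A ticket naming one object and the rights it grants (hypothetical model).
    Frozen: a holder can copy it but cannot edit it; only grant()/transfer() mint new ones."""
    obj: str
    rights: frozenset

def grant(obj, rights):
    """The kernel mints a fresh capability; this is the only way one comes into existence."""
    return Capability(obj, frozenset(rights))

def transfer(cap, rights_to_pass):
    """S1 passes a copy of cap to S2. Requires the 'transfer' right on cap, and the
    copy may only carry a subset of cap's rights (no amplification). Omitting
    'transfer' from the copy makes it a dead end for S2."""
    if "transfer" not in cap.rights:
        raise PermissionError(f"capability for {cap.obj} is not transferable")
    if not set(rights_to_pass) <= cap.rights:
        raise PermissionError("cannot pass rights the holder does not have")
    return Capability(cap.obj, frozenset(rights_to_pass))

def access(holder_caps, obj, right):
    """A subject presents its capabilities; access is granted only if one of them
    names obj and contains the requested right."""
    return any(c.obj == obj and right in c.rights for c in holder_caps)

def demo():
    """S1 holds read/write/transfer on O1 and hands S2 a read-only, non-transferable copy."""
    s1 = [grant("O1", {"read", "write", "transfer"})]
    s2 = [transfer(s1[0], {"read"})]      # 'transfer' deliberately omitted
    results = {
        "s2_read": access(s2, "O1", "read"),
        "s2_write": access(s2, "O1", "write"),
    }
    try:
        transfer(s2[0], {"read"})         # S2 tries to pass the ticket to S3
        results["s2_can_transfer"] = True
    except PermissionError:
        results["s2_can_transfer"] = False
    return results
```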

30
Access Control Policies
• Tell what types of access are permitted under what circumstances and by whom.
• Discretionary (DAC): control access based on the requestor and the volition of the resource owner
• Mandatory (MAC): control access based on security labels and clearances specified centrally
• Role-based (RBAC): control access based on roles and rules (access allowed in given roles)
• Attribute-based (ABAC): control access based on attributes of the subject, resource, and environment

31
Discretionary Access Control (DAC)
• It allows the owner, creator, or data custodian of an object to control and define access to that object.
• All objects have owners, and access control is based on the discretion or decision of the owner.
• Often provided using an access control matrix
• The access control matrix is often sparse, so it can be decomposed by either row or column.

32
Discretionary Access Control (DAC)
Decomposed by columns

Result in ACL
33
Discretionary Access Control (DAC)
Decomposed by rows

Result in CL
34
Discretionary Access Control (DAC)
• DAC in an OS is more complicated than just access to files.
• It covers other types of objects such as processes, devices, etc.

35
DAC
• It needs an “access control function”.
• An access attempt triggers 3 steps:
1) Subject S issues a request of type α for object X.
2) The OS generates the message (S, α, X) to the controller for X.
3) The controller checks access matrix A to determine if α is in A[S, X].
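The access control matrix, its decomposition into ACLs (by column) and capability lists (by row), the owner’s discretion in DAC, and the three-step access control function, carried through in one added example (not from the slides). The matrix contents, subject and object names, and the use of an ‘own’ right to mark the owner are constructed for the illustration.

```python
# Constructed sparse access control matrix A, stored as a dict of non-empty cells:
# key (subject, object) -> set of access rights. Row = subject, column = object.
A = {
    ("alice", "file1"): {"read", "write", "own"},
    ("alice", "file2"): {"read"},
    ("bob",   "file2"): {"read", "write", "own"},
    ("bob",   "prog1"): {"execute"},
}

def acl(matrix, obj):
    """Decompose by column: the ACL attached to object obj, one entry per subject."""
    return {s: sorted(rights) for (s, o), rights in matrix.items() if o == obj}

def capability_list(matrix, subj):
    """Decompose by row: the capability list held by subject subj, one entry per object."""
    return {o: sorted(rights) for (s, o), rights in matrix.items() if s == subj}

def access_control_function(matrix, s, alpha, x):
    """The three steps: (1) S requests access of type alpha to X; (2) the OS builds the
    message (S, alpha, X) for X's controller; (3) the controller grants only if alpha
    is in A[S, X]. A missing cell means no rights at all (deny by default)."""
    message = (s, alpha, x)
    subject, request_type, obj = message
    return request_type in matrix.get((subject, obj), set())

def dac_grant(matrix, granter, subj, x, right):
    """DAC: rights are added at the discretion of the object's owner, i.e. only a
    subject whose own cell A[granter, X] contains 'own' may extend another row."""
    if "own" not in matrix.get((granter, x), set()):
        raise PermissionError(f"{granter} does not own {x}")
    matrix.setdefault((subj, x), set()).add(right)
```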

36
Access Control System Commands

37
UNIX File Access Control
• Unique user identification number (user ID)
• Member of a primary group identified by a group ID
• 12 protection bits
• 9 specify read, write, and execute permission for the owner of the file, members of the group, and all other users
• 2 specify SetUID and SetGID
• 1 is the sticky bit (only the owner can move, remove, or delete a file)
• The owner ID, group ID, and protection bits are part of the file’s inode.
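An added example (not from the slides) that decodes the 12 protection bits from an inode mode and applies the classic owner/group/other check. The function names and the sample uid/gid values are constructed; real kernels also consult supplementary groups and let root bypass the 9 bits, which this simplified check omits.

```python
import stat

def rwx(bits):
    """Render one 3-bit class (4 = read, 2 = write, 1 = execute) as an ls-style string."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

def decode_mode(mode):
    """Split the 12 protection bits of an inode mode into the three groups on the slide:
    2 bits SetUID/SetGID, 1 sticky bit, and 3 x 3 rwx bits for owner/group/other."""
    return {
        "setuid": bool(mode & stat.S_ISUID),   # 0o4000
        "setgid": bool(mode & stat.S_ISGID),   # 0o2000
        "sticky": bool(mode & stat.S_ISVTX),   # 0o1000
        "owner": rwx((mode >> 6) & 0o7),
        "group": rwx((mode >> 3) & 0o7),
        "other": rwx(mode & 0o7),
    }

def check_access(mode, file_uid, file_gid, uid, gid, want):
    """Simplified UNIX rule: the first class that matches the requester (owner, then
    group, then other) decides; later classes are not consulted even if they would be
    more permissive. want is 'r', 'w' or 'x'."""
    if uid == file_uid:
        bits = (mode >> 6) & 0o7
    elif gid == file_gid:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bool(bits & {"r": 4, "w": 2, "x": 1}[want])
```

Note the last assertion style case: with mode 0o077 the owner is denied read even though everyone else is allowed, because only the owner class is consulted for the owner.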

38
UNIX File Access Control

39
Mandatory Access Control (MAC)
• A.k.a. Multilevel Security
• MAC is a policy in which users do not control the authorization of other users to information
• Access control is based on a security labeling system.
• It is used in environments where information classification and confidentiality are very important, such as the military
• For example, in the Bell-LaPadula Model, access is allowed if
• subject clearance level >= object access class and
• object categories subset-of subject categories
• Basically, called No Read Up and No Write Down
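The Bell-LaPadula conditions above as an added example (not from the slides): a label is (level, categories), one label dominates another when its level is at least as high and its categories are a superset, reads require the subject to dominate the object (no read up) and writes require the object to dominate the subject (no write down). The level names and the sample labels are constructed.

```python
# Constructed ordering of classification levels; categories are compartments such as
# "nuclear" or "crypto" and are compared as sets, not by rank.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def dominates(a, b):
    """Label a dominates label b when a's level >= b's level AND b's categories are a
    subset of a's categories. Labels are (level_name, frozenset_of_categories)."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and b[1] <= a[1]

def can_read(subject_label, object_label):
    """Simple security property (no read up): the subject must dominate the object."""
    return dominates(subject_label, object_label)

def can_write(subject_label, object_label):
    """*-property (no write down): the object must dominate the subject, so information
    held by a highly labelled subject cannot flow into a lower-labelled object."""
    return dominates(object_label, subject_label)

def decide(subject_label, action, object_label):
    """Reference-monitor style entry point: action is 'read' or 'write'."""
    if action == "read":
        return can_read(subject_label, object_label)
    if action == "write":
        return can_write(subject_label, object_label)
    raise ValueError(f"unknown action {action!r}")
```

Labels whose category sets are not nested are incomparable, and the subject can then neither read nor write the object.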

40
MAC Example: Bell-LaPadula Model

41
Mandatory Access Control (MAC)

42
Role-Based Access Control (RBAC)
• Based on roles which are assigned to the users
• Define a role as a job function in the organization.
• Assign access rights to roles instead of individual users.
• Roles assigned may be static or dynamic.
• Assignment is many-to-many.

43
RBAC on Access Control Matrix
• Associate users to roles
• Associate roles to objects using DAC access control matrix
• Role should contain minimum set of access rights needed

44
Attribute-Based Access Control (ABAC)
• Define authorization according to properties of the resource and the subject.
• Flexible and expressive
• A logical access control model
• Controls access to objects by evaluating rules against the attributes of subjects, objects, operations, and the environment relevant to a request.
• Capable of enforcing DAC, MAC, and RBAC concepts
• ABAC enables fine-grained access control.
• Allows an unlimited number of attributes to be combined to satisfy any access control rule.
45
Attribute-Based Access Control (ABAC)

Resources

46
ABAC Processes Example
1) Access request is intercepted for policy enforcement.
2) A query is sent to the external authorization service to ask for permissions.
3) The authorization engine evaluates its policies.
4) It may also need to query external attribute sources for more information.
5) The decision (PERMIT or DENY) is returned to the policy enforcement point.

[Figure: User Bob → Application (“Can Bob access record #22?”) → Authorization Service (Policy Rules; Attribute Sources) → PERMIT/DENY back to the application]
47
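The five-step exchange above, carried through as an added example (not from the slides): the application acts as policy enforcement point and asks “can Bob access record #22?”, the engine pulls subject, object and environment attributes from constructed attribute sources, evaluates every rule, and returns PERMIT or DENY. The users, records, attribute names and the three rules (one DAC-like, one MAC-like, one environmental) are all constructed for the illustration.

```python
# Constructed attribute sources (step 4): the engine pulls these when a rule needs them.
USERS = {
    "bob":   {"role": "nurse",  "department": "cardiology", "clearance": 2},
    "alice": {"role": "doctor", "department": "oncology",   "clearance": 1},
}
RECORDS = {"record22": {"department": "cardiology", "sensitivity": 2, "owner": "alice"}}

# Policy rules (step 3): each inspects subject, action, object and environment
# attributes and answers "PERMIT", "DENY" or None (rule not applicable).
def rule_same_department(s, action, o, env):
    # MAC-like: read only within the department and with sufficient clearance
    if (action == "read" and s["department"] == o["department"]
            and s["clearance"] >= o["sensitivity"]):
        return "PERMIT"

def rule_owner(s, action, o, env):
    # DAC-like: the record owner may perform any action on it
    if env["user"] == o["owner"]:
        return "PERMIT"

def rule_office_hours(s, action, o, env):
    # environment attribute: nothing outside 08:00-18:00, whatever the other rules say
    if not 8 <= env["hour"] < 18:
        return "DENY"

RULES = [rule_same_department, rule_owner, rule_office_hours]

def authorize(user, action, record, hour):
    """Steps 2-5: the PEP asks 'can <user> <action> <record>?', the engine evaluates all
    rules against the fetched attributes and returns the decision. Any DENY overrides a
    PERMIT, and with no applicable PERMIT the default answer is DENY."""
    s, o = USERS[user], RECORDS[record]
    env = {"user": user, "hour": hour}          # request context from the PEP
    decisions = {rule(s, action, o, env) for rule in RULES}
    if "DENY" in decisions:
        return "DENY"
    return "PERMIT" if "PERMIT" in decisions else "DENY"
```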
