Module 8 1 Authorization

This document discusses module 8 on authorization and access control. It covers authentication versus authorization, access control matrices, access control lists (ACLs) and capabilities as two methods to manage access control efficiently. It also discusses multilevel security models, classifications and clearances and how subjects and objects are assigned security levels to control access.


Module 8

Authorization
Access control matrix
Multilevel Security
Multilateral security
Covert channel
Inference control
CAPTCHA
Authentication vs Authorization
• Authentication: Who goes there?
  • Restrictions on who (or what) can access the system
• Authorization: Are you allowed to do that?
  • Restrictions on actions of authenticated users
• Authorization is a form of access control
• Authorization enforced by
  • Access Control Lists
  • Capabilities

12/26/23
Module 8 Authorization 2
Access Control Basic Concept
• An access control system regulates the operations that can be executed on data and resources to be protected
• Its goal is to control operations executed by subjects in order to prevent actions that could damage data and resources
• Access control is typically provided as part of the operating system and of the database management system (DBMS)
Access Control Basic Concept
[Figure: Subject --(access request)--> Reference monitor --> Object]
• The very nature of access control suggests that there is a subject requiring access to an object to perform some specific access operation.
• A reference monitor grants or denies access
This fundamental and simple notion of access control is due to Lampson
Access Control Basic Concept
[Figure: Subject --(access request)--> Reference monitor --> Object; the reference monitor decides by consulting the access control policies and permissions]
Access control matrix
Lampson’s Access Control Matrix
• Subjects (users) index the rows
• Objects (resources) index the columns

                      OS    Accounting  Accounting  Insurance  Payroll
                            program     data        data       data
  Bob                 rx    rx          r           ---        ---
  Alice               rx    rx          r           rw         rw
  Sam                 rwx   rwx         r           rw         rw
  Accounting program  rx    rx          rw          rw         rw
Are You Allowed to Do That?
• Access control matrix has all relevant info
• But how to manage a large access control (AC) matrix?
  • Could be 1000’s of users, 1000’s of resources
  • Then AC matrix with 1,000,000’s of entries
  • Need to check this matrix before access to any resource is allowed: hopelessly inefficient
• To obtain acceptable performance, split AC matrix into manageable pieces
  • Two ways: by column or by row
Access Control Lists (ACLs)
• ACL: store access control matrix by column
• Example: ACL for insurance data is the Insurance data column (highlighted in blue on the slide)

                      OS    Accounting  Accounting  Insurance  Payroll
                            program     data        data       data
  Bob                 rx    rx          r           ---        ---
  Alice               rx    rx          r           rw         rw
  Sam                 rwx   rwx         r           rw         rw
  Accounting program  rx    rx          rw          rw         rw

• ACL(insurance data) = {(Bob,---), (Alice,rw), (Sam,rw), (Acc prog, rw)}
Capabilities (or C-Lists)
• Store access control matrix by row
• Example: Capability for Alice is the Alice row (highlighted in red on the slide)

                      OS    Accounting  Accounting  Insurance  Payroll
                            program     data        data       data
  Bob                 rx    rx          r           ---        ---
  Alice               rx    rx          r           rw         rw
  Sam                 rwx   rwx         r           rw         rw
  Accounting program  rx    rx          rw          rw         rw

• C-list(Alice) = {(OS,rw), (Acct prog,rw), (Acct data,r), (Insur data,rw), (payroll data, rw)}
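The matrix, its column slices (ACLs) and its row slices (C-lists) from the slides above, as an added example that is not part of the original deck. The cell values are the ones printed in the matrix; the function names, the fail-closed reference monitor, and the `revoke_object`/`delegate` helpers (which show why ACLs make changing a resource's rights cheap and why capabilities make delegation cheap) are this example's own.

```python
"""Lampson's access control matrix sliced by column (ACLs) and by row
(capabilities).  Added example: cell values are the slide's, the function
names and the reference-monitor logic are this example's own."""

OBJECTS = ["OS", "Accounting program", "Accounting data",
           "Insurance data", "Payroll data"]

# Rows are subjects, columns are objects, "---" means no rights at all.
ACM = {
    "Bob":                ["rx",  "rx",  "r",  "---", "---"],
    "Alice":              ["rx",  "rx",  "r",  "rw",  "rw"],
    "Sam":                ["rwx", "rwx", "r",  "rw",  "rw"],
    "Accounting program": ["rx",  "rx",  "rw", "rw",  "rw"],
}

def cell(subj, obj):
    """Full-matrix lookup; an unknown subject or object yields no rights."""
    if subj not in ACM or obj not in OBJECTS:
        return "---"
    return ACM[subj][OBJECTS.index(obj)]

def acl(obj):
    """ACL = one column of the matrix, stored with the object."""
    return {subj: cell(subj, obj) for subj in ACM}

def clist(subj):
    """C-list = one row of the matrix, stored with the subject."""
    return {obj: cell(subj, obj) for obj in OBJECTS}

def reference_monitor(subj, obj, op):
    """Grant iff `op` (one of r, w, x) appears in the cell; fail closed."""
    rights = cell(subj, obj)
    return rights != "---" and op in rights

def revoke_object(obj):
    """ACL strength: revoking every right on one object touches one column."""
    for subj in ACM:
        ACM[subj][OBJECTS.index(obj)] = "---"

def delegate(from_subj, to_subj, obj):
    """Capability strength: delegation copies one entry of the grantor's row
    into the grantee's row; the grantor can only pass on what it holds."""
    rights = cell(from_subj, obj)
    if rights == "---":
        return False
    ACM.setdefault(to_subj, ["---"] * len(OBJECTS))
    ACM[to_subj][OBJECTS.index(obj)] = rights
    return True
```

Note that the C-list derived from the printed matrix gives Alice `rx` on OS; the slide's own C-list(Alice) line writes `(OS,rw)`.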
ACLs vs Capabilities
[Figure: the same rights drawn two ways. Left, Access Control List: each file (file1, file2, file3) lists the subjects (Alice, Bob, Fred) with their rights (r, w, rw, ---). Right, Capability: each subject lists the files it may access and with which rights.]
Confused Deputy - 1/4
• Two resources
  • Compiler and BILL file (billing info)
• Compiler can write file BILL
• Alice can invoke compiler with a debug filename
• Alice not allowed to write to BILL

Access control matrix
              Compiler  BILL
  Alice       x         ---
  Compiler    rx        rw
Confused Deputy - 2/4
[Figure: Alice invokes the Compiler with debug filename BILL; the Compiler writes its debug output into the BILL file]
Confused Deputy
• Compiler is deputy acting on behalf of Alice
• Compiler is confused
  • Alice is not allowed to write BILL
  • Compiler has confused its rights with Alice’s
Confused Deputy - 3/4
• Compiler acting for Alice is confused
• Compiler is acting based on its own privileges, when it should be acting based on Alice’s privileges
• There has been a separation of authority from the purpose for which it is used
• With ACLs, difficult to avoid this problem
  • ACLs are not easily delegated
  • ACL(insurance data) = {(Bob,---), (Alice,rw), (Sam,rw), (Acc prog, rw)}
Confused Deputy - 4/4
• With Capabilities, easier to prevent problem
  • Must maintain association between authority and intended purpose
  • Capabilities make it easy to delegate authority
  • C-list(Alice) = {(OS,rw), (Acct prog,rw), (Acct data,r), (Insur data,rw), (payroll data, rw)}
ACLs vs Capabilities
• ACLs
  • Good when users manage their own files
  • Protection is data-oriented
  • Easy to change rights to a resource
• Capabilities
  • Easy to delegate
  • Easy to add/delete users
  • Easier to avoid the confused deputy
  • More difficult to implement
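The confused deputy of the four slides above, modelled both ways, as an added example that is not part of the original deck. The subjects (Alice, Compiler), the objects (Compiler, BILL) and their rights follow the slide's matrix; the constructed debug file `debug.out` (which both Alice and the Compiler may write), the `Capability` class and the function names are this example's own. In the ACL version the deputy checks its own rights on the output file and clobbers BILL; in the capability version it can only write through a capability Alice handed it, and Alice holds none for BILL.

```python
"""Confused deputy: ACL-based deputy (confused) versus capability-based
deputy (authority stays tied to purpose).  Added example; `debug.out` and
all function/class names are constructed."""

# Access control matrix from the slide, plus the constructed debug file.
ACM = {
    "Alice":    {"Compiler": "x",  "BILL": "---", "debug.out": "rw"},
    "Compiler": {"Compiler": "rx", "BILL": "rw",  "debug.out": "rw"},
}

def acl_allows(subj, obj, op):
    rights = ACM.get(subj, {}).get(obj, "---")
    return rights != "---" and op in rights

def compile_with_acl(invoker, debug_filename, files):
    """ACL world.  The deputy checks its OWN rights on the output file, so
    authority is separated from the purpose it was invoked for.
    Returns the name of the file written, or None if refused."""
    if not acl_allows(invoker, "Compiler", "x"):
        return None
    if acl_allows("Compiler", debug_filename, "w"):   # wrong subject checked
        files[debug_filename] = "debug output"
        return debug_filename
    return None

class Capability:
    """An (object, rights) token; only a subject's own C-list can mint one."""
    def __init__(self, obj, rights):
        self.obj, self.rights = obj, rights

def find_cap(subj, obj):
    """Look up a capability in the subject's C-list; None if it holds none."""
    rights = ACM.get(subj, {}).get(obj, "---")
    return None if rights == "---" else Capability(obj, rights)

def compile_with_capability(invoker, debug_cap, files):
    """Capability world.  The deputy writes only through a capability the
    invoker passed in, so it cannot exercise rights the invoker never had."""
    invoke = find_cap(invoker, "Compiler")
    if invoke is None or "x" not in invoke.rights:
        return None
    if debug_cap is None or "w" not in debug_cap.rights:
        return None
    files[debug_cap.obj] = "debug output"
    return debug_cap.obj
```

`files` is passed in explicitly so each run starts from a fresh store; the caller in the capability version has to obtain the capability from Alice's own C-list (`find_cap("Alice", ...)`), which is exactly the step that fails for BILL.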
Multilevel Security (MLS) Models
Classifications and Clearances
• Classifications apply to objects
• Clearances apply to subjects
• US Department of Defense uses 4 levels of classifications/clearances
  TOP SECRET
  SECRET
  CONFIDENTIAL
  UNCLASSIFIED
Subjects and Objects
• Let O be an object, S a subject
  • O has a classification
  • S has a clearance
  • Security level denoted L(O) and L(S)
• For DoD levels, we have TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED
MLS Applications
• Mainly used for classified gov/mil info
• But the business area also uses it
  • Senior management only: Top Secret
  • All management: Secret
  • Everyone in company: Confidential
  • General public: Unclassified
• Network firewall is another application area
  • Keep intruders at low level to limit damage
• Confidential medical info, databases, etc.
Bell-LaPadula
• BLP security model designed to express essential requirements for MLS
• BLP deals with confidentiality
  • To prevent unauthorized reading
• Recall that O is an object, S a subject
  • Object O has a classification
  • Subject S has a clearance
  • Security level denoted L(O) and L(S)
Bell-LaPadula
• BLP consists of
  Simple Security Condition: S can read O if and only if L(O) ≤ L(S)
  *-Property (Star Property): S can write O if and only if L(S) ≤ L(O)
• No read up, no write down
Biba’s Model
• BLP for confidentiality, Biba for integrity
  • Biba is to prevent unauthorized writing
Biba
• Let I(O): the integrity of object O and I(S): the integrity of subject S
• Biba can be stated as
  Write Access Rule: S can write O iff I(O) ≤ I(S)
  (if S writes O, the integrity of O ≤ that of S)
  Biba’s Model: S can read O iff I(S) ≤ I(O)
  (if S reads O, the integrity of S ≤ that of O)
• Often, replace Biba’s Model with
  Low Water Mark Policy: If S reads O, then I(S) = min(I(S), I(O))
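The BLP and Biba rules of the preceding slides written out as checks, plus the low water mark policy, as an added example that is not part of the original deck. The level names are the DoD ones from the slides; the integer integrity scale, the `mediate` reference monitor that applies BLP and Biba together (lowering the subject's integrity on each read under the low water mark policy), and the function names are this example's own.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) rules plus the low
water mark policy.  Added example; integrity values are constructed ints,
higher meaning more trustworthy."""

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def blp_can_read(L_S, L_O):
    """Simple security condition, "no read up": S reads O iff L(O) <= L(S)."""
    return LEVELS[L_O] <= LEVELS[L_S]

def blp_can_write(L_S, L_O):
    """*-property, "no write down": S writes O iff L(S) <= L(O)."""
    return LEVELS[L_S] <= LEVELS[L_O]

def biba_can_write(I_S, I_O):
    """Write access rule: S writes O iff I(O) <= I(S)."""
    return I_O <= I_S

def biba_can_read(I_S, I_O):
    """Biba's model (strict integrity): S reads O iff I(S) <= I(O)."""
    return I_S <= I_O

def low_water_mark_read(I_S, I_O):
    """Low water mark replaces the strict read rule: the read proceeds and the
    subject's integrity becomes min(I(S), I(O)).  Returns the new I(S)."""
    return min(I_S, I_O)

def mediate(subject, obj, op):
    """Reference monitor enforcing BLP and Biba together.  `subject` and `obj`
    are dicts {"L": level name, "I": integrity int}; op is "read" or "write".
    A permitted read lowers the subject's integrity in place (low water mark)."""
    if op == "read":
        if not blp_can_read(subject["L"], obj["L"]):
            return False
        subject["I"] = low_water_mark_read(subject["I"], obj["I"])
        return True
    if op == "write":
        return (blp_can_write(subject["L"], obj["L"])
                and biba_can_write(subject["I"], obj["I"]))
    raise ValueError(f"unknown operation {op!r}")
```

The `mediate` sequence in the test shows the practical cost of the low water mark: once a SECRET subject reads a low-integrity CONFIDENTIAL object, it can no longer write a higher-integrity SECRET object, even though BLP alone would allow it.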
BLP vs Biba
[Figure: two vertical level scales from high to low. Left, BLP (confidentiality): object levels L(O). Right, Biba (integrity): object levels I(O).]
Multilateral Security (Compartments)
Multilateral Security
• Multilevel Security (MLS) enforces access control up and down
• Multilateral security enforces access control across by creating compartments
Multilateral Security
• Suppose TOP SECRET divided into
  • TOP SECRET {CAT} and
  • TOP SECRET {DOG}
• Both are TOP SECRET but information flow restricted across the TOP SECRET level
Multilateral Security
• Why compartments?
  • Why not create a new classification level?
• Restrict information flow across security levels
• Compartments allow us to enforce the need to know principle
  • Subjects are only allowed access to the information that they must know
  • If a subject does not have a legitimate need to know everything at, say, the TOP SECRET level, then compartments can be used to limit the TOP SECRET information that the subject can access.
Multilateral Security
• Arrows indicate the “≥” relationship

  TOP SECRET {CAT, DOG}
  TOP SECRET {CAT}        TOP SECRET {DOG}
  TOP SECRET
  SECRET {CAT, DOG}
  SECRET {CAT}            SECRET {DOG}
  SECRET

• Not all classifications are comparable, e.g., TOP SECRET {CAT} vs SECRET {CAT, DOG}
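The lattice above as code, as an added example that is not part of the original deck: a label is a (level, compartment set) pair, `dominates` is the “≥” relation the arrows stand for, and `comparable` shows the pair the slide calls out (TOP SECRET {CAT} vs SECRET {CAT, DOG}) as incomparable. The level and compartment names are the slide's; the `can_read`/`can_write` generalisation of the BLP rules to labels and the `join` helper (the label that data combined from two sources must carry) are this example's own.

```python
"""Multilateral security labels and the dominance relation of the lattice.
Added example; level names and compartments follow the slide, the functions
are constructed."""

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def label(level, *compartments):
    """Build a label such as label("TOP SECRET", "CAT", "DOG")."""
    return (level, frozenset(compartments))

def dominates(a, b):
    """a >= b (an arrow from a down to b) iff a's level is at least b's and
    a's compartment set contains b's.  This is a partial order: not every
    pair of labels is related."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and ca >= cb

def comparable(a, b):
    return dominates(a, b) or dominates(b, a)

def can_read(subject_label, object_label):
    """Simple security condition on the lattice: read iff the subject's label
    dominates the object's (no read up, no read across compartments)."""
    return dominates(subject_label, object_label)

def can_write(subject_label, object_label):
    """*-property on the lattice: write iff the object's label dominates the
    subject's (no write down, no write across compartments)."""
    return dominates(object_label, subject_label)

def join(a, b):
    """Least upper bound: the lowest label dominating both a and b."""
    (la, ca), (lb, cb) = a, b
    return (max(la, lb, key=LEVELS.get), ca | cb)

def fmt(lbl):
    level, comps = lbl
    return level + (" {" + ", ".join(sorted(comps)) + "}" if comps else "")
```

`join` is what makes the BMA example two slides on bite: a record derived from an AIDS-compartment object and a prescription object would have to carry both compartments, which is the “everything tends toward TOP SECRET” drift the slide describes, unless the compartments are kept apart.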
MLS vs Multilateral Security
• MLS can be used without multilateral security or vice-versa
• But the two are usually used together
MLS vs Multilateral Security
• Example
  • MLS mandated for protecting medical records of British Medical Association (BMA)
  • AIDS was TOP SECRET, prescriptions SECRET
  • What is the classification of an AIDS drug?
  • Everything tends toward TOP SECRET
  • Defeats the purpose of the system!
• Multilateral security was used instead
  • AIDS prescriptions compartmented from others
Covert Channel
Covert Channel
• MLS designed to restrict legitimate channels of communication
• May be other ways for information to flow
• For example, resources shared at different levels may signal information
• Covert channel: “communication path not intended as such by system’s designers”
Covert Channel – Cont.
• Any communication channel that can be exploited by a process to transfer information in a manner that violates the system’s security policy.
• In short, covert channels transfer information using non-standard methods against the system design.
• Covert channels are very useful to hide communications.
• And this can represent serious threats for computer networks.
• Data leaks can be hidden using these channels.
• These hidden channels can be used to hide the real communication, while fake innocent data can be transmitted on the normal channel to appear normal.
• A simple scenario of this is trojans serving as backdoors.
• These programs can continue doing their transmission, which is innocent, and hide the malicious transmissions in covert channels.
Covert Channel Example
• Alice has TOP SECRET clearance, Bob has CONFIDENTIAL clearance
• Suppose the file space is shared by all users
• Alice creates file FileXYzW to signal “1” to Bob, and removes the file to signal “0”
• Once each minute Bob lists the files
  • If file FileXYzW does not exist, Alice sent 0
  • If file FileXYzW exists, Alice sent 1
• Alice can leak TOP SECRET info to Bob!
Covert Channel Example

  Alice:  Create file   Delete file   Create file                 Delete file
  Bob:    Check file    Check file    Check file    Check file    Check file
  Data:   1             0             1             1             0
  Time:   -------------------------------------------------------------------->
Covert Channel
• Other examples of covert channels
  • Print queue, ACK messages
  • Network traffic, etc., etc., etc.
• When does a covert channel exist? Have to satisfy the 3 conditions
  1. Sender and receiver have a shared resource
  2. Sender able to vary property of resource that receiver can observe
  3. Communication between sender and receiver can be synchronized
Covert Channel
• Covert channels exist almost everywhere
• Easy to eliminate covert channels…???
  • Provided you eliminate all shared resources and all communication
• Virtually impossible to eliminate all covert channels in any useful system
• DoD guidelines: goal is to reduce covert channel capacity to no more than 1 bit/second
  • Implication is that DoD has given up trying to eliminate covert channels!
Covert Channel
• Consider 100MB TOP SECRET file
  • Plaintext version stored in TOP SECRET place
  • Encrypted with AES using 256-bit key, ciphertext stored in UNCLASSIFIED location
• Suppose we reduce covert channel capacity to 1 bit per second
  • It would take more than 25 years to leak entire document thru a covert channel
  • But it would take less than 5 minutes to leak 256-bit AES key thru covert channel!
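The file-existence channel from the example slides, the three conditions, and the 1 bit/second arithmetic, in one added example that is not part of the original deck. The audit trace is constructed (names Alice, Bob and FileXYzW follow the slides); `receiver_bits` replays what a once-a-minute directory listing would see, `toggled_names` is a simple audit heuristic that flags a file whose existence is toggled repeatedly within a window (the shared resource and the observable property are conditions 1 and 2; the periodic polling is condition 3), and `seconds_to_leak` works out the 25 years versus under 5 minutes on the last slide. All function names are this example's own.

```python
"""File-existence covert channel: what the low side observes, a cheap audit
heuristic for it, and the capacity arithmetic.  Added example; the trace is
constructed."""

FILE = "FileXYzW"

# Constructed audit trace of the shared file space: (t_seconds, subject, action, filename).
TRACE = [
    (5,   "Alice", "create", FILE),
    (70,  "Alice", "delete", FILE),
    (125, "Alice", "create", FILE),
    (245, "Alice", "delete", FILE),
]

def receiver_bits(trace, filename, period=60, samples=5):
    """What Bob sees: at t = period, 2*period, ..., does the file exist?
    The last create/delete of that name before each check decides."""
    bits = []
    for k in range(1, samples + 1):
        t = k * period
        exists = False
        for ts, _, action, name in trace:
            if ts <= t and name == filename:
                exists = (action == "create")
        bits.append(1 if exists else 0)
    return bits

def toggled_names(trace, window=600, threshold=3):
    """Flag (subject, filename) pairs with at least `threshold` create/delete
    events inside any `window` seconds.  Legitimate use rarely toggles the
    same name that often; a storage channel has to."""
    events = {}
    for ts, subj, action, name in trace:
        if action in ("create", "delete"):
            events.setdefault((subj, name), []).append(ts)
    flagged = []
    for key, times in events.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.append(key)
                break
    return flagged

def seconds_to_leak(n_bits, capacity_bits_per_s=1.0):
    """Time to push n_bits through a channel of the given capacity."""
    return n_bits / capacity_bits_per_s

SECONDS_PER_YEAR = 365 * 24 * 3600
```

The decoded bits for the constructed trace are `[1, 0, 1, 1, 0]`, the sequence drawn on the timeline slide; the two back-to-back 1s come from a single create that survives two polling intervals, which is why the receiver needs the sender to hold each symbol for a full period (condition 3).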
Real-World Covert Channel
• Hide data in TCP header “reserved” field
• Or use covert_TCP tool to hide data in
  • Sequence number
  • ACK number
Real-World Covert Channel
• Hide data in TCP sequence numbers
• Tool: covert_TCP
• Sequence number X contains covert info

  A. Covert_TCP sender  --SYN: spoofed source C, destination B, SEQ: X-->  B. Innocent server
  B. Innocent server    --ACK (or RST): source B, destination C, ACK: X-->  C. Covert_TCP receiver
Inference Control
Inference Control Example
• Suppose we query a database
  • Question: What is the average salary of female CS professors at A University?
  • Answer: $95,000
  • Question: How many female CS professors at A University?
  • Answer: 1
• Specific information has leaked from responses to general questions!
Inference Control and Research
• For example, medical records are private but valuable for research
• How to make info available for research and protect privacy?
• How to allow access to such data without leaking specific information?
Naïve Inference Control
• Remove names from medical records?
• Still may be easy to get specific info from such “anonymous” data
• Removing names is not enough
  • As seen in previous example
• What more can be done?
Less-naïve Inference Control
• Query set size control
  • Don’t return an answer if set size is too small
• N-respondent, k% dominance rule
  • Do not release statistic if k% or more of the result contributed by N or fewer subjects
  • Example: Avg salary in Bill Gates’ neighborhood: a reasonable setting of N and k makes it difficult to find Bill Gates’ salary
  • Used by the US Census Bureau
• Randomization
  • Add small amount of random noise to data
• Many other methods, none satisfactory
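Query set size control and the N-respondent, k% dominance rule applied to a statistical query, as an added example that is not part of the original deck. The salary table is constructed (eight records with one dominant earner standing in for the “Bill Gates’ neighborhood” case); the thresholds and function names are this example's own. The first query reproduces the leak from the “Inference Control Example” slide and shows the size rule suppressing it.

```python
"""Query set size control and N-respondent, k% dominance over a constructed
salary table.  Added example; records, thresholds and names are constructed."""
from statistics import mean

# Constructed records: (id, department, gender, salary).
RECORDS = [
    ("P1", "CS", "F",  95000),
    ("P2", "CS", "M",  90000),
    ("P3", "CS", "M",  88000),
    ("P4", "CS", "M",  91000),
    ("P5", "EE", "F",  87000),
    ("P6", "EE", "F",  86000),
    ("P7", "EE", "M",  89000),
    ("P8", "EE", "M", 400000),   # one dominant earner in EE
]

def query_set(dept=None, gender=None):
    """Rows matching the (optional) predicates."""
    return [r for r in RECORDS
            if (dept is None or r[1] == dept) and (gender is None or r[2] == gender)]

def dominated(rows, n, k):
    """True if the n largest contributors account for k% or more of the total."""
    total = sum(r[3] for r in rows)
    if total == 0:
        return False
    top = sorted((r[3] for r in rows), reverse=True)[:n]
    return 100.0 * sum(top) / total >= k

def count(dept=None, gender=None, min_size=3):
    """Count query under query set size control: None instead of a small count,
    since the count itself is what turned the average into a named salary."""
    rows = query_set(dept, gender)
    return None if len(rows) < min_size else len(rows)

def avg_salary(dept=None, gender=None, min_size=3, n=1, k=50):
    """Average salary released only if both rules pass."""
    rows = query_set(dept, gender)
    if len(rows) < min_size:
        return None                 # query set size control
    if dominated(rows, n, k):
        return None                 # N-respondent, k% dominance rule
    return mean(r[3] for r in rows)
```

The EE average is withheld because one respondent supplies about 60% of the sum; the company-wide average is released because that same respondent is under the 50% threshold once all eight rows are in the query set. Neither rule stops a determined attacker who can difference two large, overlapping query sets, which is the slide's point that none of these methods is satisfactory on its own.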
Inference Control: The Bottom Line
• Robust inference control may be impossible
• Is weak inference control better than no inference control?
  • Yes: Reduces amount of information that leaks and thereby limits the damage
CAPTCHA
Turing Test
• Proposed by Alan Turing in 1950
• Human asks questions to one other human and one computer (without seeing either)
• The human questioner, who can’t see either respondent, must try to determine which is human and which is computer
• If the human questioner cannot distinguish the human from the computer responder, the computer passes the test
• The gold standard in artificial intelligence
• No computer can pass this today
CAPTCHA
• CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
• Automated: test is generated and scored by a computer program
• Public: program and data are public
• Turing test to tell…: humans can pass the test, but machines cannot pass the test
• Like an inverse Turing test (sort of…)
CAPTCHA Paradox
• “…CAPTCHA is a program that can generate and grade tests that it itself cannot pass…”
• Paradox: computer creates and scores test that it cannot pass!
• CAPTCHA used to restrict access to resources to humans (no computers)
• CAPTCHA useful for access control
CAPTCHA Uses?
• Original motivation: automated “bots”
  • Free email services: spammers used bots to sign up for 1000’s of email accounts
  • CAPTCHA employed so only humans can get accts
• Sites that do not want to be automatically indexed by search engines
  • HTML tag only says “please do not index me”
  • CAPTCHA would force human intervention
CAPTCHA: Rules of the Game
• Must be easy for most humans to pass
• Must be difficult or impossible for machines to pass
  • Even with access to CAPTCHA software
  • The only unknown is some random number
• Desirable to have different CAPTCHAs in case some person cannot pass one type
  • Blind person could not pass visual test, etc.
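The server side of the “rules of the game”, as an added example that is not part of the original deck: the generator and grader are ordinary public code, the only unknown is the answer drawn from a cryptographic random source, and each challenge is consumed on its first grading attempt and expires, so that an automated client cannot replay one solved challenge or keep guessing against the same one. The distortion step that makes the answer hard for OCR is outside this example and is represented by a placeholder `render`; the `CaptchaStore` class, the injectable clock and the function names are this example's own.

```python
"""Challenge bookkeeping for a CAPTCHA: random answer, single-use grading,
expiry.  Added example; the rendering step is a placeholder."""
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits   # public, like the program itself
TTL_SECONDS = 120.0

def render(answer):
    """Placeholder for producing the distorted image or audio of `answer`;
    only this rendering (never `answer`) is sent to the client."""
    return f"<distorted rendering of {len(answer)} characters>"

class CaptchaStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # challenge id -> (answer, expiry time)

    def issue(self, length=6):
        """Create a challenge.  Returns (challenge id, answer) for the server;
        the client receives the id and render(answer)."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer, self._clock() + TTL_SECONDS)
        return cid, answer

    def grade(self, cid, response):
        """Score one response.  The challenge is removed on the first attempt,
        right or wrong, so it can be neither replayed nor guessed repeatedly."""
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(answer.encode(),
                                   response.strip().upper().encode())

    def purge_expired(self):
        """Drop stale challenges; returns how many remain pending."""
        now = self._clock()
        self._pending = {c: e for c, e in self._pending.items() if e[1] >= now}
        return len(self._pending)
```

The comparison uses `hmac.compare_digest` so that grading time does not depend on how many leading characters were right; for a six-character answer this matters little, but it costs nothing and keeps the grader from leaking the one thing that is supposed to stay unknown.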
Do CAPTCHAs Exist?
• Test: Find 2 words in the following
[Image: distorted-text CAPTCHA, not preserved in this extraction]
• Easy for most humans
• Difficult for computers (OCR problem)
CAPTCHAs
• Current types of CAPTCHAs
  • Visual
    • Like previous example
    • Many others
  • Audio
    • Distorted words or music
CAPTCHAs and AI
• Computer recognition of distorted text is a challenging AI problem
  • But humans can solve this problem
• Same is true of distorted sound
  • Humans also good at solving this
• Hackers who break such a CAPTCHA have solved a hard AI problem
Assignment 5
• Design and implement your own visual and audio CAPTCHA. Outline possible attacks on your CAPTCHA. How secure is your CAPTCHA?
Seminar Topics
  Sl.No.  Module 9                                                            Module 10
  1.      Certification, Accreditation and Security Assessments:              Introduction to Real World Security Protocols
          Roles and Responsibilities
  2.      Delegation of Roles                                                 SSH
  3.      The Security Certification and Accreditation Process                SSL
  4.      Security Certification Documentation                                IPSec
  5.      Accreditation Decisions                                             Kerberos
  6.      Continuous Monitoring                                               WEP
