Access control, database security and cloud computing (ITU, 24/09/2013)

5.1 Contents
• A model for access control
• Access control in operating systems
  — File protection
  — Linux versus Windows
  — Encrypting file system
• Role-based access control
• The operating system and its role
• Virtual machines
• Database security
• Cloud computing

5.2 Access control / authorization
• Access control is a central topic in IT security
• Gollmann's definition of computer security:
  — Computer security deals with the prevention and detection of unauthorised actions by users (or processes) of a computer system.
• Correct access control presupposes
  — Authentication
  — Authorization
• Proper authorisation assumes the existence of a security policy
  — i.e. a set of rules that state which actions are permitted and which actions are prohibited.
• The (security) domain of a security policy is
  — the set of entities, i.e. users, data objects, machines, etc., that are governed by the policy.

5.3 Basic model for access control
• Reference monitor model (figure): subjects (owner, group, world, process, ...) pass identification and authentication; every access to an object then goes through the reference monitor, which performs the authorization decision and writes audit records (syslog)
• Objects: files, directories, external devices, memory, database fields, ...
• Access rights: read, write, append, execute, delete, create, search, ...

5.4 Security model: the access control matrix
• First introduced by Butler W. Lampson in 1971
• Access control matrix: a matrix of access rights
          file.1   file.2   file.3
  user1   owrx     r
  user2   owr
  user3   x                 x
• Columns:
  — Access Control List (ACL)
  — Bound to the object
  — The check is placed close to the data
• Rows:
  — Capabilities
  — Bound to the subject (what the user may do)

5.5 Plain old vanilla UNIX (Linux)
• Subjects: users are collected in groups and "others"
• Objects: everything is a file
• The basic protection in UNIX/Linux: user, group, other
• Bit-oriented: chmod 640 "filename"
• Password file:
  — rachel:eH5/.mj7NB3dx:181:100:Cohen:/u/rachel:/bin/ksh  (Rachel's entry)
  — guest:b5/&&mj7B3a77:1081:1000:guest:/u/guest:/bin/ksh  (restricted guest)
• Rachel: the UID is 181 and the primary GID is 100.
• Superuser (the almighty root) versus ordinary users

5.6 UNIX continued
• SUID (setuid), Set User-ID: allows a program to run with higher privileges than normal
• Example
  — Access rights for passwd (the program): -r-s--x--x root /usr/bin/passwd
  — Access rights for the password file: -rw-r--r-- root /etc/passwd
• The passwd program is thus run with root privileges.
• So the security has to lie in the program!
• Confused deputy: a classic security problem

5.7 Windows (2K ->)
• Protection is divided into:
  — owner
  — group (number and composition "unlimited" = ACL)
  — roles (e.g. administrator, power user)
• Standalone: local groups (ACL)
• Domains: global groups and local groups; Active Directory
• (Slide overlay: "Denied unless authorized!!")
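The matrix on slide 5.4 and the reference-monitor figure on slide 5.3, as an added example that is not code from the lecture: a sparse Lampson matrix where reading a column gives an object's ACL, reading a row gives a subject's capability list, and every decision goes through one check() that also writes an audit record. The subjects, objects and rights are constructed to match the slide's table (read left to right), and the audit list stands in for syslog.

```python
"""Access control matrix with ACL and capability views behind a reference monitor.

Added example, not code from the lecture: the matrix is stored sparsely as
{subject: {object: set_of_rights}}. A column is the object's ACL, a row is the
subject's capability list, and every access decision goes through check(),
which also appends an audit record (the "syslog" arrow in the figure).
Subjects, objects and rights below are constructed from the slide's table.
"""
from collections import defaultdict

# Right letters follow the slide's matrix: o = owner, w = write, r = read, x = execute.
RIGHTS = frozenset("owrx")


class ReferenceMonitor:
    def __init__(self):
        self._matrix = defaultdict(dict)   # subject -> {object -> set(rights)}
        self.audit = []                    # (subject, object, right, decision)

    def grant(self, subject, obj, rights):
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self._matrix[subject].setdefault(obj, set()).update(rights)

    def revoke(self, subject, obj, rights):
        cell = self._matrix.get(subject, {}).get(obj)
        if cell:
            cell.difference_update(rights)

    def acl(self, obj):
        """Column view: the object's Access Control List (subject -> rights)."""
        return {s: set(row[obj]) for s, row in self._matrix.items() if row.get(obj)}

    def capabilities(self, subject):
        """Row view: the subject's capability list (object -> rights)."""
        return {o: set(r) for o, r in self._matrix.get(subject, {}).items() if r}

    def check(self, subject, obj, right):
        """The single decision point: allow only if the matrix cell holds the right."""
        allowed = right in self._matrix.get(subject, {}).get(obj, set())
        self.audit.append((subject, obj, right, "ALLOW" if allowed else "DENY"))
        return allowed


def build_slide_matrix():
    """The slide's example matrix (constructed reading of the flat table)."""
    rm = ReferenceMonitor()
    rm.grant("user1", "file.1", "owrx")
    rm.grant("user1", "file.2", "r")
    rm.grant("user2", "file.1", "owr")
    rm.grant("user3", "file.1", "x")
    rm.grant("user3", "file.3", "x")
    return rm


if __name__ == "__main__":
    rm = build_slide_matrix()
    print("ACL of file.1:", rm.acl("file.1"))
    print("capabilities of user3:", rm.capabilities("user3"))
    print("user2 write file.1:", rm.check("user2", "file.1", "w"))
    print("user3 read file.1:", rm.check("user3", "file.1", "r"))
    for entry in rm.audit:
        print("audit:", entry)
```

Both views come from the same cells, which is the point of the slide: an ACL system and a capability system enforce the same matrix but store it by column or by row, and only the storage decides whether revocation is cheap per object or per subject.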
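The UNIX rules on slides 5.5 and 5.6 (the user/group/other triplets, chmod 640, and the setuid bit on /usr/bin/passwd), as an added example that is not code from the lecture: a parser for ls-style mode strings, the classic "exactly one triplet applies" check, and the effective uid a caller gets when executing a setuid file. The uids and gids follow the slide's /etc/passwd lines (rachel 181/100, guest 1081/1000); the file ownerships used in the demo are constructed.

```python
"""UNIX mode bits: who may access a file, and what a setuid bit does.

Added example, not from the slides: parses an ls(1)-style mode string such as
"-r-s--x--x", or takes an octal chmod argument such as 0o640, applies the
classic user/group/other rule (exactly one triplet applies, chosen by
ownership), and reports the effective uid a process gets when it executes a
setuid file. uids/gids follow the slide's passwd lines; ownerships are constructed.
"""
import stat

# The nine permission slots in an ls-style string, after the file-type character.
_SLOTS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
          stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
          stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# Execute slot -> the special bit that 's'/'t' in that slot denotes.
_SPECIAL = {stat.S_IXUSR: stat.S_ISUID, stat.S_IXGRP: stat.S_ISGID, stat.S_IXOTH: stat.S_ISVTX}


def parse_ls_mode(text):
    """'-r-s--x--x' -> 0o4511. 's'/'t' set the special bit; lowercase also sets x."""
    if len(text) != 10:
        raise ValueError("expected a 10-character mode string")
    mode = 0
    for ch, bit in zip(text[1:], _SLOTS):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT" and bit in _SPECIAL:
            mode |= _SPECIAL[bit]          # setuid, setgid or sticky
            if ch in "st":
                mode |= bit                # the execute bit is set as well
        else:
            raise ValueError(f"bad character {ch!r} in mode string")
    return mode


def allowed(mode, file_uid, file_gid, uid, gids, want):
    """True if a process (uid, gids) may perform every access in `want` ('r', 'w', 'x').

    Only one triplet is consulted: owner if uid matches, else group if the file's
    gid is in the process's group set, else other. The superuser bypasses the
    read and write checks and may execute if any execute bit is set.
    """
    if uid == 0:
        return all(c != "x" or mode & 0o111 for c in want)
    if uid == file_uid:
        triplet = (mode >> 6) & 0o7
    elif file_gid in gids:
        triplet = (mode >> 3) & 0o7
    else:
        triplet = mode & 0o7
    need = {"r": 4, "w": 2, "x": 1}
    return all(triplet & need[c] for c in want)


def effective_uid_on_exec(mode, file_uid, uid):
    """The confused-deputy mechanism: a setuid file runs as its owner, not the caller."""
    return file_uid if mode & stat.S_ISUID else uid


if __name__ == "__main__":
    passwd_prog = parse_ls_mode("-r-s--x--x")   # /usr/bin/passwd, owned by root
    passwd_file = parse_ls_mode("-rw-r--r--")   # /etc/passwd, owned by root
    rachel, rachel_gids = 181, {100}
    print("rachel may run passwd:", allowed(passwd_prog, 0, 0, rachel, rachel_gids, "x"))
    print("passwd then runs as uid:", effective_uid_on_exec(passwd_prog, 0, rachel))
    print("rachel may write /etc/passwd directly:",
          allowed(passwd_file, 0, 0, rachel, rachel_gids, "w"))
```

The last three lines are the slide's argument in code: rachel cannot write /etc/passwd herself, but the setuid bit turns passwd into a deputy running as root, so every check on what she is allowed to change has to live inside that program. The `0o070` case in the test shows the triplet rule's edge: an owner whose own triplet is empty is refused even though the group bits would allow the access.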
• SAM (Security Account Manager) manages passwords
• Security identifiers (SIDs)
• Hashed passwords
• Registry tailored to the user's needs
• NT file protection (for NTFS, but not for FAT)
• Fine-grained security (single file, single user)
• Very flexible, and hard to keep an overview of

5.8 Vista permissions (access rights)
(figure)

5.9 Encrypting file system
(figure) The plaintext ("Launch key for nuclear missile is...") is encrypted with DES under a session key to produce the output file ("*#$fjda^j u539!3t 389E *&\@ &%hT^uy#Kl2!"). The session key is RSA-encrypted under the owner's public key and stored, together with the owner's name and public key, in the Data Decryption Field (DDF, "uK&$j)-!il"); it is encrypted once more under the recovery agent's public key and stored with the agent's name and public key in the Data Recovery Field (DRF). Other users' DDFs are attached in the same way.

5.10 Built-in groups
• Administrators: members of this group have the largest amount of default permissions and the ability to change their own permissions.
• Backup Operators: members of this group can back up and restore files on the computer, regardless of any permissions that protect those files.
• Power Users: members of this group can create user accounts.
• Users: members of this group can perform most common tasks.
• Guests: members of this group can also shut down the system on a workstation.
• Replicator: the Replicator group supports directory replication functions.
• Interactive: this group contains the user who is currently logged on to the computer.
• Network: this group contains all users who are currently accessing the system over the network.
• Terminal Server User.

5.11 Capabilities: local user rights (XP)
(figure)

5.12 Access control policies
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Role-based access control (RBAC)

5.13 Role-based access control
• User: an individual that has access to this computer system. Each individual has an associated user ID.
• Role: a named job function within the organization that controls this computer system. Typically, associated with each role is a description of the authority and responsibility conferred on this role, and on any user who assumes this role.
• Permission: an approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization.
• Session: a mapping between a user and an activated subset of the set of roles to which the user is assigned.

5.14 Role assignment and permissions
(figure)

5.15 Four RBAC models
(figure)

5.16 The operating system

5.17 (figure) Applications / middleware / applications / API / OS services / operating system / hardware. Historically: executives -> monitors. Access control in every layer.

5.18 Two perspectives
• Virtualisation
  — Encapsulation (of procedures, a single access point, ...)
  — Information hiding (no direct access to OS data)
  — Standardisation (independent of the hardware): POSIX
• Resource allocation
  — The process concept (a running instantiation of a program)
  — The OS as "big brother"
  — Controls access to the CPU, memory, I/O, disk, etc.
• In which layer should security be built in?
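The four RBAC definitions on slide 5.13 (user, role, permission, session) and the assignment relations on slide 5.14, as an added example that is not code from the lecture: users are assigned roles, roles are granted (operation, object) permissions, and a session activates only a subset of the user's assigned roles, so a check passes only through a role that is both assigned and active. The users, roles and permissions are constructed, and the model is flat RBAC without a role hierarchy.

```python
"""Role-based access control with sessions, after the slide's four definitions.

Added example, not from the lecture: users are assigned roles (UA), roles are
granted permissions (PA) expressed as (operation, object) pairs, and a session
activates a subset of the user's assigned roles. An access is allowed only if a
role active in the session holds the permission, so activating fewer roles than
assigned gives least privilege. Names below are constructed; no role hierarchy.
"""
from collections import defaultdict
import itertools


class RBAC:
    def __init__(self):
        self.user_roles = defaultdict(set)   # UA: user -> roles the user may assume
        self.role_perms = defaultdict(set)   # PA: role -> {(operation, object)}
        self.sessions = {}                   # session id -> (user, active roles)
        self._ids = itertools.count(1)

    def assign_role(self, user, role):
        self.user_roles[user].add(role)

    def grant(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))

    def open_session(self, user, roles):
        """Activate a subset of the user's assigned roles; refuse anything else."""
        roles = set(roles)
        not_assigned = roles - self.user_roles[user]
        if not_assigned:
            raise PermissionError(f"{user} is not assigned {sorted(not_assigned)}")
        sid = next(self._ids)
        self.sessions[sid] = (user, roles)
        return sid

    def add_active_role(self, sid, role):
        """Raise privilege inside a session, still bounded by the assignment."""
        user, active = self.sessions[sid]
        if role not in self.user_roles[user]:
            raise PermissionError(f"{user} is not assigned {role}")
        active.add(role)

    def check(self, sid, operation, obj):
        """Allowed iff one of the session's active roles holds (operation, obj)."""
        _, active = self.sessions[sid]
        return any((operation, obj) in self.role_perms[r] for r in active)

    def permissions_of(self, user):
        """Everything the user could ever do: the union over all assigned roles."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))


def build_example():
    """A constructed university setting: one user assigned two roles."""
    rbac = RBAC()
    rbac.grant("student", "select", "timetable")
    rbac.grant("teaching_assistant", "select", "grades")
    rbac.grant("teaching_assistant", "update", "grades")
    rbac.grant("registrar", "delete", "grades")
    rbac.assign_role("rachel", "student")
    rbac.assign_role("rachel", "teaching_assistant")
    return rbac


if __name__ == "__main__":
    rbac = build_example()
    sid = rbac.open_session("rachel", ["student"])
    print("as student, select grades:", rbac.check(sid, "select", "grades"))
    rbac.add_active_role(sid, "teaching_assistant")
    print("with TA active, update grades:", rbac.check(sid, "update", "grades"))
    print("all permissions rachel could hold:", sorted(rbac.permissions_of("rachel")))
```

The split between permissions_of (the static assignment) and check (the session) is what the slide's "activated subset" buys: an audit of who could do what reads the assignment, while a running program is limited to what was activated.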
5.19 Virtualisation / layering of the OS
(figure)

5.20 The OS as resource manager, and the process concept
• The process concept
• Resources managed by the kernel (examples):
  — The CPU
  — Main memory
  — Swap space
  — The file system
  — Process management facilities
  — Clock functions
  — Network facilities
  — Peripheral interfaces

5.21 The CPU uses ring-based security
• The hardware allows two or more modes
  — Intel Pentium (from the 80386 onwards):
    Level 0: operating system kernel
    Level 1: rest of the operating system
    Level 2: I/O drivers etc.
    Level 3: user mode
  — Motorola 68030: 2 levels
• Privileged instructions
  — Used for system control
  — Can only be executed at ring 0
  — Gates for transfer

5.22 Protection domains
• Simplified computer (figure): userland (user) above the OS (privileged mode); the OS is entered by controlled invocation (a trap instruction) or by an external hardware interrupt
• Switching between userland and kernel mode happens through a trap instruction
• Registers are saved etc.: a context switch

5.23 Use of processor protection
• UNIX (RISC, Motorola 68030): 2 possible modes
• NT - XP: 2 possible modes
• VAX/VMS: 4 possible modes
• OS/2: 4 possible modes
• Multics: 8 possible modes
• DOS: 1 possible mode
• More modes support the principle of least privilege (the least necessary right)

5.24 Virtualisation
(figure) Several VMMs on top of a hypervisor that provides base functionality (e.g. scheduling) and enhanced functionality
• Virtual machines
• System virtual machines: hypervisor (virtual machine monitor)
  — Type 1: native VM
  — Standard x86 processors do not meet the requirements for virtualisation
  — Type 2: hosted VM
  — VMware, VirtualBox, Virtual PC
• Process virtual machines
  — Java, .NET framework

5.25 Features in new processors
• Intel Virtualization Technology (VT-x)
  — Processors with Virtualization Technology have an extra instruction set called Virtual Machine Extensions or VMX, limited to the hypervisor (a kind of Ring -1).
• System Management Mode (SMM)
  — An operating mode in which all normal execution (including the operating system) is suspended, and special separate software (usually firmware or a hardware-assisted debugger) is executed in high-privilege mode (a kind of Ring -2)
  — SMM is entered via the SMI (system management interrupt)
• Intel Active Management Technology (AMT)
  — Includes hardware-based remote management features, security features, power-management features, and remote-configuration features. The features allow an IT tech to access an AMT PC when traditional techniques and methods to manage the PC are not available (a kind of Ring -3).
• Trusted Execution Technology (TXT)
  — A versatile set of hardware extensions to Intel processors and chipsets that enhance the digital office platform with security capabilities such as measured launch and protected execution (i.e. Trusted Platform Module)

5.26 Database security: the inference problem

5.27 Definition
• Database: a collection of stored operational data (entities & relations) used by the application systems of some particular enterprise
• Database management system (database manager)
• Database models
  — Hierarchical database
  — Network database
  — Relational database

5.28 Relational database
• Relation (table): a set of ordered data
  — record, tuple
  — attribute, field, column
• Relational algebra, SQL, QBE
• Simplicity, symmetry
• The father of relational databases: Dr. E. F. Codd at IBM, late 1960s
  — "A Relational Model of Data for Large Shared Data Banks"

5.29 Example: relational database
Table person
  Name      Phone     Street       Postcode
  Hansen    45454545  Vestergade   4000
  Petersen  37373737  Østergade    8000
  Jensen    90909090  Nørregade    7600
  Madsen    11111111  Stationsvej  3000
Table by
  Postcode  Town
  4000      Roskilde
  3000      Helsingør
  7600      Struer
  8000      Århus C

5.30 Databases
• Why a security interest in databases?
  — A valuable company asset (data / information)
  — The security problems are not solved yet
• (figure) user -> application -> DBMS -> OS -> object files. Virtualisation creates security and data independence: avoid short-circuiting the layered protection!!

5.31 Security requirements (1)
• Basic security requirements for databases:
• Confidentiality (e.g. sensitive data)
  — Sensitive data, possibly with legal requirements for protection
  — Information versus data; the control is often close to the user
• Integrity (e.g. medical data)
  — Referential integrity rule
  — Field check: digits, letters, range
  — Consistency check (state / transition constraints)
  — Conflict between integrity and confidentiality
• Availability
  — Deadlock when several users update at the same time

5.32 Security requirements (2)
• Auditability
  — Change log. We cannot prevent deliberate attacks by a legitimate user, but we can keep a log (integrity + secrecy)
  — Possibly all reads/writes to and from users
  — But what about granularity and pass-through problems?
• Non-repudiation
• User authentication
  — Password + time
• Access control
  OS: read, write, execute
  DBMS: select, insert, update, create, delete, exec SQL
  — Not as simple as in the OS
  — Many data and access modes (at table, tuple or element level)

5.33 Sensitive data
• Simple types of disclosure
  — Exact data (intentional/unintentional)
  — Bounds
  — Negative results
  — Existence
  — Probable values
• The essential dilemma is privacy versus precision. There is no universal solution.

5.34 Example
• TABLE: students
• Direct or camouflaged attacks
• SELECT name FROM students WHERE sex='m' ∧ drugs=1;
• ....
  — Control: the rule "n items over k percent"

5.35 SQL security model
• SQL allows discretionary access control right down to individual attributes:
  GRANT SELECT, UPDATE (Drugs) ON TABLE students TO rektor;
• as well as views:
  CREATE VIEW bopæl AS SELECT Name, Dorm FROM students WHERE Sex = 'F';

5.36 Inference
• Inference: deriving sensitive information from non-sensitive data
• Aggregate functions: COUNT, SUM, AVG, MAX, MIN
• Aggregates can be more or less sensitive than the individual elements
• Example:
  — SUM
  — COUNT
  — The SUM table gives an example of "disclosure of a negative result" (F, Grey)
  — The combination of the two aggregates can reveal sensitive data (e.g. the exact student grant for (M, Holmes))

5.37 Inference and the tracker attack
• Tracker attack: a query technique for obtaining sensitive data by circumventing the concealment of "small numbers"
  — count(sex=f, race=c, dorm=Holmes) gives 1 and is suppressed to protect privacy
  — but count(sex=f) and count(sex=f, race≠c, dorm≠Holmes) can be evaluated separately and give 6-5=1, i.e. the sought result

5.38 Controls for statistical attacks
• Suppression
• Limited response suppression
• Possibly use a change log to keep track of the users' knowledge (state)
• Concealing
• Combining results
• Random sample
• Random data perturbation

5.39 Example: Oracle DB security
• Strong user authentication
  — Oracle password-based authentication: minimum length, complexity, disallow easily guessed words
  — Host-based authentication
  — Third-party-based authentication: biometric, RADIUS
  — PKI-based authentication
  — Mutual authentication
• Auditing by: statement, use of privilege, object, user
• Privileges
  — Security by default
  — Least privilege
  — Grant/revoke
  — System/object
• ...

5.40 SQL injection
• The paranoid security officer:
  — Only port 80 open
  — Patched to the hilt
• But
  — Interactive, with input from the user (e.g.
login with a password, which is checked against a database)
• The hacker looks for:
  — FORM tags in the HTML code
  — ASP, JSP, CGI and PHP web pages
  — Error messages

5.41 SQL injection (continued)
• SQL statement (example)
  — SELECT email, passwd, id, name FROM table WHERE email = '$email';
• Normal input: [email protected] (= $email)
• Simple attack: something' or 'x'='x
• Test for attribute names: x' AND email IS NULL; --
• The server response can leak information
• Test for table names: x' AND 1 = (SELECT COUNT(*) FROM xname); --
  x' AND members.email IS NULL; --
• The final blow: x' DROP TABLE members; --

5.42 Cloud computing
Cloud Computing is a general term used to describe a new class of network based computing that takes place over the Internet.

5.43 Basic characteristics
• No need to know
  — in terms of the underlying details of the infrastructure; applications interface with the infrastructure via the APIs.
• Flexibility and elasticity
  — allows these systems to scale up and down at will, utilizing resources of all kinds
• Pay as much as used and needed
  — a type of utility computing and the "always on, anywhere and any place" type of network-based computing.

5.44 Essential characteristics
• On-demand self-service.
  — A consumer can unilaterally provision computing capabilities, as needed automatically without requiring human interaction with each service provider.
• Broad network access.
  — Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
• Resource pooling.
  — The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
• Rapid elasticity.
  — Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
• Measured service.
  — Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service.

5.45 Service models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

5.46 Deployment models
• Private cloud.
  — The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
• Community cloud.
  — The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
• Public cloud.
  — The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them.
• Hybrid cloud.
  — The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.

5.47 Cloud computing and security
• Some key issues: trust, multi-tenancy, encryption, compliance
• Trusting the vendor's security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can't be examined
• Loss of physical control

5.48 Tokenization: a solution?
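The tracker attack of slide 5.37 and two of the controls listed on slide 5.38 (query-set-size suppression with the "n items over k percent" rule from slide 5.34, and a per-user log of released query sets as the "state" control), as an added example that is not code from the lecture. The students table, the thresholds n=2 and k=50, and the column names are constructed; the rows are built so that exactly one female student is in race "c" and dorm "Holmes", giving the slide's 6 and 5.

```python
"""Query controls for a statistical database (slides 5.37 and 5.38).

Added example, not from the lecture: a constructed students table is queried
only through aggregates, and a gate applies two of the slide's controls.
(1) Query-set-size rule: a COUNT or SUM over fewer than n rows, or more than
N-n rows, is suppressed, and a SUM dominated by one record ("over k percent")
is suppressed too. (2) Per-user state: a query whose set differs from an
already released set by fewer than n rows is refused, which blocks the
tracker's 6 - 5 = 1. Rows, thresholds and column names are constructed; two
colluding users, or a user with a fresh account, are not caught by per-user state.
"""

ROWS = [  # constructed: exactly one female student is in race "c" and dorm "Holmes"
    {"id": 1,  "sex": "F", "race": "c", "dorm": "Holmes", "aid": 5000},
    {"id": 2,  "sex": "F", "race": "b", "dorm": "Grey",   "aid": 0},
    {"id": 3,  "sex": "F", "race": "a", "dorm": "West",   "aid": 3000},
    {"id": 4,  "sex": "F", "race": "b", "dorm": "Grey",   "aid": 1000},
    {"id": 5,  "sex": "F", "race": "c", "dorm": "West",   "aid": 2000},
    {"id": 6,  "sex": "F", "race": "c", "dorm": "Grey",   "aid": 4000},
    {"id": 7,  "sex": "M", "race": "c", "dorm": "Holmes", "aid": 1500},
    {"id": 8,  "sex": "M", "race": "b", "dorm": "Holmes", "aid": 0},
    {"id": 9,  "sex": "M", "race": "a", "dorm": "West",   "aid": 2500},
    {"id": 10, "sex": "M", "race": "c", "dorm": "Grey",   "aid": 3000},
]

SUPPRESSED = None   # returned instead of a value that would disclose a record


class StatDB:
    def __init__(self, rows=ROWS, n=2, k=50):
        self.rows, self.n, self.k = rows, n, k
        self.released = {}   # user -> list of query sets (row-id sets) already answered

    def _gate(self, user, query_set, value):
        n, total = self.n, len(self.rows)
        # Query-set-size control: tiny sets name individuals, and near-complete
        # sets name them by complement (count(all) - count(all but one)).
        if len(query_set) < n or len(query_set) > total - n:
            return SUPPRESSED
        # State control: if this set differs from a released set by fewer than n
        # rows, subtracting the two answers would isolate those rows.
        for earlier in self.released.get(user, []):
            if 0 < len(query_set ^ earlier) < n:
                return SUPPRESSED
        self.released.setdefault(user, []).append(query_set)
        return value

    def count(self, user, predicate):
        hits = [r for r in self.rows if predicate(r)]
        return self._gate(user, {r["id"] for r in hits}, len(hits))

    def total_aid(self, user, predicate):
        hits = [r for r in self.rows if predicate(r)]
        s = sum(r["aid"] for r in hits)
        # "over k percent": one record carrying more than k% of the sum is as good as disclosed.
        if hits and max(r["aid"] for r in hits) * 100 > self.k * s:
            return SUPPRESSED
        return self._gate(user, {r["id"] for r in hits}, s)


def female(r):
    return r["sex"] == "F"


def target(r):          # the slide's suppressed query: count(sex=f, race=c, dorm=Holmes)
    return female(r) and r["race"] == "c" and r["dorm"] == "Holmes"


def tracker(r):         # the slide's complement: all females except the target
    return female(r) and not (r["race"] == "c" and r["dorm"] == "Holmes")


if __name__ == "__main__":
    db = StatDB()
    print("count(sex=F):", db.count("alice", female))        # 6, released
    print("count(target):", db.count("alice", target))       # suppressed: 1 < n
    print("count(tracker):", db.count("alice", tracker))     # suppressed: differs from a released set by 1
```

Size suppression alone answers both tracker queries, because 6 and 5 are each well inside the allowed range; only the comparison against what this user has already received catches the pair. That comparison is the slide's change-log idea, and its limit is visible in the test: a second account gets the 5 immediately.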
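The lookup on slide 5.41 written twice, as an added example that is not code from the lecture: once with $email spliced into the statement text, as on the slide, and once with the value bound as a parameter. An in-memory SQLite table named members (the slide's table name) holds two constructed rows; the slide's simple attack input returns every row from the spliced version and nothing from the bound one.

```python
"""Slide 5.41's lookup twice: string splicing versus a bound parameter.

Added example, not from the lecture: an in-memory SQLite table of constructed
members, a lookup that builds the slide's statement by splicing $email into
the SQL text, and the same lookup with a placeholder. The slide's simple attack
input (something' or 'x'='x) turns the spliced WHERE clause into a tautology;
bound as a parameter it is just a string that matches no email.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, passwd TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO members (email, passwd, name) VALUES (?, ?, ?)",
        [("rachel@example.org", "hash-1", "Rachel Cohen"),   # constructed rows
         ("guest@example.org", "hash-2", "Guest")],
    )
    return db


def lookup_vulnerable(db, email):
    """The slide's pattern: the user's value becomes part of the statement text."""
    sql = f"SELECT email, passwd, id, name FROM members WHERE email = '{email}'"
    # Python's sqlite3 execute() refuses more than one statement, so a stacked
    # "; DROP TABLE" would raise here. That is an accident of this API, not a
    # defence: the tautology below still returns every row.
    return db.execute(sql).fetchall()


def lookup_safe(db, email):
    """Same query with the value bound as a parameter: it can never become SQL."""
    sql = "SELECT email, passwd, id, name FROM members WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    normal = "rachel@example.org"
    attack = "something' or 'x'='x"
    print("vulnerable, normal input:", lookup_vulnerable(db, normal))
    print("vulnerable, attack input:", lookup_vulnerable(db, attack))   # every row
    print("safe, attack input      :", lookup_safe(db, attack))         # no rows
```

The fix is not escaping the quote but keeping data and statement apart: with a bound parameter the database engine never parses the value, which is why the "paranoid" port-80-only setup on slide 5.40 does nothing against this class of bug and the parameterised query does.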