
Access Control

  • 06-01-2004 2:37pm
    #1
    Closed Accounts Posts: 20,759 ✭✭✭✭


    Work is dragging, need something to occupy time. I'll make a brief security post. (or long winded depending on how quickly I get fed up of typing).

    General security is usually a hard topic to start off on as it is so broad-based. I will give a brief outline on the lower end of security, AC and design.

    The core security model can determine the difference between a secure operating system and a weak operating system. It is much like building a fancy house on a poor foundation; it may look good, but underneath, it is really nothing more than a fancy house. Give it 10 years, it will fall. This also applies for any given operating system.

    We really only have two kinds of operating systems at the core. One of which is a standard day-to-day server-end or desktop-end operating system (which would be a part of group 2), or a Trusted operating system.

    To implement trusted standards for everyday use could affect the functionality of a standard desktop operating system. It would also add complications for anybody who isn't familiar with how each standard or model design works.

    We will start off with a basic access control standard. Discretionary Access Control, otherwise known as DAC. We also have ACLs (access control lists, but that is beyond the scope of this paper).

    DAC is used in your everyday operating system to limit access to a given file/object. In its most simplistic form, DAC will allow a user to set the privileges of a file/object. This offers security if used correctly, but it rarely is. Take the following for example.

    -rwxr--r-- 1 dlofnep high 11 Jun 13 02:23 secret

    Here we have a file named secret. And isn't that beautiful, it is world readable. I have been a silly sod and allowed world readable access to my secret file.

    Note for the curious:

    Secret is really a love letter to Bill Gates to express how much I love Windows. He has still never replied ;(

    This is not a rare occurrence as one may think. File access misconfigurations are probably the most common cause of a system to be compromised. It happens every day, but every day it is shunned and still treated as a standard security control.

    As we can see, the main problem with DAC is that it is user-end security, which usually ends up very poor. That is where operating system security comes in. Let me introduce you to MAC. Do not confuse this with a mac address.

    MAC stands for mandatory access control, which you may have guessed is system-end policies that are made mandatory; meaning, you cannot change them. Even if you own the file, it is impossible for you to misconfigure it as you will not be able to change the access permissions of the file.

    Imaginary scenario:

    DAC implementation:

    dlofnep@darpa.gov] ls -al

    -rwx------ 1 dlofnep high 06 Jan 13 02:23 donotread

    dlofnep@darpa.gov] chmod 777 donotread
    dlofnep@darpa.gov] ls -al

    -rwxrwxrwx 1 dlofnep high 06 Jan 13 05:23 donotread

    MAC implementation:

    dlofnep@darpa.gov] ls -al

    -r-------- 1 dlofnep high 06 Jan 13 02:23 donotread

    dlofnep@darpa.gov] chmod 777 donotread

    dlofnep@darpa.gov] ls -al

    -r-------- 1 dlofnep high 06 Jan 13 02:23 donotread

    As we can see here, MAC would have saved our file's access from being altered.

    So in theory and action, a lot of privilege-escalation-based attacks could be halted altogether by implementing a more fine-grained and strict access control, thus creating a more secure operating system environment.

    Any comments or suggestions, feel free to ask.
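
The world-readable `secret` file and the `chmod 777` scenario from the post above, as an added example that is not part of the original post: a Python audit that finds files granting access to "other" under DAC, revokes it, and shows that the owner can loosen a file again at will. The function names and the temporary sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# Permission bits granted to "other" (everyone who is neither owner nor group).
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def audit_world_access(root):
    """Return {path: mode string} for regular files that grant any access to 'other'."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & OTHER_BITS:
                findings[path] = stat.filemode(st.st_mode)
    return findings


def revoke_world_access(path):
    """Clear the 'other' bits, leaving owner and group bits untouched."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~OTHER_BITS)
    return stat.filemode(os.lstat(path).st_mode)


def demo():
    """Build a constructed sample tree and walk through the post's scenario."""
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "secret")
        private = os.path.join(root, "donotread")
        for path, mode in ((secret, 0o744), (private, 0o700)):
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(path, mode)  # explicit chmod, so the umask does not interfere

        before = audit_world_access(root)    # only 'secret' (-rwxr--r--) is flagged
        fixed = revoke_world_access(secret)  # 'other' read bit removed
        os.chmod(private, 0o777)             # DAC: the owner can undo protection at will
        after = audit_world_access(root)     # now 'donotread' is flagged instead
        names = lambda d: {os.path.basename(p): m for p, m in d.items()}
        return names(before), fixed, names(after)


if __name__ == "__main__":
    print(demo())
```

An audit like this only reports the state at the time it runs; under DAC nothing stops the owner from changing the mode again afterwards, which is the gap a mandatory policy closes.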


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,695 Mod ✭✭✭✭Capt'n Midnight


    Ah, welcome to Windows - default file/share Everyone=Full Control
    (and Account Operators can make themselves Administrators - even Power Users can in some cases)

    For Windows look at CACLS.EXE and RMTSHARE.EXE (resource kit) to set permissions from batch files without resetting existing file permissions in subfolders.
    [php]
    REM %UNC% is a UNC path
    REM %USR% is the user (or group name)
    REM <Y redirects input from a file named Y, which answers the
    REM confirmation prompt of the first call (the one without /e)
    Cacls %UNC% /t /c /G "Domain Admins":F <Y
    Cacls %UNC% /t /e /c /G %USR%:C
    Cacls %UNC% /t /e /c /G SYSTEM:F
    Cacls %UNC% /t /e /c /G "Backup Operators":R

    REM %SHR% is the share name (if it ends in $ it is not displayed to Windows users - Linux users etc. can see it)
    REM %PTH% is the path of the shared folder

    Rmtshare %SHR%=%PTH%
    RmtShare %SHR% /Remark:"DUBLIN - %2 %3"
    Rmtshare %SHR% /Grant "Domain Admins":F
    Rmtshare %SHR% /Grant %USR%:C
    [/php]


  • Registered Users Posts: 4,676 ✭✭✭Gavin


    For an implementation of a MAC system, have a look at SELinux.
    http://www.nsa.gov/selinux/

    Some good articles are on that site detailing MAC itself and the SELinux implementation of it.
    http://www.nsa.gov/selinux/freenix01-abs.html

    http://www.nsa.gov/selinux/slinux-abs.html

    From the little I have read on MAC, it does seem quite useful for restricting some traditional attacks. An example I have seen is of a CGI script. Using a MAC policy system, it would be possible to specify that the CGI script cannot create a child process, thus disallowing it from executing scripts/programs it shouldn't and the same for accessing data. That's just a rough idea, probably wrong.

    It would be interesting to see if a MAC system could be useful in other areas such as honeypots..

    For trusted computing, have a look at http://www.trustedcomputing.org/home. I've a simplistic paper written on TCPA at http://www.redbrick.dcu.ie/~gavin. It is handy for reference documentation at the least.

    Gav


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Interesting TCPA paper..

