Outline

• History
• Quiz
• Access Control Matrix

Authentication vs Authorization

• Today, we are going to start talking about Authorization (Chapter 8)
• Let's briefly review Authentication vs Authorization.
• Authentication -- Are you who you say you are? This deals with restrictions on who (or what) can access system
• Authorization -- Are you allowed to do that? This deals with restrictions on actions of authenticated users
• Authorization is a form of access control
• To start talking about authorization, we first look at system certification...

System Certification

• System Certification are government attempt to certify "security level" of products
• Studying it will give us some idea of the history of authorization
• System certification is still required today if you want to sell your product to the government.

Orange Book

• Trusted Computing System Evaluation Criteria (TCSEC), 1983
• Universally known as the "orange book"
• Name is due to color of it's cover
• About 115 pages
• Developed by DoD (NSA)
• Part of the "rainbow series" of NSA books
• Orange book generated a pseudo-religious fervor among some people
• Less and less intensity as time goes by

Orange Book Outline

• Goals
  • Provide way to assess security products
  • Provide guidance on how to build more secure products
• Four divisions labeled D thru A -- D is lowest, A is highest
• Divisions split into numbered classes

D and C Divisions

• D -- minimal protection. i.e., Losers that can't get into higher division
• C -- discretionary protection, i.e., don't force security on users, have means to detect breaches (audit)
  • C1 -- discretionary security protection
  • C2 -- controlled access protection
  • C2 slightly stronger than C1 (both vague)

B Division

• B -- mandatory protection
• B is a huge step up from C
  • In C, can break security, but get caught
  • In B, "mandatory" means can't break it
• B1 -- labeled security protection
  • All data labeled, which restricts what can be done with it
  • This access control cannot be violated

B and A Divisions

• B2 -- structured protection. Adds covert channel protection onto B1
• B3 -- security domains. On top of B2 protection, adds that code must be tamperproof and "small"
• A -- verified protection. Like B3, but proved using formal methods. Such methods still impractical (usually)

Orange Book: Last Word

• The book has a 2nd part which discusses rationale
• It attempts to provide specific guidance on how to meet the requirements.

Quiz

Which of the following is true?

1. Dictionary attacks are not much of a threat if the password file is copied -- provided passwords are hashed and salts are used.
2. The Equal Error Rate of a biometric is when the insult rate equals the fraud rate.
3. A CSRF attack is an attack against password generators.

Common Criteria

• Successor to the orange book (ca. 1998)
• More than 1000 pages
• An international government standard. And it reads like it... Won't ever stir same passions as orange book
• CC is relevant in practice, but only if you want to sell to the government
• CC uses Evaluation Assurance Levels (EALs) 1 thru 7, from lowest to highest security

EAL

• Note: product with high EAL may not be more secure than one with lower EAL. Why?
• Also, because product has EAL doesnt mean its better than the competition. Why?

EAL 1 thru 7

• EAL1 -- functionally tested
• EAL2 -- structurally tested
• EAL3 -- methodically tested, checked
• EAL4 -- designed, tested, reviewed
• EAL5 -- semiformally designed, tested
• EAL6 -- semiformally verified design and tested
• EAL7 -- formally verified design and tested

Common Criteria

• EAL4 is most commonly sought
• Minimum needed to sell to government
• EAL7 requires formal proofs
• Not many such product...
• Who performs evaluations?
• Government accredited labs, of course
• For a hefty fee (like, at least 6 figures)

Classic Authorization

Classic authorization enforced by

• Access Control Lists (ACLs)
• Capabilities (C-lists)

Lampson's Access Control Matrix

• Subjects (users) index the rows
• Objects (resources) index the columns
• Entries say what subject is allowed to do with that resource

Are You Allowed to Do That?

• Could be 1000's of users, 1000's of resources
• Then matrix with 1,000,000s of entries
• How to manage such a large matrix?
• Need to check this matrix before access to any resource is allowed
• How to make this efficient?

Access Control Lists (ACLs)

• ACL: store access control matrix by column
• Example: ACL for insurance data is in blue

Capabilities (or C-Lists)

• Store access control matrix by row
• Example: Capability for Alice is in red

ACLs vs Capabilities

• Note that arrows point in opposite directions...
• With ACLs, still need to associate users to files

Confused Deputy

• Two resources -- Compiler and BILL file (billing info)
• Compiler can write file BILL
• Alice can invoke compiler with a debug filename
• Alice not allowed to write to BILL

ACL's and Confused Deputy

• Compiler is deputy acting on behalf of Alice
• Compiler is confused -- Alice is not allowed to write BILL
• Compiler has confused its rights with Alice's

Confused Deputy

• Compiler acting for Alice is confused
• There has been a separation of authority from the purpose for which it is used
• With ACLs, difficult to avoid this problem
• With Capabilities, easier to prevent problem
  • Must maintain association between authority and intended purpose. i.e., Alice gives her C-list to compiler
  • Capabilities make it easy to delegate authority. Compiler can then use Alice's capabilities when figuring if can compile, write debug files, etc.

ACLs vs Capabilities

• ACLs
  • Good when users manage their own files
  • Protection is data-oriented
  • Easy to change rights to a resource
• Capabilities
  • Easy to delegate---avoid the confused deputy
  • Easy to add/delete users
  • More difficult to implement
• Capabilities loved by academics - Capability Myths Demolished

Classifications and Clearances

We are now going to start looking at Multilevel Security (MLS) Models.

• Classifications apply to objects
• Clearances apply to subjects
• US Department of Defense (DoD) uses 4 levels:
  • TOP SECRET
  • SECRET
  • CONFIDENTIAL
  • UNCLASSIFIED

Clearances and Classification

• To obtain a SECRET clearance requires a routine background check
• A TOP SECRET clearance requires extensive background check
• Practical classification problems
  • Proper classification not always clear
  • Level of granularity to apply classifications
  • Aggregation -- flipside of granularity

Subjects and Objects

• Let O be an object, S a subject
  • O has a classification
  • S has a clearance
  • Security level denoted L(O) and L(S)
• For DoD levels, we have

  TOP SECRET > SECRET >
  CONFIDENTIAL > UNCLASSIFIED