IAS Chapter 4: Sharing Files

Description

  • Tailoring the security policy to grant special access to individuals or groups

  • Permission flags in Unix-like systems

  • Access control lists in Macintosh and Windows systems

  • Monitoring system events through logging

Last updated 4:11 PM on 10/23/24
1. Tailored File Sharing

  • Ex.

    • Bob and Tina shall be able to read and modify the survey data; no one except Bob and Tina shall have any access to the survey data

  • When tailoring, we answer 4 questions:

    • Which resources are we managing?

    • Which users have access?

    • Deny by Default or Modify the existing rights?

    • What access rights do nonowners have?

2. Tailored Policies

  • Privacy

    • Overrides a global file sharing policy

    • Protects a set of files from access by others

  • Shared Reading

    • Overrides a global isolation policy

    • Grants read access to a set of files

  • Shared Updating

    • Overrides either global policy

    • Grants read and write access to a set of files

3. How do we tailor the access rights?

  • Cannot do it with simple permission flags or with compact access rules

    • We need more than just Owner, System, or World

  • Simple File Sharing on Windows

    • Keeps a list of users granted access to a particular directory tree

    • Access Options:

      • Read-only access, Contributor access

      • Co-owner access, Owner access

4. User Groups

  • Each file has a set of group access rights, and the ID of an established group of users

    • “World” is a group that contains all users

    • Other groups must be defined in a file that lists the users in each group (on Unix, /etc/group)

  • The OS applies group rights, as well as other rights, when deciding whether a process is allowed access to a resource

  • We create a group by creating a list of users in that group, then giving the group a name

5. Solving Bob’s Problem

  • We create a folder for the project files

    • The folder must be visible to Bob and Tina

    • The folder “belongs” to the “Survey” group

      • Actually, one user owns each file

      • The file’s group is a separate setting

  • Access Rights for the folder and its files:

    • Owner: rw-

    • Group: rw-

    • World: ---

    • In Unix terms that is mode 660 for the files; a directory also needs the “x” (search) bit before anyone can open the files inside it, so the folder itself gets rwxrwx--- (770)

6. Administrative Groups

  • Many systems have a separate “Admin” group

    • User IDs who are part of the group may perform administrative tasks

    • Restrict access to administrative functions by blocking the right to execute the programs

    • Windows also associates other privileges with user groups, including administrative rights

  • If a user is in the “Admin” group, they automatically have access to administrative functions

7. Privileged User IDs

  • Admins used to log in directly as “root” to perform administrative tasks

    • Problem: the system could not tell which admin performed a particular task; there was no “accountability”

  • Modern Unix has “sudo” and the “setuid” bit

    • A user in an administrative role runs sudo to execute one privileged command as “root”; sudo checks a policy file (/etc/sudoers) and logs who ran what, which restores accountability

    • A setuid program runs with the privileges of the file’s owner (root, for a program such as passwd) rather than those of the user who started it

    • Similar to the OS X “unlock” prompt and Windows UAC

8. Administration and Least Privilege

  • Administrative roles pose a danger

    • If an admin user executes a Trojan Horse program or a virus, the malware can use the administrative rights to modify the OS itself

    • This risk applies to “root” users and to members of “admin” user groups

  • Safe Alternative: Temporary Rights (Windows UAC, or sudo on Unix): privileges are raised only for the one operation that needs them

  • Safe Alternative: Have 2 User IDs

    • Regular user ID has no special privileges

    • Special user ID has administrative privileges

9. File Permission Flags

  • Traditional Unix uses “file permission flag” to indicate access rights

    • Modern Unix systems may also use “access control lists (ACLs)”

  • 3 Sets of RWX flags

    • Owner Rights (called “user rights” or “u”)

    • Group Rights (called “group rights” or “g”)

    • World Rights (called “other rights” or “o”)

  • Specified in that order: Owner-Group-World

    • “rwxrwxrwx” (octal 777) gives everyone full access rights

10. Permissions and Ambiguity

  • Can Tina read a file with these permissions:

    • Owner: Bob - rwx

    • Group: Survey (Bob and Tina) - --- (no access)

    • World: r--

  • Answer: It depends on the Operating System

    • On OpenVMS: Yes, the rights of every class Tina belongs to are combined, then checked

    • On UNIX: No, the kernel picks the single most specific class that matches Tina (owner, else group, else other) and checks only that one; here that is the group permissions, which grant nothing
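
How the two rules on this card decide Tina’s request, and how the rw-rw---- folder from “Solving Bob’s Problem” behaves, as an added example written for this page (it is not code from the flashcards or from the textbook they summarize). The users bob, tina and eve, the survey group and the mode strings are constructed; unix_allows models the traditional Unix class-selection rule and combined_allows the union rule the card attributes to OpenVMS:

```python
"""Added example (not from the original flashcards): a model of how
traditional Unix decides access from the owner/group/other flags,
next to a 'combine every applicable class' rule such as the one the
cards attribute to OpenVMS.  Users, groups and modes are constructed."""


def parse_mode(mode: str):
    """Parse a 9-character mode like 'rw-rw----' into three sets of
    rights: (owner_rights, group_rights, other_rights)."""
    if len(mode) != 9 or any(c not in "rwx-" for c in mode):
        raise ValueError(f"bad mode string: {mode!r}")
    return tuple({c for c in mode[i:i + 3] if c != "-"} for i in range(0, 9, 3))


def mode_to_octal(mode: str) -> str:
    """'rwxrwxrwx' -> '777', 'rw-rw----' -> '660' (what chmod would take)."""
    def digit(rights):
        return 4 * ("r" in rights) + 2 * ("w" in rights) + 1 * ("x" in rights)
    return "".join(str(digit(r)) for r in parse_mode(mode))


def unix_allows(mode, file_owner, file_group, user, user_groups, want) -> bool:
    """Traditional Unix rule: choose the single most specific class that
    matches the caller (owner, else group member, else other) and test
    the request against ONLY that class.  Less specific classes are never
    consulted, even when they would grant more."""
    owner_rights, group_rights, other_rights = parse_mode(mode)
    if user == file_owner:
        rights = owner_rights
    elif file_group in user_groups:
        rights = group_rights
    else:
        rights = other_rights
    return set(want) <= rights


def combined_allows(mode, file_owner, file_group, user, user_groups, want) -> bool:
    """Alternative rule (the card attributes it to OpenVMS): take the union
    of the rights of every class the caller belongs to, then test."""
    owner_rights, group_rights, other_rights = parse_mode(mode)
    rights = set(other_rights)            # everyone belongs to 'world'
    if file_group in user_groups:
        rights |= group_rights
    if user == file_owner:
        rights |= owner_rights
    return set(want) <= rights


# Constructed stand-in for /etc/group
GROUPS = {"survey": {"bob", "tina"}}


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def bobs_project_folder():
    """Card 5: files owned by bob, group 'survey', mode rw-rw---- (660)."""
    mode = "rw-rw----"
    return {
        "octal": mode_to_octal(mode),
        "tina_can_write": unix_allows(mode, "bob", "survey", "tina", groups_of("tina"), "w"),
        "eve_can_read": unix_allows(mode, "bob", "survey", "eve", groups_of("eve"), "r"),
    }


def ambiguity_case():
    """Card 10: owner rwx, group ---, world r--.  Can Tina read?"""
    args = ("rwx---r--", "bob", "survey", "tina", groups_of("tina"), "r")
    return {"unix": unix_allows(*args), "combined": combined_allows(*args)}


if __name__ == "__main__":
    print(bobs_project_folder())   # {'octal': '660', 'tina_can_write': True, 'eve_can_read': False}
    print(ambiguity_case())        # {'unix': False, 'combined': True}
```

The practical lesson of ambiguity_case is that on Unix a group entry that grants less than “world” is a way to lock specific people out, not a no-op; to give Tina read access through the group, the group bits must carry it explicitly.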

11. Access Control Lists (ACLs)

  • The general-purpose technique: access rights are clustered by resource, so each file or folder carries its own list

    • Simple permission flags require a small, fixed amount of storage for each file

      • ACLs may be arbitrarily long

        • It poses a challenge for the OS

  • An alternative to User Groups

    • We simply keep a list of individuals with the right to access a particular file or folder

    • Efficient if each file needs its own tailored lists

12. OS-X ACLs

  • Based on Unix permission flags

    • Provides owner/group/world right by default

  • The Finder GUI only provides read/write-style access controls

  • The command line provides more sophisticated controls (for example “chmod +a” to add an ACL entry and “ls -le” to list a file’s entries)

13. Microsoft Windows ACLs

  • Present in “Professional”, “Business”, and other sophisticated versions of Windows

    • “Home” and “Basic” versions use the simple access lists described earlier

  • Each ACL entry gives permission for a specific user or group

    • Users and Groups are defined on the computer or by network-wide “Domain”

    • Each entry specifies a list of permissions

    • Each permission may be “Allow” or “Deny”

14. Applying a Windows ACL

  • Entries are applied in a specific order:

    • 1. Entries assigned directly to that file or directory (explicit entries) are applied first

    • 2. Next, apply those inherited from the enclosing directory

    • 3. If more entries are inherited, apply them in inheritance order: nearest ancestor first, most distant last

  • Within each set, Deny entries come before Allow entries

  • Walking the list in that order, a Deny that matches this user (or one of its groups) and covers a requested right stops the check with access refused; Allow entries accumulate rights until every requested right is granted, and a request that is never fully granted is refused

15. Building Effective ACLs

  • Deny by Default is the best general approach

    • Start with no rights, or a small set of defaults

      • Permissions to owner and administrators

    • Add “Allow” rights as needed

  • Keep the rules as simple as possible

  • Example that needs a “Deny” right

    • A group of all students called “Students”

    • Need a group “Students Minus Freshman”

    • Easiest approach: Allow “Students”, then Deny “Freshman”; because Deny entries are checked first, a freshman is refused even though the Students entry would allow them
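
The evaluation order from “Applying a Windows ACL” and the Students-minus-Freshman list from this card, as an added example written for this page (it is not code from the flashcards, from the textbook they summarize, or from Windows). The ACE rows, the principals alice and fred and their group memberships are constructed; the ordering and the accumulate-until-granted walk are the behaviour the two cards describe:

```python
"""Added example (not from the original flashcards): a small model of
how a Windows discretionary ACL is walked in canonical order.  ACE rows,
principals and group memberships are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    kind: str          # "deny" or "allow"
    trustee: str       # user or group name
    rights: frozenset  # e.g. frozenset({"read", "write"})
    depth: int = 0     # 0 = set directly on this object, 1 = inherited from parent, 2 = grandparent, ...


def canonical_order(acl):
    """Order ACEs the way the cards describe: explicit entries before
    inherited ones, nearer ancestors before farther ones, and within each
    such set every Deny before any Allow.  sorted() is stable, so the
    original order is kept among otherwise equal entries."""
    return sorted(acl, key=lambda a: (a.depth, 0 if a.kind == "deny" else 1))


def access_check(acl, principal, groups, requested) -> bool:
    """Walk the canonical ACL.  A Deny ACE for the caller that covers any
    still-unsatisfied right ends the check with a refusal; Allow ACEs
    accumulate rights until the whole request is covered.  Anything never
    granted is refused (deny by default)."""
    identities = {principal} | set(groups)
    remaining = set(requested)
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining


R = frozenset({"read"})

# Card 15: "Students minus Freshman" done with one Allow and one Deny.
COURSE_NOTES_ACL = [
    Ace("allow", "Students", R),
    Ace("deny", "Freshman", R),
]
MEMBERS = {"alice": {"Students"}, "fred": {"Students", "Freshman"}}


def students_minus_freshman():
    return {u: access_check(COURSE_NOTES_ACL, u, g, {"read"}) for u, g in MEMBERS.items()}


# Card 14: an explicit Allow on the file outranks a Deny inherited from the folder,
# but rights the list never grants (here: write) are still refused.
def explicit_beats_inherited():
    acl = [
        Ace("deny", "Students", R, depth=1),   # inherited from the enclosing folder
        Ace("allow", "alice", R, depth=0),     # set directly on the file
    ]
    return {
        "alice_read": access_check(acl, "alice", MEMBERS["alice"], {"read"}),
        "fred_read": access_check(acl, "fred", MEMBERS["fred"], {"read"}),
        "alice_write": access_check(acl, "alice", MEMBERS["alice"], {"read", "write"}),
    }


if __name__ == "__main__":
    print(students_minus_freshman())    # {'alice': True, 'fred': False}
    print(explicit_beats_inherited())   # {'alice_read': True, 'fred_read': False, 'alice_write': False}
```

The alice_write case is the deny-by-default rule in action: no Deny matched, but the list never granted “write”, so the request is refused without any explicit Deny entry.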

16. Default File Protection

  • Windows uses device, directory, and folder rights to establish default protections

    • The rights are inherited from enclosing folders

    • Inheritance is dynamic

      • If we change rights on an outer folder, it may change rights on an inner folder

      • Most other ACL implementations are static

        • Changes do not affect existing rights

  • We can enable and disable inheritance

    • Often disabled to apply special rights

17. Trojan Horse

  • Tina plays a video game that Eve has installed on Bob’s shared computer

  • Bob then discovers that someone has copied his protected files into the game’s folder

    • How did this happen?

  • The game was a Trojan Horse program

    • In addition to implementing the game, the program also copied files that Bob owned

    • It used Bob’s access rights to copy his files

18. How the Attack Worked

  • Transitive Trust - a basic principle

    • If we trust Program 1, and it trusts Program 2, then we are also trusting Program 2

    • If we run a program, then we trust its author

  • Bob trusted the game program: the program copied Bob’s files to Suitemates’ folder

19. Monitoring System Security

  • Effective security requires monitoring

    • Defenses may only detect and delay

    • Alarms are useless if no one listens

  • Access controls are preventive - they try to block an attack from succeeding

  • Monitoring is detective - it detects the attack without necessarily blocking it

    • Often provided through logs:

      • Event logs and audit logs

20. The “Wily Hacker”

  • Found by astronomer Clifford Stoll, then working as a system administrator at Lawrence Berkeley Laboratory

    • Pursued a 75-cent shortage in the computer-time accounting

    • Traced it to a spy in Germany who had penetrated many US universities and defense sites

  • The shortage was a mismatch between the system event logs and the accounting logs

    • The attacker used processor resources

    • The attacker’s activity did not yield a charge in the accounting logs

  • The story became a bestselling book, “The Cuckoo’s Egg” (1989)

21. The Logging Mechanism

  • A process shared by all the system components

    • 1. A program detects a significant event and emits a log entry to describe it

    • 2. The logging process retrieves the event, and discards less-significant events

    • 3. The logging process saves the event in a log file

    • 4. Administrators monitor the logs for significant events that demand action

  • Avoid collecting too few events (attacks leave no trace) or too many (the trace is buried)
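
The four steps on this card as one small pipeline, added for this page (it is not code from the flashcards or the textbook they summarize, and not a real syslog implementation). The event stream, the severity table and the two monitoring rules are constructed; the stream deliberately mixes noise (debug opens) with the repeated denials and the refused sudo that an administrator would want surfaced:

```python
"""Added example (not from the original flashcards): a toy version of
the four-step logging pipeline.  Components emit events, a logging
process filters by severity and appends to a log, and a monitor scans
the log for patterns that demand action.  All events are constructed."""

from collections import Counter
from dataclasses import dataclass

# syslog-style severities: lower number = more significant
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


@dataclass
class Event:
    ts: str
    component: str
    severity: str
    user: str
    message: str


# Step 1: components emit events (constructed sample stream)
RAW_EVENTS = [
    Event("10:00:01", "fs", "debug", "bob", "open /srv/survey/data.csv r"),
    Event("10:00:02", "fs", "notice", "eve", "denied /srv/survey/data.csv r"),
    Event("10:00:03", "fs", "notice", "eve", "denied /srv/survey/data.csv w"),
    Event("10:00:04", "auth", "info", "tina", "login ok"),
    Event("10:00:05", "fs", "notice", "eve", "denied /srv/survey/notes.txt r"),
    Event("10:00:06", "fs", "debug", "tina", "open /srv/survey/data.csv w"),
    Event("10:00:07", "auth", "warning", "eve", "sudo denied: not in sudoers"),
]


def logging_process(events, threshold="notice"):
    """Steps 2 and 3: discard events less significant than the threshold,
    then store the rest as text lines (a list here, a file on a real system)."""
    keep = SEVERITY[threshold]
    log = []
    for e in events:
        if SEVERITY[e.severity] > keep:
            continue        # less significant than the threshold: discard
        log.append(f"{e.ts} {e.component} {e.severity} user={e.user} {e.message}")
    return log


def parse_line(line):
    ts, component, severity, user_field, *rest = line.split(" ")
    return {"ts": ts, "component": component, "severity": severity,
            "user": user_field.split("=", 1)[1], "message": " ".join(rest)}


def monitor(log, max_denials=3):
    """Step 4: the checks an administrator would automate.  Report every
    auth event of severity warning or worse, and any user who piles up
    access denials on the file system."""
    denials = Counter()
    alerts = []
    for rec in map(parse_line, log):
        if rec["component"] == "fs" and rec["message"].startswith("denied"):
            denials[rec["user"]] += 1
        if rec["component"] == "auth" and SEVERITY[rec["severity"]] <= SEVERITY["warning"]:
            alerts.append(f"{rec['ts']} auth: {rec['user']}: {rec['message']}")
    for user, n in denials.items():
        if n >= max_denials:
            alerts.append(f"{user}: {n} access denials in this log")
    return alerts


def run_pipeline(threshold="notice"):
    log = logging_process(RAW_EVENTS, threshold)
    return {"kept": len(log), "alerts": monitor(log)}


if __name__ == "__main__":
    for line in logging_process(RAW_EVENTS):
        print(line)
    print(run_pipeline()["alerts"])
```

Changing the threshold is the “too few or too many” trade-off from the card: at "debug" every open is stored and the denials drown in routine traffic, at "warning" the three denials (notice level) are discarded before the monitor ever sees them.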

22. External Security Requirements

  • Logging does not directly improve system performance or security - it might help detect and resolve problems, or it might not

    • Appears more “efficient” to disable logging

    • Benefits are indirect

  • Most systems keep logs to comply with External Security Requirements

    • Based on laws, government regulations, industry standards, or a combination of them

23. Industry Security Standards

  • ANSI X9 standards

    • Used by the banking industry to protect electronic funds transfer

  • PCI DSS

    • The “Payment Card Industry Data Security Standard”, used to protect credit card transactions

  • ISO 27000

    • Family of international standards for information security management systems and their continual improvement

24. US Government Standards

  • FIPS - Federal Information Processing Standards, issued by NIST

  • SOX - Sarbanes-Oxley Act - financial and accounting standards for public companies

  • HIPAA - Health Insurance Portability and Accountability Act - security standards for certain types of personal health data

  • GLBA - Gramm-Leach-Bliley Act - standards for protecting personal financial information

  • FISMA - Federal Information Security Management Act - security standards for federal computer systems
