UNIX uses access control lists. A user logs into UNIX and has the right to start
processes that make requests. A process is "bigger" than a subject: many domains
may correspond to a single process. Each process has an identity, the uid. This uid is
obtained from the file that stores user passwords, /etc/passwd. An entry in
/etc/passwd may look like:
Every process inherits its uid from the user who starts it. Every process
also has an effective uid, also a number, which may differ from the uid.
Finally, each UNIX process is a member of some groups. In the original UNIX
every user was a member of exactly one group; currently, users can be members of
more than one group. Group information can be obtained from /etc/passwd or from the
file /etc/groups. System administrators control the latter file. An entry in /etc/groups
may look like:
When a process is created, associated with it is the list of all the groups it is in.
Recall that groups are a way to shorten access control lists. They are useful in other
ways as well.
All of the above implements a form of authentication: knowing the identity of the
subject running a command. Objects in UNIX are files. UNIX attempts to make
everything look like a file. (E.g., one can think of "writing" to a process as
equivalent to sending it a message.) Because of this, we will only worry about
files, recognizing that just about every resource can be cast as a file.
where the file is stored -- necessary since the directory entry is used to access the
file,
the length of the file -- necessary to avoid reading past the end of the file,
the owner -- a uid, generally the uid of the process that created the file,
a group -- a gid of a group that the process that created the file is a member of,
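The following is an added example, not part of the original notes: it derives a process's credentials (uid and group list) from constructed /etc/passwd and group-file entries in the standard colon-separated format (the group file is /etc/group on modern systems), and then evaluates the classic UNIX mode-bit check against the owner uid, group gid and 9 permission bits of a file. All accounts and files are constructed.

```python
# Added example (not from the original notes). Sample entries are constructed.
PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
"""
# name:password:gid:comma-separated supplementary members
GROUPS = """root:x:0:
alice:x:1001:
bob:x:1002:
devs:x:2000:alice,bob
audit:x:2001:alice
"""

def credentials(user, passwd_text=PASSWD, group_text=GROUPS):
    """Return (uid, frozenset of gids) that a process started by `user` inherits."""
    uid = gid = None
    for line in passwd_text.splitlines():
        name, _pw, u, g, *_rest = line.split(":")
        if name == user:
            uid, gid = int(u), int(g)
            break
    if uid is None:
        raise KeyError(user)
    groups = {gid}  # primary group comes from the passwd entry
    for line in group_text.splitlines():
        _gname, _pw, g, members = line.split(":")
        if user in members.split(","):  # supplementary membership
            groups.add(int(g))
    return uid, frozenset(groups)

def may_access(euid, groups, owner, group, mode, op):
    """Mode-bit check: exactly one class (owner, group, other) is consulted.
    op is 'r', 'w' or 'x'; mode holds the 9 permission bits, e.g. 0o640.
    The effective uid, not the real uid, is what the kernel compares."""
    bit = {"r": 4, "w": 2, "x": 1}[op]
    if euid == 0:  # root: read/write anything, execute if any x bit is set
        return op != "x" or bool(mode & 0o111)
    if euid == owner:
        cls = (mode >> 6) & 7
    elif group in groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bit)
```

Note that an owner whose own class lacks a bit is denied even if the group class would grant it; this is the "exactly one class" rule, not a union of the three.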
NTFS uses Windows ACEs; UNIX uses "mode bits" on each file. On NTFS, each
file can have an owner and zero or more Windows access control entries (ACEs).
An ACE consists of a principal (users and groups are principals) and a set of
operations (Read, Write, Execute, etc.).
Windows NT supports multiple file systems, but the protection issues we will
consider are only associated with one: NTFS. In NT there is the notion of an item,
which can be a file or a directory. Each item has an owner. An owner is usually the
thing that created the item. It can change the access control list, allow other
accounts to change the access control list, and allow other accounts to become
owner. Entries in the ACL are individuals and groups. Note that NT was designed
for groups of machines on a network; thus a distinction is made between local
groups (defined on a particular workstation) and global groups (domain wide). A
single name can therefore mean multiple things.
NTFS is structured so that a file is a set of properties, the contents of the file being
just one of those properties. An ACL is a property of an item. The ACL itself is a
list of entries: (user or group, permissions). NTFS permissions are closer to
extended permissions in UNIX than to the 9 mode bits. The permissions offer a rich
set of possibilities:
R -- read
W -- write
X -- execute
D -- delete
The owner is allowed to change the ACL. A user with permission P can also
change the ACL. A user with permission O can take ownership. There is also a
packaging of privileges known as permission sets:
no access
read -- RX
change -- RWXO
If you’re a business that requires a high level of security to control your physical or
digital assets, you need an access control system. Access control systems allow
businesses to verify the identity of a person before they are allowed access to a
physical or digital space. But as with all technology, problems can arise during use.
What are some common issues that businesses have with access control systems?
3. Improper Setup
4. Inefficient Management
Even though issues can happen, your company can avoid running into problems
with your access control system by maintaining the system regularly and working
with a consultant on the system setup. With your access control system working
optimally, you can have peace of mind that your business’s assets are safe and
secure.
Web Security
What is the web?
• A collection of application-layer
– Multimedia
– Instant messaging
• Many applications
– Provides
• authentication
• confidentiality
• integrity.
• HTTP Request
– An empty line
• Request methods
– GET Request: attach the data in the URL
• HTML: An Example
– JavaScript can put dynamic text into an HTML page: a JavaScript statement
like the following writes variable text into an HTML page:
– Authentication
– Discussion
Difference between Web Access Control and OS Access Control
The web server is stateless. When a user is authenticated, he/she may send several
other requests. The entire duration is called a session. Since the web server is stateless,
it does not remember anything about this session. Namely, when the user sends a
request, the server does not know whether the requests are from the same session (hence,
from the same user). To put it in another perspective, because of the lack of a session
concept at the web server, each web request has to be authenticated; otherwise,
attackers can hijack a session.
• Session ID
Web applications have to remember sessions. For example, when a host needs to
customize the content of a website for a user, the web application must be written
to track the user’s progress from page to page.
How does the server know that two requests are from the same session, and hence do not need
separate authentication?
∗ Using hidden variables in forms: these will be sent automatically when the form is
submitted.
∗ Using URL-encoded parameters: the session ID has to be attached to the HTTP request.
Here is an example:
/index.php?session_id=some_unique_session_code.
• Cookies and Session ID
– It is sent as an HTTP header by a web server to a web browser and then sent
back unchanged by the browser each time it accesses that server. A cookie can be
used for authenticating, session tracking (state maintenance), and remembering
specific information about users, such as site preferences or the contents of their
electronic shopping carts. The term "cookie" is derived from "magic cookie", a
well-known concept in UNIX computing which inspired both the idea and the
name of browser cookies. Some alternatives to cookies exist; each has its own
uses, advantages, and drawbacks.
– Being simple pieces of text, cookies are not executable. They are neither
spyware nor viruses, although cookies from certain sites are detected by many anti-
spyware products because they can allow users to be tracked when they visit
various sites.
Where do we start? We need to understand what are subject and object first, then
we can talk about the access control.
• Policies:
• Objective of XSS:
– When other users browse the infected pages from X, the browser believes
that the JavaScript is from X.
– The Same Origin Policy allows the malicious JavaScript to access the cookies of
X, which means it can send legitimate-looking HTTP requests to X on behalf of the users, without
the users' consent.
• Samy worms (see the narrative from Samy at http://namb.la/popular/).
– The worm added Samy to the victim's friend list, and then further propagated
itself to those who viewed the victim's profile.
• Potential Damage
– Web defacing: the malicious JavaScript code can access and modify the
DOM objects within the page. For example, it can replace a picture in the web
page with a different picture.
• Countermeasures
• CSRF Attack
– If a user is logged into the site and an attacker tricks their browser into
making a request to one of these task URLs, then the task is performed and logged as
the logged-in user. The trick can be placed on a web page belonging to the attacker; all
the attacker needs to do is get the user to visit that page while
being logged into the targeted site.
– When the request is made by the user (whether the user is tricked or not), the
cookie will be attached to the request automatically by browsers.
– For web applications using HTTP GET: the attacker can use an image tag <img> to
cause the victim's browser to send out an HTTP GET request (when the victim
visits the attacker's web page, the HTTP GET request is initiated by the
image tag). Here is an example:
<img src="http://site/buy_stocks?buy=200&stock=yahoo">
– For web applications using HTTP POST: sending data to such applications
is not as easy as sending data to GET-based applications, because we cannot
append the data to the end of the URL for POST-based applications. However, with
the help of JavaScript, attackers can send the data. The basic idea is for the attacker
to craft a web form on his/her site (using JavaScript), and then use JavaScript to
automatically submit the form to the target site.
We cannot use AJAX here, because AJAX can only talk back to the origin of the
web page (the same-origin policy, SOP).
– CSRF does not need to run JavaScript code (for GET only); XSS does.
∗ CSRF: the code runs directly from the attacker’s web page.
∗ XSS: the code has to be injected to the target web site’s page.
∗ It does not prevent CSRF, because the attacking contents are not on the target
web site.
∗ It can prevent XSS to certain degree, if the malicious JavaScript code can be
filtered out.
• Countermeasures
– Because the JavaScript code used (if any) by CSRF does not come from the
target web site, the malicious JavaScript cannot see the cookies of the target
web site.
– We can require that every HTTP request (both GET and POST) also
include something from the cookie (such as the session ID) among the attached
parameters, in addition to the cookies that are already attached automatically by the
browser. JavaScript code from the target web site can read the secret from the
cookie, but JavaScript code from the malicious web site cannot access those
cookies.
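The check this countermeasure requires on the server, as an added example that is not part of the original notes: the session ID carried in the cookie must also appear as a request parameter, taken from the query string for GET (the /index.php?session_id=... form mentioned earlier) or from the form body for POST. The cookie name session_id and all request samples are assumptions constructed for the example.

```python
# Added example (not from the original notes): double-submitted session ID
# check against constructed requests. Cookie name "session_id" is assumed.
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

def session_from_cookie(headers):
    """Session ID the browser attached automatically, or None if absent."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    return jar["session_id"].value if "session_id" in jar else None

def request_params(method, target, body):
    """Explicit parameters: query string for GET, form body for POST."""
    if method == "GET":
        return parse_qs(urlsplit(target).query)
    return parse_qs(body)

def is_same_session(method, target, headers, body=""):
    """True only when the parameter copy of the session ID matches the cookie.
    A cross-site request carries the cookie but cannot supply the parameter,
    because the attacker's page cannot read the target site's cookies."""
    sid = session_from_cookie(headers)
    sent = request_params(method, target, body).get("session_id", [""])[0]
    if not sid or not sent:
        return False
    return hmac.compare_digest(sid, sent)  # constant-time comparison

# Constructed requests: (method, target, headers, body)
LEGIT_POST = ("POST", "/buy_stocks", {"Cookie": "session_id=abc123"},
              "buy=200&stock=yahoo&session_id=abc123")
LEGIT_GET = ("GET", "/index.php?session_id=abc123",
             {"Cookie": "session_id=abc123"}, "")
# What an <img src=...> or auto-submitted form from another origin produces:
FORGED_GET = ("GET", "/buy_stocks?buy=200&stock=yahoo",
              {"Cookie": "session_id=abc123"}, "")
FORGED_POST = ("POST", "/buy_stocks", {"Cookie": "session_id=abc123"},
               "buy=200&stock=yahoo")
```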
What is the fundamental problem of XSS and CSRF? Let us evaluate these
problems from the access control perspective. Is there anything wrong with the
access control model currently used by web browser (i.e. the SOP model)? If not,
can we pinpoint what has gone wrong from the design perspective?
Let us review the principles of access control formulated by Saltzer and Schroeder
in their classical paper titled The Protection of Information in Computer Systems.
We have covered these principles in our access control lectures. Here we will
evaluate an access control design using these principles:
• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability.
Virtually all businesses, most government agencies, and many individuals now
have Web sites. The number of individuals and companies with Internet access is
expanding rapidly and all of these have graphical Web browsers. As a result,
businesses are enthusiastic about setting up facilities on the Web for electronic
commerce. But the reality is that the Internet and the Web are extremely vulnerable
to compromises of various sorts. As businesses wake up to this reality, the demand
for secure Web services grows.
The topic of Web security is a very broad one. In this chapter, we begin with a
discussion of the general requirements for Web security and then focus on two
standardized schemes that are becoming increasingly important as part of Web
commerce: SSL/TLS and SET.
The World Wide Web is fundamentally a client/server application running over the
Internet and TCP/IP intranets. As such, the security tools and approaches discussed
so far in this book are relevant to the issue of Web security. But, the Web presents
new challenges not generally appreciated in the context of computer and network
security:
• The Web is increasingly serving as a highly visible outlet for corporate and
product information and as the platform for business transactions. Reputations can
be damaged and money can be lost if the Web servers are subverted.
• Although Web browsers are very easy to use, Web servers are relatively
easy to configure and manage, and Web content is increasingly easy to develop,
the underlying software is extraordinarily complex. This complex software may
hide many potential security flaws. The short history of the Web is filled with
examples of new and upgraded systems, properly installed, that are vulnerable to a
variety of security attacks.
• Casual and untrained (in security matters) users are common clients for
Web-based services. Such users are not necessarily aware of the security risks that
exist and do not have the tools or knowledge to take effective countermeasures.
Provides a summary of the types of security threats faced in using the Web. One
way to group these threats is in terms of passive and active attacks. Passive attacks
include eavesdropping on network traffic between browser and server and gaining
access to information on a Web site that is supposed to be restricted. Active attacks
include impersonating another user, altering messages in transit between client and
server, and altering information on a Web site.
Threats
The most important reasons to adopt SDL practices are:
Higher security. In SDL, continuous monitoring for vulnerabilities results in better
application quality and mitigation of business risks.
Cost reduction.