6/7/2007
<html>
<head> <title> CS 111 Scribe Notes </title>
</head>
<body>
Security Continued: <br>
Last lecture we went over: <br>
	Authentication <br>
	Integrity <br>
	Authorization <br>
	Auditing <br><br>

<h2>Authorization</h2>
Try and keep track of everything everyone is allowed to do <br>
Think about it as a 3 dimensional space<br>
axes are: <br> 
	principals/actors/users/subjects - people "using the system and can do stuff" <br>
	objects - things that can be acted upon. <br>
	actions/operations - what they're trying to do with the object <br><br>

In theory, we could set things up this way, as a 3 dimensional bitmap of permissions 
But, its a hassle to support arbitrary generality here.<br>
For two reasons:<br>
	1. Amount of storage and work here grows roughly with the square of the size of the system.<br>
	2. Tough to make sure it's right. Hard to maintain. Might make a mistake, flip wrong bit.<br>
In practice, this scheme is too complicated to set up.<br> <br>

People look for simplifications<br>
You still have to consult the subject, object, and action, to find out if allowed<br>
But, it's not quite that general<br><br>

We want it simpler, easier to implement.<br>
How do we do that?<br>

<h2>Unix model (classic)</h2>
Associate about 12 bits for permissions, stored in inode.<br>
9 of them are pretty straight forward.They come in groups of three.<br>
Lowest order 9 are ordinary, divided into 3 groups<br>
	[special, 3 bits] [owner/user, 3 bits] [group, 3 bits] [other, 3 bits]<br>
Each group of 3 bits are for read, write, execute.Lowest 9 bits look like rwxrwxrwx.<br>
Common patter is 755, rwxr-xr-x, user can write, all others can read and execute<br>
Not all values make sense here...<br>
	---rw--w- says user can not touch file, group can read and write, others can write(silly).<br>
	Generally we expect other bits to be a subset of group, which is a subset of user permissions.<br>
special bits: setuid, setgid, sticky bits. These are messy, used to address ceratin problems.<br>
for a regular file:<br>
	if you execute a file marked setuid, that program doesn't run with your permissions, it runs with permissions of file owner.<br>
	if file is owned by root, marked setuid, then program will always run with root permissions.<br>
Its a way of controlled export of superuser's powers.
Setuid programs are an admission that we can't handle all of the security problems in unix, because it doesn't let you do stuff you should be able to do.<br>

In practice, many systems need this kind of capability.
theres a security model, and then there are exceptions because, if enforced too tightly, the security model becomes a straightjacket.<br>

setgid is the same, except with a group...<br>
sticky bit was originally for optimization.
It meant that when you exit the program, leave it in swap space because someone might want to use it again soon.<br><br>

for directories, these bits are entirely different: <br>
the sticky bit means that only the owner of a file can remove or delete a directory entry.
	Normally, you just have to be able to write to the directory
	. But with sticky bit, you have to be owner of the file too.
	This is due to /tmp that
	everyone has to be able to write here,
	 but anyone can remove files too.
	/tmp would be totally insecure were it not for the sticky bit.<br>
setgid bit affects new files created in the directory.
	If set, newly created files belong to the same group that the directory does.
	This encourages sharing more than default would
	without this rule, files would all be in separate groups.<br>
	
Example: <br>
	courses and quarters need to be accessed by appropriate people, profs, TA's<br>
	/class/spring07/cs111<br>
	/class/spring07/cs131<br>
One approach, create a group "cs111_spring_07" containing prof, TAs<br>
But we have a group for each directory<br>
UNIX permissions feel forced...not designed for this application<br>

Instead, department utilizes Access Control Lists (ACLs)<br>
Used starting in Windows NT, Solaris, some Linux<br>
Associates with each file a list of which users and groups can access the file.<br>
For a file, there is a list of people and their permissions. Granted on a per-user basis.<br><br>

<pre>
if we invoke the following
$ getfacl		# get file access control list
	user::rwx
	group::r-x
	other::r-x
$ setfacl -rm gropu:tas:rwx	#give TAs rwx permissions.
</pre>

<pre>
$ sudo umount /dev/bar
</pre>
This means please execute umount as root, but then go back to being myself again.
You dont want to be root very long because root is really powerful and you'll break things quicker.
The goal of sudo is to minimize priveliges.<br><br>

Sometimes, access control lists grant too much power.
If a TA needs grade access and research project access, they may copy grades to where research users can see them.<br>


Another approach that is gaining popularity in security community is
role based access control (RBAC).
Grant access based on role that user is currently assuming.
Users assume only one role at a time.
Now, this person is a TA with TA permissions, but then they assume research assistant role, losing TA rights.
You can even have roles on a per-process basis.
Associated with operations and not just objects.<br>

One operation is "unlinking a directory".
In traditional unix, only root can do it
under solaris 10, you can give up this ability.<br>

Also, linking to a file you dont own.<br>
Only requirement is that you are able to "see" the file (by searching any other directories.)
why is this a problem?<br>
<pre>
/bin/sudo (setuid root)
if admin fixes bug
	/bin/sudo1
	rename("/bin/sudo1", "/bin/sudo")
</pre>
	fixed? no! because attacker can link the buggy /bin/sudo to /home/attacker/bin/sudo and continue to use it.<br>

Need to keep scale in mind.<br>
For personal desktop, you probably don't need more than "normal" and "root" access<br>
For University of California, even ACLs and RBAC might not be enough.
	It gets really complicated with everyone needing to do all different things, and no more.<br><br>

Policy is authorization<br>
Mechanism is authentication<br>
	based on : who the principal (user) is:<br>
		classic example is retinal scan<br>
		assumption is no two people have same eyes, people dont swap eyes.<br>
	something the principal knows:<br>
		password<br>
		problem with passwords is that they can be guessed or snooped.<br>
	something the principal HAS:<br>
		physical key<br>

Typically you START with who you are, and then they give you one of the other things (password or key).<br>
General design principal for implementing cryptographic authentication: <br>
<i>minimize what has to be secret<br>
Protocols you use should not be secret<br>
Algorithms should not be secret (then they have fewer reviewers)<br>
-keys are the only secrets</i><br>
Kerchkoffs (~1880)<br><br>


<h2>Authentication building blocks</h2>
Cryptographic hash functions<br>
SHA1(M)	= H	//M is message<br>
It returns H, a small, fixed size quantity (160 bits)<br>
If an attacker is told H but not M, he or she cannot guess any value M such that SHA1(M) = H<br>
To reverse engineer it, you have to run through 2^160 random messages, then you have a half chance of running across the original message.<br>

Symmetric encryption (eg triple-DES)<br>
	Sender and recipient share a secret key.
	So going to and from encrypted form is easy.
	But without sercret key, computing message from encrypted version is hard.
	If you have original and encrypted message, computing the key is hard.
In many protocols, common data (time of day) is encrypted, so attacker might know original message.<br>

Third approach is public key encryption<br>
asymmetric<br>
you have secrets you keep to yourself.<br>
you dont just have a message M and key K<br>
you have message M and two "flavors" of same key<br>
	U is public key<br>
	V private key<br>
Basic idea: Given M and someones U, you can encrypt it easily
	 but, you need their V to decrypt it easily.
	 Decrypting with encrypted message and public key is hard. 
	 Getting private key is also hard.<br>

+ no shared secrets to maintain<br>
- tends to be more expensive<br>
= key distribution is still tricky.<br>
	What if you are given attackers public key
	now you just sent your message to THEM<br>

<pre>
simple authentications, shared secret K
A: {I'm Alice}[K]
B: OK
</pre>

Suppose you are an attacker who can eavesdrop and send messages
replay attack is possible
<br>

<pre>
A: I'm Alice
B: Prove it, here's some random bits
A: {proof: random bits}[K]
B: okay
</pre>

Later if attacker replays authentication, it doesn't work with new random bits.
If attacker knows protocol, attacker can spoof packets with A's IP address now that A is authenticated.
Technical term for random bits made up for the occasion is a "nonce"<br>

<pre>
Multiphase authenticatoin (public key)
A: {Nonce[A] + Hi I'm Alice} [Ub]
B: {Nonce[A] + Nonce[B]} [Ua]
A: {Nonce[B] + session key} [Ub]
	K for some shared secret encryption
	might be 150 bits, smaller, faster
</pre>

Ordinary session packets use K plus a hash function (say SHA1)
K keeps data secret, SHA1 makes sure packet hasnt been tampered with.
Common algorithm is HMAC<br>
	{SHA1(K^pad1) + SHA1((k^pad2) + M);}[K]<br>
	20-25% overhead for checksum but high reliability<br><br>
	
<pre>
Secure Shell
	form users viewpoint
	client: ~/.ssh/id_rsa.pub	//public key
		~/.ssh/id_rsa		//private key
		~/.ssh/known_hosts	//table of (ip address, server public key)
server: ~/.ssh/authorized_keys		//list of public keys that are allowed to connect.
</pre>
ssh_keygen
uses random bits to make private and public key pair<br>

You can setup tunnels with ssh -l server.<br>
Basic idea behind a tunnel is as follows:

<pre>
client				server
ssh process			ssh process
with Apache:80
</pre>
Client can say, "if server gets requests on port 80, send them to me."<br>
This idea is bidirectional<br>

ssh tunel = virtualized network<br>
Its a way of escaping whatever bizarre rules your network has.<br>
This gets ugly fast since everyone needs to keep their ssh folders everywhere they might go<br><br>


IPSEC:<br>
oriented toward big guys<br>
+ key management<br>
- huge system, hard to get into<br>

Foolproof way to break into a system based on unix, linux, whatever
with a catch.<br>
Reflections on trusting trust<br>
http://www.acm.org/classics/sep95<br>

Get a copy of login program.
 Modify code so it really does.<br>
	attack:<br>
	"if username == ken, OK."<br>
	convince everyone to use this login program.<br>
The catch is that someone will read that and get rid of it.<br>
So you look at the source code to gcc.c
<pre>
	modify so that
	attack B
	"if source file == login.c then generate this attack above"
	convince everyone to use this gcc
</pre>
but, someone will read gcc source code and fix that.<br>
<pre>
so, write gcc.c'
	if source == "login.c" generate attack code
	if source == "gcc.c" generate attack B code
now compile gcc this way, throw source away
</pre>
give them modified gcc binary and original gcc source code.<br>

<i>if youre doing security you must have a trusted computing base.</i>
you HAVE to trust somebody<br>
you want to minimize this group, but it exists.<br>
you have to know what's in it.<br>
<body>
</html>