case studies in access control - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0%c2%a0%c2%a0/cl…situations...

Case Studies in Access Control

Case Studies inAccess Control

Joint SoftwareDevelopment

Mailers

1 / 38

■ Joint software development■ Mail

Joint Software Development



Situations

Roles

PermissionsWhy Enforce AccessControls?

Unix Setup

Windows ACL Setup

Reviewer/TesterAccess

Medium-Size Group

Basic StructureVersion ControlSystems

Why use a VCS?

Note Well

Structure of a VCS

Permission Structure

They’re Not SetUID!

The Repository

Large Organization

Complications

Mailers

2 / 38

Situations



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

3 / 38

■ Small team on a single machine■ Medium-to-large team on a LAN■ Large, distributed team, spread among several

organizations

Roles



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

4 / 38

■ Developer (i.e., can commit changes)■ Tester■ Code reviewer

Permissions



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

5 / 38

■ We want the technical mechanisms to reflectthe organizational roles

■ The real challenge: mapping the organizationalstructure to OS primitives

■ Why?

Why Enforce Access Controls?



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

6 / 38

■ Protect software from outsidersreading/stealing it

■ Protect against unauthorized changes■ Know who made certain changes?

Unix Setup



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

7 / 38

■ Assume you just have user/group/otherpermissions, with no ACLs. How would you setthings up?

■ Put all developers in a certain group■ Make files and directories group

readable/writable■ Decision to turn off “other” read access is

site-dependent

Windows ACL Setup



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

8 / 38

■ Could add each developer individually■ Bad idea — if a developer leaves or joins the

group, many ACLs must be updated■ Still want to use groups; vary group

membership instead■ Advantage: can have multiple sets of group

permissions — why?

Reviewer/Tester Access



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

9 / 38

■ Reviewers and testers need read access■ They do not need write access■ No good, built-in solution on classic Unix■ With ACLs, one group can have r/w

permissions; another can have r permissions

Medium-Size Group



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

10 / 38

■ No longer on single machine with simple filepermissions

■ More need for change-tracking■ More formal organizational structure

Basic Structure



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

11 / 38

■ Basic permission structure should be the same■ Again: use group permissions as the

fundamental permission unit■ Limits of non-ACL systems become more

critical

Version Control Systems



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

12 / 38

■ For medium-size projects, use of a versioncontrol system (i.e., CVS, Subversion,Mercurial, RCS, etc.) is mandatory

■ (Why?)■ What are the permission implications of a

version control system?

Why use a VCS?



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

13 / 38

■ Auditability — who made which change?■ When was a given change made?■ Can you roll back to a known-clean version of

the codebase?■ What patches have been applied to which

versions of the system?

Note Well



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

14 / 38

■ All of those features are important just formanageability

■ Security needs are strictly greater — we haveto deal with active malfeasance as well asordinary bugs and failures

Structure of a VCS



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

15 / 38

Repository Master copy; records all changes,versions, etc.

Working copies Zero or more working copies.Developers check out a version from therepository, make changes, and commit thechanges




Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

16 / 38

Here are the Unix client commands for RCS, CVS,Mercurial, and Subversion. What are the securityimplications?

$ ls -l /usr/bin/ci /usr/bin/cvs \

/usr/pkg/bin/hg /usr/pkg/bin/svn

-r-xr-xr-x 1 root wheel /usr/bin/ci

-r-xr-xr-x 1 root wheel /usr/bin/cvs

-rwxr-xr-x 1 root wheel /usr/pkg/bin/hg

-rwxr-xr-x 1 root wheel /usr/pkg/bin/svn




Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

17 / 38

■ They execute with the permissions of theinvoker

■ They could try to do access control, but it’smeaningless — anyone else could write code todo the same things

■ The permission structure of the repository iswhat’s important

The Repository



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

18 / 38

■ Essential feature: developers must have writepermission on the directories

■ File permissions are irrelevant; old files can berenamed and unlinked instead of beingoverwritten

■ (Potential for annoyance if new directories arecreated with the wrong permission — must setumask properly)

■ But — what prevents a developer with writepermission on the respository from doing nastythings?

■ Nothing. . .

Large Organization



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

19 / 38

■ Use client/server model for repository access■ Most users (including developers) have no

direct access to the VCS repository■ Either build access control into VCS server or

layer on top of underlying OS permissions■ But — must restrict what commands can be

executed on repository by developers

Complications



Situations

Roles


Unix Setup

Windows ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

20 / 38

■ If you rely on OS permissions, something hasto have root privileges, to let the repositorypart of the process run as that user

■ If the VCS itself has a root component, is ittrustable?

■ If you use, say, ssh, is the commandrestriction mechanism trustable?

■ If you rely on VCS permissions, you need toimplement a reliable authentication and ACLmechanism

■ All of this is possible — but is it secure?

Mailers



Mailers

Mailers

Issues

Accepting Mail

Spool Directory

However. . .Local Access orClient/Server?

Client/Server

Bug Containment

Local Mail Storage

Central MailDirectory

Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram

Privileged Programs

Privileged MailReadersMany MoreSubtleties

Why is it Hard?

21 / 38

Mailers



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

22 / 38

■ Issue of interest: local mail delivery andretrieval

■ Surprisingly enough, network email doesn’t add(too much) security complexity

Issues



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

23 / 38

■ Email must be reliable■ Users must be able to send email to any other

users■ The system should reliably identify the sender

of each message■ All emails should be logged■ Locking is often necessary to prevent race

conditions when reading and writing a mailbox■ Authentication

Accepting Mail



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

24 / 38

■ Must accept mail from users■ Copy it, either to protected spool directory for

network delivery or directly to recipient’smailbox

Spool Directory



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

25 / 38

■ If the mailer is setuid, it can copy the email toa protected directory with no trouble

■ If the directory is world-writable but notworld-readable, you don’t even need setuid —add a random component to the filenames toprevent overwriting

■ (Homework submission script does this)■ File owner is automatically set correctly, for

use in generating From: line

However. . .



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

26 / 38

■ Cannot securely write metadata for suchdirectories — others could overwrite themetadata file

■ Cannot prevent users from overwriting theirown pending email

■ Listing the mail queue still requires privilege

Local Access or Client/Server?



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

27 / 38

■ For client/server, issues are similar to VCS:authentication, root programs, restrictingactions, etc

■ For local access, must confront permissionissues

■ This is complicated by the many differentversions of Unix over the years

Client/Server



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

28 / 38

■ Standardized, (relatively) simple accessprotocols, POP and IMAP

■ For ISP or large enterprise, neither need norwant general shell-type access to mail server

■ Large system mailers have their ownauthentication database

■ Does not rely on OS permissions■ But — a mail server bug exposes the entire

mail repository■ Also — how do users change their passwords?

Bug Containment



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

29 / 38

■ Separate programs into two sections:

◆ Small, simple section that doesauthentication and changes uid (must runas root)

◆ Large section that runs as that user

■ Major advantage: security holes in largesection don’t matter, since it has no specialprivileges

■ Much more on program structure later in thesemester

Local Mail Storage



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

30 / 38

■ Where is mail stored? Central mailboxdirectory or user’s home directory?

■ Note that mail delivery program must be ableto (a) create, and (b) write to mailboxes

■ If mailbox is in the user’s directory, maildelivery program must have root permissions

Central Mail Directory



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

31 / 38

■ We can put all mailboxes in, say, /var/mail■ What are the permissions on it?■ If it’s writable by group mail, delivery daemon

can create new mailboxes■ Make mailboxes writable by group mail, and

owned by the recipient?■ Permits non-root delivery — but how do new

mailboxes get created and owned by the user?

Dangers of User-Writable Mailbox

DirectoriesCase Studies inAccess Control


Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

32 / 38

Permissionescalation

ln -s /etc/passwd /var/mail/me

Vandalism rm /var/mail/you

Denial ofservice

touch /var/mail/does-not-exist-yet

Defending Against These Attacks



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

33 / 38

Escalation Check mailbox permissions andownership before writing (note: watch for raceconditions)

Vandalism Set “sticky bit” on directoryDoS Remove (or change ownership of)

mailboxes with wrong ownership

Note well: most of these are trickier than theyseem

Delivering Mail to a Program



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

34 / 38

■ Most mail systems permit delivery of email toa program

■ Must execute that program as the appropriateuser

■ (Who is the “appropriate” user? Note that onSolaris, you may (depending on systemconfiguration) be able to give away files)

■ Implies the need for root privileges by thelocal delivery program

Privileged Programs



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

35 / 38

■ What must be privileged?■ What privileges?■ Local delivery needs some privileges, frequently

root

■ Delivery to a program always requires root■ The mail reader?

Privileged Mail Readers



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

36 / 38

■ The System V mail reader was setgid togroup mail

■ Could delete empty mailboxes■ More importantly, could create lock files by

linking in the mailbox directory■ But — note the danger if the mailer was buggy

“You don’t give privileges to a whale” (about21K lines of code. . . )

Many More Subtleties



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

37 / 38

■ Writing a mailer is hard

■ I’ve barely scratched the surface of the designdecisions, even the permission-related ones

■ Complicated by varying system semantics

Why is it Hard?



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

38 / 38

■ Mailers cross protection boundaries■ That is, they copy data from one permission

context to another■ Both can be arbitrary userids■ Simply importing data to a userid is a lot easier■ In addition, a lot of functionality is needed■ Not surprisingly, mailers have a very poor

security record

case studies in access control - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0%c2%a0%c2%a0/cl…situations...

Documents

Introduction to Cryptography, Part IIsmb%c2%a0%c2%a0%c2%a0%c2%… · Homomorphic Vs. Non-malleable •Homomorphic encryption ... •How many people need to be in a room for the probability

DISTRIBUTION ONLYsmb%c2%a0%c2%a0%c2%a0%c2%a0... · 2017. 5. 29. · 3-4. mum m- ” 4..mm.mm.m . we ... In nuclearweapons that areinherently one-point safe,‘nuclearsafety is dependent

FORMAT : A0 C1 C2

Web Server-Side Securitysmb%c2%a0%c2%a0%c2%a0%c2%a0… · Most interesting web sites use server-side scripts: CGI, ASP, PHP, server-side include, etc. Each such script is a separate

Toward Usable Access Control for End-users: A Case Study ...smb%c2%a0%c2%a0%c2%a0... · evaluating how Facebook users utilize the available privacy controls to implement an access

A Introduction to Modern Cryptographysmb%c2%a0%c2%a0%c2%a0...on the history of cryptography. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, Simon

Practical Issues with Intrusion Detectionsmb%c2%a0%c2%a0%c2%a0%c2%a0... · 2006. 11. 14. · Extrusion Detection Simple Logging Log Files Finding Compromised Hosts 3 / 42. Locations

Frank Miller’s Codebooksmb%c2%a0%c2%a0%c2%a0%c2%a0… · Lots of Google and Google books searches; ... memory of it in 1912 when he formulated his maxim? Does the evidence exist

คู่มือสมัครเข้ารับการศึกษาskmo.moph.go.th/sites/default/files/File_patbook/%C3%A0%C2%B8%… · คู่มือสมัครเข้ารับการศึกษา

Año 20 Saltillo, Coahuila 10 de junio de 2019 Número 241 ...transparencia.saltillo.gob.mx/Articulo%2028/VII.%C2%A0%C2%A0%C… · Asignación de nomenclatura al Bulevar El Minero,

Protecting the Clientsmb%c2%a0%c2%a0%c2%a0... · If someone using the application connects to your server—or if you can trick someone into connecting to your server via a watering

Documento1 - transparencia.saltillo.gob.mxtransparencia.saltillo.gob.mx/Articulo%2028/VIII.%c2%a0%c2%a0%c2… · del IMCS, o de quienes el Comité designe, y la decisión será inapetable,

Doing History in the Internet Agesmb%c2%a0%c2%a0%c2%a0... · the Freemasons (1829), the Templars (1867), and the Ku Klux Klan (1872) Neither of these two meanings is listed in the

Comment%20cr%c3%a9er%20une%20page%20 fan%20sur%20facebook%20avec%20awsclic%c2%a0

Authentication - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0%c2%a0… · password as the key + This is where the 8-character limit comes from Any decent cryptosystem can resist ﬁnding

Risks of Computers: What do we Do? - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0... · The Bloomberg Crash ... ther traders said they depended on Bloomberg chat so heavily that they weren’t

แนวทางการบ าบัดรักษาด้วยเมทาโดนระยะยาวe-lib.ddc.moph.go.th/images/pic_book/68.%C3%A0%C2... · แนวทางการบ

Authentication - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0%c2%a0… · password as the key (Why not encrypt the password?) + This is where the 8-character limit comes from Any decent cryptosystem

Complex Access Control - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0%c2%… · hTop, Planesi and hSecret, Subsi are not comparable, Steven M. Bellovin September 14, 2010 30. Using this Scheme

Program Structure IIsmb%c2%a0%c2%a0%c2%a0%c2%a0... · 2015-11-18 · Linux 2.6 Kernel.17 Commercial code 20–30 ... Windows 7 has cut down on the prompts—but some say that makes

Security: The Human Elementsmb%c2%a0%c2%a0%c2%a0%c2%a0… · The Human Element “Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable

Google versus Chinasmb%c2%a0%c2%a0%c2%a0%c2%… · including from Chinese companies like Huawei. ... • Some of the attacks were directed at dissidents and activists ... they could

Computers, Society, and the Lawsmb%c2%a0%c2%a0%c2%a0%c2%a0... · 2017-04-13 · Recording Electronic) voting machines and Internet voting ... lUse machine learning to make predictions

Viruses, Worms, and Trojan Horsessmb%C2%A0%C2%A0%C2%A0%C2%A0%… · How do they spread? What can be done about them? Steven M. Bellovin February 9, 2020 2. Worms in Science Fiction

ControlCenter2smb%c2%a0%c2%a0%c2%a0...MC3764 CAP (Section 4.2). The CAP will provide the same multiple code population and limited-try fea- tures as the MCCS, but the W82 will not

Internet Security: Then and Nowsmb%c2%a0%c2%a0%c2%a0...13 SSL To some extent, a fig leaf: “it's safe to shop here, because your traffic is encrypted” 99.999% of consumers don't

C2 04 CATALOGO.dwg C2-04 A0 2) - Ponferrada

Preparing Your Google Cloud VM for W4187smb%c2%a0%c2%a0%c2%a0%c2%a0… · 7. Select No for \Please email me updates ..." unless you actually want email updates on new o erings. 8

STAINES AP-PLANS PHDD C2-A0 HVAC MECH

The Crypto Warssmb%c2%a0%c2%a0%c2%a0%c2%a0...The American Black Chamber The US originally did little of this, but learned rapidly during World War I (During the Civil War, the Union

Biometrics; Authentication as a Systems Problemsmb%c2%a0%c2%a0%… · · 2013-09-26the problmes are likely to remain difﬁcult issues for system designers? Steven M. Bellovin

Encryp’on, Security, and Privacysmb%c2%a0%c2%a0%c2%a0%c2%a0… · Examples l Incorrectly padding a short message to match the encryp’on algorithm’s requirements has resulted

Software Complexitysmb%c2%a0%c2%a0%c2%a0%c2%a0%c2%a0/tal… · Why Technologists Oppose Golden Keys • It has nothing to do with dislike of the FBI or the NSA • Technologists can

Final Review - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0%c2%a0… · Final Review The Test Conditions Format Material Limits Memory and Virtual Memory Paging File Systems Permissions Device

Wiretapping and Surveillancesmb%c2%a0%c2%a0%c2%a0%c2%a0… · They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. They know you called the suicide prevention