Access Control

Part 2  Access Control 1

 Access Control
 Two parts to access control
 Authentication: Who goes there?
o Determine whether access is allowed
o Authenticate human to machine
o Authenticate machine to machine
 Authorization: Are you allowed to do that?
o Once you have access, what can you do?
o Enforces limits on actions
 Note: Access control often used as synonym for
authorization

Part 2  Access Control 2

 Authentication

Part 2  Access Control 3

 Who Goes There?
 How to authenticate a human to a machine?
 Can be based on…
o Something you know
 For example, a password
o Something you have
 For example, a smartcard
o Something you are
 For example, your fingerprint

Part 2  Access Control 4

 Something You Know
 Passwords
 Lots of things act as passwords!
o PIN
o Social security number
o Mother’s maiden name
o Date of birth
o Name of your pet, etc.

Part 2  Access Control 5

 Trouble with Passwords
 “Passwords are one of the biggest practical
problems facing security engineers today.”
 “Humans are incapable of securely storing high-
quality cryptographic keys, and they have
unacceptable speed and accuracy when performing
cryptographic operations. (They are also large,
expensive to maintain, difficult to manage, and they
pollute the environment. It is astonishing that these
devices continue to be manufactured and deployed.)”

Part 2  Access Control 6

 Why Passwords?
 Why is “something you know” more
popular than “something you have” and
“something you are”?
 Cost: passwords are free
 Convenience: easier for SA to reset
pwd than to issue user a new thumb

Part 2  Access Control 7

 Keys vs Passwords

 Crypto keys  Passwords

 Spse key is 64 bits  Spse passwords are 8
characters, and 256
 Then 264 keys different characters
 Choose key at  Then 2568 = 264 pwds
random  Users do not select
 Then attacker must passwords at random
try about 263 keys  Attacker has far less
than 263 pwds to try
(dictionary attack)

Part 2  Access Control 8

 Good and Bad Passwords
 Bad passwords  Good Passwords?
o frank o jfIej,43j-EmmL+y
o Fido o 09864376537263
o password o P0kem0N
o 4444 o FSa7Yago
o Pikachu o 0nceuP0nAt1m8
o 102560 o PokeGCTall150
o AustinStamp

Part 2  Access Control 9

 Password Experiment
 Three groups of users  each group
advised to select passwords as follows
o Group A: At least 6 chars, 1 non-letter
winner o Group B: Password based on passphrase
o Group C: 8 random characters
 Results
o Group A: About 30% of pwds easy to crack
o Group B: About 10% cracked
 Passwords easy to remember
o Group C: About 10% cracked
 Passwords hard to remember
Part 2  Access Control 10
 Password Experiment
 User compliance hard to achieve
 In each case, 1/3rd did not comply (and
about 1/3rd of those easy to crack!)
 Assigned passwords sometimes best
 If passwords not assigned, best advice is
o Choose passwords based on passphrase
o Use pwd cracking tool to test for weak pwds
o Require periodic password changes?

Part 2  Access Control 11

 Attacks on Passwords
 Attacker could…
o Target one particular account
o Target any account on system
o Target any account on any system
o Attempt denial of service (DoS) attack
 Common attack path
o Outsider  normal user  administrator
o May only require one weak password!

Part 2  Access Control 12

 Password Retry
 Suppose system locks after 3 bad
passwords. How long should it lock?
o 5 seconds
o 5 minutes
o Until SA restores service
 What are +’s and -’s of each?

Part 2  Access Control 13

 Password File
 Bad idea to store passwords in a file
 But need a way to verify passwords
 Cryptographic solution: hash the passwords
o Store y = h(password)
o Can verify entered password by hashing
o If attacker obtains password file, he does not
obtain passwords
o But attacker with password file can guess x and
check whether y = h(x)
o If so, attacker has found password!

Part 2  Access Control 14

 Dictionary Attack
 Attacker pre-computes h(x) for all x in a
dictionary of common passwords
 Suppose attacker gets access to password
file containing hashed passwords
o Attacker only needs to compare hashes to his
pre-computed dictionary
o Same attack will work each time
 Can we prevent this attack? Or at least
make attacker’s job more difficult?

Part 2  Access Control 15

 Password File
 Store hashed passwords
 Better to hash with salt
 Given password, choose random s, compute
y = h(password, s)
and store the pair (s,y) in the password file
 Note: The salt s is not secret
 Easy to verify password
 Attacker must recompute dictionary
hashes for each user  lots more work!
Part 2  Access Control 16
 Password Cracking:
Do the Math
 Assumptions
 Pwds are 8 chars, 128 choices per character
o Then 1288 = 256 possible passwords
 There is a password file with 210 pwds
 Attacker has dictionary of 220 common pwds
 Probability of 1/4 that a pwd is in dictionary
 Work is measured by number of hashes

Part 2  Access Control 17

 Password Cracking
 Attack 1 password without dictionary
o Must try 256/2 = 255 on average
o Just like exhaustive key search
 Attack 1 password with dictionary
o Expected work is about
1/4 (219) + 3/4 (255) = 254.6
o But in practice, try all in dictionary and quit if
not found  work is at most 220 and probability
of success is 1/4

Part 2  Access Control 18

 Password Cracking
 Attack any of 1024 passwords in file
 Without dictionary
o Assume all 210 passwords are distinct
o Need 255 comparisons before expect to find
password
o If no salt, each hash computation gives 210
comparisons  the expected work (number of
hashes) is 255/210 = 245
o If salt is used, expected work is 255 since each
comparison requires a new hash computation

Part 2  Access Control 19

 Password Cracking
 Attack any of 1024 passwords in file
 With dictionary
o Probability at least one password is in dictionary
is 1 - (3/4)1024 = 1
o We ignore case where no pwd is in dictionary
o If no salt, work is about 219/210 = 29
o If salt, expected work is less than 222
o Note: If no salt, we can precompute all
dictionary hashes and amortize the work

Part 2  Access Control 20

 Other Password Issues
 Too many passwords to remember
o Results in password reuse
o Why is this a problem?
 Who suffers from bad password?
o Login password vs ATM PIN
 Failure to change default passwords
 Social engineering
 Error logs may contain “almost” passwords
 Bugs, keystroke logging, spyware, etc.
Part 2  Access Control 21
 Passwords
 The bottom line
 Password cracking is too easy!
o One weak password may break security
o Users choose bad passwords
o Social engineering attacks, etc.
 The bad guy has all of the advantages
 All of the math favors bad guys
 Passwords are a big security problem

Part 2  Access Control 22

 Password Cracking Tools
 Popular password cracking tools
o Password Crackers
o Password Portal
o L0phtCrack and LC4 (Windows)
o John the Ripper (Unix)
 Admins should use these tools to test for
weak passwords since attackers will!
 Good article on password cracking
o Passwords - Conerstone of Computer Security

Part 2  Access Control 23

 Biometrics

Part 2  Access Control 24

 Something You Are
 Biometric
o “You are your key”  Schneier
 Examples
o Fingerprint
o Handwritten signature Are
o Facial recognition Have
Know
o Speech recognition
o Gait (walking) recognition
o “Digital doggie” (odor recognition)
o Many more!

Part 2  Access Control 25

 Why Biometrics?
 Biometrics seen as desirable replacement
for passwords
 Cheap and reliable biometrics needed
 Today, a very active area of research
 Biometrics are used in security today
o Thumbprint mouse
o Palm print for secure entry
o Fingerprint to unlock car door, etc.
 But biometrics not too popular
o Has not lived up to its promise (yet)
Part 2  Access Control 26
 Ideal Biometric
 Universal  applies to (almost) everyone
o In reality, no biometric applies to everyone
 Distinguishing  distinguish with certainty
o In reality, cannot hope for 100% certainty
 Permanent  physical characteristic being
measured never changes
o In reality, want it to remain valid for a long time
 Collectable  easy to collect required data
o Depends on whether subjects are cooperative
 Safe, easy to use, etc., etc.
Part 2  Access Control 27
 Biometric Modes
 Identification  Who goes there?
o Compare one to many
o Example: The FBI fingerprint database
 Authentication  Is that really you?
o Compare one to one
o Example: Thumbprint mouse
 Identification problem more difficult
o More “random” matches since more comparisons
 We are interested in authentication
Part 2  Access Control 28
 Enrollment vs Recognition
 Enrollment phase
o Subject’s biometric info put into database
o Must carefully measure the required info
o OK if slow and repeated measurement needed
o Must be very precise for good recognition
o A weak point of many biometric schemes
 Recognition phase
o Biometric detection when used in practice
o Must be quick and simple
o But must be reasonably accurate
Part 2  Access Control 29
 Cooperative Subjects
 We are assuming cooperative subjects
 In identification problem often have
uncooperative subjects
 For example, facial recognition
o Proposed for use in Las Vegas casinos to detect
known cheaters
o Also as way to detect terrorists in airports, etc.
o Probably do not have ideal enrollment conditions
o Subject will try to confuse recognition phase
 Cooperative subject makes it much easier!
o In authentication, subjects are cooperative
Part 2  Access Control 30
 Biometric Errors
 Fraud rate versus insult rate
o Fraud  user A mis-authenticated as user B
o Insult  user A not authenticate as user A
 For any biometric, can decrease fraud or
insult, but other will increase
 For example
o 99% voiceprint match  low fraud, high insult
o 30% voiceprint match  high fraud, low insult
 Equal error rate: rate where fraud == insult
o The best measure for comparing biometrics
Part 2  Access Control 31
 Fingerprint History
 1823  Professor Johannes Evangelist
Purkinje discussed 9 fingerprint patterns
 1856  Sir William Hershel used
fingerprint (in India) on contracts
 1880  Dr. Henry Faulds article in Nature
about fingerprints for ID
 1883  Mark Twain’s Life on the
Mississippi a murderer ID’ed by fingerprint

Part 2  Access Control 32

 Fingerprint History
 1888  Sir Francis Galton (cousin of
Darwin) developed classification system
o His system of “minutia” is still in use today
o Also verified that fingerprints do not change
 Some countries require a number of points
(i.e., minutia) to match in criminal cases
o In Britain, 15 points
o In US, no fixed number of points required

Part 2  Access Control 33

 Fingerprint Comparison
 Examples of loops, whorls and arches
 Minutia extracted from these features

Loop (double) Whorl Arch

Part 2  Access Control 34

 Fingerprint Biometric

 Capture image of fingerprint

 Enhance image
 Identify minutia

Part 2  Access Control 35

 Fingerprint Biometric

 Extracted minutia are compared with

user’s minutia stored in a database
 Is it a statistical match?

Part 2  Access Control 36

 Hand Geometry
 Popular form of biometric
 Measures shape of hand
o Width of hand, fingers
o Length of fingers, etc.
 Human hands not unique
 Hand geometry sufficient
for many situations
 Suitable for authentication
 Not useful for ID problem

Part 2  Access Control 37

 Hand Geometry
 Advantages
o Quick
o 1 minute for enrollment
o 5 seconds for recognition
o Hands symmetric (use other hand backwards)
 Disadvantages
o Cannot use on very young or very old
o Relatively high equal error rate

Part 2  Access Control 38

 Iris Patterns

 Iris pattern development is “chaotic”

 Little or no genetic influence
 Different even for identical twins
 Pattern is stable through lifetime
Part 2  Access Control 39
 Iris Recognition: History
 1936  suggested by Frank Burch
 1980s  James Bond films
 1986  first patent appeared
 1994  John Daugman patented best
current approach
o Patent owned by Iridian Technologies

Part 2  Access Control 40

 Iris Scan
 Scanner locates iris
 Take b/w photo
 Use polar coordinates…
 Find 2-D wavelet trans
 Get 256 byte iris code

Part 2  Access Control 41

 Measuring Iris Similarity
 Based on Hamming distance
 Define d(x,y) to be
o # of non match bits/# of bits compared
o d(0010,0101) = 3/4 and d(101111,101001) = 1/3
 Compute d(x,y) on 2048-bit iris code
o Perfect match is d(x,y) = 0
o For same iris, expected distance is 0.08
o At random, expect distance of 0.50
o Accept as match if distance less than 0.32

Part 2  Access Control 42

 Iris Scan Error Rate
distance Fraud rate

0.29 1 in 1.31010
0.30 1 in 1.5109
0.31 1 in 1.8108
0.32 1 in 2.6107
0.33 1 in 4.0106
0.34 1 in 6.9105
0.35 1 in 1.3105
: equal error rate
distance
Part 2  Access Control 43
 Attack on Iris Scan
 Good photo of eye can be scanned
o Attacker could use photo of eye
 Afghan woman was authenticated by
iris scan of old photo
o Story is here
 To prevent photo attack, scanner could
use light to be sure it is a “live” iris

Part 2  Access Control 44

 Equal Error Rate Comparison
 Equal error rate (EER): fraud == insult rate
 Fingerprint biometric has EER of about 5%
 Hand geometry has EER of about 10-3
 In theory, iris scan has EER of about 10-6
o But in practice, hard to achieve
o Enrollment phase must be extremely accurate
 Most biometrics much worse than fingerprint!
 Biometrics useful for authentication…
 But ID biometrics are almost useless today
Part 2  Access Control 45
Biometrics: The Bottom Line
 Biometrics are hard to forge
 But attacker could
o Steal Alice’s thumb
o Photocopy Bob’s fingerprint, eye, etc.
o Subvert software, database, “trusted path”, …
 Also, how to revoke a “broken” biometric?
 Biometrics are not foolproof!
 Biometric use is limited today
 That should change in the future…

Part 2  Access Control 46

 Something You Have
 Something in your possession
 Examples include
o Car key
o Laptop computer
 Or specific MAC address
o Password generator
 We’ll look at this next
o ATM card, smartcard, etc.

Part 2  Access Control 47

 Password Generator
1. “I’m Alice”
3. PIN, R
2. R
4. F(R)
Password 5. F(R)
generator Alice Bob

 Alice gets “challenge” R from Bob

 Alice enters R into password generator
 Alice sends “response” back to Bob
 Alice has pwd generator and knows PINs
Part 2  Access Control 48
 2-factor Authentication
 Requires 2 out of 3 of
1. Something you know
2. Something you have
3. Something you are
 Examples
o ATM: Card and PIN
o Credit card: Card and signature
o Password generator: Device and PIN
o Smartcard with password/PIN

Part 2  Access Control 49

 Single Sign-on
 A hassle to enter password(s) repeatedly
o Users want to authenticate only once
o “Credentials” stay with user wherever he goes
o Subsequent authentication is transparent to user
 Single sign-on for the Internet?
o Microsoft: Passport
o Everybody else: Liberty Alliance
o Security Assertion Markup Language (SAML)

Part 2  Access Control 50

 Web Cookies
 Cookie is provided by a Website and stored
on user’s machine
 Cookie indexes a database at Website
 Cookies maintain state across sessions
 Web uses a stateless protocol: HTTP
 Cookies also maintain state within a session
 Like a single sign-on for a website
o Though a very weak form of authentication
 Cookies and privacy concerns
Part 2  Access Control 51
 Authorization

Part 2  Access Control 52

 Authentication vs
Authorization
 Authentication  Who goes there?
o Restrictions on who (or what) can access system
 Authorization  Are you allowed to do that?
o Restrictions on actions of authenticated users
 Authorization is a form of access control
 Authorization enforced by
o Access Control Lists
o Capabilities

Part 2  Access Control 53

 Lampson’s Access Control Matrix
 Subjects (users) index the rows
 Objects (resources) index the columns
Accounting Accounting Insurance Payroll
OS program data data data

Bob rx rx r --- ---

Alice rx rx r rw rw

Sam rwx rwx r rw rw

Accounting
program rx rx rw rw rw
Part 2  Access Control 54
 Are You Allowed to Do That?
 Access control matrix has all relevant info
 But how to manage a large access control (AC)
matrix?
 Could be 1000’s of users, 1000’s of resources
 Then AC matrix with 1,000,000’s of entries
 Need to check this matrix before access to
any resource is allowed
 Hopelessly inefficient

Part 2  Access Control 55

 Access Control Lists (ACLs)
 ACL: store access control matrix by column
 Example: ACL for insurance data is in blue
Accounting Accounting Insurance Payroll
OS program data data data

Bob rx rx r --- ---

Alice rx rx r rw rw

Sam rwx rwx r rw rw

Accounting
program rx rx rw rw rw
Part 2  Access Control 56
 Capabilities (or C-Lists)
 Store access control matrix by row
 Example: Capability for Alice is in red
Accounting Accounting Insurance Payroll
OS program data data data

Bob rx rx r --- ---

Alice rx rx r rw rw

Sam rwx rwx r rw rw

Accounting
program rx rx rw rw rw
Part 2  Access Control 57
 ACLs vs Capabilities
r r
Alice --- file1 Alice w file1
r rw

w ---
Bob r file2 Bob r file2
--- r

rw r
Fred r file3 Fred --- file3
r r

Access Control List Capability

 Note that arrows point in opposite directions!

 With ACLs, still need to associate users to filess
Part 2  Access Control 58
 Confused Deputy
 Two resources  Access control matrix
o Compiler and BILL
Compiler
file (billing info) BILL
 Compiler can write Alice x ---
file BILL
Compiler rx rw
 Alice can invoke
compiler with a
debug filename
 Alice not allowed to
write to BILL
Part 2  Access Control 59
 ACL’s and Confused Deputy

Compiler

Alice BILL
 Compiler is deputy acting on behalf of Alice
 Compiler is confused
o Alice is not allowed to write BILL
 Compiler has confused its rights with Alice’s
Part 2  Access Control 60
 Confused Deputy
 Compiler acting for Alice is confused
 There has been a separation of authority
from the purpose for which it is used
 With ACLs, difficult to avoid this problem
 With Capabilities, easier to prevent problem
o Must maintain association between authority and
intended purpose
o Capabilities make it easy to delegate authority

Part 2  Access Control 61

 ACLs vs Capabilities
 ACLs
o Good when users manage their own files
o Protection is data-oriented
o Easy to change rights to a resource
 Capabilities
o Easy to delegate
o Easy to add/delete users
o Easier to avoid the confused deputy
o More difficult to implement
o The “Zen of information security”
 Capabilities loved by academics
o Capability Myths Demolished

Part 2  Access Control 62

 Multilevel Security (MLS)
Models

Part 2  Access Control 63

Classifications and Clearances
 Classifications apply to objects
 Clearances apply to subjects
 US Department of Defense uses 4
levels of classifications/clearances
TOP SECRET
SECRET
CONFIDENTIAL
UNCLASSIFIED
Part 2  Access Control 64
Clearances and Classification
 To obtain a SECRET clearance requires a
routine background check
 A TOP SECRET clearance requires
extensive background check
 Practical classification problems
o Proper classification not always clear
o Level of granularity to apply classifications
o Aggregation  flipside of granularity

Part 2  Access Control 65

 Subjects and Objects
 Let O be an object, S a subject
o O has a classification
o S has a clearance
o Security level denoted L(O) and L(S)
 For DoD levels, we have
TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED

Part 2  Access Control 66

 Multilevel Security (MLS)
 MLS needed when subjects/objects at
different levels use same system
 MLS is a form of Access Control
 Military/government interest in MLS for
many decades
o Lots of funded research into MLS
o Strengths and weaknesses of MLS relatively
well understood (theoretical and practical)
o Many possible uses of MLS outside military

Part 2  Access Control 67

 MLS Applications
 Classified government/military information
 Business example: info restricted to
o Senior management only
o All management
o Everyone in company
o General public
 Network firewall
o Keep intruders at low level to limit damage
 Confidential medical info, databases, etc.

Part 2  Access Control 68

 MLS Security Models
 MLS models explain what needs to be done
 Models do not tell you how to implement
 Models are descriptive, not prescriptive
o High level description, not an algorithm
 There are many MLS models
 We’ll discuss simplest MLS model
o Other models are more realistic
o Other models also more complex, more difficult
to enforce, harder to verify, etc.

Part 2  Access Control 69

 Bell-LaPadula
 BLP security model designed to express
essential requirements for MLS
 BLP deals with confidentiality
o To prevent unauthorized reading
 Recall that O is an object, S a subject
o Object O has a classification
o Subject S has a clearance
o Security level denoted L(O) and L(S)

Part 2  Access Control 70

 Bell-LaPadula
 BLP consists of
Simple Security Condition: S can read O
if and only if L(O)  L(S)
*-Property (Star Property): S can write O
if and only if L(S)  L(O)
 No read up, no write down

Part 2  Access Control 71

 McLean’s Criticisms of BLP
 McLean: BLP is “so trivial that it is hard to
imagine a realistic security model for which it
does not hold”
 McLean’s “system Z” allowed administrator to
reclassify object, then “write down”
 Is this fair?
 Violates spirit of BLP, but not expressly
forbidden in statement of BLP
 Raises fundamental questions about the
nature of (and limits of) modeling
Part 2  Access Control 72
 B and LP’s Response
 BLP enhanced with tranquility property
o Strong tranquility property: security labels never change
o Weak tranquility property: security label can only change if
it does not violate “established security policy”
 Strong tranquility impractical in real world
o Often want to enforce “least privilege”
o Give users lowest privilege needed for current work
o Then upgrade privilege as needed (and allowed by policy)
o This is known as the high water mark principle
 Weak tranquility allows for least privilege (high
water mark), but the property is vague

Part 2  Access Control 73

 BLP: The Bottom Line
 BLP is simple, but probably too simple
 BLP is one of the few security models that
can be used to prove things about systems
 BLP has inspired other security models
o Most other models try to be more realistic
o Other security models are more complex
o Other models difficult to analyze and/or apply
in practice

Part 2  Access Control 74

 Biba’s Model
 BLP for confidentiality, Biba for integrity
o Biba is to prevent unauthorized writing
 Biba is (in a sense) the dual of BLP
 Integrity model
o Spse you trust the integrity of O but not O
o If object O includes O and O then you cannot
trust the integrity of O
 Integrity level of O is minimum of the
integrity of any object in O
 Low water mark principle for integrity
Part 2  Access Control 75
 Biba
 Let I(O) denote the integrity of object O
and I(S) denote the integrity of subject S
 Biba can be stated as
Write Access Rule: S can write O if and only if
I(O)  I(S)
(if S writes O, the integrity of O  that of S)
Biba’s Model: S can read O if and only if
I(S)  I(O)
(if S reads O, the integrity of S  that of O)
 Often, replace Biba’s Model with
Low Water Mark Policy: If S reads O, then
I(S) = min(I(S), I(O))
Part 2  Access Control 76
 BLP vs Biba
high BLP Biba high

l L(O) L(O) I(O) l

e e
v v
e e
l L(O) I(O) I(O) l

low Confidentiality Integrity low

Part 2  Access Control 77

 Multilateral Security
(Compartments)

Part 2  Access Control 78

 Multilateral Security
 Multilevel Security (MLS) enforces access
control up and down
 Simple hierarchy of security labels may not
be flexible enough
 Multilateral security enforces access
control across by creating compartments
 Suppose TOP SECRET divided into TOP
SECRET {CAT} and TOP SECRET {DOG}
 Both are TOP SECRET but information flow
restricted across the TOP SECRET level
Part 2  Access Control 79
 Multilateral Security
 Why compartments?
o Why not create a new classification level?
 May not want either of
o TOP SECRET {CAT}  TOP SECRET {DOG}
o TOP SECRET {DOG}  TOP SECRET {CAT}
 Compartments allow us to enforce the need
to know principle
o Regardless of your clearance, you only have
access to info that you need to know

Part 2  Access Control 80

 Multilateral Security
 Arrows indicate “” relationship

TOP SECRET {CAT, DOG}

TOP SECRET {CAT} TOP SECRET {DOG}

TOP SECRET

SECRET {CAT, DOG}

SECRET {CAT} SECRET {DOG}

SECRET
 Not all classifications are comparable, e.g.,
TOP SECRET {CAT} vs SECRET {CAT, DOG}
Part 2  Access Control 81
MLS vs Multilateral Security
 MLS can be used without multilateral security
or vice-versa
 But, MLS almost always includes multilateral
 Example
o MLS mandated for protecting medical records of
British Medical Association (BMA)
o AIDS was TOP SECRET, prescriptions SECRET
o What is the classification of an AIDS drug?
o Everything tends toward TOP SECRET
o Defeats the purpose of the system!
 Multilateral security was used instead
Part 2  Access Control 82
 Covert Channel

Part 2  Access Control 83

 Covert Channel
 MLS designed to restrict legitimate
channels of communication
 May be other ways for information to flow
 For example, resources shared at
different levels may signal information
 Covert channel: “communication path not
intended as such by system’s designers”

Part 2  Access Control 84

 Covert Channel Example
 Alice has TOP SECRET clearance, Bob has
CONFIDENTIAL clearance
 Suppose the file space shared by all users
 Alice creates file FileXYzW to signal “1” to
Bob, and removes file to signal “0”
 Once each minute Bob lists the files
o If file FileXYzW does not exist, Alice sent 0
o If file FileXYzW exists, Alice sent 1
 Alice can leak TOP SECRET info to Bob!
Part 2  Access Control 85
 Covert Channel Example

Alice: Create file Delete file Create file Delete file

Bob: Check file Check file Check file Check file Check file

Data: 1 0 1 1 0

Time:

Part 2  Access Control 86

 Covert Channel
 Other examples of covert channels
o Print queue
o ACK messages
o Network traffic, etc., etc., etc.
 When does a covert channel exist?
1. Sender and receiver have a shared resource
2. Sender able to vary property of resource that
receiver can observe
3. Communication between sender and receiver
can be synchronized

Part 2  Access Control 87

 Covert Channel
 Covert channels exist almost everywhere
 Easy to eliminate covert channels…
o Provided you eliminate all shared resources and
all communication
 Virtually impossible to eliminate all covert
channels in any useful system
o DoD guidelines: goal is to reduce covert channel
capacity to no more than 1 bit/second
o Implication is that DoD has given up trying to
eliminate covert channels!

Part 2  Access Control 88

 Covert Channel
 Consider 100MB TOP SECRET file
o Plaintext version stored in TOP SECRET place
o Encrypted with AES using 256-bit key,
ciphertext stored in UNCLASSIFIED location
 Suppose we reduce covert channel capacity
to 1 bit per second
 It would take more than 25 years to leak
entire document thru a covert channel
 But it would take less than 5 minutes to
leak 256-bit AES key thru covert channel!
Part 2  Access Control 89
 Real-World Covert Channel

 Hide data in TCP header “reserved” field

 Or use covert_TCP, tool to hide data in
o Sequence number
o ACK number
Part 2  Access Control 90
 Real-World Covert Channel
 Hide data in TCP sequence numbers
 Tool: covert_TCP
 Sequence number X contains covert info
ACK (or RST)
SYN Source: B
Spoofed source: C Destination: C
Destination: B ACK: X
SEQ: X B. Innocent
server

A. Covert_TCP C. Covert_TCP
sender receiver
Part 2  Access Control 91
 Inference Control

Part 2  Access Control 92

 Inference Control Example
 Suppose we query a database
o Question: What is average salary of female CS
professors at SJSU?
o Answer: $95,000
o Question: How many female CS professors at
SJSU?
o Answer: 1
 Specific information has leaked from
responses to general questions!

Part 2  Access Control 93

 Inference Control and
Research
 For example, medical records are
private but valuable for research
 How to make info available for
research and protect privacy?
 How to allow access to such data
without leaking specific information?

Part 2  Access Control 94

 Naïve Inference Control
 Remove names from medical records?
 Still may be easy to get specific info
from such “anonymous” data
 Removing names is not enough
o As seen in previous example
 What more can be done?

Part 2  Access Control 95

Less-naïve Inference Control
 Query set size control
o Don’t return an answer if set size is too small
 N-respondent, k% dominance rule
o Do not release statistic if k% or more
contributed by N or fewer
o Example: Avg salary in Bill Gates’ neighborhood
o Used by the US Census Bureau
 Randomization
o Add small amount of random noise to data
 Many other methods  none satisfactory
Part 2  Access Control 96
 Inference Control: The
Bottom Line
 Robust inference control may be impossible
 Is weak inference control better than no
inference control?
o Yes: Reduces amount of information that leaks and
thereby limits the damage
 Is weak crypto better than no crypto?
o Probably not: Encryption indicates important data
o May be easier to filter encrypted data

Part 2  Access Control 97

 CAPTCHA

Part 2  Access Control 98

 Turing Test
 Proposed by Alan Turing in 1950
 Human asks questions to one other human
and one computer (without seeing either)
 If human questioner cannot distinguish the
human from the computer responder, the
computer passes the test
 The gold standard in artificial intelligence
 No computer can pass this today

Part 2  Access Control 99

 CAPTCHA
 CAPTCHA  Completely Automated Public
Turing test to tell Computers and Humans
Apart
 Automated  test is generated and scored
by a computer program
 Public  program and data are public
 Turing test to tell…  humans can pass the
test, but machines cannot pass the test
 Like an inverse Turing test (sort of…)

Part 2  Access Control 100

 CAPTCHA Paradox
 “…CAPTCHA is a program that can
generate and grade tests that it itself
cannot pass…”
 “…much like some professors…”
 Paradox  computer creates and scores
test that it cannot pass!
 CAPTCHA used to restrict access to
resources to humans (no computers)
 CAPTCHA useful for access control
Part 2  Access Control 101
 CAPTCHA Uses?
 Original motivation: automated “bots”
stuffed ballot box in vote for best CS school
 Free email services  spammers used bots
sign up for 1000’s of email accounts
o CAPTCHA employed so only humans can get accts
 Sites that do not want to be automatically
indexed by search engines
o HTML tag only says “please do not index me”
o CAPTCHA would force human intervention

Part 2  Access Control 102

CAPTCHA: Rules of the Game
 Must be easy for most humans to pass
 Must be difficult or impossible for
machines to pass
o Even with access to CAPTCHA software
 The only unknown is some random number
 Desirable to have different CAPTCHAs in
case some person cannot pass one type
o Blind person could not pass visual test, etc.

Part 2  Access Control 103

 Do CAPTCHAs Exist?
 Test: Find 2 words in the following

 Easy for most humans

 Difficult for computers (OCR problem)
Part 2  Access Control 104
 CAPTCHAs
 Current types of CAPTCHAs
o Visual
 Like previous example
 Many others
o Audio
 Distorted words or music
 No text-based CAPTCHAs
o Maybe this is not possible…

Part 2  Access Control 105

 CAPTCHA’s and AI
 Computer recognition of distorted text is a
challenging AI problem
o But humans can solve this problem
 Same is true of distorted sound
o Humans also good at solving this
 Hackers who break such a CAPTCHA have
solved a hard AI problem
 Putting hacker’s effort to good use!
 May be other ways to defeat CAPTCHAs…

Part 2  Access Control 106

 Firewalls

Part 2  Access Control 107

 Firewalls

Internal
Internet Firewall network

 Firewall must determine what to let in to

internal network and/or what to let out
 Access control for the network

Part 2  Access Control 108

 Firewall as Secretary
 A firewall is like a secretary
 To meet with an executive
o First contact the secretary
o Secretary decides if meeting is reasonable
o Secretary filters out many requests
 You want to meet chair of CS department?
o Secretary does some filtering
 You want to meet President of US?
o Secretary does lots of filtering!

Part 2  Access Control 109

 Firewall Terminology
 No standard terminology
 Types of firewalls
o Packet filter  works at network layer
o Stateful packet filter  transport layer
o Application proxy  application layer
o Personal firewall  for single user, home
network, etc.

Part 2  Access Control 110

 Packet Filter
 Operates at network layer
application
 Can filters based on
o Source IP address transport
o Destination IP address
o Source Port network
o Destination Port
link
o Flag bits (SYN, ACK, etc.)
o Egress or ingress physical

Part 2  Access Control 111

 Packet Filter
 Advantage application
o Speed
transport
 Disadvantages
o No state network

o Cannot see TCP connections link

o Blind to application data
physical

Part 2  Access Control 112

 Packet Filter
 Configured via Access Control Lists (ACLs)
o Different meaning of ACL than previously
Source Dest Source Dest Flag
Action IP IP Port Port Protocol Bits

Allow Inside Outside Any 80 HTTP Any

Allow Outside Inside 80 > 1023 HTTP ACK

Deny All All All All All All

 Intention is to restrict incoming packets to

Web responses
Part 2  Access Control 113
 TCP ACK Scan
 Attacker sends packet with ACK bit set,
without prior 3-way handshake
 Violates TCP/IP protocol
 ACK packet pass thru packet filter firewall
o Appears to be part of an ongoing connection
 RST sent by recipient of such packet
 Attacker scans for open ports thru firewall

Part 2  Access Control 114

 TCP ACK Scan
ACK dest port 1207
ACK dest port 1208

ACK dest port 1209

Trudy RST Internal

Packet
Network
Filter

 Attacker knows port 1209 open thru firewall

 A stateful packet filter can prevent this (next)
o Since ACK scans not part of established connections

Part 2  Access Control 115

 Stateful Packet Filter
 Adds state to packet filter application
 Operates at transport layer
transport
 Remembers TCP connections
and flag bits network

 Can even remember UDP link

packets (e.g., DNS requests)
physical

Part 2  Access Control 116

 Stateful Packet Filter
 Advantages application
o Can do everything a packet
filter can do plus... transport

o Keep track of ongoing network

connections
 Disadvantages
link

o Cannot see application data physical

o Slower than packet filtering

Part 2  Access Control 117

 Application Proxy
 A proxy is something that
acts on your behalf application

 Application proxy looks at transport

incoming application data network
 Verifies that data is safe
before letting it in link

physical

Part 2  Access Control 118

 Application Proxy
 Advantages
application
o Complete view of connections
and applications data transport
o Filter bad data at application
layer (viruses, Word macros) network

 Disadvantage link
o Speed
physical

Part 2  Access Control 119

 Application Proxy
 Creates a new packet before sending it
thru to internal network
 Attacker must talk to proxy and convince
it to forward message
 Proxy has complete view of connection
 Prevents some attacks stateful packet
filter cannot  see next slides

Part 2  Access Control 120

 Firewalk
 Tool to scan for open ports thru firewall
 Known: IP address of firewall and IP
address of one system inside firewall
o TTL set to 1 more than number of hops to
firewall and set destination port to N
o If firewall does not let thru data on port N, no
response
o If firewall allows data on port N thru firewall,
get time exceeded error message

Part 2  Access Control 121

 Firewalk and Proxy Firewall
Packet
filter
Trudy Router Router Router

Dest port 12343, TTL=4

Dest port 12344, TTL=4
Dest port 12345, TTL=4
Time exceeded

 This will not work thru an application proxy

 The proxy creates a new packet, destroys old TTL

Part 2  Access Control 122

 Personal Firewall
 To protect one user or home network
 Can use any of the methods
o Packet filter
o Stateful packet filter
o Application proxy

Part 2  Access Control 123

Firewalls and Defense in Depth
 Example security architecture
DMZ

FTP server
WWW server

DNS server

Intranet with
Packet Application Personal
Internet Filter Proxy Firewalls

Part 2  Access Control 124

Intrusion Detection Systems

Part 2  Access Control 125

 Intrusion Prevention
 Want to keep bad guys out
 Intrusion prevention is a traditional focus
of computer security
o Authentication is to prevent intrusions
o Firewalls a form of intrusion prevention
o Virus defenses also intrusion prevention
 Comparable to locking the door on your car

Part 2  Access Control 126

 Intrusion Detection
 In spite of intrusion prevention, bad guys
will sometime get into system
 Intrusion detection systems (IDS)
o Detect attacks
o Look for “unusual” activity
 IDS developed out of log file analysis
 IDS is currently a very hot research topic
 How to respond when intrusion detected?
o We don’t deal with this topic here

Part 2  Access Control 127

Intrusion Detection Systems
 Who is likely intruder?
o May be outsider who got thru firewall
o May be evil insider
 What do intruders do?
o Launch well-known attacks
o Launch variations on well-known attacks
o Launch new or little-known attacks
o Use a system to attack other systems
o Etc.

Part 2  Access Control 128

 IDS
 Intrusion detection approaches
o Signature-based IDS
o Anomaly-based IDS
 Intrusion detection architectures
o Host-based IDS
o Network-based IDS
 Most systems can be classified as above
o In spite of marketing claims to the contrary!

Part 2  Access Control 129

 Host-based IDS
 Monitor activities on hosts for
o Known attacks or
o Suspicious behavior
 Designed to detect attacks such as
o Buffer overflow
o Escalation of privilege
 Little or no view of network activities

Part 2  Access Control 130

 Network-based IDS
 Monitor activity on the network for
o Known attacks
o Suspicious network activity
 Designed to detect attacks such as
o Denial of service
o Network probes
o Malformed packets, etc.
 Can be some overlap with firewall
 Little or no view of host-base attacks
 Can have both host and network IDS
Part 2  Access Control 131
Signature Detection Example
 Failed login attempts may indicate
password cracking attack
 IDS could use the rule “N failed login
attempts in M seconds” as signature
 If N or more failed login attempts in M
seconds, IDS warns of attack
 Note that the warning is specific
o Admin knows what attack is suspected
o Admin can verify attack (or false alarm)

Part 2  Access Control 132

 Signature Detection
 Suppose IDS warns whenever N or more
failed logins in M seconds
 Must set N and M so that false alarms not
common
 Can do this based on normal behavior
 But if attacker knows the signature, he can
try N-1 logins every M seconds!
 In this case, signature detection slows the
attacker, but might not stop him

Part 2  Access Control 133

 Signature Detection
 Many techniques used to make signature
detection more robust
 Goal is usually to detect “almost signatures”
 For example, if “about” N login attempts in
“about” M seconds
o Warn of possible password cracking attempt
o What are reasonable values for “about”?
o Can use statistical analysis, heuristics, other
o Must take care not to increase false alarm rate

Part 2  Access Control 134

 Signature Detection
 Advantages of signature detection
o Simple
o Detect known attacks
o Know which attack at time of detection
o Efficient (if reasonable number of signatures)
 Disadvantages of signature detection
o Signature files must be kept up to date
o Number of signatures may become large
o Can only detect known attacks
o Variation on known attack may not be detected
Part 2  Access Control 135
 Anomaly Detection
 Anomaly detection systems look for unusual
or abnormal behavior
 There are (at least) two challenges
o What is normal for this system?
o How “far” from normal is abnormal?
 Statistics is obviously required here!
o The mean defines normal
o The variance indicates how far abnormal lives
from normal

Part 2  Access Control 136

 What is Normal?
 Consider the scatterplot below
 White dot is “normal”
 Is red dot normal?
 Is green dot normal?

y  How abnormal is the

blue dot?
 Stats can be tricky!

Part 2  Access Control 137

 How to Measure Normal?
 How to measure normal?
o Must measure during “representative”
behavior
o Must not measure during an attack…
o …or else attack will seem normal!
o Normal is statistical mean
o Must also compute variance to have any
reasonable chance of success

Part 2  Access Control 138

 How to Measure Abnormal?
 Abnormal is relative to some “normal”
o Abnormal indicates possible attack
 Statistical discrimination techniques:
o Bayesian statistics
o Linear discriminant analysis (LDA)
o Quadratic discriminant analysis (QDA)
o Neural nets, hidden Markov models, etc.
 Fancy modeling techniques also used
o Artificial intelligence
o Artificial immune system principles
o Many others!
Part 2  Access Control 139
 Anomaly Detection (1)
 Spse we monitor use of three commands:
open, read, close
 Under normal use we observe that Alice
open,read,close,open,open,read,close,…
 Of the six possible ordered pairs, four pairs
are “normal” for Alice:
(open,read), (read,close), (close,open), (open,open)
 Can we use this to identify unusual activity?

Part 2  Access Control 140

 Anomaly Detection (1)
 We monitor use of the three commands
open, read, close
 If the ratio of abnormal to normal pairs is
“too high”, warn of possible attack
 Could improve this approach by
o Also using expected frequency of each pair
o Use more than two consecutive commands
o Include more commands/behavior in the model
o More sophisticated statistical discrimination

Part 2  Access Control 141

 Anomaly Detection (2)
 Over time, Alice has  Recently, Alice has
accessed file Fn at accessed file Fn at
rate Hn rate An

H0 H1 H2 H3 A0 A1 A2 A3
.10 .40 .40 .10 .10 .40 .30 .20

 Is this “normal” use?

 We compute S = (H0A0)2+(H1A1)2+…+(H3A3)2 = .02
 And consider S < 0.1 to be normal, so this is normal
 Problem: How to account for use that varies over time?

Part 2  Access Control 142

 Anomaly Detection (2)
 To allow “normal” to adapt to new use, we
update long-term averages as
Hn = 0.2An + 0.8Hn
 Then H0 and H1 are unchanged,
H2=.2.3+.8.4=.38 and H3=.2.2+.8.1=.12
 And the long term averages are updated as

H0 H1 H2 H3
.10 .40 .38 .12

Part 2  Access Control 143

 Anomaly Detection (2)
 The updated long  New observed
term average is rates are…
H0 H1 H2 H3 A0 A1 A2 A3
.10 .40 .38 .12 .10 .30 .30 .30

 Is this normal use?

 Compute S = (H0A0)2+…+(H3A3)2 = .0488
 Since S = .0488 < 0.1 we consider this normal
 And we again update the long term averages
by Hn = 0.2An + 0.8Hn

Part 2  Access Control 144

 Anomaly Detection (2)
 The starting  After 2 iterations,
averages were the averages are

H0 H1 H2 H3 H0 H1 H2 H3
.10 .40 .40 .10 .10 .38 .364 .156

 The stats slowly evolve to match behavior

 This reduces false alarms and work for admin
 But also opens an avenue for attack…
 Suppose Trudy always wants to access F3
 She can convince IDS this is normal for Alice!

Part 2  Access Control 145

 Anomaly Detection (2)
 To make this approach more robust, must
also incorporate the variance
 Can also combine N stats as, for example,
T = (S1 + S2 + S3 + … + SN) / N
to obtain a more complete view of “normal”
 Similar (but more sophisticated) approach
is used in IDS known as NIDES
 NIDES includes anomaly and signature IDS

Part 2  Access Control 146

 Anomaly Detection Issues
 System constantly evolves and so must IDS
o Static system would place huge burden on admin
o But evolving IDS makes it possible for attacker to
(slowly) convince IDS that an attack is normal!
o Attacker may win simply by “going slow”
 What does “abnormal” really mean?
o Only that there is possibly an attack
o May not say anything specific about attack!
o How to respond to such vague information?
 Signature detection tells exactly which attack
Part 2  Access Control 147
 Anomaly Detection
 Advantages
o Chance of detecting unknown attacks
o May be more efficient (since no signatures)
 Disadvantages
o Today, cannot be used alone
o Must be used with a signature detection system
o Reliability is unclear
o May be subject to attack
o Anomaly detection indicates something unusual
o But lack of specific info on possible attack!
Part 2  Access Control 148
 Anomaly Detection: The
Bottom Line
 Anomaly-based IDS is active research topic
 Many security professionals have very high
hopes for its ultimate success
 Often cited as key future security technology
 Hackers are not convinced!
o Title of a talk at Defcon 11: “Why Anomaly-based
IDS is an Attacker’s Best Friend”
 Anomaly detection is difficult and tricky
 Is anomaly detection as hard as AI?

Part 2  Access Control 149

 Access Control Summary
 Authentication and authorization
o Authentication  who goes there?
 Passwords  something you know
 Biometrics  something you are (or
“you are your key”)
 Something you have

Part 2  Access Control 150

 Access Control Summary
 Authorization  are you allowed to do that?
o Access control matrix/ACLs/Capabilities
o MLS/Multilateral security
o BLP/Biba
o Covert channel
o Inference control
o CAPTCHA
o Firewalls
o IDS

Part 2  Access Control 151

 Coming Attractions…
 Security protocols
o Generic authentication protocols
o SSL
o IPSec
o Kerberos
o GSM
 We’ll see lots of crypto applications in the
next chapter

Part 2  Access Control 152