UP | HOME
2017-08-13 TOP | Slides

DAC (Discretionary Access Control)

Table of Contents

1 Discretionary Access Control (DAC)

  1. "Trusted Computer System Evaluation Criteria" TCSEC, US DoD Standard 5200.28-STD.
  2. My opinion: "Discretionary", "Mandatory" both misleading names.
  3. Generally speaking: The security model of Linux is DAC
  4. Concepts
    1. Entities: Users, Files, Processes, …
    2. Ownership
    3. Permissions: read, write, execute, …
    4. Granting of permissions
  5. Android inherits from Linux all of DAC.

2 Authentication

  1. Machines
  2. Users
  3. Services/Servers

2.1 User Authentication Approaches

  1. What You Know
  2. What You Have
  3. What You Are

2.2 Passwords

  1. Passwords on a Linux System
  2. Cracking the Passwords
    1. Current consensus: Given enough time, any password can be cracked.
  3. Prevention of Password Cracking

3 Set User ID (suid)

  1. Privilege Acqusition Mechanism
  2. Invoke a program (file) that has suid set.
  3. Expected to be invoked by non-root users.
  4. suid can be set to non-root owner.
  5. The created process runs with the privileges of the owner, not the invoker

3.1 suid examples

-rwsr-xr-x 1 root root 34888 Aug 14 06:15 /bin/mount
-rwsr-xr-x 1 root root 64424 Mar  9  2017 /bin/ping
-rwsr-xr-x 1 root root 40168 Aug 20 19:56 /bin/su

-rwsrw-r-- 1 pmateti pmateti 23097 Jan 21  2015 turnin

3.2 suid root

  1. Discover find / -user root -perm -4000 -type f -exec ls -ld {} \;
  2. An attacker arrives with non-root privileges.
  3. Exploits an suid-root process to spawn a root owned shell.
  4. The classsic "buffer overflow attack" injects the shellcode onto the stack.

4 Android UID setup

  1. ./android-uid.html

5 References

  1. Prabhaker Mateti, Password Cracking, 2013. Skip the Lab experiment. Required Reading.
  2. https://en.wikipedia.org/wiki/Discretionary_access_control Required Reading.
  3. P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments." In Proceedings of the 21st National Information Systems Security Conference, pp. 303–14, Oct. 1998. A classic paper. Recommended Reading
  4. http://faculty.cs.nku.edu/~waldenj/classes/2014/spring/cit380/lectures/AccessControl.pdf Slides. Required Reading.
  5. Karim Yaghmour, ./android-security-yaghmour-2014.pdf Android Security, From the Ground Up, ELCE 2014. Required Reading.
  6. Secuirty features in Ubuntu https://wiki.ubuntu.com/Security/Features Required Reading.

6 End

Copyright © 2017 pmateti@wright.eduwww.wright.edu/~pmateti 2017-08-13