3.3 Sharing and Protecting Files

Computer sharing happens all the time. Personal computers may be cheap enough to be treated as personal property, but computers running server software share their resources continuously with countless users. Some desktops require controlled sharing, like those in libraries or computer labs in schools. Physicians, attorneys, financial planners, and many consultants may use a home computer to process sensitive information about patients or clients; these professionals are obligated to keep this information away from family members.

Sharing always has its limits. In a shared kitchen, the household’s human residents may be perfectly happy to share boxes of cereal and bins of sugar with one another, but not with their pets or with ants and mice. We prevent undesirable sharing by enforcing controls. In a kitchen, we control sharing by putting food in pet-proof and vermin-proof containers (FIGURE 3.9).

A photograph shows a kitchen rack where salt and other items are stored in closed containers.

FIGURE 3.9 Controlled sharing in a kitchen.

Courtesy of Dr. Richard Smith.

In a computer, the operating system controls the sharing. Files and folders provide the software equivalent of cabinets, boxes, and jars. The operating system controls program execution, RAM access, and access to files on the hard disk. This helps ensure the orderly and predictable behavior of the overall system.

Controls on sharing also help prevent accidental and malicious acts from causing damage. If a person spills something in a cupboard filled with sealed containers, the mess won’t contaminate other food. If a mouse can’t chew into a container of raisins, then the raisins remain safe for people to eat. If a user runs a virus-infested application but lacks the rights to modify application programs, then the virus can’t infect other applications.

To look at file sharing, this section uses the situation introduced in Section 3.1.1: Bob and Alice share Bob’s tower computer. How does Bob protect client data from Alice? Even if she isn’t trying to spy on her competitors, we should protect against her accidentally seeing some of their information.

Objectives

The requirements for sharing files depend on the risks, and the risks depend on objectives and threats. We start with a list of objectives for Bob’s tower computer:

  a. Provide computing facilities for authorized users (Bob and Alice)

  b. Preserve the Chain of Control

  c. Either permit or prevent general sharing of information among the users—in Bob’s case, we want to prevent general sharing.

In general, file-sharing objectives yield one of two situations: either users share their files by default or they are kept isolated by default. Bob’s case is clearly the latter, but we will examine both.

Threats

To develop our list of risks, we consult the list of threats in Section 1.4 and focus on those we can address through file protection. This eliminates people who won’t be logged into the computer and people who simply pose a physical threat, like theft. This leaves the following threats:

  • Script kiddie—sharing a computer at a school, or possibly at work, with people who have too much time and curiosity.

  • Embezzler—sharing with a coworker who is motivated to steal from the company.

  • Employee/colleague/housemate—sharing with someone in our living or working space.

  • Malicious acquaintances—sharing with someone who visits our living or working space, getting physical access to the computer.

  • Administrators—sharing a computer at school or work where an administrator might be inclined to eavesdrop on our work or perhaps even meddle with our files. Bob is the administrator.

Risks

Now we make a list of possible attacks based on Box 1.3. There are six attacks in the complete list; we can omit the first attack: physical theft. We can generalize the remaining ones to capture the essence of what the threats might do on an isolated computer. This yields the following list of risks:

  1. Denial of service: someone deletes some of our files or damages software, making all or part of the computer unusable.

  2. Subversion: a program gets a virus infection or suffers some other malware damage.

  3. Masquerade: one user logs in, trying to pretend to be another user.

  4. Disclosure: some of our personal data is disclosed.

  5. Forgery: someone modifies one of our files without our knowledge, so their statements are presented as our own.

This list of risks is comprehensive enough to use when developing our file protection requirements. It is short enough to make it unnecessary to prioritize the risks.

3.3.1 Security Policies for Sharing and Protection

We often use the term security policy when talking about a particular collection of security requirements. Different strategies for sharing or protecting files often yield two general types of policies: global policies and tailored policies. A global policy establishes file permissions to apply by default and those to apply when we create a new file. We will examine two global policies:

  1. Isolation policy: grant no access to other users’ files

  2. File-sharing policy: grant read access to other users’ files

User files aren’t the only ones in the system. There are system files that might not even be visible to user programs. Most important for users, the system contains application programs, and those are stored in files. To use these programs, the system must grant users the necessary rights. However, the system also must maintain the Chain of Control, so it should not grant the right to modify those programs.

Systems rarely grant both read and write access to other users’ files, at least by default. Even when people are working together on the same project, it is much safer to limit which files they share with full read and write access. We need tailored policies to handle special cases like those. Here are examples:

  • Privacy—block all access to certain files in a sharing environment.

  • Shared reading—grant read-only access to certain files in an isolation environment.

  • Shared updating—grant full access to certain files in either environment.

For now, however, we focus on global policies.

Underlying System Policy

Regardless of the policies we establish, certain requirements appear in all of them. These requirements form an underlying system policy that addresses Objectives a and b introduced in Section 3.3 and the risks associated with them. We won’t make requirements for user file protection here because that depends on the choice posed by Objective c.

The fundamental policy shown in TABLE 3.2 addresses the first three risks. The first requirement addresses denial of service. The second requirement addresses masquerade. That requirement also addresses disclosure and forgery indirectly, but we will address those more directly with additional requirements. The third requirement directly addresses denial of service and subversion.

TABLE 3.2 Underlying System Policy for a Shared Computer

| # | Requirement | Risks |
| --- | --- | --- |
| 1 | All users shall be able to execute customary application programs and operating system service programs. | 1 |
| 2 | Each user shall have a separate login and, optionally, a password. | 3 |
| 3 | Programs shall be protected from damage or other modifications by regular users. | 1, 2 |

User Isolation Policy

In Section 3.1.1, we learned about Bob sharing a computer with Alice. She needs access to application programs and to her own files. Bob must block her from reading his bookkeeping spreadsheets, especially those belonging to competitors.

Bob is looking for a policy in which we adjust Objective c to isolate users from one another. We create the basic policy by adding one requirement to the underlying system policy. The requirement directly addresses the risks of disclosure and forgery. It also addresses the risk of denial of service if one user accidentally damages a file belonging to another user. This yields the policy in TABLE 3.3.

TABLE 3.3 Policy for User Isolation

| # | Requirement | Risks |
| --- | --- | --- |
| 1 | All users shall be able to execute customary application programs and operating system service programs. | 1 |
| 2 | Each user shall have a separate login and a password. | 4 |
| 3 | Programs shall be protected from damage or other modifications by regular users. | 1, 3 |
| 4 | Files belonging to one user shall be protected from any access (read or write) by other users. | 1, 2, 5 |

However, Bob had a specific risk in mind:

6. Alice reads or modifies one of Bob’s bookkeeping spreadsheet files.

To protect against that specific risk, we can add some more specific requirements to Bob’s security policy. In particular, we can add requirements to talk specifically about how Bob and Alice will use the computer. These additional requirements appear in TABLE 3.4.

TABLE 3.4 Additional Requirements for Bob’s Particular Situation

| # | Requirement | Risks |
| --- | --- | --- |
| 5 | The system shall have two regular users: Bob and Alice. | 4, 6 |
| 6 | Bob shall have a password to protect his login. | 2, 4, 5, 6 |
| 7 | Alice shall have a password to protect her login. | 1 |

This arrangement provides Bob with the safety he needs and Alice with access to his computer. Alice can’t log in as Bob unless she somehow guesses his password (per Policy 2), so when Alice logs in, she won’t have access to Bob’s files (per Policy 4).

User File-Sharing Policy

When people hide things, others get suspicious. There are some environments where it’s more common to share information than to hide it. For example, many families want to share their information among members. Files may consist of letters, homework, family photos, and so on, and there may be bona fide reasons to share anything and everything. In engineering projects, it is fairly common to share information.

If we assume sharing is the norm, then Risk 4, disclosure, is no longer considered a risk. Instead, it becomes a “denial of service” if we can’t read each other’s files. This yields the policy in TABLE 3.5.

TABLE 3.5 Policy for File Sharing

| # | Requirement | Risks |
| --- | --- | --- |
| 1 | All users shall be able to execute customary application programs and operating system service programs. | 1 |
| 2 | Each user shall have a separate login and a password. | 4 |
| 3 | Programs shall be protected from damage or other modifications by regular users. | 1, 3 |
| 4 | Files belonging to one user shall be readable by other users. | 1 |
| 5 | Files belonging to one user shall be protected from writing by other users. | 1, 3, 5 |

As with user separation, there are some systems that provide sharing by default. This is a tradition of Unix-based systems, which create file directories for individual users and, by default, grant other users access to those files. The resulting policy does not, of course, provide unrestricted sharing. A typical user-sharing policy provides read-only sharing, but protects files from writing except by the owner.
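On a Unix-based system the two global policies above correspond to the umask that shapes the permissions of every newly created file: the traditional default of 022 yields the file-sharing policy of TABLE 3.5 (others may read, only the owner may write), while 077 yields the user isolation policy of TABLE 3.3 (others get nothing). The following POSIX shell script is an added example, not code from the book: it creates files under each umask in a scratch directory made with mktemp, classifies their permission strings against the two policies, and audits a directory for files that violate a chosen policy. The helper names (mode_of, create_with_umask, isolation_ok, sharing_ok, audit_dir) and the file names are my own; no user accounts are created or modified.

```shell
#!/bin/sh
# Added example, not from the book: models the isolation policy (Table 3.3)
# and the file-sharing policy (Table 3.5) as umask settings and audits the
# resulting permission strings. Runs entirely in a scratch directory; the
# file names are labels only and no accounts are touched.

# Permission string of a path, e.g. "-rw-r--r--": the first 10 characters
# of "ls -ld", which look the same under GNU and BSD ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create an empty file while the given umask is in force (in a subshell so
# the caller's umask is untouched) and print the permission string it got.
create_with_umask() {
    ( umask "$1" && : > "$2" ) || return 1
    mode_of "$2"
}

# Isolation policy (Table 3.3, Requirement 4): group and other get no bits.
# Positions 5-10 of the mode string must all be "-".
isolation_ok() {
    case "$1" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# File-sharing policy (Table 3.5, Requirements 4 and 5): group and other may
# read but must not write. Owner bits and execute bits are not constrained.
sharing_ok() {
    case "$1" in
        ????r-?r-?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Audit every regular file in a directory against one policy: prints each
# offender and returns how many there were (0 means the directory complies).
audit_dir() {
    # $1 = directory, $2 = policy function (isolation_ok or sharing_ok)
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        if ! "$2" "$m"; then
            printf 'violates %s: %s %s\n' "$2" "$m" "$f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demonstration: a home directory holding one file created under the Unix
# default umask (022) and one under the isolating umask (077) that Bob's
# policy calls for. Each audit reports the file that breaks its policy.
demo() {
    home=$(mktemp -d) || return 1
    create_with_umask 022 "$home/letter.txt"         # -rw-r--r--
    create_with_umask 077 "$home/client-ledger.csv"  # -rw-------
    echo "--- audit against the file-sharing policy (Table 3.5)"
    audit_dir "$home" sharing_ok && echo "complies"
    echo "--- audit against the user isolation policy (Table 3.3)"
    audit_dir "$home" isolation_ok && echo "complies"
    rm -rf "$home"
}

demo
```

A umask only affects files created from then on, which is exactly the "permissions to apply when we create a new file" part of a global policy; files that already exist keep their old bits and need chmod to be brought into line, which is what the audit function is for. The same mode-string check also covers Requirement 3 of TABLE 3.2: an application program whose string shows a "w" in the group or other position is writable by regular users and breaks the Chain of Control.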
