.ps 12 .vs 12 .PH ```` .nr W 80 .in 0 .ce 3 \fBKuang: Rule-Based Security Checking\fP Robert W. Baldwin MIT, Lab for Computer Science Programming Systems Research Group .PP The security of data in a particular computer depends both on the integrity of the computer's protection mechanism and on the consistent uses of those mechanisms by the users of that computer. Software verification and specification technology addresses the integrity problem, but very little has been done to insure that the protection mechanisms are being used consistently. This paper describes a rule-based system that finds inconsistencies in the set of protection decisions made by the users of an information system. .PP \fBIntroduction\fP .PP The trend in commercial computer systems has been to increase the the number of mechanisms that allow users to execute commands and to increase the number of mechanisms that allow users to share information. All of these mechanisms must be considered to be part of the protection system. For example, if users can specify a set of commands that will be executed automatically every night, then the database that contains these commands, and the program that processes the database must be considered part of the protection system. Even if the program has been certified to work correctly, the access list for the command database and the set of privileges available to the processing program must be considered to be part of the protection configuration \** .FS The protection configuration is a subset of the access matrix. The access matrix specifies how each user can access each object. I use the term .ul protection configuration to refer to the portion of the access matrix concerning the objects used by any piece of the protection system. .FE of that computer. The problem considered in this paper is ensuring that the protection configuration is consistent with the user's security goals. .PP The goal of flexible information processing and sharing makes computers more useful, but that goal also makes protection systems larger and more complex. The large number of interactions between the pieces of the protection system makes it hard for the users to make protection decisions correctly. This is particularly true when parts of an information system are managed by novices (e.g., personal work stations). Users need automated tools for analyzing the interactions between the pieces of a large protection system. .PP This paper describes a class of systems, called Kuang-type \** .FS This project was inspired by William Gibson's book .ul Neuromancer , which won the 1984 Nebula award for best science fiction novel. Gibson's book describes innovative ways to visualize the structure of information systems. In particular, it describes a program called a Kuang Grade Mark 11 Ice Breaker ( .ul ice refers to the mechanisms used to protect access to information). The program described in this memo is a greatly simplified version of that ice breaker program. .FE systems, for analyzing large protection configurations. This class of systems is illustrated by a Simple Unix Kuang program (SU-Kuang) that answers a question about a Unix protection configuration. The question is "what if an attacker had access to a given set of privileges (groups), could that attacker become super-user?". SU-Kuang allows a system manager to perform a simple what-if analysis of a protection configuration, and in this mode it helps the manager make protection decisions. A typical use of SU-Kuang is to run it periodically to see if access to the group, World, (i.e., minimum privileges) is sufficient to become super-user. In this mode Kuang functions as an automatic security checker. SU-Kuang is just one possible tool for helping users cope with the complexity of a large protection system. Some other desirable tools are mentioned at the end of this paper. .PP The heart of the SU-Kuang program is a set of rules that describe the Unix (BSD4.2) protection system from the point of view of an attacker. For example, one rule says that if an attacker can write the file /etc/passwd (the authentication database), then that attacker can become super-user. To decide whether to use this rule, an attacker would examine the protection configuration of the target machine to see what privileges are required to write the file /etc/passwd. Using similar rules, SU-Kuang can answers the what-if question by performing a backward chaining search of the protection configuration (see figure .ul goal-tree ). Given a goal, like become super-user, SU-Kuang examines all the rules to produce a list of subgoals that would be sufficient to meet its goal. Recursively, each of the subgoals can be processed to produce a list of sub-subgoals. The process continues until there are no new goals. At each step, if a goal can be achieved using the initial privileges of the attacker, SU-Kuang prints out a message that describes the sequence of steps that leads from the initial goals to the target goal. .sp .sp .nf Become Super-User / \\ / \\ Replace /etc/passwd Write /.rhosts / \\ . / \\ . . Become Staff Write /etc . . . . . . . . . . .fi (Example of a goal-tree used by SU-Kuang. The nodes of the tree are goals desired by an attacker. The children of each node are the subgoals that are sufficient to achieve the parent goal. The goal-tree used by SU-Kuang is a pure OR-tree. Any one of the subgoals is sufficient to grant the parent goal.) .PP Notice that SU-Kuang does not find holes in the Unix operating system. It finds mistakes in the protection configuration. For example, SU-Kuang found a security hole on an MIT machine that resulted from two incorrect decisions about who should have write access to start-up command files. SU-Kuang points out holes by describing the sequence of steps used to exploit the hole. The sequence SU-Kuang printed was: "member MIT, write ~tom/.cshrc, member A_STAFF, write ~dick/.login, member STAFF, write /etc, replace /etc/passwd, become ROOT". This means that the attacker had access to the group MIT, which all users are in. The MIT group had write access to one of the start-up command files executed automatically when the user Tom (not his real name) logged in. Anyone in the MIT group could add commands to Tom's start-up command file, and have these commands executed with Tom's privileges next time Tom logged into the machine. Tom is a member of the Athena Staff group, which is not particularly privileged. However, the A_STAFF group does have write access to one of Dick's start-up command files, and Dick is a member of the Staff group, which is one of the most privileged groups. In fact, members of the staff group can write the directory that contains the password database. Write access to the directory allows staff members to delete and recreate the password database. By creating a password database that has a known password for the super-user account, members of the staff group can acquire super-user privileges. .PP My experience running SU-Kuang is that these mistakes are created periodically because the users do not understand the interactions between the numerous pieces of the Unix protection system. However, it is not complicated to write a program that can explore all the possible interactions. SU-Kuang itself is a simple program, and generating the rules that describe the pieces of the protection system is also easy (see section .ul rules ). The simplifying idea is to describe the protection system in terms of how an attacker can manipulate it. Using this framework, performing the analysis is easy. .PP I consider any system that uses attacker-oriented rules to be a Kuang-type system. The remainder of this paper describes the Unix Kuang system I built to determine whether a given set of privileges is sufficient to become super-user. The nature of the rules and the process used to deduce them is illustrated in section .ul rules , which lists the set of rules used to model Unix. The model used by SU-Kuang was incomplete in several ways, so section .ul extensions describes some of the features of Unix that were not modeled. The incomplete model turned out to be very effective at finding security holes, so section .ul experience presents the lessons learned from running SU-Kuang on the computers at MIT. The last section discusses other kinds of Kuang systems and their benefits. .PP \fBRules to model Unix\fP .PP The first step in generating attacker-oriented rules is to determine the types of goals that are relevant to an attacker of the target system. These goal types can be deduced from the basic protection model of the operating system, so before presenting the rules, the Unix protection model is summarized. The second step is to make a list of the pieces of the protection system and to examine each one in terms of the goals an attacker could achieve using each piece. The pieces of the Unix protection system that were included in the prototype's model are listed below along with the rules used to describe each piece. .PP \fBSummary of the Unix protection model\fP .PP The Unix protection model concerns processes and files. Associated with each process is one user identifier UID, and one or more group identifiers (GIDs). The UID and GIDs are generally inherited when one process forks another. One exception is that the super-user (UID = 0) can change the UID and GIDs of his current process. The other exception is that a user can associate a UID and GID with a program stored in the file system. When anyone runs such a program, the process executing that program will run with the stored user and/or group IDs. .PP Associated with each file is one UID, one GID, and nine permission bits. The nine permission bits are divided into three groups to specify the read, write, and execute rights for the file's owner (specified by the UID), for the members of the file's group (specified by the GID), and for all others (the World group). Directories are a special case of files. For a directory, read permission allows a process to list a directory, write permission allows a process to create or delete files in that directory, and execute permission allows a process to resolve names in that directory even if the directory is unreadable. .PP When a process accesses a file or directory it is given either owner, group, or world access permissions, but only one of those three. Owner access is granted if the process and file UIDs match; Group access is granted if the process and file UIDs are different but the file's GID is in the list of GIDs for the process; otherwise, World access is granted. The super-user has full access to all files and directories. Only the owner or the super-user can change the access permissions of a file. .PP \fBThree types of attacker goals\fP .PP The Unix protection model deals with users, groups, and files, so those are the three types of goals that will concern an attacker. The canonical user goal is "execute one of the attacker's programs with a particular UID". For example, the top level goal is "execute a program chosen by the attacker under UID zero (i.e., as super-user)". It is important that the attacker be able to specify the program to be executed with super-user privileges. The login program runs as super-user, and anyone can run it. The attacker wants to specify the computation performed with super-user privileges. One scheme for getting access to super-user privileges is to write the command file that is executed automatically when the super-user logs in. .PP Group ID goals are similar. The canonical form of a GID goal is "execute an arbitrary program with a particular group ID". One possible way to achieve this goal is to add the attacker's UID to the list of users allowed to access the desired group. This authorization database is stored in the file /etc/group. .PP The canonical file goal is "obtain read/write/replace access to a particular file". Achieving a file goal usually involves getting access to a particular group or user ID. However, if the attacker wants to replace a file, one way to do that is to delete the old file and create a new one. That can be done if the attacker has write or replace access to the directory that contains the target file. .PP In summary, SU-Kuang considers three types of goals for an attacker of Unix: user, group, and file. Each type of goal can lead to subgoals of the same or different type. .PP \fBSome pieces of the Unix protection system\fP .PP This section presents the rules that describe many of the pieces of the Unix protection system. Section .ul extensions describes the significant pieces that were left out of the prototype's model. The pieces of the Unix protection system include all programs, like .ul login, that have the set user/group ID property. It also includes programs like .ul cron (cron executes commands in the future) that are forked off by processes that run with special user or group IDs. Finally, programs like .ul sh (a command interpreter) must be included in the protection system because when they are started they execute commands from a file using the privileges of the user invoking them. .PP Each rule describes how a piece of the protection system can be used by an attacker to achieve a desired goal in terms of the ability to achieve a subgoal. The method used to achieve a goal given the subgoal may require that some condition be true. For that reason the rules include a condition that can be tested to decide if the subgoal should be pursued. The conditions are general predicates on the state of the protection configuration. For example, the rule that says that an attacker can become the super-user by writing the password file, has the condition that the password file is writable by someone other than the super-user. .PP In the rules listed below, the notation \*Q/d/f\*U means a pathname for the file \*Qf\*U in the directory with pathname \*Q/d\*U. The goal, \*Qbecome U\*U, means to execute an arbitrary command under the user ID \*QU\*U. The goal, \*Qmember G\*U, means the same thing for group \*QG\*U. The goal, \*Qwrite /d/f\*U, means being able to write the file \*Q/d/f\*U. Finally, \*Qreplace /d/f\*U, means being able to write \*Q/d/f\*U or being able to delete \*Q/d/f\*U and recreate it. .PP \fBThe file system\fP .PP Most programs in the protection system use the file hierarchy to locate their databases. If the file hierarchy can be modified, then the protection system can be tricked into using the wrong database files. The file hierarchy itself must be treated as one of the main databases in the protection configuration. .PP The notation \*QOwner(/d/f)\*U refers to the UID associated with the file \*Q/d/f\*U. Similarly \*QGroup(/d/f)\*U refers to the file's GID. The expression \*QGroupWrite(/d/f)\*U is true if the file \*Q/d/f\*U can be written by the members of \*QGroup(/d/f)\*U. The expression \*QWorldWrite(/d/f)\*U is true if the file can be written by members of the World group (i.e., all users). .sp Rules{ .sp .ul .PP Replace /d/f Write /d/f .PP Replace /d/f Replace /d\** .FS The condition stops the recursion at the root directory of the file system. .FE .PP Write /d/f Become Owner(/d/f)\** .FS The owner of a file can always change the access permissions to allow owner write access. .FE .PP Write /d/f GroupWrite(/d/f) Member Group(/d/f) .PP Write /d/f WorldWrite(/d/f) Member World\** .FS This subgoal is is achievable by all users provided they can get to the file. The notable exceptions are users logged in via anonymous ftp or uucp connections. These users have restricted access to the file hierarchy. .FE .sp } .PP \fBlogin\fP .PP The login program uses two database to set the UID and GIDs of the user's command interpreter. The contents of these databases and the protection of the databases themselves must be considered part of the protection configuration. .PP The user name \*Qroot\*U refers to the super-user. The label, \*QU\*U, stands for an arbitrary UID including \*Qroot\*U. The label, \*QG\*U, stands for an arbitrary GID. The expression \*QUIDS(G)\*U expands to all the UIDs authorized to use the group \*QG\*U according to the files /etc/group or /etc/passwd. .sp Rules{ .sp .ul Become U Replace /etc/passwd\** .FS This rule matches the goal \*QBecome root\*U. .FE Member G Replace /etc/group Member G Become UIDS(G)\** .FS The subgoal means to try to become any member of the group \*QG\*U. .FE .sp } .PP \fBrsh, rlogin, rcp\fP .PP Berkeley Unix includes several remote execution commands that greatly improve the usability of multiple Unix hosts connected by a network. The underlying authentication protocol does not resist an attacker that can transmit arbitrary messages on the network, but even if that problem was fixed, the databases used by these programs would have to be considered as part of the protection system. .PP The file /etc/hosts.equiv lists the names of the hosts that are trusted by the target machine's administrators. If a user has an account on the target machine, and on one of the trusted hosts, then that user can log into the target machine from the trusted machine without supplying a password. Users can list additional hosts (or other users) that they trust in a file (.rhosts) in their home directory. .PP The expression \*QNotEmpty(/d/f)\*U is true if the file /d/f exists and it is not empty. The label, \*Q~U\*U, refers to the home directory of user \*QU\*U. .sp Rules{ .sp .ul .PP Become U (~U/.rhosts) /etc/hosts\** .FS If there is a host listed in the user's remote access database and the host name table is replaceable, then an attacker can make his host appear to be the host listed in the user's database. This assumes that the attacker has super-user privileges on some host that can talk to the target host, because the attacker will need to create an account with the target's user name. This attack will become obsolete when hosts start using a distributed name server rather than a fix hostname database. However, the name server will open other avenues of attack. .FE .PP Become U Write ~U/.rhosts\** .FS The remote execution routines insist that the target user be the owner of the database file, so replace access is not sufficient to use this attack. .FE .PP Become U root Replace /etc/hosts.equiv\** .FS Remote execution with super-user privileges is only accepted from the hosts listed in ~root/.rhosts, so replacing the hosts.equiv file cannot be used to directly gain access to super-user privileges. .FE .sp } .PP \fBshells\fP .PP Several command interpreters, called shells, have been written for Unix. Different users can use different shells, but all shell have some mechanism for executing a list of commands when a user logs in. The files that specify these initialization commands are a part of the protection configuration that each user can change. .PP The expression \*QExists(/d/f)\*U is true if the file /d/f exists. .sp Rules{ .sp .ul .PP Become U Exists(~U/.login) Replace ~U/.login\** .FS This file contains the commands read when a user logs in. The conditional should really test to see if the user is actually using the /bin/csh command interpreter. If csh is being used, then this rule will work even if the file .login doesn't exist, so the conditional is overly strict. .FE .PP Become U Exists(~U/.cshrc) Replace ~U/.cshrc\** .FS This file is read each time a /bin/csh is executed such as at login and when a command file is executed. The conditional is also overly strict. .FE .PP Become U Exists(~U/.profile) Write ~U/.profile\** .FS Same trick for the /bin/sh command interpreter. .FE .sp } .PP \fBcron\fP .PP Cron is a program that is forked off when a Unix system is booted. This means that it runs with super-user privileges. Cron reads a database (/usr/lib/crontab) that describes the commands that should be executed periodically. By default these commands are executed with \*Qroot\*U privileges. .sp Rules{ .sp .ul Become root none Replace /usr/lib/crontab .sp } .PP \fBsendmail\fP .PP The Unix mail system has many features that allow flexible forms of information sharing. The most interesting feature (to system builders and to attackers) is that receiving mail can trigger the invocation of a program which is passed the mail message as its input. The file /usr/lib/aliases specifies the human readable form of a binary database that describes mailing lists, mail forwarding, and programs to invoke when mail is received by certain mailboxes. Being able to modify this database allows an attacker to get access to other people's user and group IDs because the mail sending program runs with the privileges of the user who invokes it. If the destination of the message is on the same host as the source, then the receiving program (also sendmail) will run with the invoker's privileges. If the source of the message is on another computer, then sendmail will run under the UID \*Qdaemon\*U. .sp Rules{ .sp .ul .PP Become daemon none Replace /usr/lib/aliases\** .FS This assumes that the command to build the binary database can be executed by everyone, or that it is executed automatically when the mailer detects that the binary database is out of date. There should also be rules to see if the binary database can be written directly. .FE .PP Become root none Replace /usr/lib/aliases\** .FS Assumes that \*Qroot\*U sends mail to some user on this machine. Such users can be found by scanning the mail logs, which are usually World readable. If such a user exists, the aliases database can be set up to tell sendmail to deliver mail to the recipient and invoke the attacker's program. Next time root sends mail to that user, the attacker's program will be invoked with root privileges. The program would test to see if it was running with \*Qroot\*U privileges, and if so plant a trap door such as making /.rhosts publicly writable. .FE .sp } .PP \fBboot\fP .PP When a Unix reboots, it executes the commands in the file /etc/rc. This file usually executes the commands in the file /etc/rc.local. .sp Rules{ .sp .ul Become root Exists(/etc/rc) Replace /etc/rc Become root Exists(/etc/rc.local) Replace /etc/rc.local } .PP \fBExtensions to the Unix model\fP (extensions) .PP This section lists some of the important pieces of the Unix protection system that were left out of the SU-Kuang's model. Most of these pieces could be added easily. .PP The major deficiency of the model is that it does not include all of the programs that run with super-user privileges. Each of these programs must be modeled if there is some way that an attacker could use the programs' databases to get access to root privileges. .PP Locating all the programs that run with super-user privileges is not easy. Many ordinary programs are executed inside of command files that are run with root privileges. This points out another shortcoming of SU-Kuang. It does not look inside of command files. For example, on system restart, Unix executes the commands in the file /etc/rc with super-user privileges. That file executes additional commands in the file /rc.local, so those commands also runs as root. The prototype has an explicit rule that covers this case, whereas it should deduce this and other cases by parsing the commands in /etc/rc. .PP The prototype does not understand search paths. On Unix, as with most systems, users do not specify the full pathname of the programs they want to execute. Instead, users specify a sequence of directories that should be searched to find the program. Often users tell their command interpreter to first look in a private directory of commands, and quite often that directory is writable by any member of the user's primary group. If an attacker can write a user's private command directory, then the attacker can plant a trojan horse on that user. For example, the user may want to execute /usr/local/gnuemacs, but the user may end up executing the attacker's program in /usr/smith/@_bin/gnuemacs. To model this attack, SU-Kuang would need to be able to read each user's startup command file to determine each user's search path. .PP The file goals considered by the model only include write and replace access to a file. Read access is not considered. To include read access, each piece of the protection system must be re-examined to see if it could provide read access to an arbitrary file. For example, the Unix finger program, which displays information about users, runs with super-user privileges so it can read an information file (.plan) in the specified user's home directory. Unfortunately, some implementations of the finger program allow the .plan file to be a symbolic link to another file, and thus the finger program allows read access to any file on the system. .PP The rules that model the file system do not include the fact that the disks can be accessed via the raw device files. Reading and writing the device files can be used to read and write arbitrary blocks on the disks. These files should only be accessible to the super-user, but often anyone can read them. If so, an attacker can read any file on the disk. .PP A different kind of deficiency in the model is that it does not allow the attacker to guess at passwords. On a system that allows users to pick their own passwords, an attacker can usually guess a few of the passwords. Assuming that an attacker can read the password file, \** .FS Protecting the password file from users logged in on a guest account or using anonymous file transfer is a good idea. However, protecting it from ordinary users is hard. Many programs need read access to the non-password information kept in that file, and making all those programs run with special privileges may create more problems than it solves. .FE the attacker can test passwords at the rate of about ten per second.\** .FS There are lots of tricks that speed up the execution of the Unix salted DES function on a 32 bit machine. .FE A 2000 word dictionary of common passwords can be processed at the rate of a few minutes per account. .PP As in any kind of modeling, the better the model, the better the results. Fortunately, in the case of Unix, making the model more detailed does not require using a more complicated framework. The rule-based framework of SU-Kuang is flexible enough to model all the features described in this section. .PP \fBPrototype Implementation\fP (implementation) .PP The SU-Kuang program described in this paper is easy to implement. The primary inputs to the program are a list of groups (privileges) accessible to the attacker (including the special group \*QWorld\*U), and the target goal (usually \*Qbecome root\*U). The program examines the protection configuration of the machine it is running on, so this can be considered a secondary input. The primary output is a list of the ways that an attacker can achieve the target goal from the initial privileges. Internally, the program builds a goal-tree based on a set of rules that are compiled into the program. When a node of the goal-tree can be directly achieved using the initial privileges, the program prints out the sequence of steps that describe the path from the given node of the goal-tree to the root of the goal-tree. .PP In classic Unix style, the prototype was initially implemented by a set of shell scripts (command files). Later, to improve performance, some of the shell scripts were re-written in C. The top level shell script keeps track of the goal-tree, and invokes other shell scripts to generate successive levels of the goal-tree. For each of the three kinds of goals (user, group, and file), there is a shell script that reads a list of goals of that kind and produces a list of subgoals. .PP Associated with each node of the goal-tree is a human readable comment that describes the path from each node to the root of the goal-tree. This comment is appended to a list of 'successes' if the associated goal can be directly achieved using the initial privileges of the attacker. Since each comment specifies the sequence of steps an attacker could use to achieve the target goal given the current goal, it is easy to derive the comments for subgoals from the comments of parent goals. The subgoal comments is the parent goal's comment plus an indication of which rule was used to derive the subgoal. .PP The basic data abstraction used by SU-Kuang is a goal-table. There are three goal-tables, one for each type of goal. The operations on a goal table are: .ul new, .ul addto, and .ul next. The .ul new operation creates an empty goal table. It takes a set of initial goals that are directly achievable by the attacker. The .ul addto operation adds a goal and a comment to the table. If the goal is already in the table, the table is not changed. If the goal is in the set of directly achievable goals, then .ul addto also appends the comment to the file that contains a list of successes. The operation, .ul next, examines a goal-table and returns any goal-comment pair that it has not already returned. The .ul addto operation is effectively the inner loop of a rule interpreter. .PP The goal-table abstraction is implemented by four files. One file keeps track of all of the goals in the table and it is used to avoid duplicate goals. Another file holds the list of goals initially available to the attacker. Two files are used to support the next operation. One file records all the goal-comment pairs that have been returned by the next operations, the other file lists the goal-comment pairs that have been added to the table but not yet selected by the next operation. .PP Using the goal-table abstraction it is easy to express rules as lines of a shell script. Figure .ul shell rule shows a rule and its shell script implementation. The conditional part of the rules are expressed by shell script conditionals (e.g., \*Q-z\*U means that a file exists and has a length of zero, \*Q!\*U and \*Q&&\*U mean logical negation and conjunction). .sp Rules{ .sp .ul Become root NotEmpty(/.rhosts) Replace /etc/hosts .sp } .nf # $User and $OldComment are set by the goal-table next operation. # $FileGoals refers to the goal-table object for file type goals. if (($User == "root") && (! -z /.rhosts)) then set NewComment="Fake HostAddress, $OldComment" set SubGoal="Replace /etc/hosts" addto $FileGoals $SubGoal $NewComment endif .fi Sample rule and corresponding shell script line. .PP The implementation of SU-Kuang is straight forward. The only reason for describing it in this paper is to demonstrate how easy it is to process the attacker-oriented rules that describe a protection system. .PP \fBExperience\fP (experience) .PP The SU-Kuang system has been run on a large number of sites managed by personnel with a wide range of skills and interests in security. It has almost always found a hole. A Kuang that incorporates the extensions described in section .ul extensions would find more holes. .PP I believe that holes are created because users do not understand how the various pieces of the protection system interact. The main evidence for this is that fact that most holes are found in the protection databases that are maintained by ordinary users (e.g., .login and .rhosts). Also, users who have recently been given special privileges tend to create holes that allow anyone to achieve super-user privileges. When I tell users about the problems SU-Kuang finds, they often do not understand what was wrong with the decision they made. .PP Users create security holes periodically. When I ran SU-Kuang periodically on one computer that had a large complicated protection configuration (e.g., the authorization databases included 300 users and 25 groups), SU-Kuang found new holes every week or two. Often these new holes were created when someone modified a security database. One common procedure for modifying a database is to first rename the original, then copy of the original into a file with the proper name, and finally edit the copy. The motivation for the first rename step is to preserve the timestamp that indicates when the database was last written. Unfortunately, the file copy step does not copy the protection information from the original database. The protection for the copy is determined by the defaults for the currently running process. It is not determined by the original. The file UID is set to the UID of the process that performs the copy, and the GID is set to the GID of the directory that contains the file. The permission bits are set to a default value specified in the copier's login command file. .PP The holes found by SU-Kuang point out that it is hard to set up multiple separate security groups under BSD4.2 Unix. For example, a group that allows its members to install programs in the /etc directory, also allows its members to replace the authentication database in /etc/passwd. The fact that users run with their full privileges (i.e., they can access multiple groups in the same process), makes Berkeley Unix easier to use than other versions of Unix that force users to access one group at a time. However, that same feature makes it easier for an attacker to plant a trojan horse on a user that is a member of a lower privilege group (e.g., the implementors of some project) and a member of a high privilege group (e.g., staff). .PP The impression I have gotten from running SU-Kuang is that most of the features that make Unix easy to use also make Unix hard to secure. However, SU-Kuang does make it easier to build a secure protection configuration for Unix. .PP \fBDiscussion\fP (conclusions) .PP To increase the usefulness of computers, systems designers have provided an increasing number of mechanisms that allow users to execute commands and share information. Since these new mechanisms must be considered part of the protection system, this trend has made protection systems larger and progressively harder to understand. As a protection system becomes more complex, it becomes unlikely that all the protection decisions are made correctly, and these mistakes can ruin the overall security of the information and resources controlled by computers. The commercial environment presents a special problem because usability is the primary goal of commercial information systems, but security cannot be neglected. There needs to be some way to manage the complexity of the protection systems that arise on information systems that stress usability. .PP This paper presents one approach for achieving both usability and security. The idea is to use rule-based systems to analyze the interactions between all the decisions that make up a computer's protection configuration. If analyzing a protection configuration is easy, then the manager of a system can ensure that the system meets the security objectives of its users. A program that performs a simple analysis of a Unix protection configuration was presented to illustrate that this sort of rule-based system is easy to build if the protection system is described from the attacker's viewpoint. This simple Unix analysis system, called SU-Kuang, answered the question "given access to a particular set of privileges, can an attacker achieve super-user privileges?". Using SU-Kuang, a security manager could ensure that a system did not allow ordinary user to achieve super-user privileges. .PP SU-Kuang is just one of many helpful Kuang-type systems. For example, many security objectives are expressed in terms of limiting the set of people who have access to particular privileges. A Kuang-type system that computed the set of privileges accessible to each user would help a security manager determine whether the security objectives are being met. Even better, if the bulk of the security objectives can be expressed in computer understandable form, then the bulk of the work of checking computer security could be automated.