Access Control
CS461/ECE422, Fall 2011
Reading Material
• Chapter 4 through section 4.5
• Chapters 23 and 24
  – For the access control aspects of Unix and Windows
Outline
• Access Control Matrix
• Access Control List
• Capabilities
Access Control in Context
AAA
• Access control part of a broader context
• Authentication
  – Discussed last time. Bind external entity to system entity
• Authorization
  – Grant a right or permission to the system entity to access a system resource
• Audit
  – Independent review of system actions
Types of Access Control Policies
• Discretionary Access Control (DAC)
  – Decision made based on identity of requestor and access rules
  – Regular users can adjust the policy
• Mandatory Access Control (MAC)
  – Decision made by testing labels associated with processes and resources against system policy rules
  – Regular user cannot adjust the policy
• Role Based Access Control (RBAC)
  – Access decisions defined against roles rather than individual requestors
Access Control Requirements or Differentiators
• Reliable Input – GIGO (garbage in, garbage out)
• Fine and coarse grain specifications
• Least Privilege
• Separation of Duty
• Open and closed policies – What is the default?
• Policy combination and conflict resolution
• Administrative policies – How is change to access control managed?
• Dual Control
Access Control Elements
• Subject – system entity capable of accessing objects. Generally a process in an OS context
• Object – a resource in a system
  – Often a file
  – Could also be other named resources like a mutex, process, network interface, or network port
• Access right – a way that a subject may access an object in the system
  – Read, Write, Execute, Delete, Create, Search, Change Access, Own
Computer Security I, slide 9, 9/29/2010
Access Control Matrix
• Access Matrix or Access Control Matrix (ACM) and related concepts provide a very basic abstraction
  – Map different systems to a common form for comparison
  – Enables standard proof techniques
  – Not directly used in implementation
Definitions
• Protection state of system
  – Describes current settings, values of system relevant to protection
• Access control matrix
  – Describes protection state precisely
  – Matrix describing rights of subjects
  – State transitions change elements of matrix
Access Matrix: File Example

|        | File 1         | File 2         | File 3         | File 4         |
|--------|----------------|----------------|----------------|----------------|
| User A | Own Read Write |                | Own Read Write |                |
| User B | Read           | Own Read Write | Write          | Read           |
| User C | Read Write     | Read           |                | Own Read Write |
Access Matrix: Broader Example

Columns S1–S3 are subjects, F1–F2 files, P1–P2 processes, and D1–D2 disks. A right marked with * carries the copy flag used by rule R1 on the next slide.

|    | S1      | S2      | S3            | F1     | F2         | P1     | P2     | D1    | D2    |
|----|---------|---------|---------------|--------|------------|--------|--------|-------|-------|
| S1 | control | owner   | owner control | read*  | read owner | wakeup | wakeup | seek  | owner |
| S2 |         | control |               | write* | execute    |        | owner  | seek* |       |
| S3 |         |         | control       | write  |            | stop   |        |       |       |
Mediation Implementation
Rules Governing Access Matrix Change

| Rule | Command (by S0)         | Authorization                              | Operation                                                              |
|------|-------------------------|--------------------------------------------|------------------------------------------------------------------------|
| R1   | Transfer α or α* to S,X | ‘α*’ in A[S0,X]                            | Store α or α* in A[S,X]                                                |
| R2   | Grant α or α* to S,X    | ‘owner’ in A[S0,X]                         | Store α or α* in A[S,X]                                                |
| R3   | Delete α from S,X       | ‘control’ in A[S0,S] or ‘owner’ in A[S0,X] | Delete α from A[S,X]                                                   |
| R4   | w ← read S,X            | ‘control’ in A[S0,S] or ‘owner’ in A[S0,X] | Copy A[S,X] into w                                                     |
| R5   | Create object X         | None                                       | Add column for X to A; store ‘owner’ in A[S0,X]                        |
| R6   | Destroy object X        | ‘owner’ in A[S0,X]                         | Delete column X from A                                                 |
| R7   | Create subject S        | None                                       | Add row for S to A; execute create object S; store ‘control’ in A[S,S] |
| R8   | Destroy subject S       | ‘owner’ in A[S0,S]                         | Delete row for S from A; execute destroy object S                      |
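The eight rules above as executable checks, added here as an illustration and not code from the slides or the textbook. The matrix is a plain dictionary; rights are strings, and a trailing `*` marks the copy flag (α*).

```python
# Added example, not from the slides: a dictionary-backed access matrix that
# enforces rules R1-R8 above. A right ending in '*' carries the copy flag (alpha*).
class NotAuthorized(Exception):
    pass

class AccessMatrix:
    def __init__(self):
        self.A = {}                          # (subject, object) -> set of rights
    def rights(self, s, x):
        return self.A.setdefault((s, x), set())
    def _require(self, ok, rule):
        if not ok:
            raise NotAuthorized(rule)

    def transfer(self, s0, right, s, x):     # R1: S0 needs alpha* on X
        self._require(right.rstrip('*') + '*' in self.rights(s0, x), "R1")
        self.rights(s, x).add(right)

    def grant(self, s0, right, s, x):        # R2: S0 must own X
        self._require('owner' in self.rights(s0, x), "R2")
        self.rights(s, x).add(right)

    def _controls_or_owns(self, s0, s, x):   # authorization shared by R3 and R4
        return 'control' in self.rights(s0, s) or 'owner' in self.rights(s0, x)

    def delete(self, s0, right, s, x):       # R3
        self._require(self._controls_or_owns(s0, s, x), "R3")
        self.rights(s, x).discard(right)

    def read(self, s0, s, x):                # R4: w <- A[S,X]
        self._require(self._controls_or_owns(s0, s, x), "R4")
        return set(self.rights(s, x))

    def create_object(self, s0, x):          # R5: no authorization; creator owns X
        self.rights(s0, x).add('owner')

    def destroy_object(self, s0, x):         # R6: owner drops column X
        self._require('owner' in self.rights(s0, x), "R6")
        for key in [k for k in self.A if k[1] == x]:
            del self.A[key]

    def create_subject(self, s0, s):         # R7: S is also an object; S controls itself
        self.create_object(s0, s)
        self.rights(s, s).add('control')

    def destroy_subject(self, s0, s):        # R8: drop row S, then destroy object S
        self._require('owner' in self.rights(s0, s), "R8")
        for key in [k for k in self.A if k[0] == s]:
            del self.A[key]
        self.destroy_object(s0, s)
```

Each method raises `NotAuthorized` when the Authorization column is not satisfied, so a caller that lacks the copy flag cannot pass a right on by R1 even though it may use the right itself.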
Actually Implementing Access Matrix
• Slice by column
  – Access control list
  – Used by Multics and most modern OS
• Slice by row
  – Capability list
  – Many implementations in the '80s
  – Often associated with object-oriented systems
Slice and Dice File example
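The slicing from the two previous slides carried out on the File Example matrix, as an added example that is not part of the original slides. It also shows the revocation asymmetry raised later under "Revoking capabilities": removing every right to one object is a single edit in the ACL view but a scan of every subject's list in the capability view.

```python
# Added example, not from the slides: the File Example matrix sliced by column
# (ACLs, stored with each object) and by row (capability lists, held by each
# subject). The matrix below is transcribed from the slide.
MATRIX = {  # (user, file) -> rights
    ("A", "File 1"): {"Own", "Read", "Write"}, ("A", "File 3"): {"Own", "Read", "Write"},
    ("B", "File 1"): {"Read"}, ("B", "File 2"): {"Own", "Read", "Write"},
    ("B", "File 3"): {"Write"}, ("B", "File 4"): {"Read"},
    ("C", "File 1"): {"Read", "Write"}, ("C", "File 2"): {"Read"},
    ("C", "File 4"): {"Own", "Read", "Write"},
}

def acls(matrix):
    """Slice by column: acl[object][user] -> rights (ACL stored with the object)."""
    out = {}
    for (user, obj), rights in matrix.items():
        out.setdefault(obj, {})[user] = set(rights)
    return out

def capability_lists(matrix):
    """Slice by row: caps[user][object] -> rights (list carried by the subject)."""
    out = {}
    for (user, obj), rights in matrix.items():
        out.setdefault(user, {})[obj] = set(rights)
    return out

def acl_check(acl, user, obj, right):
    """Reference monitor with ACLs: look the user up in the object's list."""
    return right in acl.get(obj, {}).get(user, set())

def cap_check(caps, user, obj, right):
    """Reference monitor with capabilities: look the object up in the user's list."""
    return right in caps.get(user, {}).get(obj, set())

def revoke_object(acl, caps, obj):
    """Revoke everyone's rights to obj. With ACLs that is one deletion beside the
    object; with capabilities every subject's list must be visited. Returns the
    number of capability lists that had to be scanned."""
    acl.pop(obj, None)
    visited = 0
    for user_caps in caps.values():
        user_caps.pop(obj, None)
        visited += 1
    return visited
```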
Unix Access Control
• Three permission octets associated with each file and directory
  – Owner, group, and other
  – Read, write, execute
• For each file/directory
  – Can specify RWX permissions for one owner, one group, and one other
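The owner/group/other decision described above, written out as an added example (not code from the slides). The detail worth seeing is that only the first matching class is consulted: a file's owner is judged by the owner bits alone, even when the "other" bits would be more generous. Assumed simplifications: no superuser override, no setuid/setgid/sticky bits, no POSIX ACLs.

```python
# Added example, not from the slides: the Unix owner/group/other check on the
# 9 permission bits. Assumed simplifications: no superuser override, no
# setuid/setgid/sticky bits, no POSIX ACLs.
R, W, X = 4, 2, 1
BIT = {"r": R, "w": W, "x": X}

def parse_mode(text):
    """'rw-r-----' -> 0o640 (the order ls prints: owner, group, other)."""
    if len(text) != 9:
        raise ValueError("expected nine rwx characters")
    mode = 0
    for i, ch in enumerate(text):
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= BIT[ch] << (6 - 3 * (i // 3))
        elif ch != "-":
            raise ValueError("bad character %r at position %d" % (ch, i))
    return mode

def permission_class(file_uid, file_gid, uid, gids):
    """Only the first matching class applies: owner, else group, else other."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"

def unix_allowed(mode, file_uid, file_gid, uid, gids, want):
    """want is a string such as 'rw'; every requested bit must be present in
    the one class that applies to the caller."""
    cls = permission_class(file_uid, file_gid, uid, gids)
    bits = (mode >> {"owner": 6, "group": 3, "other": 0}[cls]) & 7
    need = 0
    for ch in want:
        need |= BIT[ch]
    return bits & need == need
```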
Windows ACL
Windows ACL
• Actually two ACLs per file
  – System ACL (SACL) – controls auditing and now integrity controls
  – Discretionary ACL (DACL) – controls object access
• Windows ACLs apply to all named objects
  – Files
  – Pipes
  – Events
ACL Distinctions
• What subjects can modify an object's ACL?
• If there is a privileged user, do the ACLs apply to that user?
• Does the ACL support groups or wildcards?
• How are contradictory access control permissions handled?
• If a default permission is allowed, do the ACL permissions modify it, or is the default only used when the subject is not mentioned in the ACL?
ACL Scaling
• Groups of users
• Role Based Access Control
  – Users can take on one role at a time
• Directory inheritance
• Negative rights
Revoking rights with ACLs
• Revoking rights for subject s to a particular object o is straightforward
  – Remove s from ACL(o)
  – Make sure s has a negative entry in ACL(o)
• Example: Alice removes all of Bob's rights to file f
  – What if Bob had given Carol read rights to f?
  – Should Carol still have those rights?
Capabilities
• Slice Access matrix by row
• Capabilities associated with the subjects
Capability Integrity
• Subject presents capability to access object
  – Capability encapsulates object ID with allowed rights
• Unlike ACLs, capabilities are not completely contained by the OS
• Capability integrity is a big concern
  – Tagged memory
  – Segmented memory
  – Cryptographic hashes
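The cryptographic option from the list above, as an added example that is not code from the slides: a capability that lives in user space but carries an HMAC under a key only the kernel holds, so the reference monitor can tell a minted capability from an edited or forged one. The key, the object ids and the `obj|rights|tag` encoding are all constructed for this example; right names must not contain `,` or `|`.

```python
# Added example, not from the slides: a capability handed to user space that the
# kernel can later recognise as its own because it carries an HMAC under a key
# only the kernel holds. Key, object ids and the encoding are constructed here;
# rights names must not contain ',' or '|'.
import hmac
import hashlib

KERNEL_KEY = b"constructed-demo-key; a real kernel would draw this at boot"

def _tag(body):
    return hmac.new(KERNEL_KEY, body, hashlib.sha256).hexdigest().encode()

def mint_capability(obj_id, rights):
    """Kernel side: bind object id and rights together, then seal with the MAC."""
    body = obj_id.encode() + b"|" + ",".join(sorted(rights)).encode()
    return body + b"|" + _tag(body)

def check_capability(cap, obj_id, right):
    """Reference monitor: accept only an untampered capability for this object
    that lists the requested right."""
    parts = cap.split(b"|")
    if len(parts) != 3:
        return False
    obj, rights, tag = parts
    if not hmac.compare_digest(tag, _tag(obj + b"|" + rights)):
        return False                      # forged or edited capability
    return bool(right) and obj.decode() == obj_id and right in rights.decode().split(",")

def attenuate(cap, keep):
    """Derive a weaker capability (subset of rights) from a valid one. The kernel
    re-seals it, so user space still cannot mint rights on its own."""
    parts = cap.split(b"|")
    if len(parts) != 3 or not hmac.compare_digest(parts[2], _tag(parts[0] + b"|" + parts[1])):
        return None
    have = set(parts[1].decode().split(","))
    return mint_capability(parts[0].decode(), have & set(keep))
```

`attenuate` is the copy-with-fewer-rights operation discussed on the propagation slide that follows; because user space never sees the key, it can ask the kernel for a narrower capability but cannot widen one.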
Capabilities and propagation
• Copy rights
  – Separate version of the base right, e.g. read-copy
  – Some systems had explicit copy bit
• Right amplification
  – May need to temporarily amplify rights to object
  – Perhaps just within particular method or module
  – Combine abstract class rights with object rights
  – Counter module example
    • In general, user only has right to invoke counter module on variable of counter type
    • In counter code, process must perform additional operations
Revoking capabilities
• Easy to revoke all rights to a given subject
• What about revoking everyone's rights to a particular object?
Capabilities HW
• Intel iAPX 432 (mid '70s)
  – Tried to put even more security enforcement in hardware
  – Capabilities and object-oriented
  – Implementation too complex and compiler technology not sufficiently smart
  – http://en.wikipedia.org/wiki/Intel_iAPX_432
• IBM System/38
  – From about the same time period
  – Also had hardware capabilities support
• Capability-Based Computer Systems by Henry M. Levy
  – http://www.cs.washington.edu/homes/levy/capabook/
Protection Domains
• In Access Matrix
  – Replace user with “Protection Domain”
• At run time the process representing user may run under different protection domains
• In extreme case
  – User mode vs kernel mode
Key Points
• Access control part of broader system
• Access Control Matrix or Access Matrix
  – Means to model access control systems
• Real implementations
  – Access control lists
  – Capability lists