Capability Based Security
Transcript of Capability Based Security
Capability Based Security
By Zachary Walker
CS265
Section 1
Access Control Issues
– Preventing Access: prevent users from accessing privileged data or resources
– Limiting Access: need to allow some access but not full access
– Granting Access: give new access or greater access
– Revoking Access: take back some or all of granted access
Methods of Access Control
Access Control Lists
– Access control associated with the resource
– Can prevent and revoke access
– Cannot limit or grant access
Capability Lists
– Access control associated with the user
– Can prevent, limit, and grant access
– Can revoke, but not as one might expect (more later)
Lampson Access Matrix

| Subject \ Object   | Network Access | Bank Records | Accounting Program |
|--------------------|----------------|--------------|--------------------|
| Billy the CEO      | Read/Write     | Read         | Execute            |
| Joe the CFO        | Read/Write     | Read/Write   | Execute            |
| Accounting Program |                | Read/Write   |                    |
Why the Lampson Equivalency Model isn't exactly accurate
What happens if an attacker somehow slips a Trojan Horse virus into the system with the intent to steal funds via the accounting program?
We examine the differences between the cases where the CEO and the CFO are attacked by the Trojan Horse.
Trojan Horse Attack on an ACL system
The CEO gets the virus
– The Trojan horse is run by the CEO
– The CEO lacks access to write to bank records
– The Trojan horse is unsuccessful in stealing money
The CFO gets the virus
– The Trojan horse is run by the CFO
– The CFO has access to write bank records
– The Trojan horse is successful in stealing money from the company
ACL view of attack
The OS checks the bank records ACL to see if write is authorized. It is the CFO. No problem.
[Diagram: CFO → Trojan Horse → Bank Records; the Write request is checked against the Bank Records ACL]
The Dilemma
The CFO needs write access to the Bank Records.
Anyone with write access to the bank records will be susceptible to the Trojan Horse.
What is the solution?
Capabilities
With capabilities, write access to the Bank Records is not implicit even if the CFO mistakenly downloads and runs the Trojan Horse.
The CFO would have to grant the Trojan horse the write capability to the Bank Records for the attack to be successful.
Capability Delegation
The CFO has capabilities to both the Trojan Horse and the Bank Records.
However, the Trojan horse has no notion of the Bank Records.
[Diagram: CFO → Trojan Horse, CFO → Bank Records; no arrow from Trojan Horse to Bank Records]
Delegation cont.
For the attack to succeed the CFO would have to explicitly pass the capability (yellow arrow) to the Trojan horse.
[Diagram: CFO, Trojan Horse, Bank Records; the yellow arrow is the CFO passing the Bank Records capability to the Trojan Horse]
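The two cases above as an added toy model, not code from the slides: an ACL system that checks the user identity the program runs under, beside a capability system in which an untrusted program reaches only what was explicitly delegated to it. Only the people and resource names come from the slides; the classes, the `attenuate` operation and the C-list-as-Python-list representation are assumptions of this model.

```python
class AclSystem:
    """ACL model: rights hang off the resource; the OS checks who the process runs as, not which program it runs."""
    def __init__(self):
        self.acl = {"Billy the CEO": {"read"}, "Joe the CFO": {"read", "write"}}
        self.bank_records = {"balance": 100}  # constructed sample resource

    def write_bank_records(self, user, delta):
        if "write" not in self.acl.get(user, set()):
            return False
        self.bank_records["balance"] += delta
        return True


class Capability:
    """Capability model: a reference (object + rights) that is itself the authorization."""
    def __init__(self, obj, rights):
        self.obj, self.rights = obj, frozenset(rights)

    def attenuate(self, rights):
        # Derive a weaker capability: the "limit access" case an ACL cannot express per program.
        return Capability(self.obj, self.rights & frozenset(rights))

    def write(self, delta):
        if "write" not in self.rights:
            raise PermissionError("capability lacks write")
        self.obj["balance"] += delta


def untrusted_program_acl(system, user):
    """Runs as `user`, so its reach is exactly the user's ACL rights."""
    return system.write_bank_records(user, -50)


def untrusted_program_caps(clist):
    """Sees only the capabilities it was handed (its C-list); there is no ambient identity."""
    for cap in clist:
        if "write" in cap.rights:
            cap.write(-50)
            return True
    return False


def run_scenarios():
    acl = AclSystem()
    ceo_hit = untrusted_program_acl(acl, "Billy the CEO")  # CEO lacks write: fails
    cfo_hit = untrusted_program_acl(acl, "Joe the CFO")    # CFO has write: succeeds
    records = {"balance": 100}                              # constructed sample resource
    cfo_cap = Capability(records, {"read", "write"})        # the CFO's own C-list entry
    no_delegation = untrusted_program_caps([])                         # CFO passes nothing
    read_only = untrusted_program_caps([cfo_cap.attenuate({"read"})])  # attenuated copy
    explicit = untrusted_program_caps([cfo_cap])                       # the "yellow arrow"
    return (ceo_hit, cfo_hit, acl.bank_records["balance"],
            no_delegation, read_only, explicit, records["balance"])
```

Only the last capability case, where the CFO hands over the full write capability, debits the records; the ACL CFO case does so without any such act.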
ACL Diagram
Arrows go from resources to subjects.
Capability Diagram
Arrows go from subjects to resources.
Why are ACLs the norm
When UNIX was being developed, ACLs and C-lists were both viable.
C-lists were known to be more secure but also more complex.
ACLs provided better performance and were deemed secure enough for the computing environment of the time.
EROS, a capability based OS
EROS stands for “Extremely Reliable Operating System”.
EROS is not the first capability based OS: Multics, KeyKOS, and Mach are examples of previous attempts at capability based OS designs.
Earlier systems have been criticized for being extremely slow.
How is EROS different from other OS designs
– Access control handled by capabilities
– All data and processes are persistent throughout power cycles
OS Persistence
Persistence means the state of the system is maintained even when powered off.
All registers, processes, memory contents, and of course disk data are stored when powered down.
Persistence is actually a necessity of capability based systems.
Why is persistence necessary
It is a “chicken or the egg” issue. Suppose the system isn't persistent: when the system is started, where would the startup process get its capabilities from?
There is no simple answer to this question, and the startup condition is one of the most vexing in capability-based OS design.
How is EROS initialized
Every resource in the system is allocated an atomic-level primitive object.
There are Pages, Nodes, and Numbers at the lowest level.
The OS creates capabilities for every primitive object.
Every capability ever used in the system will be a composition of these base-level capabilities.
How does persistence work
In EROS a snapshot of the system is taken every 5 minutes:
– long enough to minimize the overhead required for repeated saves
– short enough to minimize loss in the case of a system failure
What to save and where
– User data
– Process list
– List of open files
Save them in a partitioned section of disk set aside for persistent data.
Note that network connections and open streams are not saved and must be re-established.
What if?
The system crashes during a save?
– The data is actually saved to a look-ahead log
– If the save is interrupted there is an older version to revert to
– Consequence: two sets of persistence data must be maintained
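An added simulation of the two-set scheme just described; it is not code from the slides or from EROS. Each snapshot is written to the slot that does not hold the newest complete one, with its checksum written last, so a save interrupted part-way leaves the older snapshot intact for recovery. The slot layout, the SHA-256 checksum and the sequence numbers are assumptions of this model.

```python
import hashlib
import json


def digest(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def valid(slot) -> bool:
    """A slot counts only if the checksum, written after the data, matches the data."""
    return slot is not None and slot["sum"] is not None and digest(slot["data"]) == slot["sum"]


def recover(slots):
    """Boot path: the newest slot that verifies wins; a torn save is simply ignored.
    Returns (seq, state, slot_index) or None when no complete snapshot exists."""
    good = [(json.loads(s["data"]), i) for i, s in enumerate(slots) if valid(s)]
    if not good:
        return None
    record, index = max(good, key=lambda g: g[0]["seq"])
    return record["seq"], record["state"], index


class Checkpointer:
    def __init__(self):
        self.slots = [None, None]  # constructed stand-in for two on-disk persistence areas

    def save(self, state, crash_after=None):
        """Write the next snapshot into the slot NOT holding the newest good one."""
        newest = recover(self.slots)
        seq, target = (1, 0) if newest is None else (newest[0] + 1, 1 - newest[2])
        data = json.dumps({"seq": seq, "state": state}, sort_keys=True)
        if crash_after is not None and crash_after < len(data):
            # Simulated power loss mid-write: partial data, checksum never reached disk.
            self.slots[target] = {"data": data[:crash_after], "sum": None}
            return False
        self.slots[target] = {"data": data, "sum": digest(data)}  # checksum commits the slot
        return True


def demo():
    """Constructed sample run: two good snapshots, then a crash while writing the third."""
    cp = Checkpointer()
    cp.save({"processes": ["accounting"], "balance": 100})         # snapshot 1 -> slot 0
    cp.save({"processes": ["accounting", "mail"], "balance": 90})  # snapshot 2 -> slot 1
    cp.save({"processes": [], "balance": 0}, crash_after=10)       # torn write into slot 0
    return recover(cp.slots)  # snapshot 2 in slot 1 is what the system reverts to
```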
Summary
Capabilities provide much more granularity of control than ACLs.
Capabilities solve security issues unsolvable with ACLs.
ACLs are much simpler to implement and provide for a faster OS.