Protection: ACLs & Capabilities

download Protection: ACLs & Capabilities

of 21

  • date post

  • Category


  • view

  • download


Embed Size (px)


Protection: ACLs & Capabilities. Encoding Security. Depends on how a system represents the Matrix Not much sense in storing entire matrix! ACL: column for each object stored as a list for the object Capabilities: row for each subject stored as list for the subject. Access Control Lists. - PowerPoint PPT Presentation

Transcript of Protection: ACLs & Capabilities

  • Protection: ACLs & Capabilities

  • Encoding SecurityDepends on how a system represents the MatrixNot much sense in storing entire matrix!ACL: column for each object stored as a list for the objectCapabilities: row for each subject stored as list for the subject

    Cs414 gradesCs415 gradesEmacsRanveerr/wr/wKill/resumeTomrr/wNoneMohamedrrNone

  • Access Control ListsExample: to control file accessEach file has an ACL associated with it

  • Access Control Lists ExamplesUNIX: has uid and gidEach i-node has 12 mode bits for user, group and othersWhat does x without r mean for a directory?Can access file if you know the name, but cannot list namesWhat does r without x mean?Can list files, but cannot access themOnly the owner can change these rights with chmod commandLast 3 mode bits allow process to change across domainsIn NTFS: each file has a set pf properties (ACL is one)Richer set than UNIX: RWX P(permission) O(owner) D(delete)Further packaging: read (RX), change (RWXO), full control (RWXOPD)

  • ACLs DiscussionNeed good data structuresUser will need to have multiple identitiesNeed defaults for new objectsGood security metaphors to users are needed!

  • CapabilitiesStore information by rowsFor each subject, there is list of objects that it can accessCalled a capability list of c-list; individual items are capabilitiesC-lists are objects too, and may be pointed to from other c-lists

  • CapabilitiesTo access an object, subject presents the capabilitycapability word coined by Dennis and Van Horn in 1966Capability is (x, r) list. x is object and r is set of rights Capabilities are transferableHow to name an object?Is start address sufficient?Array and first element of array have same addressIs start address + length of object sufficient?What if start address changes?Random bit string: use hash table to translate from name to bitsNeed to protect capabilities from being forged by othersACLs were inherently unforgeable

  • Protecting CapabilitiesPrevent users from tampering with capabilitiesTagged ArchitectureEach memory word has extra bit indicating that it is a capabilityThese bits can only be modified in kernel modeCannot be used for arithmetic, etc.Sparse name space implementationKernel stores capability as object+rights+random numberGive copy of capability to the user; user can transfer rightsRelies on inability of user to guess the random numberNeed a good random number generator

  • Protecting CapabilitiesKernel capabilities: per-process capability informationStore the C-list in kernel memoryProcess access capabilities by offset into the C-listIndirection used to make capabilities unforgeableMeta instructions to add/delete/modify capabilities

  • Protecting CapabilitiesCryptographically protected capabilitiesStore capabilities in user space; useful for distributed systemsStore tupleThe check is a nonce, unique number generated when capability is created; kept with object on the server; never sent on the networkLanguage-protected capabilitiesSPIN operating system (Mesa, Java, etc.)

  • Capability RevocationKernel based implementationKernel keeps track of all capabilities; invalidates on revocationObject keeps track of revocation listDifficult to implementTimeout the capabilitiesHow long should the expiration timer be?Revocation by indirectionGrant access to object by creating alias; give capability to aliasDifficult to review all capabilitiesRevocation with conditional capabilitiesObject has state called big bagAccess only if capabilitys little bag has sth. in objects big bag

  • Comparing ACLs & CapabilitiesNumber of comparisons on opening a file?Capability: just one ACLs: linear with number of subjectsImplementing when no groups are supported:Capabilities: easier ACLs: Need to enumerate all the subjectsFinding out who has access to an object?Capabilities: difficultIs it possible to control propagation of rights?Capabilities: some counter can be usedSelective revocation of rights:Easy for ACLs (no immediate effect); difficult for capabilitiesEasier propagation of rights for capabilities

  • Trusted SystemsThe computer world right now is full of security problemsCan we build a secure computer system?Yes!Then why has it not been built yet?Users unwilling to throw out existing systemsNew systems have more features, so:more complexity, code, bugs and security errorsExamples: e-mail (from ASCII to Word), web (applets)Trusted Systems: formally stated security requirements, and how they are met

  • Trusted Computing BaseHeart of every trusted system has a small TCBHardware and software necessary for enforcing all security rulesTypically has:most hardware, Portion of OS kernel, and most or all programs with superuser powerDesirable features include:Should be smallShould be separable and well definedEasy to audit independently

  • Reference MonitorCritical component of the TCBAll sensitive operations go through the reference monitorMonitor decides if the operation should proceedNot there in most OSes

  • Access ControlDiscretionary Access Control (DAC)Subjects can determine who has access to their objectsCommonly used, for example in Unix File SystemIs flawed for tighter security, since program might be buggyMandatory Access Control (MAC)System imposes access control policy that object owners cannot changeMulti-level Security as an example of MACMLS is environment where there are various security levelsEg. Classify info as unclassified, confidential, secret, top secretGeneral sees all documents, lieutenant can only see below confidentialRestrict information flow in environments where various levels interact

  • Bell-La Padula ModelProperties to satisfy for information flowSecurity property: user at level k can read objects at level jj = k

  • Biba ModelIntegrity property: A user at security level k can write only objects at level j, j = kNo write up, no read downWant Bell-La Padula and Biba in the same system, for different types of objectsBut Bell-La Padula and Biba are in direct conflictIn practice, a mix of DAC and MAC

  • Covert ChannelsDo these ideas make our system completely secure?No. Security leaks possible even in a system proved secure mathematically. Lampson 1973Model: 3 processes. The client, server and collaboratorServer and collaborator colludeGoal: design a system where it is impossible for server to leak to the collaborator info received from the client (Confinement)Solution: Access Matrix prevents server to write to a file that collaborator has read access; no IPC eitherCovert Channel: compute hard for 1, sleep for a 0Others: paging, file locking with ACKs, pass secret info even though there is censor

  • Steganography Original picture 1024x768Using lower order RGB bits: 1024x768x3 = 294,912 bytesFive Shakespeare plays total 734,891 bytes:Hamlet, King Lear, Julius Caesar, The Merchant of Venice, Macbeth Compress to: 274 KB, and then encode

  • Orange BookDept. of Defense Standards DoD 5200.28 in 1985Known as Orange Book for the color of its coverDivides OSes into categories based on security propertyD Minimal security.C Provides discretionary protection through auditing. Divided into C1 and C2. C1 identifies cooperating users with the same level of protection. C2 allows user-level access control.B All the properties of C, however each object may have unique sensitivity labels. Divided into B1, B2, and B3.A Uses formal design and verification techniques to ensure security.