General Access Control

Fall 2008 CS 334: Computer Security 1

Role of Access Control

  • Before closing “back doors” we need to close “front doors”
  • Access control: determines access to files & processes in the OS
  • We will return to these themes throughout the course


Classic Models of Security

  • Computer security has its origin in military models of security
  • Different levels of secrecy
    – e.g. confidential/secret/top secret
  • Compartmentalized security
    – e.g. nuclear, communications, etc.
    – TS/SCI (top secret / sensitive compartmented information)


Corresponding Access Control

  • Classic model → Mandatory Access Control (MAC)
    – (the abbreviation MAC is also used for “message authentication code”)
  • User-controlled security → Discretionary Access Control (DAC)


Subjects and Objects

  • Subjects do things
    – users, processes …
  • Objects have things done to them
    – files, processes …
  • Access types are the things that are done
    – read, write, append, list, detect, remove, execute …
  • Note that some things (e.g. processes) can be both subjects and objects

Read and Write are Different

  • Access types can be distinguished by whether they pass information
  • Generally “write” passes information (to another subject)
  • Generally “read” does not pass information (to another subject)


General Access Control

  • Control of access to memory is relatively easy: every access is guaranteed to go through certain points in hardware
  • With general objects:
    – Number of access points may be large
    – May be no central authority through which all accesses pass
    – Access may not be limited to read, write, or execute


General Access Control

  • Memory is relatively easy: all accesses to memory go through a program, so we can refer to the program (or programmer) as the accessing agent
  • With general objects, the user (or subject) could be:
    – Person who uses the computing system
    – Program
    – Programmer
    – Another object
    – Something else that seeks to use an object


Access Control Goals

  • Check every access
    – May want to revoke a user's privilege to access an object (i.e. no indefinite access to an object)
    – May want to prevent further access immediately after revocation
  • Enforce Least Privilege
    – A subject should have access to the least number of objects necessary to perform its task, even if extra information appears to be useless or harmless
  • Verify Acceptable Usage
    – Access to an object may be a yes/no decision, but it is equally important to check that the activity to be performed on the object is appropriate
    – E.g. Stack: only push, pop, clear, etc. are acceptable

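The three goals above, as a small reference monitor in Python. This is an added example, not code from the CS 334 slides; the names Monitor, Stack and AccessDenied are chosen for the example. Every operation on the protected Stack passes through invoke(), which checks both that the subject holds the right and that the requested operation is one a Stack actually supports; revoke() is visible on the very next call because nothing is cached.

```python
"""Reference monitor sketch: added example, not code from the CS 334 slides.

It illustrates the three access control goals with a Stack object:
  * check every access: nothing is cached, so a revoke() is visible on the
    very next invoke();
  * least privilege: a subject is granted only the operations it needs;
  * verify acceptable usage: the monitor checks *which* operation is
    requested, and only push/pop/clear exist for a Stack.
Names (Monitor, Stack, AccessDenied) are chosen for this example.
"""
from collections import defaultdict


class AccessDenied(Exception):
    pass


class Stack:
    """Protected object: push, pop and clear are its only legitimate operations."""
    OPERATIONS = frozenset({"push", "pop", "clear"})

    def __init__(self):
        self._items = []

    def push(self, x):
        self._items.append(x)

    def pop(self):
        return self._items.pop()

    def clear(self):
        self._items.clear()


class Monitor:
    """Every operation on a registered object goes through invoke()."""

    def __init__(self):
        self._objects = {}
        self._rights = defaultdict(set)   # (subject, object name) -> permitted ops

    def register(self, name, obj):
        self._objects[name] = obj

    def grant(self, subject, name, ops):
        ops = set(ops)
        unknown = ops - self._objects[name].OPERATIONS
        if unknown:
            raise ValueError(f"{name} has no operation {sorted(unknown)}")
        self._rights[(subject, name)] |= ops

    def revoke(self, subject, name, ops=None):
        """Revoke some (or all) rights; takes effect on the next invoke()."""
        if ops is None:
            self._rights.pop((subject, name), None)
        else:
            self._rights[(subject, name)] -= set(ops)

    def invoke(self, subject, name, op, *args):
        obj = self._objects[name]
        if op not in obj.OPERATIONS:                         # acceptable usage
            raise AccessDenied(f"{op!r} is not a valid operation on {name}")
        if op not in self._rights.get((subject, name), ()):  # check every access
            raise AccessDenied(f"{subject} may not {op} {name}")
        return getattr(obj, op)(*args)


def demo():
    """Exercise the monitor; returns a dict of observed outcomes."""
    m = Monitor()
    m.register("S", Stack())
    m.grant("alice", "S", {"push", "pop"})        # least privilege: no clear
    m.invoke("alice", "S", "push", 1)
    m.invoke("alice", "S", "push", 2)
    out = {"popped": m.invoke("alice", "S", "pop")}
    for op in ("clear", "_items"):                 # not granted / not an operation
        try:
            m.invoke("alice", "S", op)
            out[op + "_denied"] = False
        except AccessDenied:
            out[op + "_denied"] = True
    m.revoke("alice", "S")                         # immediate effect
    try:
        m.invoke("alice", "S", "pop")
        out["after_revoke_denied"] = False
    except AccessDenied:
        out["after_revoke_denied"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The whitelist in Stack.OPERATIONS is what makes the getattr() dispatch safe: a subject cannot name an internal attribute such as `_items` and reach the raw list, which is exactly the "acceptable usage" check the slide asks for.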

General Access Control Mechanisms

  • Directory
  • Access control matrix
  • Access control list
  • Capability


Directory

  • Works like a file directory
  • Every file (object) has a unique owner who controls access rights (including the right to declare who has what access) and controls revocation of those rights


Directory

  • Advantages
    – Easy to implement: one list per user, listing all accesses
  • Difficulties
    – List becomes too large if many shared objects are accessible to all users
      • Directory of each user must have an entry for each such shared object (even if the user never uses the object)
      • Deletion of an object must be reflected in all directories


Directory

  • Difficulties
    – Access revocation
      • If A passes an access right for object F to B, then an entry for F is created in B's directory
      • Revocation of access rights for everyone requires a search of each individual directory for the right to F (could be 10,000 directories)
      • And B may have passed access rights for F on to another user, so the revoking owner can't be counted on to know that this new user's rights should also be revoked


Thorny Directory Problem

  • User S has trouble remembering the contents of F from its name, so wants to rename it
  • So subject S is allowed to rename the file to any name unique within the directory of S. So F from A could be called Q by S
  • S later forgets that Q is F from A, and so requests access again from A for F
  • But now A may have more trust in S, so it grants greater access rights
  • Leaves open the possibility that S may have two different sets of access rights to F, one under the name F, one under the name Q. Thus pseudonyms can lead to multiple (and inconsistent) permissions for a given object

Bottom line: too simple for most object protection situations!

Access Control Matrix

  • Each row represents a subject, each column an object
    – Entries are the access rights of a specific subject to a specific object


Problems with Access Control Matrix

  • In general a sparse matrix (most subjects don't have access rights to most objects)
    – Can be implemented as a list of <subject, object, rights> triples, though this is rarely done because of the inefficiency of searching a large number of such triples
  • Hard to manage
    – Who can manage different entries?
    – What if we need to give “temporary rights”?
    – Common entries?

Sparse Matrix Representations

  • Access Control Lists (ACLs)
    – the object lists subjects and access types
    – example: this file can be modified by Alice and read by Charlie
  • Capabilities
    – subjects hold particular “permissions”
    – example: Bob is allowed to modify files
  • Hybrid models also exist


Access Control List

  • One such list for each object
    – Shows all subjects who should have access to the object and what their access is
  • Different from a directory because there is one access control list per object, whereas a directory is created for each subject
  • This may seem trivial, but it provides some significant advantages:


Consider subjects A and S, both with access rights to F. The OS maintains a single access list for F, showing the access rights of A and S. The list can contain default rights for some users and custom rights for others, so a public object can be shared by all possible users of the system without needing an entry in the individual directory of each user.


Capability

  • A subject can create an object and specify the operations allowed on that object (e.g., read, write, execute permissions on files, subprocesses, data segments)
  • A user can also define completely new objects (e.g., a new data structure) and can define types of access previously unknown to the OS
  • One possible access right to an object is transfer or propagate
    – A subject with this right can pass copies of capabilities to other subjects
    – These passed capabilities have a list of permitted access types, one of which might also be transfer

ACLs & Capabilities: Equivalent?

  • In representative power, yes
    – Both are sparse matrix representations of the Access Control Matrix
  • In philosophy, no
    – Often come with particular features & OS philosophy
    – Capabilities often appeal to researchers
    – But capability systems often work poorly
    – Perennial claim: capability lists are coming back!

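The point about representative power, together with the revocation difficulty of directories and the transfer right of capabilities from the preceding slides, as one worked example in Python. This is added code, not from the CS 334 slides; the sample matrix TRIPLES and the subject names are constructed for the example. The same four-entry matrix is loaded into a per-subject Directory, a per-object ACL and per-subject capability lists; all three answer the same access question, but revoking everyone's access to F touches one list in the ACL and every subject's list in the other two.

```python
"""One access control matrix, three sparse representations: added example,
not code from the CS 334 slides.

TRIPLES (constructed for the example) is the matrix.  A Directory keeps a
row per subject, an ACL keeps a column per object, and a capability list is
a row the subject itself holds and may pass on if it has the 'transfer'
right.  All three answer "may s do op to o?" identically; what differs is
the cost of revoking everyone's access to one object.
"""
from collections import defaultdict

TRIPLES = [                               # (subject, object, rights), constructed
    ("alice", "F", {"read", "write"}),
    ("bob", "F", {"read"}),
    ("alice", "G", {"read", "write", "transfer"}),
    ("charlie", "G", {"read"}),
]


class Directory:
    """One list per subject."""
    def __init__(self, triples):
        self.rows = defaultdict(dict)     # subject -> {object: rights}
        for s, o, rights in triples:
            self.rows[s][o] = set(rights)
        self.lists_touched = 0

    def allowed(self, s, o, op):
        return op in self.rows.get(s, {}).get(o, ())

    def revoke_all(self, o):
        for row in self.rows.values():    # every subject's directory is scanned
            self.lists_touched += 1
            row.pop(o, None)


class ACL:
    """One list per object."""
    def __init__(self, triples):
        self.cols = defaultdict(dict)     # object -> {subject: rights}
        for s, o, rights in triples:
            self.cols[o][s] = set(rights)
        self.lists_touched = 0

    def allowed(self, s, o, op):
        return op in self.cols.get(o, {}).get(s, ())

    def revoke_all(self, o):
        self.lists_touched += 1           # one list, one operation
        self.cols.pop(o, None)


class Capabilities:
    """Each subject holds tickets; a ticket carrying 'transfer' may be copied."""
    def __init__(self, triples):
        self.held = defaultdict(dict)     # subject -> {object: rights}
        for s, o, rights in triples:
            self.held[s][o] = set(rights)

    def allowed(self, s, o, op):
        return op in self.held.get(s, {}).get(o, ())

    def transfer(self, giver, receiver, o, rights):
        mine = self.held.get(giver, {}).get(o, set())
        if "transfer" not in mine or not set(rights) <= mine:
            raise PermissionError(f"{giver} cannot pass {sorted(rights)} on {o}")
        self.held[receiver][o] = self.held[receiver].get(o, set()) | set(rights)

    def revoke_all(self, o):
        for tickets in self.held.values():   # tickets are scattered across holders
            tickets.pop(o, None)


def demo():
    d, a, c = Directory(TRIPLES), ACL(TRIPLES), Capabilities(TRIPLES)
    out = {}
    out["all_agree"] = all(
        d.allowed(s, o, op) == a.allowed(s, o, op) == c.allowed(s, o, op)
        for s in ("alice", "bob", "charlie", "dave")
        for o in ("F", "G")
        for op in ("read", "write"))
    c.transfer("alice", "bob", "G", {"read"})        # alice holds transfer on G
    out["bob_reads_G"] = c.allowed("bob", "G", "read")
    try:
        c.transfer("alice", "bob", "F", {"write"})   # no transfer right on F
        out["F_transfer_blocked"] = False
    except PermissionError:
        out["F_transfer_blocked"] = True
    for store in (d, a, c):
        store.revoke_all("F")
    out["directory_lists_touched"] = d.lists_touched
    out["acl_lists_touched"] = a.lists_touched
    out["anyone_reads_F"] = any(x.allowed(s, "F", "read")
                                for x in (d, a, c) for s in ("alice", "bob"))
    return out


if __name__ == "__main__":
    print(demo())
```

The capability store has the same revocation cost as the directory for the same reason: the rights live with the holders, not with the object, so the "bottom line" of the directory slides applies to naive capability lists as well.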

Where is the ACL Applied?

  • Some systems: on the file
  • Some systems: on the directory
  • Some systems: a combination


Who Determines Identity?

  • In (non-distributed) multi-user systems, usually the OS
    – Login
  • In distributed systems
    – Sometimes a central authority (trusted third party, e.g., Kerberos)
      • Single login
    – Sometimes knowledge of a password (e.g., ssh or “guest” file sharing in Windows)
      • Remote login


Who is Allowed to Modify the ACL?

  • In some systems, the “owner” of the file/process/directory
  • Example: chmod command in UNIX
    – World access: read/write/execute
      • For directories: read = list items; execute = “enter” directory
    – Owner access: read/write/execute


Fine-Grained Control

  • But we need options other than “world access” or “owner-only access”
  • General ACLs allow arbitrary access, but are hard to manage
  • Solution: groups


Groups

  • A group is a single id such as
    – “Richmond-undergrads”
    – “friends of Cosmin”
    – “administrative access”
  • A group administrator maintains the group membership list


More on UNIX chmod

  • World: read/write/execute
  • Group: read/write/execute
  • Owner: read/write/execute
  • Can change the owner using the chown command

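The owner/group/world check behind chmod, written out in Python so the order of evaluation is visible. This is an added example, not code from the CS 334 slides; Inode and Cred are constructed stand-ins for a real inode and process credentials, and the uids/gids are made up. The detail worth knowing: the kernel chooses one class (owner, else group, else other) and consults only that class's bits, so a file you own with mode 077 is unreadable to you while everyone else can read it, and the directory meanings from the earlier slide (read = list, execute = enter) fall out of the same bit test.

```python
"""UNIX mode-bit evaluation: added example, not code from the CS 334 slides.

The kernel picks ONE class (owner, then group, then other) and consults only
that class's bits.  So chmod 077 on a file you own locks you out while
everyone else can read it, and a directory with mode 711 can be entered (x)
but not listed (r) by non-owners.  Inode and Cred are constructed stand-ins
for a real inode and process credentials; no real files are touched.
"""


class Inode:
    def __init__(self, mode, uid, gid, is_dir=False):
        self.mode, self.uid, self.gid, self.is_dir = mode, uid, gid, is_dir


class Cred:
    def __init__(self, uid, gid, groups=()):
        self.uid, self.gid = uid, gid
        self.groups = set(groups) | {gid}       # primary + supplementary groups


# requested operation -> the r/w/x bit it needs (list/enter are the directory meanings)
_NEEDS = {"read": 4, "write": 2, "execute": 1, "list": 4, "enter": 1}


def permitted(inode, cred, op):
    if op in ("list", "enter") and not inode.is_dir:
        raise ValueError(f"{op} applies only to directories")
    if cred.uid == 0:
        # root bypasses the bits, except that executing a regular file
        # still requires at least one execute bit to be set
        return op != "execute" or bool(inode.mode & 0o111)
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 0o7      # owner class, used exclusively
    elif inode.gid in cred.groups:
        bits = (inode.mode >> 3) & 0o7      # group class
    else:
        bits = inode.mode & 0o7             # other ("world")
    return bool(bits & _NEEDS[op])


def chmod(inode, cred, mode):
    """Like chmod(1): only the owner (or root) may change the mode."""
    if cred.uid not in (0, inode.uid):
        raise PermissionError("only the owner may chmod")
    inode.mode = mode & 0o7777


def demo():
    alice = Cred(uid=1000, gid=1000)
    bob = Cred(uid=1001, gid=1001, groups={1000})   # member of alice's group
    carol = Cred(uid=1002, gid=1002)
    root = Cred(uid=0, gid=0)
    f = Inode(0o640, uid=1000, gid=1000)            # -rw-r----- alice alice
    out = {
        "owner_writes": permitted(f, alice, "write"),
        "group_reads": permitted(f, bob, "read"),
        "group_writes": permitted(f, bob, "write"),
        "world_reads": permitted(f, carol, "read"),
    }
    chmod(f, alice, 0o077)                          # ----rwxrwx: the gotcha
    out["owner_locked_out"] = not permitted(f, alice, "read")
    out["world_still_reads"] = permitted(f, carol, "read")
    out["root_reads"] = permitted(f, root, "read")
    try:
        chmod(f, bob, 0o777)                        # bob is not the owner
        out["bob_chmod_blocked"] = False
    except PermissionError:
        out["bob_chmod_blocked"] = True
    d = Inode(0o711, uid=1000, gid=1000, is_dir=True)   # drwx--x--x
    out["bob_lists_dir"] = permitted(d, bob, "list")
    out["bob_enters_dir"] = permitted(d, bob, "enter")
    return out


if __name__ == "__main__":
    print(demo())
```

On a real system the owner-exclusive rule is why `chmod 600` is the right way to protect a private key and why a typo such as `chmod 070` does not grant the owner anything even though it looks more permissive.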

Temporary Access

  • This is an area where capability systems excel
    – “transferring a capability”
    – Sometimes like giving a reference
  • ACL systems need a special mechanism
    – UNIX: “setuid”
    – Windows NT/XP: “run as”


Procedure-Oriented Access Control

  • We run a program to determine access
  • Example: Web server access


Distributed Access Control

  • Distributed access control is an active research area
  • Example: who can access an encrypted satellite broadcast?
    – Users join and leave all the time
    – Millions or tens of millions of users
  • “Distributed key distribution”


Compatibility of Access Control

  • ACLs predominate, but each system implements them in its own way
  • Systems must “translate” access control
    – SAMBA supports Windows and Unix-like systems
  • Continual source of serious errors


Autonomous Access Control

  • Each system manages its own access control
  • Requires remote login
  • Problem: people often access hundreds or thousands of systems, and necessarily reuse login info (passwords)
  • Common password problem
  • We will revisit these issues in the course


Access Control is Central to Security

  • We return to access control repeatedly in the course
  • Old area of security, but not well understood
  • Often poorly implemented
  • And we haven't even begun to look at “backdoors”!
