Date posted: 31-Mar-2015
Access Control
CS461/ECE422Fall 2011
Reading Material
• Chapter 4 through section 4.5
• Chapters 23 and 24
  – For the access control aspects of Unix and Windows
Outline
• Access Control Matrix
• Access Control List
• Capabilities
Access Control in Context
AAA
• Access control is part of a broader context
• Authentication
  – Discussed last time. Binds an external entity to a system entity
• Authorization
  – Grants a right or permission to the system entity to access a system resource
• Audit
  – Independent review of system actions
Types of Access Control Policies
• Discretionary Access Control (DAC)
  – Decision made based on the identity of the requestor and access rules
  – Regular users can adjust the policy
• Mandatory Access Control (MAC)
  – Decision made by testing labels associated with processes and resources against system policy rules
  – Regular users cannot adjust the policy
• Role Based Access Control (RBAC)
  – Access decisions defined against roles rather than individual requestors
Access Control Requirements or Differentiators
• Reliable input – GIGO (garbage in, garbage out)
• Fine and coarse grain specifications
• Least privilege
• Separation of duty
• Open and closed policies – What is the default?
• Policy combination and conflict resolution
• Administrative policies – How is change to access control managed?
• Dual control
Access Control Elements
• Subject – a system entity capable of accessing objects. Generally a process in an OS context
• Object – a resource in a system
  – Often a file
  – Could also be other named resources like a mutex, process, network interface, or network port
• Access right – a way that a subject may access an object in the system
  – Read, Write, Execute, Delete, Create, Search, Change Access, Own
Computer Security I, 9/29/2010
Access Control Matrix
• The Access Matrix or Access Control Matrix (ACM) and related concepts provide a very basic abstraction
  – Maps different systems to a common form for comparison
  – Enables standard proof techniques
  – Not directly used in implementation
Definitions
• Protection state of system
  – Describes current settings and values of the system relevant to protection
• Access control matrix
  – Describes the protection state precisely
  – Matrix describing rights of subjects
  – State transitions change elements of the matrix
Access Matrix: File Example

          File 1           File 2           File 3           File 4
User A    Own Read Write                    Own Read Write
User B    Read             Own Read Write   Write            Read
User C    Read Write       Read                              Own Read Write
Access Matrix: Broader Example

      Subjects                        Files                  Processes         Disks
      S1       S2       S3            F1       F2            P1      P2        D1     D2
S1    control  owner    owner control read*    read owner    wakeup  wakeup    seek   owner
S2             control                write*   execute       owner             seek*
S3                      control                write                 stop
Mediation Implementation
Rules Governing Access Matrix Change

Rule  Command (by S0)            Authorization                                 Operation
R1    Transfer α or α* to S,X    'α*' in A[S0,X]                               Store α or α* in A[S,X]
R2    Grant α or α* to S,X       'owner' in A[S0,X]                            Store α or α* in A[S,X]
R3    Delete α from S,X          'control' in A[S0,S] or 'owner' in A[S0,X]    Delete α from A[S,X]
R4    w <- read S,X              'control' in A[S0,S] or 'owner' in A[S0,X]    Copy A[S,X] into w
R5    Create object X            None                                          Add column for X to A; store 'owner' in A[S0,X]
R6    Destroy object X           'owner' in A[S0,X]                            Delete column X from A
R7    Create subject S           None                                          Add row for S to A; execute create object S; store 'control' in A[S,S]
R8    Destroy subject S          'owner' in A[S0,S]                            Delete row for S from A; execute destroy object S
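The rules above as executable code, added here as an example (not part of the lecture): a sparse access matrix that enforces the authorization column of R1, R2, R3, R5 and R7 before performing the operation, and that can be sliced by column (an object's ACL) or by row (a subject's capability list), as the next slides describe. Subject and object names (S1, S2, S3, F1) follow the broader example; the initial 'control' entry for S1 is a constructed starting state.

```python
class AccessMatrix:
    """Sparse access control matrix: A[(subject, object)] -> set of rights. A right ending in '*' carries the copy flag (alpha*)."""
    def __init__(self):
        self.A = {}
    def rights(self, s, x):
        return self.A.setdefault((s, x), set())
    def create_object(self, s0, x):              # R5: no authorization needed
        self.rights(s0, x).add("owner")
    def create_subject(self, s0, s):             # R7: create object s, then 'control' in A[s,s]
        self.create_object(s0, s)
        self.rights(s, s).add("control")
    def grant(self, s0, s, x, alpha):            # R2: needs 'owner' in A[s0,x]
        if "owner" not in self.rights(s0, x):
            raise PermissionError(f"R2: {s0} does not own {x}")
        self.rights(s, x).add(alpha)
    def transfer(self, s0, s, x, alpha):         # R1: needs alpha* (copy flag) in A[s0,x]
        if alpha.rstrip("*") + "*" not in self.rights(s0, x):
            raise PermissionError(f"R1: {s0} holds no copy flag for {alpha} on {x}")
        self.rights(s, x).add(alpha)
    def delete(self, s0, s, x, alpha):           # R3: 'control' over s or 'owner' of x
        if "control" not in self.rights(s0, s) and "owner" not in self.rights(s0, x):
            raise PermissionError(f"R3: {s0} may not delete {alpha} from A[{s},{x}]")
        self.rights(s, x).discard(alpha)
    def acl(self, x):      # slice by column: the ACL of object x
        return {s: sorted(r) for (s, o), r in self.A.items() if o == x and r}
    def caps(self, s):     # slice by row: the capability list of subject s
        return {o: sorted(r) for (sub, o), r in self.A.items() if sub == s and r}


def demo():
    m = AccessMatrix()
    m.rights("S1", "S1").add("control")          # constructed initial state: S1 controls itself
    m.create_subject("S1", "S2")
    m.create_subject("S1", "S3")
    m.create_object("S1", "F1")
    m.grant("S1", "S2", "F1", "read*")           # owner gives S2 read with the copy flag
    m.transfer("S2", "S3", "F1", "read")         # S2 passes plain read (no flag) on to S3
    try:
        m.transfer("S3", "S2", "F1", "read")     # S3 holds no copy flag, so R1 refuses
        refused = False
    except PermissionError:
        refused = True
    m.delete("S1", "S2", "F1", "read*")          # owner of F1 revokes S2's right (R3)
    return {"refused": refused, "acl_F1": m.acl("F1"), "caps_S3": m.caps("S3")}
```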
Actually Implementing Access Matrix
• Slice by column
  – Access control list
  – Used by Multics and most modern OSs
• Slice by row
  – Capability list
  – Many implementations in the '80s
  – Often associated with object-oriented systems
Slice and Dice File example
Unix Access Control
• Three permission octets associated with each file and directory
  – Owner, group, and other
  – Read, write, execute
• For each file/directory
  – Can specify RWX permissions for one owner, one group, and one other
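The Unix check in code, added as an example (not from the lecture): the deciding class is picked first (owner if the uid matches, else group if the file's group is among the caller's groups, else other) and only that class's three bits are consulted, so an owner of a file with mode 0o077 is denied even though group and other get everything. The root override is an assumption about Linux-style behaviour, and all uids, gids and modes are constructed.

```python
import stat

RIGHT_BIT = {"r": 4, "w": 2, "x": 1}

def unix_allows(uid, gids, file_uid, file_gid, mode, want):
    """Decide whether uid (member of gids) may 'r', 'w' or 'x' a file with the
    given owner, group and permission bits (e.g. 0o640)."""
    perm = stat.S_IMODE(mode)
    if uid == 0:
        # Assumed Linux-style root override: root bypasses the r/w bits and may
        # execute as long as at least one execute bit is set in any class.
        return want != "x" or bool(perm & 0o111)
    if uid == file_uid:
        shift = 6            # owner class: only these three bits are consulted
    elif file_gid in gids:
        shift = 3            # group class
    else:
        shift = 0            # other class
    return bool((perm >> shift) & RIGHT_BIT[want])

def mode_string(mode):
    """Render the nine permission bits the way ls -l does, e.g. 'rw-r-----'."""
    perm = stat.S_IMODE(mode)
    return "".join(c if perm & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))
```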
Windows ACL
• Actually two ACLs per file
  – System ACL (SACL) – controls auditing and now integrity controls
  – Discretionary ACL (DACL) – controls object access
• Windows ACLs apply to all named objects
  – Files
  – Pipes
  – Events
ACL Distinctions
• What subjects can modify an object's ACL?
• If there is a privileged user, do the ACLs apply to that user?
• Does the ACL support groups or wildcards?
• How are contradictory access control permissions handled?
• If a default permission is allowed, do the ACL permissions modify it, or is the default only used when the subject is not mentioned in the ACL?
ACL Scaling
• Groups of users
• Role Based Access Control
  – Users can take on a role at a time
• Directory inheritance
• Negative rights
Revoking rights with ACLs
• Revoking rights for subject s to a particular object o is straightforward
  – Remove s from ACL(o)
  – Make sure s has a negative entry in ACL(o)
• Example: Alice removes all of Bob's rights to file f
  – What if Bob had given Carol read rights to f?
  – Should Carol still have those rights?
Capabilities
• Slice the access matrix by row
• Capabilities associated with the subjects
Capability Integrity
• Subject presents a capability to access an object
  – Capability encapsulates the object ID with the allowed rights.
• Unlike ACLs, capabilities are not completely contained by the OS
• Capability integrity is a big concern
  – Tagged memory
  – Segmented memory
  – Cryptographic hashes
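The cryptographic option from the last bullet as an added example (not from the lecture): a capability held in user space is the object ID and a rights mask followed by an HMAC-SHA256 tag under a key only the OS knows, so a holder who flips the write bit, re-targets another object, or mints a token with a guessed key is rejected before any field is trusted. The key, object IDs and rights encoding are constructed for the example.

```python
import hmac, hashlib, struct

KERNEL_KEY = b"constructed-kernel-secret"   # constructed; in practice lives only inside the OS
RIGHT_BIT = {"r": 4, "w": 2, "x": 1}
TAG_LEN = 32                                 # HMAC-SHA256 output length

def mint(object_id, rights, key=KERNEL_KEY):
    """Capability = object id (4 bytes) || rights mask (1 byte) || HMAC-SHA256 tag."""
    mask = sum(RIGHT_BIT[r] for r in rights)
    body = struct.pack(">IB", object_id, mask)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def check(cap, object_id, want, key=KERNEL_KEY):
    """Authenticate the capability first, then test the object id and the requested right."""
    if len(cap) != 5 + TAG_LEN:
        return False
    body, tag = cap[:5], cap[5:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False                     # tampered or forged: reject before parsing fields
    oid, mask = struct.unpack(">IB", body)
    return oid == object_id and bool(mask & RIGHT_BIT[want])

def demo():
    cap = mint(42, "r")
    upgraded = bytearray(cap)
    upgraded[4] |= RIGHT_BIT["w"]        # holder tries to add the write right in place
    return {
        "read_ok": check(cap, 42, "r"),
        "write_denied": check(cap, 42, "w"),
        "upgrade_rejected": check(bytes(upgraded), 42, "w"),
        "wrong_object": check(cap, 7, "r"),
        "forged_key": check(mint(42, "rw", key=b"guess"), 42, "w"),
    }
```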
Capabilities and propagation
• Copy rights
  – Separate version of the base right, e.g. read-copy
  – Some systems had an explicit copy bit
• Right amplification
  – May need to temporarily amplify rights to an object
  – Perhaps just within a particular method or module
  – Combine abstract class rights with object rights
  – Counter module example
    • In general, a user only has the right to invoke the counter module on a variable of counter type
    • In the counter code, the process must perform additional operations.
Revoking capabilities
• Easy to revoke all rights of a given subject
• What about revoking everyone's rights to a particular object?
Capabilities HW
• Intel iAPX 432 (mid '70s)
  – Tried to put even more security enforcement in hardware
  – Capabilities and object-oriented
  – Implementation too complex and compiler technology not sufficiently smart
  – http://en.wikipedia.org/wiki/Intel_iAPX_432
• IBM System/38
  – From about the same time period
  – Also had hardware capabilities support
• Capability-Based Computer Systems by Henry N. Levy
  – http://www.cs.washington.edu/homes/levy/capabook/
Protection Domains
• In the Access Matrix
  – Replace user with "Protection Domain"
• At run time the process representing the user may run under different protection domains
• In the extreme case
  – User mode vs kernel mode
Key Points
• Access control is part of a broader system
• Access Control Matrix or Access Matrix
  – Means to model access control systems
• Real implementations
  – Access control lists
  – Capability lists