Access Control CS461/ECE422 Fall 2011
Page 1: Access Control CS461/ECE422 Fall 2011. Reading Material Chapter 4 through section 4.5 Chapters 23 and 24 – For the access control aspects of Unix and.

Access Control

CS461/ECE422, Fall 2011

Page 2

Reading Material

• Chapter 4 through section 4.5
• Chapters 23 and 24
  – For the access control aspects of Unix and Windows

Page 3

Outline

• Access Control Matrix
• Access Control List
• Capabilities

Page 4

Access Control in Context

Page 5

AAA

• Access control is part of a broader context
• Authentication
  – Discussed last time. Binds an external entity to a system entity
• Authorization
  – Grants a right or permission to the system entity to access a system resource
• Audit
  – Independent review of system actions

Page 6

Types of Access Control Policies

• Discretionary Access Control (DAC)
  – Decision made based on the identity of the requestor and access rules
  – Regular users can adjust the policy
• Mandatory Access Control (MAC)
  – Decision made by testing labels associated with processes and resources against system policy rules
  – Regular users cannot adjust the policy
• Role Based Access Control (RBAC)
  – Access decisions defined against roles rather than individual requestors

Page 7

Access Control Requirements or Differentiators

• Reliable input (GIGO: garbage in, garbage out)
• Fine and coarse grain specifications
• Least privilege
• Separation of duty
• Open and closed policies: what is the default?
• Policy combination and conflict resolution
• Administrative policies: how is change to access control managed?
• Dual control

Page 8

Access Control Elements

• Subject: a system entity capable of accessing objects. Generally a process in an OS context
• Object: a resource in a system
  – Often a file
  – Could also be other named resources like a mutex, process, network interface, or network port
• Access right: a way that a subject may access an object in the system
  – Read, Write, Execute, Delete, Create, Search, Change Access, Own

Page 9

Computer Security I, slide 9, 9/29/2010

Access Control Matrix

• The Access Matrix or Access Control Matrix (ACM) and related concepts provide a very basic abstraction
  – Maps different systems to a common form for comparison
  – Enables standard proof techniques
  – Not directly used in implementation

Page 10

Definitions

• Protection state of system
  – Describes current settings and values of the system relevant to protection
• Access control matrix
  – Describes the protection state precisely
  – Matrix describing rights of subjects
  – State transitions change elements of the matrix

Page 11

Access Matrix: File Example

          File 1           File 2           File 3           File 4
User A    Own Read Write                    Own Read Write
User B    Read             Own Read Write   Write            Read
User C    Read Write       Read                              Own Read Write

Page 12

Access Matrix: Broader Example

      Subjects                              Files                    Processes          Disks
      S1        S2        S3                F1        F2             P1        P2       D1       D2
S1    control   owner     owner, control    read*     read, owner    wakeup    wakeup   seek     owner
S2              control                     write*    execute                           owner    seek*
S3                        control                     write          stop

Page 13

Mediation Implementation

Page 14

Rules Governing Access Matrix Change

Rule  Command (by S0)            Authorization                                  Operation
R1    Transfer α or α* to S,X    ‘α*’ in A[S0,X]                                Store α or α* in A[S,X]
R2    Grant α or α* to S,X       ‘owner’ in A[S0,X]                             Store α or α* in A[S,X]
R3    Delete α from S,X          ‘control’ in A[S0,S] or ‘owner’ in A[S0,X]     Delete α from A[S,X]
R4    w <- read S,X              ‘control’ in A[S0,S] or ‘owner’ in A[S0,X]     Copy A[S,X] into w
R5    Create object X            None                                           Add column for X to A; store ‘owner’ in A[S0,X]
R6    Destroy object X           ‘owner’ in A[S0,X]                             Delete column X from A
R7    Create subject S           None                                           Add row for S to A; execute create object S; store ‘control’ in A[S,S]
R8    Destroy subject S          ‘owner’ in A[S0,S]                             Delete row for S from A; execute destroy object S

Page 15

Actually Implementing Access Matrix

• Slice by column
  – Access control list
  – Used by Multics and most modern operating systems
• Slice by row
  – Capability list
  – Many implementations in the 1980s
  – Often associated with object-oriented systems
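As an added example (not code from the slides), the rules R1, R2, R3, R5 and R7 from the table on the previous page applied to a small matrix, together with the column slice (an object's ACL) and row slice (a subject's capability list) described on this page. Subject and object names are constructed; R4, R6 and R8 are left out.

```python
from collections import defaultdict

class AccessMatrix:
    """A[(subject, object)] -> set of rights.  A right 'a*' implies 'a'."""
    def __init__(self):
        self.A = defaultdict(set)

    def has(self, s, x, right):
        return right in self.A[(s, x)] or right + "*" in self.A[(s, x)]

    # R1: transfer needs the copy flag alpha* on S0's own right for X
    def transfer(self, s0, s, x, right):
        if not self.has(s0, x, right.rstrip("*") + "*"):
            raise PermissionError(f"{s0} lacks {right.rstrip('*')}* on {x}")
        self.A[(s, x)].add(right)

    # R2: the owner of X may grant any right, with or without the copy flag
    def grant(self, s0, s, x, right):
        if not self.has(s0, x, "owner"):
            raise PermissionError(f"{s0} is not owner of {x}")
        self.A[(s, x)].add(right)

    # R3: delete needs 'control' over subject S or 'owner' on object X
    def delete(self, s0, s, x, right):
        if not (self.has(s0, s, "control") or self.has(s0, x, "owner")):
            raise PermissionError(f"{s0} may not delete from A[{s},{x}]")
        self.A[(s, x)].discard(right)

    # R5: any subject may create an object and becomes its owner
    def create_object(self, s0, x):
        self.A[(s0, x)].add("owner")

    # R7: a new subject is also an object (S0 owns it) and controls itself
    def create_subject(self, s0, s):
        self.create_object(s0, s)
        self.A[(s, s)].add("control")

    # Slice by column: the access control list of object X
    def acl(self, x):
        return {s: sorted(r) for (s, o), r in self.A.items() if o == x and r}

    # Slice by row: the capability list of subject S
    def capabilities(self, s):
        return {o: sorted(r) for (t, o), r in self.A.items() if t == s and r}
```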

Page 16

Slice and Dice File example

Page 17

Unix Access Control

• Three permission octets associated with each file and directory
  – Owner, group, and other
  – Read, write, execute
• For each file/directory
  – Can specify RWX permissions for one owner, one group, and one other
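An added example (not code from the slides) of how the three octets are consulted for a single request. The file owner, group, mode and the requesting subject are constructed values; the privileged-user shortcut models Linux behaviour and is an assumption.

```python
def parse_mode(perm):
    """Turn an ls -l permission string such as 'rwxr-x---' into 9 mode bits.

    A capital 'S' or 'T' marks setuid/setgid/sticky WITHOUT the execute bit,
    so those count as clear; lower-case 's'/'t' imply execute is set.
    """
    if len(perm) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for ch in perm:
        mode = (mode << 1) | (0 if ch in "-ST" else 1)
    return mode

def unix_access(mode, file_uid, file_gid, uid, gids, want, is_dir=False):
    """True if subject (uid, gids) may perform want in {'r', 'w', 'x'}.

    Exactly one octet is selected, in the order owner -> group -> other, and
    there is no fall-through: an owner denied by the owner bits gets nothing
    from a more generous group or other octet.  For a directory 'x' is the
    search right listed on the Access Control Elements slide.
    """
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        # Assumption: Linux CAP_DAC_OVERRIDE semantics.  root ignores the
        # r/w bits; executing a regular file still needs some x bit set.
        return is_dir or want != "x" or (mode & 0o111) != 0
    if uid == file_uid:
        shift = 6                           # owner octet
    elif file_gid in gids:
        shift = 3                           # group octet
    else:
        shift = 0                           # other octet
    return ((mode >> shift) & bit) == bit   # == binds tighter than &
```

The constructed mode 0o077 below shows the no-fall-through rule: the owner is denied read while every other user is allowed it.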

Page 18

Windows ACL

Page 19

Windows ACL

• Actually two ACLs per file
  – System ACL (SACL): controls auditing and now integrity controls
  – Discretionary ACL (DACL): controls object access
• Windows ACLs apply to all named objects
  – Files
  – Pipes
  – Events

Page 20

ACL Distinctions

• What subjects can modify an object's ACL?
• If there is a privileged user, do the ACLs apply to that user?
• Does the ACL support groups or wildcards?
• How are contradictory access control permissions handled?
• If a default permission is allowed, do the ACL permissions modify it, or is the default only used when the subject is not mentioned in the ACL?

Page 21

ACL Scaling

• Groups of users
• Role Based Access Control
  – Users can take on one role at a time
• Directory inheritance
• Negative rights

Page 22

Revoking rights with ACLs

• Revoking rights for subject s to a particular object o is straightforward
  – Remove s from ACL(o)
  – Make sure s has a negative entry in ACL(o)
• Example: Alice removes all of Bob's rights to file f
  – What if Bob had given Carol read rights to f?
  – Should Carol still have those rights?

Page 23

Capabilities

• Slice the access matrix by row
• Capabilities are associated with the subjects

Page 24

Capability Integrity

• Subject presents a capability to access an object
  – The capability encapsulates the object ID with the allowed rights
• Unlike ACLs, capabilities are not completely contained by the OS
• Capability integrity is a big concern
  – Tagged memory
  – Segmented memory
  – Cryptographic hashes

Page 25

Capabilities and propagation

• Copy rights
  – Separate version of the base right, e.g. read-copy
  – Some systems had an explicit copy bit
• Right amplification
  – May need to temporarily amplify rights to an object
  – Perhaps just within a particular method or module
  – Combine abstract class rights with object rights
  – Counter module example
    • In general the user only has the right to invoke the counter module on a variable of counter type
    • In the counter code, the process must perform additional operations

Page 26

Revoking capabilities

• Easy to revoke all rights of a given subject
• What about revoking everyone's rights to a particular object?
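An added example (not code from the slides) covering two earlier points: capability integrity protected with a keyed hash, as listed on the Capability Integrity page (a capability that leaves the OS and comes back is verified rather than trusted), and one answer to the revocation question on this page, where every outstanding capability to an object is invalidated by advancing that object's generation number. The key, object names and the attenuate operation are constructed for illustration.

```python
import hashlib
import hmac
import json

class CapabilitySystem:
    """Reference monitor that mints and checks MAC-protected capabilities."""
    def __init__(self, key):
        self.key = key                  # known only to the reference monitor
        self.generation = {}            # object id -> current generation

    def _mac(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def mint(self, obj, rights):
        """Capability = object id + generation + rights, bound by an HMAC."""
        gen = self.generation.setdefault(obj, 0)
        body = json.dumps({"obj": obj, "gen": gen, "rights": sorted(rights)})
        return body + "." + self._mac(body)

    def check(self, cap, obj, right):
        """Verify integrity first; a subject may hold but not edit its caps."""
        body, _, tag = cap.rpartition(".")
        if not hmac.compare_digest(tag, self._mac(body)):
            return False                # forged or edited capability
        c = json.loads(body)
        if c["obj"] != obj or c["gen"] != self.generation.get(obj):
            return False                # wrong object, or revoked generation
        return right in c["rights"]

    def attenuate(self, cap, obj, subset):
        """Copy a capability with fewer rights; amplification is refused."""
        if not all(self.check(cap, obj, r) for r in subset):
            raise PermissionError("cannot amplify rights")
        return self.mint(obj, subset)

    def revoke_all(self, obj):
        """Invalidate every capability to obj, wherever copies went."""
        self.generation[obj] = self.generation.get(obj, 0) + 1
```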

Page 27

Capabilities HW

• Intel iAPX 432 (mid 1970s)
  – Tried to put even more security enforcement in hardware
  – Capabilities and object-oriented
  – Implementation too complex and compiler technology not sufficiently smart
  – http://en.wikipedia.org/wiki/Intel_iAPX_432
• IBM System/38
  – From about the same time period
  – Also had hardware capability support
• Capability-Based Computer Systems by Henry M. Levy
  – http://www.cs.washington.edu/homes/levy/capabook/

Page 28

Protection Domains

• In the access matrix
  – Replace user with “Protection Domain”
• At run time the process representing the user may run under different protection domains
• In the extreme case
  – User mode vs. kernel mode

Page 29

Key Points

• Access control is part of a broader system
• Access Control Matrix or Access Matrix
  – Means to model access control systems
• Real implementations
  – Access control lists
  – Capability lists
