RBAC-Capability Project

Description: RBAC-Capability Project, Design Session I. Zutao Zhu, 10/23/2009. Derived from Karthick Jayaraman's ppt.

Transcript
Page 1: RBAC-Capability Project

RBAC-Capability Project

Design Session I
Zutao Zhu
10/23/2009

Derived from Karthick Jayaraman's ppt

Page 2: RBAC-Capability Project

Agenda

Self-status check
Summary of requirements
Design questions
◦ Privileged user operations
◦ Representing roles and capabilities
◦ Session representation
◦ Delegation
◦ Separation of duty
◦ Setuid

Page 3: RBAC-Capability Project

SELF STATUS CHECK

Page 4: RBAC-Capability Project

Self Status Check

Expectations
◦ Understood requirements
◦ Comfortable with making changes to Minix3: compiling the kernel, adding a new system call, familiar with important portions of the source code.

Exceeding expectations
◦ Finished preliminary design and started coding.

Page 5: RBAC-Capability Project

SUMMARY OF REQUIREMENTS

Page 6: RBAC-Capability Project

Requirements

RBAC-Capability should co-exist with ACLs.
UA: User – role mapping
PA: Role – capability mapping
A privileged user controls UA and PA assignment.
A login session is an RBAC session. All processes in a login session belong to the same RBAC session.

Page 7: RBAC-Capability Project

Requirements - continued

The CAP_ROLE_DELEGATE role should entitle a user to delegate his/her roles to others temporarily, and also revoke them at a later time.
Enable, disable, and drop roles.
Separation of duty:
◦ SSD and DSD rules.
Supporting SETUID:
◦ Traditional setuid programs should work.
◦ Should also support an equivalent of setuid in the RBAC capability model.

Page 8: RBAC-Capability Project

DESIGN QUESTIONS

Page 9: RBAC-Capability Project

Privileged User Operations

Who is the privileged user?
How to maintain UA and PA assignment?
◦ Where to store?
◦ Who will update?
Privileged user operations:
◦ Role_Adduser, Role_Removeuser, Role_Addpermission, Role_Removepermission, Add_Role_to_Program.

Page 10: RBAC-Capability Project

Representing Roles and Capabilities

Observe file-descriptor management.
How to represent a role?
◦ What information should each role contain?
How to represent a capability?
◦ What information should each capability contain?
Should a process reference a role / capability?
Information depends on role operations:
◦ ActivateRole, DeactivateRole, DropRole, DelegateRole, RevokeRole

Page 11: RBAC-Capability Project

Session Representation

• RBAC session: each login session.
• A subset of user roles is active for each session.
• A user may have multiple sessions.
• Each session may have different roles active.
• All processes in a login session should have the same set of roles.
• How to represent a session?
• What does the process carry?

Page 12: RBAC-Capability Project

Delegation

CAP_ROLE_DELEGATE
Delegated roles are available to users immediately.
User should explicitly activate delegated roles.
The delegated roles should be available to all user sessions.

Page 13: RBAC-Capability Project

Separation of Duty

Static separation of duty (SSD)
Dynamic separation of duty (DSD)
When to check each?
How to represent the rules?
Who can update the rules?

Page 14: RBAC-Capability Project

Setuid Mechanism

Setuid programs
Traditional setuid programs should work.
How could an RBAC-aware system support a setuid-equivalent mechanism?
What is the meaning of these system calls in the RBAC model:
◦ Setuid()
◦ Seteuid()
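The slides from "Privileged User Operations" through "Setuid Mechanism" pose design questions without fixing answers. The following is an added example, not code from the project, from Minix3, or from the original slides: a user-space C model of one consistent set of answers, covering UA and PA, the session a process carries, the role operations (activate, deactivate, drop, delegate, revoke), SSD checked at assignment and DSD checked at activation, and a setuid equivalent. Assumptions made here: roles are bit positions and capabilities are bit flags; the privileged user is whoever holds a constructed CAP_RBAC_ADMIN capability, bootstrapped to uid 0; the setuid equivalent is a role tagged onto a program (Add_Role_to_Program) that exec activates for the new process image. All role and capability names except CAP_ROLE_DELEGATE, and the policy in `reset_policy`, are constructed.

```c
/* Added example, not Minix3 or project code: a user-space model of one possible
 * set of answers to the slides' design questions. Roles are bit positions,
 * capabilities are bit flags; all names except CAP_ROLE_DELEGATE are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_USERS 8
#define MAX_ROLES 16
#define MAX_RULES 4
#define R(role) ((rolemask_t)1 << (role))

typedef uint16_t rolemask_t;   /* one bit per role */
typedef uint32_t capmask_t;    /* one bit per capability */

enum { ROLE_ADMIN, ROLE_OPERATOR, ROLE_AUDITOR, ROLE_DELEGATE, ROLE_BACKUP };
enum { CAP_RBAC_ADMIN = 1u << 0, CAP_WRITE_LOG = 1u << 1, CAP_READ_LOG = 1u << 2,
       CAP_ROLE_DELEGATE = 1u << 3, CAP_READ_ALL = 1u << 4 };

static capmask_t  PA[MAX_ROLES];     /* PA: role -> capabilities */
static rolemask_t UA[MAX_USERS];     /* UA: user -> roles assigned by the privileged user */
static rolemask_t DELEG[MAX_USERS];  /* roles delegated to a user, visible in all sessions */
static rolemask_t ssd[MAX_RULES], dsd[MAX_RULES];
static int nssd, ndsd;

/* What every process of a login session carries: roles active now, roles dropped
 * for good in this session, and roles granted by a role-tagged program. */
struct session { int uid; rolemask_t active, dropped, granted; };

/* A rule is the set of roles that must never be assigned (SSD) or active (DSD) together. */
bool violates(rolemask_t set, const rolemask_t *rules, int n) {
    for (int i = 0; i < n; i++)
        if ((set & rules[i]) == rules[i]) return true;
    return false;
}
rolemask_t authorized(const struct session *s) {
    return UA[s->uid] | DELEG[s->uid] | s->granted;
}
/* Capabilities are derived at use time from roles that are active AND still
 * authorized, so revoking a delegation bites without walking every session. */
capmask_t effective_caps(const struct session *s) {
    rolemask_t r = s->active & authorized(s) & ~s->dropped;
    capmask_t caps = 0;
    for (int i = 0; i < MAX_ROLES; i++) if (r & R(i)) caps |= PA[i];
    return caps;
}
bool has_cap(const struct session *s, capmask_t c) { return (effective_caps(s) & c) == c; }

/* Privileged-user operations. Assumption: the privileged user is whoever holds
 * CAP_RBAC_ADMIN in the calling session; uid 0 is bootstrapped with it below. */
int role_adduser(const struct session *caller, int uid, int role) {
    if (!has_cap(caller, CAP_RBAC_ADMIN)) return -1;
    if (violates(UA[uid] | DELEG[uid] | R(role), ssd, nssd)) return -2; /* SSD at assignment */
    UA[uid] |= R(role); return 0;
}
int role_removeuser(const struct session *caller, int uid, int role) {
    if (!has_cap(caller, CAP_RBAC_ADMIN)) return -1;
    UA[uid] &= ~R(role); return 0;
}
int role_addpermission(const struct session *caller, int role, capmask_t c) {
    if (!has_cap(caller, CAP_RBAC_ADMIN)) return -1;
    PA[role] |= c; return 0;
}
int role_removepermission(const struct session *caller, int role, capmask_t c) {
    if (!has_cap(caller, CAP_RBAC_ADMIN)) return -1;
    PA[role] &= ~c; return 0;
}

/* Role operations a user runs on one of his/her own sessions. */
int activate_role(struct session *s, int role) {
    if (!(authorized(s) & R(role)) || (s->dropped & R(role))) return -1;
    if (violates(s->active | R(role), dsd, ndsd)) return -2;            /* DSD at activation */
    s->active |= R(role); return 0;
}
void deactivate_role(struct session *s, int role) { s->active &= ~R(role); }
void drop_role(struct session *s, int role) { s->active &= ~R(role); s->dropped |= R(role); }

/* Delegation: the delegator needs CAP_ROLE_DELEGATE active and must hold the role;
 * the delegatee sees it in every session but has to activate it explicitly. */
int delegate_role(const struct session *from, int to_uid, int role) {
    if (!has_cap(from, CAP_ROLE_DELEGATE) || !(authorized(from) & R(role))) return -1;
    if (violates(UA[to_uid] | DELEG[to_uid] | R(role), ssd, nssd)) return -2;
    DELEG[to_uid] |= R(role); return 0;
}
int revoke_role(const struct session *from, int to_uid, int role) {
    if (!has_cap(from, CAP_ROLE_DELEGATE)) return -1;
    DELEG[to_uid] &= ~R(role); return 0;
}

/* Setuid equivalent (one possible design): Add_Role_to_Program tags a program with a
 * role; exec activates that role for the new image even if the user is not assigned
 * it, but DSD still applies, so a program cannot smuggle in a conflicting role. */
struct program { rolemask_t setrole; };
int exec_program(struct session *s, const struct program *p) {
    if (violates(s->active | p->setrole, dsd, ndsd)) return -2;
    s->granted |= p->setrole; s->active |= p->setrole; return 0;
}

/* Constructed policy: root bootstrapped as privileged user, one SSD and one DSD rule. */
void reset_policy(void) {
    memset(PA, 0, sizeof PA); memset(UA, 0, sizeof UA); memset(DELEG, 0, sizeof DELEG);
    PA[ROLE_ADMIN] = CAP_RBAC_ADMIN;  PA[ROLE_OPERATOR] = CAP_WRITE_LOG;
    PA[ROLE_AUDITOR] = CAP_READ_LOG;  PA[ROLE_DELEGATE] = CAP_ROLE_DELEGATE;
    PA[ROLE_BACKUP] = CAP_READ_ALL;
    UA[0] = R(ROLE_ADMIN);
    ssd[0] = R(ROLE_OPERATOR) | R(ROLE_AUDITOR); nssd = 1;   /* never both assigned */
    dsd[0] = R(ROLE_OPERATOR) | R(ROLE_BACKUP);  ndsd = 1;   /* never both active */
}
```

Two design choices in this model answer the "when to check" and "what does the process carry" questions: SSD is enforced where UA grows (Role_Adduser and DelegateRole) and DSD where the active set grows (ActivateRole and exec of a role-tagged program); and effective capabilities are recomputed from `active & authorized` on every check, so RevokeRole only has to clear the delegatee's DELEG entry and every session of that user loses the capability at once, without the kernel having to find and patch each session.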

Page 15: RBAC-Capability Project

Next milestone

Set up all kernel data structures required for supporting RBAC-capability.
Implement all role operations.
◦ Should have a facility to print out all roles / capabilities for the process.
◦ Should be able to show the correctness of all role operations.

Page 16: RBAC-Capability Project

Thank you