RBAC-Capability Project
Design Session I
Zutao Zhu, 10/23/2009
Derived from Karthick Jayaraman’s ppt
Agenda
◦ Self status check
◦ Summary of requirements
◦ Design questions
  ◦ Privileged user operations
  ◦ Representing roles and capabilities
  ◦ Session representation
  ◦ Delegation
  ◦ Separation of duty
  ◦ Setuid
SELF STATUS CHECK

Self Status Check
Expectations
◦ Understood requirements
◦ Comfortable with making changes to Minix3: compiling the kernel, adding a new system call, familiar with important portions of the source code.
Exceeding expectations
◦ Finished preliminary design and started coding.
SUMMARY OF REQUIREMENTS

Requirements
◦ RBAC-Capability should co-exist with ACL.
◦ UA: user – role mapping
◦ PA: role – capability mapping
◦ A privileged user controls (UA) and (PA) assignment.
◦ A login session is an RBAC session. All processes in a login session belong to the same RBAC session.

Requirements - continued
◦ The CAP_ROLE_DELEGATE role should entitle a user to delegate his/her roles to others temporarily, and also revoke them at a later time.
◦ Enable, disable, and drop roles.
◦ Separation of duty:
  ◦ SSD and DSD rules.
◦ Supporting SETUID:
  ◦ Traditional setuid programs should work.
  ◦ Should also support an equivalent of setuid in the RBAC capability model.
DESIGN QUESTIONS

Privileged User Operations
◦ Who is the privileged user?
◦ How to maintain UA and PA assignment?
  ◦ Where to store?
  ◦ Who will update?
◦ Privileged user operations:
  ◦ Role_Adduser, Role_Removeuser, Role_Addpermission, Role_Removepermission, Add_Role_to_Program.
Representing Roles and Capabilities
◦ Observe file-descriptor management
◦ How to represent a role?
  ◦ What information should each role contain?
◦ How to represent a capability?
  ◦ What information should each capability contain?
◦ Should a process reference role / capability?
◦ Information depends on role-operations:
  ◦ ActivateRole, DeactivateRole, DropRole, DelegateRole, RevokeRole
Session Representation
• RBAC session: each login session.
• A subset of user-roles is active for each session.
• A user may have multiple sessions.
• Each session may have different roles active.
• All processes in a login session should have the same set of roles.
• How to represent a session?
• What does the process carry?
Delegation
◦ CAP_ROLE_DELEGATE
◦ Delegated roles are available to users immediately.
◦ User should explicitly activate delegated roles.
◦ The delegated roles should be available to all user-sessions.
Separation of Duty
◦ Static Separation of Duty (SSD)
◦ Dynamic Separation of Duty (DSD)
◦ When to check each?
◦ How to represent the rules?
◦ Who can update the rules?
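The following C program is an added example written for this page; it is not code from the deck or from Minix3. It models, in user space, the pieces the Requirements, Session Representation, Delegation and Separation of Duty slides describe together: the UA and PA tables, a login session carrying its active role subset, delegation that lands in every session of the grantee but still needs explicit activation, revocation that strips the role from running sessions, and one answer to "when to check each": SSD at the moment a role is assigned or delegated, DSD at the moment a role is activated. Everything beyond the slide vocabulary is an assumption of the toy: roles and capabilities as bit positions in 32-bit masks, a separate DA table for delegated roles, CAP_ROLE_DELEGATE modelled as a capability that a role grants, the role and capability names, the rule tables and the user ids.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy user-space model of the UA / PA / session / delegation / SSD / DSD design in this deck.
 * Written for this page as an illustration, not Minix3 code; all identifiers (UA, PA, DA,
 * role and capability ids, rule tables) are assumptions. Roles and capabilities are bit
 * positions in 32-bit masks. */
#define MAX_USERS    4
#define MAX_ROLES    8
#define MAX_SESSIONS 4
#define BIT(n)       (1u << (n))
typedef uint32_t roleset_t;   /* one bit per role */
typedef uint32_t capset_t;    /* one bit per capability */

enum { ROLE_OPERATOR, ROLE_AUDITOR, ROLE_ADMIN, ROLE_DELEGATOR };
enum { CAP_READ_LOG, CAP_WRITE_LOG, CAP_MANAGE_USERS, CAP_ROLE_DELEGATE };

static roleset_t UA[MAX_USERS];  /* UA: roles assigned to each user by the privileged user */
static roleset_t DA[MAX_USERS];  /* roles currently delegated to each user (assumed table) */
static capset_t  PA[MAX_ROLES];  /* PA: capabilities each role grants */

struct role_pair { int a, b; };
/* SSD: no user may hold both roles. DSD: no session may have both active at once. */
static const struct role_pair SSD[] = { { ROLE_OPERATOR, ROLE_AUDITOR } };
static const struct role_pair DSD[] = { { ROLE_ADMIN, ROLE_AUDITOR } };
#define NSSD (sizeof SSD / sizeof SSD[0])
#define NDSD (sizeof DSD / sizeof DSD[0])

/* RBAC session = one login session; `active` is the subset of the user's roles enabled in it. */
struct session { int user; roleset_t active; };
static struct session sessions[MAX_SESSIONS];

void rbac_reset(void) {
    for (int i = 0; i < MAX_USERS; i++) UA[i] = DA[i] = 0;
    for (int i = 0; i < MAX_ROLES; i++) PA[i] = 0;
    for (int i = 0; i < MAX_SESSIONS; i++) { sessions[i].user = -1; sessions[i].active = 0; }
}
/* Open a login session; nothing is active until the user activates a role. Returns index or -1. */
int session_open(int user) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].user < 0) { sessions[i].user = user; return i; }
    return -1;
}
static int violates(const struct role_pair *rules, size_t n, roleset_t set) {
    for (size_t i = 0; i < n; i++)
        if ((set & BIT(rules[i].a)) && (set & BIT(rules[i].b))) return 1;
    return 0;
}
static roleset_t available_roles(int user) { return UA[user] | DA[user]; }

/* What an access check consults: the union of PA over the session's active roles. */
capset_t session_caps(const struct session *s) {
    capset_t caps = 0;
    for (int r = 0; r < MAX_ROLES; r++)
        if (s->active & BIT(r)) caps |= PA[r];
    return caps;
}
/* Privileged-user operations (Role_Adduser / Role_Addpermission). SSD is enforced at assignment. */
int role_adduser(int user, int role) {
    if (violates(SSD, NSSD, available_roles(user) | BIT(role))) return -1;
    UA[user] |= BIT(role);
    return 0;
}
void role_addpermission(int role, int cap) { PA[role] |= BIT(cap); }

/* ActivateRole: DSD is enforced at activation, against roles already active in this session. */
int activate_role(struct session *s, int role) {
    if (!(available_roles(s->user) & BIT(role))) return -1;     /* neither assigned nor delegated */
    if (violates(DSD, NDSD, s->active | BIT(role))) return -1;  /* would breach a DSD rule */
    s->active |= BIT(role);
    return 0;
}
void deactivate_role(struct session *s, int role) { s->active &= ~BIT(role); }

/* DelegateRole: delegator needs CAP_ROLE_DELEGATE active and may only pass on roles from its own
 * UA. The grantee sees the role in every session but must activate it explicitly. */
int delegate_role(const struct session *from, int to_user, int role) {
    if (!(session_caps(from) & BIT(CAP_ROLE_DELEGATE))) return -1;
    if (!(UA[from->user] & BIT(role))) return -1;
    if (violates(SSD, NSSD, available_roles(to_user) | BIT(role))) return -1;
    DA[to_user] |= BIT(role);
    return 0;
}
/* RevokeRole: withdraw a delegated role; every session of that user that activated it loses it. */
void revoke_role(int to_user, int role) {
    DA[to_user] &= ~BIT(role);
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].user == to_user) deactivate_role(&sessions[i], role);
}

int main(void) {   /* constructed walkthrough */
    rbac_reset();
    role_addpermission(ROLE_OPERATOR, CAP_WRITE_LOG);
    role_addpermission(ROLE_ADMIN, CAP_MANAGE_USERS);
    role_addpermission(ROLE_DELEGATOR, CAP_ROLE_DELEGATE);
    role_adduser(0, ROLE_OPERATOR); role_adduser(0, ROLE_ADMIN); role_adduser(0, ROLE_DELEGATOR);
    role_adduser(1, ROLE_AUDITOR);
    int s0 = session_open(0), s1 = session_open(1);
    activate_role(&sessions[s0], ROLE_OPERATOR); activate_role(&sessions[s0], ROLE_DELEGATOR);
    printf("user0 caps 0x%x, delegate ADMIN to user1: %d\n", (unsigned)session_caps(&sessions[s0]),
           delegate_role(&sessions[s0], 1, ROLE_ADMIN));
    activate_role(&sessions[s1], ROLE_AUDITOR);
    printf("user1 activates ADMIN with AUDITOR active (DSD): %d\n", activate_role(&sessions[s1], ROLE_ADMIN));
    return 0;
}
```

The placement of the two checks is the design point: an SSD rule can only be enforced where the user-to-role relation changes (Role_Adduser and DelegateRole), while a DSD rule can only be enforced where a session's active subset changes (ActivateRole), which also means revoking or removing a role has to reach into live sessions, as revoke_role does here.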
Setuid Mechanism
◦ Setuid programs
  ◦ Traditional setuid programs should work.
◦ How could an RBAC-aware system support a setuid-equivalent mechanism?
◦ What is the meaning of these system calls in the RBAC model:
  ◦ Setuid()
  ◦ Seteuid()
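As an added example for this page (not code from the deck or from Minix3), the C model below shows one way the two requirements on this slide can coexist on exec: the traditional setuid bit keeps changing the effective uid exactly as before, while the RBAC equivalent is a role attached to the program (the deck's Add_Role_to_Program) that is activated for the executing process only, so the login session's shared role set and its other processes are untouched. Dropping the role afterwards plays the part that shedding privilege plays in a setuid program. The program and process fields, the role and capability names and the exec/fork/drop semantics are all assumptions of the toy; the deck's questions about Setuid() and Seteuid() are left open.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of how the traditional setuid bit and an RBAC-capability equivalent can
 * coexist on exec. Written for this page; not Minix3 code. The program->role attachment
 * (the deck's Add_Role_to_Program), the process fields and the semantics are assumptions. */
#define BIT(n) (1u << (n))
typedef uint32_t roleset_t;
typedef uint32_t capset_t;

enum { ROLE_USER, ROLE_PASSWD_MGR };
enum { CAP_WRITE_SHADOW };
/* PA for this toy: only the password-manager role may write the shadow file */
static const capset_t PA[] = { [ROLE_USER] = 0, [ROLE_PASSWD_MGR] = BIT(CAP_WRITE_SHADOW) };

struct program {
    int owner_uid;      /* file owner, used by the traditional setuid bit */
    int setuid_bit;     /* traditional setuid program */
    int attached_role;  /* role attached with Add_Role_to_Program, or -1 for none */
};

struct process {
    int uid, euid;        /* traditional identity, untouched by the RBAC side */
    roleset_t session;    /* roles active in the login session (shared by its processes) */
    roleset_t active;     /* roles active in this particular process */
};

capset_t process_caps(const struct process *p) {
    capset_t caps = 0;
    for (int r = 0; r < (int)(sizeof PA / sizeof PA[0]); r++)
        if (p->active & BIT(r)) caps |= PA[r];
    return caps;
}

/* exec: the setuid bit changes euid as it always did; an attached role is activated for this
 * process only, so the session's role set (and its other processes) are unaffected. */
void exec_program(struct process *p, const struct program *prog) {
    if (prog->setuid_bit) p->euid = prog->owner_uid;
    if (prog->attached_role >= 0) p->active |= BIT(prog->attached_role);
}

/* fork: the child inherits both identities, keeping all processes of a session consistent. */
struct process fork_process(const struct process *parent) { return *parent; }

/* DropRole at process level: give up the program-granted role once it is no longer needed,
 * the RBAC analogue of a setuid program shedding its elevated uid. */
void process_drop_role(struct process *p, int role) { p->active &= ~BIT(role); }

int main(void) {   /* constructed scenario: an RBAC-only "passwd" with no setuid bit */
    struct process p = { .uid = 1000, .euid = 1000, .session = BIT(ROLE_USER), .active = BIT(ROLE_USER) };
    struct program passwd_rbac = { .owner_uid = 0, .setuid_bit = 0, .attached_role = ROLE_PASSWD_MGR };
    exec_program(&p, &passwd_rbac);
    printf("euid=%d can write shadow: %d\n", p.euid, (process_caps(&p) & BIT(CAP_WRITE_SHADOW)) != 0);
    process_drop_role(&p, ROLE_PASSWD_MGR);
    printf("after drop, can write shadow: %d\n", (process_caps(&p) & BIT(CAP_WRITE_SHADOW)) != 0);
    return 0;
}
```

Keeping the program-granted role in the process's own `active` set rather than in the session is what makes "all processes in a login session should have the same set of roles" and "an equivalent of setuid" compatible: the session's roles are what every process inherits, and the attached role is an addition scoped to the lifetime of that one exec.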
Next milestone
◦ Set up all kernel data structures required for supporting RBAC-capability.
◦ Implement all role operations.
  ◦ Should have a facility to print out all roles / capabilities for the process.
  ◦ Should be able to show the correctness of all role operations.
Thank you