Upload
meris
View
47
Download
0
Tags:
Embed Size (px)
DESCRIPTION
CMSC 414 Computer (and Network) Security Lecture 13. Jonathan Katz. Midterm?. Will be held Oct 21, in class Will cover everything up to and including the preceding lecture (Oct 16) Includes all reading posted on the class syllabus!. Access control lists (ACLs). - PowerPoint PPT Presentation
Citation preview
CMSC 414Computer (and Network) Security
Lecture 13
Jonathan Katz
Midterm?
Will be held Oct 21, in class
Will cover everything up to and including the preceding lecture (Oct 16)
Includes all reading posted on the class syllabus!
Access control lists (ACLs)
Instead of storing central matrix, store each column with the object it represents– Stored as pairs (s, r)
Subjects not in list have no rights– Can use wildcards to give default rights
Example: Unix
Unix divides users into three classes:– Owner of the file– Group owner of the file– All other users
Note that this leaves little flexibility…
Some systems have been extended to allow for more flexibility– Abbrev. ACLs overridden by explicit ACLs
Handling conflicts
Conflicts may arise if two entries give different permissions to a subject– Multiple ways of resolving this; e.g.:
• Allow access if any entry gives rights
• Allow access only if no entry denies rights
• Apply first applicable entry
Default permissions?
Two approaches– Apply ACL entry, if it exists; otherwise, apply
default rule• I.e., ACL entries override default permissions
– Augment the default permissions with those in the appropriate ACL entry
– Example: what if default allows “read” and ACL entry states “write”?
Revocation
How to handle revocation?– Easy to revoke all access with ACLs– But…what if two different users granted the
same right to the same person?• E.g., both A and B give rights to C. Now A wants to
revoke C’s rights. But B still wants to allow rights…
– Can store a history of ACL modifications
Example: Windows NT
Rights:– Read; write; execute; delete; own
Generic (groups of) rights:– No access; read; change; full– Also, a “special access” right (allows any
combination of rights)
Example, continued…
When user accesses a file– If user not present in ACL, nor member of any
group in ACL, deny access– If user (or group containing user) is explicitly
denied access in ACL, deny access– Else, user has union of all rights from each
ACL entry for user (or group containing user)
Example, continued…
Paul, Quentin are in group “students”
Quentin, Regina are in group “staff”
File with ACL: (staff, full), (Quentin, change), (students, no access), (Paul, no access)– Regina has full access
– Quentin has no access (since in “students”)
– Paul has no access
– Note: an explicit deny overrides any permissions
– Safer to explicitly disallow access when unwanted• E.g., in case “students” is later allowed access
Capabilities
The “dual” of ACLs– The row of an access control matrix is
associated with the corresponding subject
More complex to implement securely than ACLs– A process must identify a capability…– …so must have some control over it– (In contrast, the OS controls files)
Protecting capabilities
Can “tag” capabilities so they can be read, but not modified, by processes
Or, store capabilities in protected memory
Can also use cryptography to ensure integrity of capabilities– Using a message authentication code, with a
key known to the OS
Copying capabilities
Copying a capabilities implies giving rights– Copy flag is associated with capabilities– Process cannot copy the capability unless this
flag is set
Revocation
How to revoke access to a file?– Would potentially require revoking all capabilities
associated with that file
One solution: indirection– Capabilities name an entry in a table, rather than an
object itself
– To revoke access to object, invalidate entry in table
– Or, change random number associated with object
Difficult to revoke access by a single subject
Potential problems
What if one process gives capabilities to another? (Possibly indirectly)– Can lead to security violation
One solution: assign security classifications to capabilities– E.g., when capability created, its classification
is the same as the requesting process– Capability contains rights depending on the
object to which it refers
ACLs vs. capabilities
Given a subject, what objects can it access? (capabilities)
Given an object, which subjects can access it? (ACLs)– Second question is asked more often than first
For incident response, capabilities may be preferable– “What else did this subject access?”
“Locks and keys”
Combines ACLs and capabilities– “Lock” associated with each object– “Key” associated with each subject authorized
to access this object– When subject tries to access object, its set of
keys is checked; if it has a key corresponding to the object’s lock, access allowed
Important distinction
ACLs and capabilities are “static”– Require manual intervention to change
Locks and keys are “dynamic”– May change on their own in response to
changes in the system
Example
Cryptographic key used to encrypt a file– A file cannot be “read” unless the subject has
the encryption key– Can also enforce that requests from n users are
required in order to read data (and-access), or that any of n users are able to read data (or-access)
Cryptographic secret sharing
(t, n)-threshold scheme to share a “key”
Using this to achieve (t, n)-threshold encryption
Shamir secret sharing
Another example
Type checking
E.g., label memory locations as either “data” or “instructions”– Do not allow execution of type “data”– Can potentially be used to limit buffer
overflows
Ring-based access control
Memory and files (e.g., disk space) are viewed as equivalent– E.g., a program is loaded into memory and run,
or a file is loaded into RAM– Termed “segments”
Two types of segments: data and procedure
ACLs specify rights on per-user basis– All procedures executed by a user have rights
associated with that user
Ring-based access control
Sequence of 64 “protection rings”– Kernel in ring 0– Higher ring numbers have lower privileges
Proc. in ring r wants to access data segment– Data associated with access bracket (a, b)– If r a, access allowed– If r > b, no access– Else, read allowed; write denied
Ring-based access control
Procedure in ring r wants to execute another procedure segment– Procedure segment has access bracket (a, b),
and also has call bracket (b, c)• If r < a, access permitted but “ring fault” occurs and
trap to kernel
• If r lies between a and b, all access permitted
• If r lies between b and c, access permitted via “gate”
• If r > c, all access denied
Why brackets?
In theory, a process or file should be assigned to one ring– However, this would require a call to the OS
every time a process from another ring needed access; access bracket fixes this problem
– Call bracket allows user to execute programs in well-defined ways (i.e., via gates)
Propagated ACLs
Associated with data, not the object holding the data– Prevents one user from copying data in a file to
a new file, thereby giving access to the data– When a subject reads from an object, the
subject’s PACL is updated– When an object is created, the object takes on
the PACL of the creator
Example…
A creates file f, and allows B, D to access it
After B reads f, PACLnew(B) = PACLold(B) PACL(A)
If B creates new file f’, this file is assigned PACLnew(B)
User U can access f’ only if U is in both PACLold(B) and PACL(A)