CS-550 (M.Soneru): Protection and Security - 2 [SaS]

Protection and Security - 2


(2) The Access Control List Method

• Each object ‘o’ is assigned a list of pairs (s, P[s,o]), for all subjects ‘s’ that can access the object
• The access list for an object corresponds to the access rights contained in the column for object ‘o’ in the access matrix
• Example:

    Subjects   Access rights
    Smith      read, write, execute
    Jones      read
    Lee        write


(2) The Access Control List Method (cont.)

• Operation: Subject ‘s’ requests access ‘’ to object ‘o’
  – Search access control list of ‘o’ for entry (s, )
  – If entry exists, check if the requested access is in P[s,o]
  – If yes, allow execution. Else, exception raised

• Advantages of access control lists
  – Easy revocation of access rights from a subject to an object: remove the subject’s entry from the object’s access control list
  – Easy review of access rights of all subjects to a given object
  – Note: it is, however, difficult to determine for a given subject what objects it has access to


Issues with Access Control Lists

• Efficiency of execution
  – Access control list needs to be searched for every access to an object!
  – Option: use shadow capability registers
      On first access by a subject, copy access rights from access control list to a shadow register with the subject
      The access rights in the shadow register act as a capability
      Subsequent accesses by this subject use the shadow register
      Potential drawback:
        – Revocation of access rights becomes more difficult: removing access rights from the access control list is not sufficient, since some access rights remain in shadow registers
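The following is an added example (not code from the original slides) of the access control list check described above together with a shadow capability register: a subject's first access copies its rights out of the ACL into a per-subject register, later accesses consult only the register, and revoking a right in the ACL without invalidating the register leaves the stale right live. Object, subject and right names are constructed for the illustration.

```python
from typing import Dict, Set


class AccessDenied(Exception):
    """Raised when an access check fails (the slide's 'exception raised')."""


class ObjectACL:
    """One object and its access control list: subject -> rights (P[s, o])."""

    def __init__(self, name: str, acl: Dict[str, Set[str]]) -> None:
        self.name = name
        self.acl: Dict[str, Set[str]] = {s: set(r) for s, r in acl.items()}
        # Shadow capability registers: subject -> copy of its rights, filled on
        # the subject's first access and consulted on every later access.
        self.shadow: Dict[str, Set[str]] = {}

    def check(self, subject: str, access: str, use_shadow: bool = True) -> bool:
        """Return True if 'subject' may perform 'access'; raise AccessDenied otherwise."""
        if use_shadow and subject in self.shadow:
            rights = self.shadow[subject]           # fast path: no ACL search
        else:
            entry = self.acl.get(subject)           # search ACL for (s, P[s, o])
            if entry is None:
                raise AccessDenied(f"{subject} has no entry on {self.name}")
            rights = entry
            if use_shadow:
                self.shadow[subject] = set(entry)   # copy rights into shadow register
        if access not in rights:
            raise AccessDenied(f"{subject} lacks {access} on {self.name}")
        return True

    def revoke(self, subject: str, access: str, flush_shadow: bool = False) -> None:
        """Remove one right from the ACL; optionally invalidate the shadow copy too."""
        self.acl.get(subject, set()).discard(access)
        if flush_shadow:
            self.shadow.pop(subject, None)


def revocation_demo() -> Dict[str, bool]:
    """Show that removing a right from the ACL alone leaves it live in the shadow register."""
    # Constructed sample ACL, matching the table on the earlier slide.
    doc = ObjectACL("report", {"Smith": {"read", "write", "execute"},
                               "Jones": {"read"},
                               "Lee": {"write"}})
    doc.check("Jones", "read")                  # first access fills Jones's shadow register
    doc.revoke("Jones", "read")                 # ACL no longer grants read ...
    stale = doc.check("Jones", "read")          # ... but the cached capability still does
    doc.revoke("Jones", "read", flush_shadow=True)
    try:
        doc.check("Jones", "read")
        after_flush = True
    except AccessDenied:
        after_flush = False
    return {"stale_allowed": stale, "allowed_after_flush": after_flush}


if __name__ == "__main__":
    print(revocation_demo())   # {'stale_allowed': True, 'allowed_after_flush': False}
```

The design point is that any cached authorization decision needs an invalidation path tied to revocation; `flush_shadow` models the extra work the slide warns about.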


Issues with Access Control Lists (cont.)

• Efficiency of storage
  – The list can be very large, containing the access rights of all subjects that can access this object
  – Note: the aggregate storage requirement is about the same as for capabilities
  – Option: use protection groups
      Subjects (users) divided into protection groups
      Access control list contains the names of groups and their access rights
      Operation: subject gives its protection group and requested access
      Issue: all subjects in a protection group have the same access rights to the object

• Authority to change an access control list
  – Issue: who can modify an access control list?
  – Options:
      Self control: owner process (e.g., creator of the object) can modify list
      Hierarchical control:
        – When object created, owner process specifies what other processes can modify access control list
        – Processes organized in a hierarchy: a process can change the access control list of all processes below it in the hierarchy


Examples of Systems using Access Control Lists

• Multics
  – Access control lists to control access to files
  – Principle of least privilege

• Unix
  – Access control list has three entries: owner, group, and other
  – Access rights: read, write, execute


(3) The Lock-Key Method

• Principles
  – Hybrid of capability-based method and access control list method
  – Every subject has a capability list made of tuples (o, k): the subject can access object ‘o’ using key ‘k’
  – Every object has an access control list made of tuples (l, ), called lock entries: any subject that can open lock ‘l’ can access the object with an access right contained in ‘’

• Operation
  – Subject ‘s’ makes request for access ‘’ to object ‘o’
  – The system locates tuple (o, k) in capability list of the subject
  – If present, search access control list of object ‘o’ for entry (l, ), where k = l, and obtain its access rights
  – Access allowed if the requested access is contained in those access rights


(3) The Lock-Key Method (cont.)

• Advantages:
  – Easy revocation of access rights: to revoke the access rights of a subject to an object, delete the lock entry corresponding to the key of the subject
  – Capability-based addressing can be used

• Disadvantages:
  – Access control list must be searched for every access

• Example
  – IBM/360 storage keys protection method similar to lock-key method
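An added example (not from the original slides) of the lock-key operation and its revocation step: each subject carries (object, key) capabilities, each object carries (lock, rights) entries, and an access succeeds only when a key matches a lock whose entry contains the requested right. Subject, object, key and lock names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class LockKeySystem:
    # Capability lists: subject -> [(o, k)], "subject can access object o using key k"
    caps: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    # Lock entries: object -> [(l, rights)], "a key matching lock l opens these rights"
    locks: Dict[str, List[Tuple[str, Set[str]]]] = field(default_factory=dict)

    def give_key(self, subject: str, obj: str, key: str) -> None:
        self.caps.setdefault(subject, []).append((obj, key))

    def add_lock(self, obj: str, lock: str, rights: Set[str]) -> None:
        self.locks.setdefault(obj, []).append((lock, set(rights)))

    def check(self, subject: str, access: str, obj: str) -> bool:
        """Lock-key operation: locate (o, k), then search for (l, rights) with l == k."""
        keys = {k for (o, k) in self.caps.get(subject, []) if o == obj}
        if not keys:                       # no capability for this object at all
            return False
        for lock, rights in self.locks.get(obj, []):
            if lock in keys and access in rights:
                return True
        return False                       # no matching lock, or right not in its entry

    def revoke(self, obj: str, subject: str) -> None:
        """Revocation: delete the lock entries that the subject's keys open.

        Caveat: any other subject holding the same key loses access as well."""
        keys = {k for (o, k) in self.caps.get(subject, []) if o == obj}
        self.locks[obj] = [(l, r) for (l, r) in self.locks.get(obj, []) if l not in keys]


def lock_key_demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario: one object, two keys, then revocation of one key."""
    system = LockKeySystem()
    system.add_lock("payroll", lock="L1", rights={"read", "write"})
    system.add_lock("payroll", lock="L2", rights={"read"})
    system.give_key("alice", "payroll", "L1")
    system.give_key("bob", "payroll", "L2")
    bob_read = system.check("bob", "read", "payroll")        # True: L2 grants read
    bob_write = system.check("bob", "write", "payroll")      # False: L2 has no write
    alice_write = system.check("alice", "write", "payroll")  # True: L1 grants write
    system.revoke("payroll", "alice")                        # delete lock entry L1
    alice_after = system.check("alice", "write", "payroll")  # False: key opens nothing now
    return bob_read, bob_write, alice_write, alice_after
```

The subject still holds its (o, k) capability after revocation; only the object side changed, which is what makes revocation cheap in this method.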


Access Matrix Model: Changing The Protection State

• Access matrix is itself a protected object
• Commands for changing protection state
  – Set of commands ‘C’ for changing protection state defined in the form of the following primitive operations
      enter r into P[s, o]
      delete r from P[s, o]
      create subject s
      create object o
      destroy subject s
      destroy object o
  – Primitive operations: define changes to be made to the access matrix P
  – Example: primitive operation delete r from P[s, o] deletes access right r from the position P[s, o] in the access matrix, i.e., access right r of subject s to object o is withdrawn


Access Matrix Model: Changing The Protection State (cont.)

• Before the operation is performed (e.g., the delete in the previous example), a verification should be made that the process has the right to perform this operation on the access matrix
• Command syntax:

      command <command id> (<formal parameters>)
        if <conditions>
        then
          <list of primitive operations>
      end.

• Command execution
  – All checks in the condition part are evaluated. The <conditions> part has checks in the form ‘r in P[s,o]’
  – If all checks pass, primitive operations in <list of primitive operations> are executed


Access Matrix Model: Changing The Protection State (cont.)

• All accesses are validated by a mechanism called a reference monitor: the reference monitor will reject an access not allowed by the access matrix
• Each object has an owner
  – If ‘s’ is the owner of ‘o’, then own in P[s, o]
  – The owner of an object can give (confer) a right to the object to another subject

• Example: command to create a file and assign ‘own’ and ‘read’ rights to it

      command create-read (process, file)
        create object file
        enter own into P[process, file]
        enter read into P[process, file]
      end.


Access Matrix Model: Changing The Protection State (cont.)

• Example: command by which the owner of a file gives ‘write’ access rights to another process

      command confer-write (owner, process, file)
        if own in P[owner, file]
        then
          enter write into P[process, file]
      end.
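An added example (not code from the original slides) implementing the access matrix with the six primitive operations, the reference monitor check ‘r in P[s,o]’, and the two commands above, create-read and confer-write, as condition-then-primitives routines. Subject and file names are constructed.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple


class AccessMatrix:
    """Access matrix P[s, o] plus the primitive operations from the slides."""

    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()
        self.P: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    # --- primitive operations -------------------------------------------
    def enter(self, r: str, s: str, o: str) -> None:
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"unknown subject/object: {s}, {o}")
        self.P[(s, o)].add(r)

    def delete(self, r: str, s: str, o: str) -> None:
        self.P[(s, o)].discard(r)

    def create_subject(self, s: str) -> None:
        self.subjects.add(s)

    def create_object(self, o: str) -> None:
        self.objects.add(o)

    def destroy_subject(self, s: str) -> None:
        self.subjects.discard(s)
        for key in [k for k in self.P if k[0] == s]:
            del self.P[key]            # withdraw the whole row

    def destroy_object(self, o: str) -> None:
        self.objects.discard(o)
        for key in [k for k in self.P if k[1] == o]:
            del self.P[key]            # withdraw the whole column

    # --- reference monitor ------------------------------------------------
    def access_allowed(self, s: str, r: str, o: str) -> bool:
        """Every access is validated here: the check 'r in P[s, o]'."""
        return r in self.P.get((s, o), set())

    # --- commands: condition part, then list of primitive operations ------
    def create_read(self, process: str, file: str) -> None:
        """command create-read (process, file): no condition part."""
        self.create_object(file)
        self.enter("own", process, file)
        self.enter("read", process, file)

    def confer_write(self, owner: str, process: str, file: str) -> None:
        """command confer-write (owner, process, file):
        if own in P[owner, file] then enter write into P[process, file]."""
        if not self.access_allowed(owner, "own", file):
            raise PermissionError(f"{owner} does not own {file}")
        self.enter("write", process, file)


def matrix_demo() -> Dict[str, bool]:
    """Constructed scenario: A creates a file and confers write on B; B cannot confer on C."""
    m = AccessMatrix()
    for s in ("A", "B", "C"):
        m.create_subject(s)
    m.create_read("A", "f")
    m.confer_write("A", "B", "f")              # condition own in P[A, f] holds
    b_write = m.access_allowed("B", "write", "f")
    try:
        m.confer_write("B", "C", "f")          # B has write but not own: condition fails
        b_conferred = True
    except PermissionError:
        b_conferred = False
    m.delete("write", "B", "f")                # primitive operation: right withdrawn
    return {"a_read": m.access_allowed("A", "read", "f"),
            "b_write": b_write,
            "b_conferred": b_conferred,
            "b_write_after_delete": m.access_allowed("B", "write", "f")}
```

Keeping the condition check inside the command, rather than trusting the caller, is what makes the access matrix itself a protected object.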


Advanced Models of Protection: The Take-Grant Model

• Principles:
  – Uses directed graphs to model access control
  – Protection state of system represented by directed graph
  – More efficient than (sparsely populated) access matrix

• Model:
  – Graph nodes: subjects and objects
  – An edge from node ‘x’ to node ‘y’ indicates that subject ‘x’ has an access right to the object ‘y’: the edge is tagged with the corresponding access rights
  – Access rights
      Read (r), write (w), execute (e)
      Special access rights for propagating access rights to other nodes
        – Take: If node ‘x’ has access right take to node ‘y’, then subject ‘x’ can take any access right that ‘y’ has to another node
        – Grant: If node ‘x’ has access right grant to node ‘y’, then the entity represented by node ‘y’ can be granted any of the access rights that node ‘x’ has


The Take-Grant Model (cont.)

• Example: take operation
  – Node ‘x’ has take access to node ‘y’
  – Node ‘y’ has read and write access to node ‘z’
  – Node ‘x’ can take access right read from ‘y’ and have this access right for object ‘z’: a directed edge labeled ‘r’ is added from node ‘x’ to node ‘z’

  [Figure: before the take, edges x –t→ y and y –r,w→ z; after the take, the edge x –r→ z is added]


The Take-Grant Model (cont.)

• Example: grant operation
  – Node ‘x’ has grant access to node ‘y’ and also has read and write access to node ‘z’
  – Node ‘x’ can grant read access for ‘z’ to node ‘y’ (a directed edge labeled ‘r’ from ‘y’ to ‘z’ is added in the graph)

  [Figure: before the grant, edges x –g→ y and x –r,w→ z; after the grant, the edge y –r→ z is added]


The Take-Grant Model (cont.)

• State and state transitions:
  – The protection state of the system is represented by the directed graph
  – System changes state (state transition) when the directed graph changes
  – The directed graph changes with the following operations
      Take
      Grant
      Create: a new node is added to the graph
        – When node ‘x’ creates a new node ‘y’, a directed edge is added from ‘x’ to ‘y’
      Remove: a node deletes some of its access rights to another node
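An added example (not from the original slides) of the take-grant graph with the four state transitions: take, grant, create and remove. The two worked functions reproduce the take and grant examples from the preceding slides, and a third shows that a take attempted without the ‘t’ right is rejected. Node names follow the slides; the edge storage is an assumption of this illustration.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple


class TakeGrantGraph:
    """Directed graph whose edges carry access rights (r, w, e, t, g)."""

    def __init__(self) -> None:
        self.nodes: Set[str] = set()
        self.edges: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def add_node(self, x: str) -> None:
        self.nodes.add(x)

    def rights(self, x: str, y: str) -> Set[str]:
        """Rights carried by the edge x -> y (empty set if there is no edge)."""
        return set(self.edges.get((x, y), set()))

    def create(self, x: str, y: str, rights: Set[str]) -> None:
        """x creates a new node y: y is added and an edge x -> y appears."""
        if y in self.nodes:
            raise ValueError(f"{y} already exists")
        self.nodes.add(y)
        self.edges[(x, y)] |= set(rights)

    def take(self, x: str, y: str, z: str, r: str) -> None:
        """x has 't' to y and y has r to z  =>  x gets r to z."""
        if "t" not in self.edges[(x, y)]:
            raise PermissionError(f"{x} has no take right to {y}")
        if r not in self.edges[(y, z)]:
            raise PermissionError(f"{y} has no {r} right to {z}")
        self.edges[(x, z)].add(r)

    def grant(self, x: str, y: str, z: str, r: str) -> None:
        """x has 'g' to y and x has r to z  =>  y gets r to z."""
        if "g" not in self.edges[(x, y)]:
            raise PermissionError(f"{x} has no grant right to {y}")
        if r not in self.edges[(x, z)]:
            raise PermissionError(f"{x} has no {r} right to {z}")
        self.edges[(y, z)].add(r)

    def remove(self, x: str, y: str, rights: Set[str]) -> None:
        """x deletes some of its rights to y."""
        self.edges[(x, y)] -= set(rights)


def take_example() -> Set[str]:
    """Slide's take example: x -t-> y, y -r,w-> z; x takes r for z."""
    g = TakeGrantGraph()
    for n in ("x", "y", "z"):
        g.add_node(n)
    g.edges[("x", "y")].add("t")
    g.edges[("y", "z")] |= {"r", "w"}
    g.take("x", "y", "z", "r")          # adds edge x -r-> z
    return g.rights("x", "z")


def grant_example() -> Set[str]:
    """Slide's grant example: x -g-> y, x -r,w-> z; x grants r for z to y."""
    g = TakeGrantGraph()
    for n in ("x", "y", "z"):
        g.add_node(n)
    g.edges[("x", "y")].add("g")
    g.edges[("x", "z")] |= {"r", "w"}
    g.grant("x", "y", "z", "r")         # adds edge y -r-> z
    return g.rights("y", "z")


def take_without_right() -> bool:
    """Without 't' on the x -> y edge the take transition must be rejected."""
    g = TakeGrantGraph()
    for n in ("x", "y", "z"):
        g.add_node(n)
    g.edges[("y", "z")].add("r")
    try:
        g.take("x", "y", "z", "r")
        return True
    except PermissionError:
        return False
```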


Bell-LaPadula Model

• Used to control information flow
• Model components
  – Subjects, objects, and access matrix
  – Several ordered security levels
      Each subject has a (maximum) clearance and a current clearance level
      Each object has a classification (i.e., belongs to a security level)
  – Subjects can have the following access rights to objects
      Read-only
      Append: subject can only write object (no read permitted)
      Execute: no read or write
      Read-write: both read and write are permitted
  – Subject that creates an object has control attribute to that object and is the controller of the object
      Subject can pass any of the four access rights of the controlled object to another subject


Bell-LaPadula Model (cont.)

• Restrictions on information flow and access control (reading down and writing up properties):

  1. The simple security property
     – A subject cannot have read access to an object with classification higher than the clearance level of the subject

  2. The *-property (star property)
     – A subject has append (i.e., write) access only to objects which have classification (i.e., security level) higher than or equal to the current security clearance level of the subject
     – A subject has read access only to objects which have classification (i.e., security level) lower than or equal to the current security clearance level of the subject
     – A subject has read-write access only to objects which have classification (i.e., security level) equal to the current security clearance level of the subject
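An added example (not code from the original slides) that applies the simple security property and the *-property to read, append and read-write requests. The ordered levels and the subject and object names are constructed; the maximum clearance is used for the simple security check and the current clearance for the *-property, as the slide states.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed ordered security levels, lowest first.
LEVELS = ("unclassified", "confidential", "secret", "top secret")


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class Subject:
    name: str
    max_clearance: str
    current_clearance: str

    def __post_init__(self) -> None:
        if rank(self.current_clearance) > rank(self.max_clearance):
            raise ValueError("current clearance may not exceed maximum clearance")


@dataclass
class Obj:
    name: str
    classification: str


def allowed(s: Subject, o: Obj, mode: str) -> bool:
    """Apply the simple security property, then the *-property, to one request."""
    cls = rank(o.classification)
    cur = rank(s.current_clearance)
    if mode in ("read", "read-write") and cls > rank(s.max_clearance):
        return False                         # simple security: no read above clearance
    if mode == "read":
        return cls <= cur                    # *-property: read down only
    if mode == "append":
        return cls >= cur                    # *-property: write up only
    if mode == "read-write":
        return cls == cur                    # *-property: both only at the same level
    raise ValueError(f"unknown mode {mode!r}")


def blp_demo() -> Dict[str, bool]:
    """Constructed scenario: a subject cleared top secret, currently working at secret."""
    analyst = Subject("analyst", max_clearance="top secret", current_clearance="secret")
    low = Obj("memo", "confidential")
    same = Obj("plan", "secret")
    high = Obj("vault", "top secret")
    return {
        "read_down": allowed(analyst, low, "read"),        # True
        "read_up": allowed(analyst, high, "read"),         # False
        "append_up": allowed(analyst, high, "append"),     # True
        "append_down": allowed(analyst, low, "append"),    # False: would move secret data down
        "rw_same": allowed(analyst, same, "read-write"),   # True
        "rw_down": allowed(analyst, low, "read-write"),    # False
    }
```

Lowering the current clearance (while keeping the maximum) is how a subject in this model gets to write lower-classified objects without violating the *-property.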


Bell-LaPadula Model (cont.)

[Figure: security levels Level 1 ... Level i-1, Level i, Level i+1 ... Level n; a subject at Level i can read objects at Level i and below and can write objects at Level i and above]


Case Studies: Unix

• Subjects:
  – Each user identified by a ‘userid’
  – A user may belong to a group identified by ‘groupid’
  – ‘userid’ and ‘groupid’ are part of the process descriptor of the process running on behalf of the user and used to verify access rights

• Protected objects: files and directories
  – Each file has a unique owner (user who created the file)
  – Each file has two access fields
      ‘userid’ field: file owner
      ‘groupid’ field: ‘groupid’ of the group to which the file belongs


Case Studies: Unix (cont.)

• Protection mechanism for files: access control list with protection groups for access efficiency
  – Protection groups: owner, group, others
  – Access rights for each group: read, write, execute
      Three fields associated with each file of three bits each
      Only the owner of the file and the super user can change these bits (‘chmod’ command)

• Protection domain
  – Associated with each user
  – At login, user starts in a protection domain defining access rights
  – Domain can be changed with ‘su’ (set userid) command
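An added example (not from the original slides) of the Unix file check as an access control list with three protection groups: the process's userid and groupid select exactly one of the owner, group or other 3-bit fields, and only that field is tested. It also models who may change the bits. The uids, gids and modes are constructed; the superuser uid of 0 is an assumption of this illustration.

```python
from typing import Dict, Set

R, W, X = 4, 2, 1   # bit values within one 3-bit rwx field


def unix_access(uid: int, gids: Set[int], file_uid: int, file_gid: int,
                mode: int, wanted: int) -> bool:
    """Select the owner, group or other field from the 9 permission bits and test it.

    Exactly one field applies, chosen in the order owner, group, other: the
    process descriptor's userid is compared with the file's userid field first,
    then its groupid(s) with the file's groupid field. 'mode' is the 9-bit
    rwxrwxrwx value, e.g. 0o640."""
    if uid == file_uid:
        field = (mode >> 6) & 0o7          # owner field
    elif file_gid in gids:
        field = (mode >> 3) & 0o7          # group field
    else:
        field = mode & 0o7                 # other field
    return field & wanted == wanted


def can_chmod(actor_uid: int, file_uid: int, superuser_uid: int = 0) -> bool:
    """Only the file's owner and the super user may change the permission bits."""
    return actor_uid == file_uid or actor_uid == superuser_uid


def unix_demo() -> Dict[str, bool]:
    # Constructed file: owned by uid 1000, group 100, mode rw-r----- (0o640)
    f_uid, f_gid, mode = 1000, 100, 0o640
    return {
        "owner_write": unix_access(1000, {1000}, f_uid, f_gid, mode, W),       # True
        "group_read": unix_access(1001, {100, 1001}, f_uid, f_gid, mode, R),   # True
        "group_write": unix_access(1001, {100, 1001}, f_uid, f_gid, mode, W),  # False
        "other_read": unix_access(2000, {2000}, f_uid, f_gid, mode, R),        # False
        # The owner field is decisive even when the group field would be more permissive:
        "owner_of_0o070": unix_access(1000, {100}, f_uid, f_gid, 0o070, R),    # False
        "owner_chmod": can_chmod(1000, f_uid),                                 # True
        "other_chmod": can_chmod(2000, f_uid),                                 # False
    }
```

The `owner_of_0o070` case is the practical consequence of "one field applies": a mode that grants the group more than the owner locks the owner out rather than falling through to the group bits.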


The Hydra Kernel

• Kernel of a multiprocessor OS (Carnegie-Mellon U.)
  – Provides mechanisms on which a large array of OSs can be built
  – Supports capability-based protection

• An object (abstraction of a resource) is the unit of protection
• Procedure is an abstraction of an operation on an object
• Protection mechanism controls the invocation of procedures on instances of objects (i.e., resources)

• Objects
  – Each object has: name, type, representation
  – Representation
      Data part: can be accessed by programs with the right capability
      Capability part: capabilities for other objects; can be changed only by the kernel


The Hydra Kernel (cont.)

• Protection:
  – Elements: objects (abstraction of resources) and capabilities (references to objects)
  – Operation:
      Process/user supplies capability for object
      Kernel validates access rights

• Access rights:
  – Kernel rights: kernel supports the basic access rights (read, write, copy)
  – Auxiliary rights: user-defined object operations
      User defines a new object type and associated operations
      Kernel treats these operations as auxiliary rights for the object
      For a user to perform these operations on the object, its capability must contain these auxiliary rights
  – Kernel uses a 24-bit mask to encode access rights: kernel rights have fixed positions


Amoeba

• Distributed OS (Tanenbaum)
• Object-based, client-server model
  – Client processes request operations on objects by sending requests to server processes via RPCs
  – Every object is managed by a server process

• Capabilities-based protection: capability structure
  – Server port: identity of server process that manages corresponding object
  – Object number: identifies specific object
  – Rights: access allowed
  – Check: protection against unauthorized changes (cryptographic technique)

      server port | object number | rights | check
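An added example (not code from the original slides, and not Amoeba's actual scheme) of a capability with the four fields above and a cryptographic check field. The check technique assumed here is an HMAC computed by the managing server over the port, object number and rights, so a client that edits the rights bits of a capability it holds produces a check field that no longer verifies. Port, secret, rights bits and object numbers are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from typing import Dict, Tuple

READ, WRITE, DELETE = 0x01, 0x02, 0x04      # constructed rights bits
ALL_RIGHTS = READ | WRITE | DELETE


@dataclass(frozen=True)
class Capability:
    server_port: bytes     # identity of the server managing the object
    object_number: int     # identifies the object at that server
    rights: int            # access allowed, as a bit mask
    check: bytes           # cryptographic check field


class ObjectServer:
    """Server process that manages objects and validates capabilities sent to it."""

    def __init__(self, port: bytes, secret: bytes) -> None:
        self.port = port
        self.secret = secret              # known only to this server
        self.objects: Dict[int, str] = {}

    def _check_field(self, object_number: int, rights: int) -> bytes:
        # Assumed scheme: HMAC-SHA256 over (port, object number, rights), truncated to 6 bytes
        msg = self.port + struct.pack(">IB", object_number, rights)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:6]

    def create_object(self, object_number: int, payload: str) -> Capability:
        """Create an object and return an owner capability carrying all rights."""
        self.objects[object_number] = payload
        return Capability(self.port, object_number, ALL_RIGHTS,
                          self._check_field(object_number, ALL_RIGHTS))

    def validate(self, cap: Capability, wanted: int) -> bool:
        """Reject capabilities for other servers, unknown objects, altered fields,
        or rights the capability does not carry."""
        if cap.server_port != self.port or cap.object_number not in self.objects:
            return False
        expected = self._check_field(cap.object_number, cap.rights)
        if not hmac.compare_digest(cap.check, expected):
            return False                  # rights or object number were changed
        return cap.rights & wanted == wanted

    def restrict(self, cap: Capability, new_rights: int) -> Capability:
        """Derive a weaker capability (subset of rights) with a fresh check field."""
        if not self.validate(cap, new_rights):
            raise PermissionError("cannot derive rights the capability does not hold")
        return replace(cap, rights=new_rights,
                       check=self._check_field(cap.object_number, new_rights))


def capability_demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario: full capability, a restricted copy, and an altered copy."""
    server = ObjectServer(port=b"\x01\x02\x03\x04\x05\x06", secret=b"constructed-secret")
    full = server.create_object(42, "object 42 payload")
    read_only = server.restrict(full, READ)
    altered = replace(read_only, rights=ALL_RIGHTS)       # rights bits edited by the holder
    return (server.validate(full, WRITE),         # True
            server.validate(read_only, READ),     # True
            server.validate(read_only, WRITE),    # False: right not carried
            server.validate(altered, WRITE))      # False: check field no longer matches
```

Because the check field is computed with a secret that stays on the server, a capability can be passed between clients as plain data while any change to its rights or object number is detected on the next validation.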