
Bracket Capability For Distributed Systems Security


Page 1: Bracket Capability For Distributed Systems Security

Talal A. Alsubaie

Presenting Evered's Paper (2001)

Talal A. Alsubaie 1

Bracket Capability for Distributed Systems Security

Page 2: Bracket Capability For Distributed Systems Security

Overview

Protection in Operating System
Distributed System Security
Access Control
Access Control Lists
Capabilities
Case Study
Bracket Capabilities
Bracket Capabilities Implementation

Page 3: Bracket Capability For Distributed Systems Security

Protection in Operating System

Protection features are provided by the O.S.

There are many approaches to controlling access to objects: Access Control Matrix, ACL, Capabilities.

Most security concerns are about “Controlling Access”.

Page 4: Bracket Capability For Distributed Systems Security

Protection in Operating System

Entities that can perform actions in the system are called subjects, e.g. Ahmed's account.

Entities representing resources to which access may need to be controlled are called objects, e.g. the xyz file.

Diagram: Subject -- Access --> Object

Page 5: Bracket Capability For Distributed Systems Security

Protected Objects

Typical objects we desire to protect:

Memory
Disk and tape drives
Printers
Programs
Networks
Data
...

Page 6: Bracket Capability For Distributed Systems Security

Distributed System Security

Components of a distributed system can be viewed as objects according to the object-oriented paradigm.

One advantage of an object-oriented approach is that security can be based on the interface methods of an object.

In this presentation, we'll talk about access control in object-oriented programming.

Page 7: Bracket Capability For Distributed Systems Security

Access Control

Access control is the ability to permit or deny the use of a particular resource by a particular entity.

Access control mechanisms can be used in managing:

Physical resources, e.g. accessing the university.
Logical resources, e.g. a banking account.
Digital resources, e.g. a text document.

We'll have an example of a Banking System.

Page 8: Bracket Capability For Distributed Systems Security

Access Control

Diagram: Request for Operation --> Authorize Request

Imagine a server with a number of entities (which we will call objects) under its control.

Requests come in, but are allowed only if the sender has sufficient access rights.

Access control is how to verify rights.

Page 9: Bracket Capability For Distributed Systems Security

Access Control List (ACL)


Page 10: Bracket Capability For Distributed Systems Security

Access Control List (ACL)

A list of permissions attached to an object. The list specifies who is allowed to access the object and what operations are allowed to be performed on the object.

Each entry in the list specifies a subject and an operation.

Example: (Ahmed, Write), (Saleh, Read), (Mohammed, Read/Write) on the XYZ file.

Page 11: Bracket Capability For Distributed Systems Security

General Schema

One list for each object. Shows all users who have access. Shows what access each user has. Can have default entries for any users.

Specific users have explicit rights and all other users have default rights.

Objects can be shared by all possible users.

Example ACL for one object:

Ahmed      R
Mohammed   R/W
Talal      W
Omar       Deny

Page 12: Bracket Capability For Distributed Systems Security

How does an ACL work?

Create request (r) as subject (s).

(r, s) is sent to the object, which consults its ACL:

if (s appears in ACL)
    if (r appears in ACL[s])
        grant access;
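The ACL scheme of the last three slides (one list per object, explicit entries plus default rights, and the check above), as an added Python example; it is not code from the slides or from Evered's paper. The subjects, the rights and the XYZ file are the slides' own; the ACL and ObjectServer classes, the grant/deny/check names and the audit list are assumptions made for this example.

```python
# Added example (not from the slides): an ACL attached to one object, with explicit
# entries plus a default entry for "all other users", and the server-side check.
from dataclasses import dataclass, field

READ, WRITE = "Read", "Write"


@dataclass
class ACL:
    """One list per object: subject -> set of permitted operations.

    A subject mapped to an empty set is an explicit "Deny" entry.
    Subjects not listed at all receive the object's default rights.
    """
    entries: dict = field(default_factory=dict)
    default: frozenset = frozenset()

    def grant(self, subject, *ops):
        self.entries.setdefault(subject, set()).update(ops)

    def deny(self, subject):
        self.entries[subject] = set()        # explicit entry carrying no rights

    def check(self, subject, op):
        # The slide's pseudocode: if s appears in the ACL, look only at ACL[s];
        # otherwise fall back to the default entry.
        if subject in self.entries:
            return op in self.entries[subject]
        return op in self.default


def build_xyz_acl():
    """The 'General Schema' slide's list for the XYZ file (constructed sample data)."""
    acl = ACL(default=frozenset())            # no default rights on XYZ
    acl.grant("Ahmed", READ)
    acl.grant("Mohammed", READ, WRITE)
    acl.grant("Talal", WRITE)
    acl.deny("Omar")
    return acl


class ObjectServer:
    """A server holding a number of objects, each with its own ACL."""
    def __init__(self):
        self.acls = {}
        self.audit = []                       # every decision is kept for later review

    def add_object(self, name, acl):
        self.acls[name] = acl

    def request(self, subject, obj, op):
        """Decide a request (r, s) against the named object's ACL and record it."""
        acl = self.acls.get(obj)
        granted = acl is not None and acl.check(subject, op)
        self.audit.append((subject, obj, op, "grant" if granted else "refuse"))
        return granted
```

An unknown object is refused rather than answered from any default, and an explicit Deny entry wins over a permissive default, which is the point of keeping explicit entries separate from the default.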

Page 13: Bracket Capability For Distributed Systems Security

Capabilities


Page 14: Bracket Capability For Distributed Systems Security

Capabilities

A capability is a token (or ticket or key) which:

Gives the possessor certain rights to an object.
Must be unforgeable.
May grant transfer (or propagate) rights: something like delegation of authority, a right to pass copies of capabilities to others.
Should also be able to be revoked.

User holds a “ticket” for each resource. Example: (XYZ, delete), held by Ahmed.

Page 15: Bracket Capability For Distributed Systems Security

How do Capabilities work?

Create request (r) for object (o).

Pass capability (C) along with the request (r, o).

The object checks the capability:

if (r appears in C)
    grant access;
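The ticket of the two previous slides made unforgeable, delegable and revocable, as an added Python example that is not from the slides or Evered's paper. The sealing scheme (an HMAC over the ticket's fields under a secret held only by the issuing server) and the CapabilityServer API are assumptions; the (XYZ, delete) ticket held by Ahmed is the slides' example.

```python
# Added example (not from the slides): a capability as a sealed ticket that names one
# object and a set of rights.  The seal makes the ticket unforgeable, delegate() passes
# a copy with no more rights than the original, and revoke() withdraws a ticket.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    cap_id: str          # random identifier so the server can revoke this ticket
    obj: str             # the object the ticket refers to, e.g. "XYZ"
    rights: frozenset    # operations the possessor may request
    seal: bytes          # MAC over the fields above; only the server can produce it


class CapabilityServer:
    def __init__(self, secret):
        self._secret = secret                # assumption: held by the server only
        self._revoked = set()

    def _seal(self, cap_id, obj, rights):
        msg = "|".join([cap_id, obj, ",".join(sorted(rights))]).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, obj, rights):
        cap_id = secrets.token_hex(8)
        rights = frozenset(rights)
        return Capability(cap_id, obj, rights, self._seal(cap_id, obj, rights))

    def delegate(self, cap, rights):
        """Pass a copy to someone else; rights may be reduced but never amplified."""
        if not self.valid(cap):
            raise PermissionError("cannot delegate an invalid or revoked capability")
        subset = frozenset(rights)
        if not subset <= cap.rights:
            raise PermissionError("delegation may not amplify rights")
        return self.issue(cap.obj, subset)

    def revoke(self, cap):
        self._revoked.add(cap.cap_id)

    def valid(self, cap):
        """Genuine (seal matches the fields) and not revoked."""
        expected = self._seal(cap.cap_id, cap.obj, cap.rights)
        return hmac.compare_digest(expected, cap.seal) and cap.cap_id not in self._revoked

    def authorize(self, cap, obj, op):
        """The slide's check, after confirming C is genuine: if r appears in C, grant."""
        return self.valid(cap) and cap.obj == obj and op in cap.rights
```

A ticket whose rights field has been edited fails the seal check, so the server never consults the rights of a forged ticket. Delegated copies carry their own identifier here, so revoking the original does not revoke the copies; a design that must revoke a whole delegation chain would record each copy's parent identifier and walk it on revoke.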

Page 16: Bracket Capability For Distributed Systems Security

Case Study

E-Banking System using Java

Page 17: Bracket Capability For Distributed Systems Security

Java Interface

An interface is a contract between a class and the outside world. When a class implements an interface, it promises to provide the behavior published by that interface.

interface Bicycle {
    void changeGear(int newValue);
    void speedUp(int increment);
    void applyBrakes(int decrement);
}

class MyBicycle implements Bicycle {
    // remainder of this class
}

Page 18: Bracket Capability For Distributed Systems Security

Banking System

Diagram: A Bank Account object

Page 19: Bracket Capability For Distributed Systems Security

Account Object

interface Accounts {
    void create(Key newKey, String name);   // "new" on the slide; new is a reserved word in Java
    void deposit(Key key, Currency amount);
    void withdraw(Key key, Currency amount);
    Currency balance(Key key);
    String getName(Key key);
    void setInterest(Percent rate);
    void transfer(Key fromKey, Key toKey, Currency amount);
}

Page 20: Bracket Capability For Distributed Systems Security

Semantic Role-based Access Control

Access rights can be granted on the basis of the roles of the users.

A bank teller may have access to the deposit and withdraw methods.

Diagram: Teller --> deposit, withdraw

Page 21: Bracket Capability For Distributed Systems Security

Semantic Role-based Access Control

Access rights can be granted on the basis of the roles of the users.

A bank teller may have access to the deposit and withdraw methods.

The bank manager may also have access to the method for setting the interest rate.

Diagram: Bank Manager --> deposit, withdraw, setInterest

Page 22: Bracket Capability For Distributed Systems Security

Semantic Role-based Access Control

In terms of per-method access control, the previous mechanism is not ideal. All the methods of the object are still known to all the users even if they cannot be called.

Ideally, in a need-to-know security environment, someone who is not allowed to invoke a method should not KNOW of the existence of that method.

Page 23: Bracket Capability For Distributed Systems Security

Extending Role-based Security

An ATM machine only requires access to the withdraw and balance methods of an Accounts object. Define a view for the ATM, ATMAccounts:

interface ATMAccounts {
    void withdraw(Key key, Currency amount);
    Currency balance(Key key);
}

Page 24: Bracket Capability For Distributed Systems Security

Extending Role-based Security

What access to an Accounts object should be given to the owner of an individual account? We must ensure that only the right account is being accessed.

This means that the Key parameter of balance and getName and the fromKey parameter of transfer must be restricted to a particular value (the owner's account #).

Page 25: Bracket Capability For Distributed Systems Security

Extending Role-based Security

We would like the account owner to view the object as if it had the type:

interface MyAccount {
    Currency balance();
    String getName();
    void transfer(Key toKey, Currency amount);
}

The MyAccount object can be seen as a virtual object.

Page 26: Bracket Capability For Distributed Systems Security

Bracket Capabilities


Page 27: Bracket Capability For Distributed Systems Security

Bracket Capabilities

To gain access to an object, the object is “opened” using a capability. For example:

Accounts acc = c.open();

where c is a variable of type Capability.

Page 28: Bracket Capability For Distributed Systems Security

Bracket Capabilities

Each persistent object, as well as implementing an interface such as Accounts, also implements the standard interface Persistent, which includes methods such as deleteObject, deleteCapability and refine.

The refine method is called when the possessor of a capability wishes to grant a more restricted view of the object to other users in the system.

The refine method is called as:

x = c.open();
Capability cref = x.refine(interface, class);

Page 29: Bracket Capability For Distributed Systems Security

Bracket Capabilities

x = c.open();
Capability cref = x.refine(interface, class);

Diagram: Capability c --> object x; Capability cref --> Bracketing Object (Interface) --> object x

Page 30: Bracket Capability For Distributed Systems Security

Bracket Capabilities

It can be seen that calls using the capability cref are directed through a kind of proxy or bracketing object.

Diagram: Capability c --> object; Capability cref --> Bracketing Object (Interface) --> object

Page 31: Bracket Capability For Distributed Systems Security

Bracket Capabilities Implementation

acc = objc.open();
Capability AtmCap = acc.refine(ATMAccounts, Account);

Diagram: Capability objc --> Account object; Capability AtmCap --> ATMAccounts bracketing object --> Account object

Page 32: Bracket Capability For Distributed Systems Security

Bracket Capabilities Implementation

Diagram: Capability objc --> Account object; Capability AtmCap --> ATMAccounts bracketing object --> Account object

The result of a further 'refine' operation:

Diagram: Capability cref2 --> Interface2 bracketing object --> ATMAccounts bracketing object --> Account object
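The refine mechanism of the last six slides, together with the ATMAccounts and MyAccount views from the role-based slides, as an added Python example; it is not the slides' or Evered's code. The Account class and the two views mirror the slides' Java interfaces; the Python API (Capability, Persistent, Bracket, and views given as a dict from method name to the arguments bound in front of the caller's) is an assumption made for this example.

```python
# Added example, not the slides' or Evered's code: bracket capabilities modelled in
# Python.  refine(view) hands back a Capability that opens to a bracketing object
# forwarding only the methods named in the view; a further refine can only narrow.
# Capability, Persistent, Bracket and the dict-shaped views are assumptions.
class Capability:
    """Reference through which an object is 'opened' (unforgeability not modelled)."""
    def __init__(self, target):
        self._target = target

    def open(self):
        return self._target

class Persistent:
    """Standard interface of every persistent object; only refine is shown."""
    def refine(self, view):
        return Capability(Bracket(self, view))

class Bracket(Persistent):
    """The bracketing (proxy) object. view maps a method name to arguments bound in
    front of the caller's own, e.g. {"balance": ("K1",)} fixes the Key parameter."""
    def __init__(self, target, view):
        self._target = target
        self._view = dict(view)

    def __getattr__(self, name):
        # Reached only when normal lookup fails, i.e. for forwarded methods.
        # A method outside the view simply does not exist from the caller's side.
        if name.startswith("_") or name not in self._view:
            raise AttributeError(f"no attribute {name!r} in this view")
        bound, method = self._view[name], getattr(self._target, name)
        return lambda *args, **kwargs: method(*bound, *args, **kwargs)

    def __dir__(self):
        return sorted(self._view)          # need-to-know: hidden methods are not listed

    def refine(self, view):
        # A further refine can only narrow; it cannot re-expose hidden methods.
        extra = set(view) - set(self._view)
        if extra:
            raise PermissionError(f"methods not in the current view: {sorted(extra)}")
        return Capability(Bracket(self, view))

class Account(Persistent):
    """The underlying persistent object (the slides' Accounts)."""
    def __init__(self):
        self._accounts = {}                # key -> [name, balance]
        self._interest = 0
    def create(self, key, name):
        self._accounts[key] = [name, 0]
    def deposit(self, key, amount):
        self._accounts[key][1] += amount
    def withdraw(self, key, amount):
        if amount > self._accounts[key][1]:
            raise ValueError("insufficient funds")
        self._accounts[key][1] -= amount
    def balance(self, key):
        return self._accounts[key][1]
    def getName(self, key):
        return self._accounts[key][0]
    def setInterest(self, rate):
        self._interest = rate
    def transfer(self, fromKey, toKey, amount):
        self.withdraw(fromKey, amount)
        self.deposit(toKey, amount)

ATM_VIEW = {"withdraw": (), "balance": ()}          # the slides' ATMAccounts

def owner_view(key):
    """The slides' MyAccount: balance, getName and transfer with the Key fixed."""
    return {"balance": (key,), "getName": (key,), "transfer": (key,)}

def demo():
    objc = Capability(Account())                    # full capability to the object
    acc = objc.open()
    acc.create("K1", "Ahmed")                       # constructed sample accounts
    acc.create("K2", "Saleh")
    acc.deposit("K1", 100)

    atm = acc.refine(ATM_VIEW).open()               # AtmCap = acc.refine(ATMAccounts, Account)
    atm.withdraw("K1", 30)

    mine = acc.refine(owner_view("K1")).open()      # the owner's virtual MyAccount object
    mine.transfer("K2", 20)                         # fromKey is bound to K1, not chosen by the caller

    balance_only = atm.refine({"balance": ()}).open()   # the further refine of the last slide
    return {
        "ahmed": acc.balance("K1"),
        "saleh": acc.balance("K2"),
        "atm_methods": dir(atm),
        "atm_sees_setInterest": hasattr(atm, "setInterest"),
        "owner_balance": mine.balance(),
        "owner_name": mine.getName(),
        "via_second_refine": balance_only.balance("K1"),
    }
```

Calling demo() shows the two properties the slides ask for: dir() on the ATM's bracketing object lists only balance and withdraw, and hasattr() reports that setInterest does not exist for it, while the owner's object cannot be asked for any key but its own. Because a refined capability opens to a bracket whose target is the previous bracket, the chain of the last slide (cref2 through Interface2 through ATMAccounts to the Account) falls out of the same code.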

Page 33: Bracket Capability For Distributed Systems Security

Talal A. Alsubaie
eMail: [email protected]
www.talals.net