Presentation on theme: "Access Control CS461/ECE422 Fall 2011. Reading Material Chapter 4 through section 4.5 Chapters 23 and 24 – For the access control aspects of Unix and."— Presentation transcript:
AAA Access control part of a broader context Authentication – Discussed last time. Bind external entity to system entity Authorization – Grant a right or permission to the system entity to access a system resource Audit – Independent review of system actions
Types of Access Control Policies Discretionary Access Control (DAC) – Decision made based on identity of requestor and access rules – Regular users can adjust the policy Mandatory Access Control (MAC) – Decision made by testing labels associated with processes and resources against system policy rules – Regular user cannot adjust the policy Role Based Access Control (RBAC) – Access decisions defined against roles rather than individual requestors
Access Control Requirements or Differentiators Reliable Input - GIGO Fine and course grain specifications Least Privilege Separation of Duty Open and closed policies – What is the default? Policy combination and conflict resolution Administrative policies – How is change to access control managed? Dual Control
Access Control Elements Subject – system entity capable of access objects. Generally a process in an OS context Object – a resource in a system – Often a file – Could also be other named resources like mutex, process, network interface, network port Access right – a way that a subject may access an object in the system – Read, Write, Execute, Delete, Create, Search, Change Access, Own
9/29/2010Computer Security I9 Access Control Matrix Access Matrix or Access Control Matrix (ACM) and related concepts provides very basic abstraction – Map different systems to a common form for comparison – Enables standard proof techniques – Not directly used in implementation
9/29/2010Computer Security I10 Definitions Protection state of system – Describes current settings, values of system relevant to protection Access control matrix – Describes protection state precisely – Matrix describing rights of subjects – State transitions change elements of matrix
Access Matrix: File Example File 1File 2File3File4 User AOwn Read Write Own Read Write User BReadOwn Read Write Read User CRead Write ReadOwn Read Write
Access Matrix: Broader Example SubjectsFilesProcessesDisks S1S2S3F1F2P1P2D1D2 S1 controlowner control Read*Read owner wakeup seekowner S2 controlWrite*executeownerSeek* S3 controlwritestop
Rules Governing Access Matrix Change RuleCommand (by S0)AuthorizationOperation R1Transfer α or α* to S,X‘α*’ in A[S0,X]Store α or α* in A[S,X] R2Grant α or α* to S,X‘owner’ in A[S0,X]Store α or α* in A[S,X] R3Delete α from S,X‘control’ in A[S0,S] or ‘owner’ in A[S0,X] Delete α from A[S,X] R4w <- read S,X‘control’ in A[S0,S] or ‘owner’ in A[S0,X] Copy A[S,X] into w R5Create object XNoneAdd column for X to A; store ‘owner’ in A[S0,X] R6Destroy object X‘owner’ in A[S0,X]Delete column X from A R7Create subject SNoneAdd row for S to A; execute create object S; store ‘control’ in A[S,S] R8Destroy subject S‘owner’ in A[S0,S]Delete row for S from A; execute destroy object S
Actually Implementing Access Matrix Slice by column – Access control list – Used by Multics and most modern OS Slice by row – Capability list – Many implementations in the ‘80’s – Often associated with object-oriented systems
9/29/2010Computer Security I17 Unix Access Control Three permission octets associated with each file and directory – Owner, group, and other – Read, write, execute For each file/directory – Can specify RWX permissions for one owner, one group, and one other
9/29/2010Computer Security I19 Windows ACL Actually two ACL's per file – System ACL (SACL) – controls auditing and now integrity controls – Discretionary ACL (DACL) – controls object access Windows ACLs apply to all named objects – Files – Pipes – Events
9/29/2010Computer Security I20 ACL Distinctions What subjects can modify an object's ACL? If there is a privileged user, do the ACLs apply to that user? Does the ACL support groups or wildcards? How are contradictory access control permissions handled? If a default permission is allowed, do the ACL permissions modify it, or is the default only used when the subject is not mentioned in the ACL?
9/29/2010Computer Security I21 ACL Scaling Groups of users Role Base Access Control – Users can take on role at a time Directory inheritance Negative rights
9/29/2010Computer Security I22 Revoking rights with ACLs Revoking rights for subject s to a particular object o straightforward – Remove s from ACL(o) – Make sure s has a negative entry in the ACL(o) Example: Alice removes all of Bob's rights to file f – What if Bob had given Carol read rights to f? – Should Carol still have those rights?
Capabilities Slice Access matrix by row Capabilities associated with the subjects
9/29/2010Computer Security I24 Capability Integrity Subject presents capability to access object – Capability encapsulates object ID with allowed rights. Unlike ACLs, capabilities are not completely contained by the OS Capability integrity is a big concern – Tagged memory – Segmented memory – Cryptographic hashs
9/29/2010Computer Security I25 Capabilities and propagation Copy rights – Separate version of the base right, e.g read-copy – Some systems had explicit copy bit Right amplification – May need to temporarily amplify rights to object – Perhaps just within particular method or module – Combine abstract class rights with object rights – Counter module example In generally user only has right to invoke counter module on variable of counter type In counter code, process must perform additional operations.
9/29/2010Computer Security I26 Revoking capabilities Easy to revoke all rights to a given subject What about revoking everyone's rights to a particular object?
9/29/2010Computer Security I27 Capabilities HW Intel iAPX 432 (mid ’70s) – Tried to put even more security enforcement in hardware – Capabilities and object-oriented – Implementation too complex and compiler technology not sufficiently smart – http://en.wikipedia.org/wiki/Intel_iAPX_432 http://en.wikipedia.org/wiki/Intel_iAPX_432 IBM System/38 – From about the same time period – Also had hardware capabilities support Capability-Based Computer Systems by Henry N. Levy – http://www.cs.washington.edu/homes/levy/capabook/ http://www.cs.washington.edu/homes/levy/capabook/
Protection Domains In Access Matrix – Replace user with “Protection Domain” At run time the process representing user may run under different protection domains In extreme case – User mode vs kernel mode
Key Points Access control part of broader system Access Control Matrix or Access Matrix – Means to model access control systems Real implementations – Access control lists – Capability lists