Capability Based Security By Zachary Walker CS265 Section 1
Access Control Issues
Preventing Access – Prevent users from accessing privileged data or resources
Limiting Access – Need to allow some access but not full access
Granting Access – Give new access or greater access
Revoking Access – Take back some or all of granted access

Methods of Access Control
Access Control Lists
– Access control associated with the resource
– Can prevent and revoke access
– Cannot limit or grant access
Capability Lists
– Access control associated with the user
– Can prevent, limit, and grant access
– Can revoke, but not as expected (more later)

Lampson Access Matrix
Columns: Network Access | Bank Records | Accounting Program
Billy the CEO: Read/Write | Read | Execute
Joe the CFO: Read/Write | Execute
Accounting Program: Read/Write
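As an added example (not from the slides), the matrix above modelled in Python with its two projections: the ACL is the column view (keyed by object), the C-list is the row view (keyed by subject), and both answer every access query the same way, which is the equivalence Lampson's model rests on. The subjects, objects and rights are the slide's; how the CFO row splits across the columns is an assumption (Read/Write on Bank Records, Execute on the Accounting Program) chosen to match the later Trojan Horse slides. The last two functions show the revocation asymmetry from the previous slide: an ACL revokes with one edit on the object, while a C-list system has to search every subject's list.

```python
from typing import Dict, Set

Rights = Set[str]
Matrix = Dict[str, Dict[str, Rights]]      # subject -> object -> rights
Acl = Dict[str, Dict[str, Rights]]         # object  -> subject -> rights
CList = Dict[str, Dict[str, Rights]]       # subject -> object -> rights


def sample_matrix() -> Matrix:
    """Constructed from the slide's matrix. The split of the CFO row across
    the columns is an assumption (the later slides say the CFO can write
    Bank Records)."""
    return {
        "Billy the CEO": {
            "Network Access": {"read", "write"},
            "Bank Records": {"read"},
            "Accounting Program": {"execute"},
        },
        "Joe the CFO": {
            "Bank Records": {"read", "write"},
            "Accounting Program": {"execute"},
        },
        "Accounting Program": {
            "Bank Records": {"read", "write"},
        },
    }


def acl_view(matrix: Matrix) -> Acl:
    """Column projection: each object carries the list of subjects and rights."""
    acl: Acl = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl.setdefault(obj, {})[subject] = set(rights)
    return acl


def clist_view(matrix: Matrix) -> CList:
    """Row projection: each subject carries the list of objects and rights."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def acl_allows(acl: Acl, subject: str, obj: str, right: str) -> bool:
    # Keyed by the object: "is this subject on my list with this right?"
    return right in acl.get(obj, {}).get(subject, set())


def clist_allows(clist: CList, subject: str, obj: str, right: str) -> bool:
    # Keyed by the subject: "do I hold a capability for this object with this right?"
    return right in clist.get(subject, {}).get(obj, set())


def views_agree(matrix: Matrix) -> bool:
    """Lampson's equivalence: both projections answer every query identically."""
    acl, clist = acl_view(matrix), clist_view(matrix)
    objects = {o for row in matrix.values() for o in row}
    return all(
        acl_allows(acl, s, o, r) == clist_allows(clist, s, o, r)
        for s in matrix for o in objects for r in ("read", "write", "execute")
    )


def revoke_in_acl(acl: Acl, obj: str, subject: str) -> int:
    """ACL revocation is one edit on the object's own list.
    Returns the number of entries removed (0 or 1)."""
    return 0 if acl.get(obj, {}).pop(subject, None) is None else 1


def revoke_in_clists(clist: CList, obj: str) -> int:
    """C-list revocation: the object keeps no list of holders, so every
    subject's list has to be scanned. Returns the number of entries removed."""
    removed = 0
    for caps in clist.values():
        if caps.pop(obj, None) is not None:
            removed += 1
    return removed
```

Run views_agree(sample_matrix()) to confirm the two projections coincide, then compare revoke_in_acl (one object touched) with revoke_in_clists (every subject touched) to see why the slide says C-list revocation is "not as expected".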
Why the Lampson Equivalency Model isn't exactly accurate
What happens if an attacker somehow slips a Trojan Horse virus into the system with the intent to steal funds via the accounting program?
We examine the differences between the cases where the CEO and the CFO are attacked by the Trojan Horse.

Trojan Horse Attack on an ACL system
The CEO gets the virus
– The Trojan horse is run by the CEO
– The CEO lacks access to write to bank records
– The Trojan horse is unsuccessful in stealing money
The CFO gets the virus
– The Trojan horse is run by the CFO
– The CFO has access to write bank records
– The Trojan horse is successful in stealing money from the company

ACL view of attack
The OS checks the bank records ACL to see if write is authorized. It is the CFO: no problem.
(Diagram labels: CFO, Trojan Horse, Bank Records, Write, ACL)

The Dilemma
The CFO needs write access to the Bank Records
Anyone with write access to the bank records will be susceptible to the Trojan Horse
What is the solution?

Capabilities
With capabilities, write access to the Bank Records is not implicit even if the CFO mistakenly downloads and runs the Trojan Horse
The CFO would have to grant the Trojan horse the write capability to the Bank Records for the attack to be successful

Capability Delegation
The CFO has capabilities to both the Trojan Horse and the Bank Records
However, the Trojan horse has no notion of the Bank Records
(Diagram labels: CFO, Trojan Horse, Bank Records)

Delegation cont.
For the attack to succeed the CFO would have to explicitly pass the capability (yellow arrow) to the Trojan horse.
(Diagram labels: CFO, Trojan Horse, Bank Records)
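The two scenarios from the last six slides, as an added toy simulation that is not part of the presentation. In the ACL model the write check consults only the identity a process runs as, so a program the CFO launches carries the CFO's rights (ambient authority); in the capability model a process can touch only objects whose capabilities sit in its own C-list, so the same program does nothing unless the CFO performs the explicit delegation of the yellow arrow. The class and function names (AclStore, Capability, Process.delegate, capability_scenario) are this example's own, and the "Bank Records" contents are a constructed string.

```python
from typing import Dict, Optional, Set


# ---- ACL model: the check is keyed on the identity the process runs as ----
class AclStore:
    """Constructed sample: an object's ACL maps subject -> rights."""

    def __init__(self) -> None:
        self.acl: Dict[str, Dict[str, Set[str]]] = {
            "Bank Records": {"Joe the CFO": {"read", "write"},
                             "Billy the CEO": {"read"}},
        }
        self.contents: Dict[str, str] = {"Bank Records": "balance=1000"}

    def write(self, running_as: str, path: str, data: str) -> bool:
        # Only the caller's identity is consulted; the OS cannot tell the
        # CFO's own actions from a program the CFO happened to launch.
        if "write" in self.acl.get(path, {}).get(running_as, set()):
            self.contents[path] = data
            return True
        return False


def trojan_under_acl(running_as: str) -> bool:
    """The Trojan horse inherits its launcher's identity, and with it every
    ACL entry that identity has. Returns True if the write went through."""
    store = AclStore()
    return store.write(running_as, "Bank Records", "balance=0")


# ---- Capability model: authority is an unforgeable reference in a C-list ----
class Resource:
    def __init__(self, name: str, contents: str) -> None:
        self.name = name
        self.contents = contents


class Capability:
    """Pairs an object reference with rights; holding it is the authority."""

    def __init__(self, target: Resource, rights: Set[str]) -> None:
        self._target = target
        self.rights = frozenset(rights)

    def write(self, data: str) -> bool:
        if "write" not in self.rights:
            return False
        self._target.contents = data
        return True


class Process:
    def __init__(self, name: str) -> None:
        self.name = name
        self.clist: Dict[str, Capability] = {}   # label -> capability

    def delegate(self, label: str, to: "Process") -> None:
        """The yellow arrow on the slide: copy one capability into another
        process's C-list. Without this call the receiver cannot even name
        the object."""
        to.clist[label] = self.clist[label]


def trojan_under_capabilities(trojan: Process) -> bool:
    """The Trojan horse can use only what its own C-list holds."""
    cap: Optional[Capability] = trojan.clist.get("Bank Records")
    return cap is not None and cap.write("balance=0")


def capability_scenario(cfo_delegates: bool) -> bool:
    """Build the slide's picture: the CFO holds the Bank Records capability,
    the Trojan Horse starts with an empty C-list. Returns True if the
    Trojan Horse managed to write the records."""
    bank = Resource("Bank Records", "balance=1000")
    cfo = Process("Joe the CFO")
    trojan = Process("Trojan Horse")
    cfo.clist["Bank Records"] = Capability(bank, {"read", "write"})
    if cfo_delegates:
        cfo.delegate("Bank Records", trojan)
    return trojan_under_capabilities(trojan)
```

trojan_under_acl("Joe the CFO") succeeds while trojan_under_acl("Billy the CEO") fails, exactly as on the "Trojan Horse Attack on an ACL system" slide; capability_scenario(False) fails regardless of who launched the program, and only capability_scenario(True), the explicit delegation, succeeds.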
ACL Diagram Arrows go from resources to subjects
Capability Diagram Arrows go from subjects to resources
Why are ACLs the norm?
When UNIX was being developed, ACLs and C-lists were both viable.
C-lists were known to be more secure but also more complex.
ACLs provided better performance and were deemed secure enough for the computing environment of the time.

EROS, a capability based OS
EROS stands for "Extremely Reliable Operating System"
EROS is not the first capability based OS
Multics, KeyKOS, and Mach are examples of previous attempts at capability based OS designs
Earlier systems have been criticized for being extremely slow.

How is EROS different from other OS designs?
Access control handled by capabilities
All data and processes are persistent across power cycles

OS Persistence
Persistence means the state of the system is maintained even when powered off.
All registers, processes, memory contents, and of course disk data are stored when powered down.
Persistence is actually a necessity of capability based systems.

Why is persistence necessary?
It is a "chicken or the egg" issue.
Suppose the system isn't persistent. When the system is started, where would the startup process get its capabilities from?
There is no simple answer to this question, and the startup condition is one of the most vexing in capability-based OS design.

How is EROS initialized?
Every resource in the system is allocated an atomic-level primitive object.
There are Pages, Nodes, and Numbers at the lowest level.
The OS creates capabilities for every primitive object.
Every capability ever used in the system will be a composition of these base-level capabilities.

How does persistence work?
In EROS a snapshot of the system is taken every 5 minutes:
– long enough to minimize the overhead required for repeated saves
– short enough to minimize loss in the case of a system failure

What to save and where
– User data
– Process list
– List of open files
Save them in a partitioned section of disk set aside for persistent data.
Note that network connections and open streams are not saved and must be re-established.

What if the system crashes during a save?
– The data is actually saved to a look-ahead log
– If the save is interrupted there is an older version to revert to
– Consequence: two sets of persistence data must be maintained
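The last three slides describe a checkpointing scheme: periodically save the persistable state (user data, process list, open files; not network connections) to a reserved area, never overwrite the only good copy, and on restart fall back to the older checkpoint if the newer save was interrupted. The following is an added model of that scheme, not EROS's own code or on-disk format: two checkpoint areas written alternately, each carrying a sequence number and a SHA-256 of its body so that a torn write is recognised and ignored at recovery. CheckpointStore, persistable_state, the crash_after parameter and the state dictionaries are this example's own constructions.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

State = Dict[str, Any]


class Crash(Exception):
    """Raised to simulate power loss part-way through a save."""


def persistable_state(live: State) -> State:
    """Keep only what the slide says is saved; network connections and open
    streams are dropped and must be re-established after a restart."""
    return {k: live[k] for k in ("user_data", "process_list", "open_files") if k in live}


class CheckpointStore:
    """Two checkpoint areas written alternately (constructed model, not EROS's
    actual layout). Each area holds a JSON body plus a trailer with a sequence
    number and a SHA-256 of the body; an area whose trailer does not verify is
    treated as empty, so a torn write can never be mistaken for a complete
    checkpoint."""

    def __init__(self) -> None:
        self.areas: List[Optional[bytes]] = [None, None]
        self.next_seq = 1

    @staticmethod
    def _parse(raw: Optional[bytes]) -> Optional[Tuple[int, State]]:
        if raw is None:
            return None
        try:
            body, trailer = raw.rsplit(b"\n", 1)
            meta = json.loads(trailer)
            if hashlib.sha256(body).hexdigest() != meta["sha256"]:
                return None
            return int(meta["seq"]), json.loads(body)
        except (ValueError, KeyError, TypeError):
            return None   # missing trailer, bad JSON or digest mismatch: torn write

    def _area_to_overwrite(self) -> int:
        """Never overwrite the newest valid checkpoint: pick an invalid area
        if there is one, otherwise the older of the two."""
        parsed = [self._parse(a) for a in self.areas]
        if parsed[0] is None:
            return 0
        if parsed[1] is None:
            return 1
        return 0 if parsed[0][0] < parsed[1][0] else 1

    def save(self, state: State, crash_after: Optional[int] = None) -> int:
        """Write a checkpoint and return its sequence number. If crash_after
        is given, only that many bytes reach the area before a simulated crash."""
        body = json.dumps(persistable_state(state), sort_keys=True).encode()
        trailer = json.dumps({"seq": self.next_seq,
                              "sha256": hashlib.sha256(body).hexdigest()}).encode()
        record = body + b"\n" + trailer
        target = self._area_to_overwrite()
        if crash_after is not None and crash_after < len(record):
            self.areas[target] = record[:crash_after]     # torn write
            raise Crash(f"power lost after {crash_after} bytes")
        self.areas[target] = record
        self.next_seq += 1
        return self.next_seq - 1

    def recover(self) -> Optional[State]:
        """Restart path: the valid area with the highest sequence number wins."""
        valid = [p for p in (self._parse(a) for a in self.areas) if p is not None]
        if not valid:
            return None
        return max(valid, key=lambda p: p[0])[1]
```

Two complete saves followed by a save that crashes part-way leave the second checkpoint untouched, and recover() returns it; this is the "older version to revert to" from the slide, and the price is exactly the slide's consequence, two areas of persistence data kept on disk at all times.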
Summary
Capabilities provide much more granularity of control than ACLs
Capabilities solve security issues unsolvable with ACLs
ACLs are much simpler to implement and provide for a faster OS