Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control in Practice CS461/ECE422 Fall 2010.

Published byAlvin Wilkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Access Control in Practice CS461/ECE422 Fall 2010."— Presentation transcript:

1 Access Control in Practice CS461/ECE422 Fall 2010

2 9/29/2010Computer Security I2 Reading Computer Security – Chapter 2 Computer Security – Chapter 15

3 9/29/2010Computer Security I3 Outline Evolution of OS Object Access Control –Access control lists –Capabilities

4 9/29/2010Computer Security I4 In the Beginning... The program owned the machine –Access all power of the hardware –Could really mess things up Executives emerged –Gather common functionality Multi-user systems required greater separation –Multics, the source of much early OS development

5 9/29/2010Computer Security I5 Types of Separation Physical –Use separate physical resources, e.g. Printers, disk drives Temporal –Time slice different users Logical –Create virtual environment to make it seem that programs are running independently Cryptographic –Hide data and computation from others

6 9/29/2010Computer Security I6 Protecting objects Desire to protect logical entities –Memory –Files or data sets –Executing program –File directory –A particular data structure like a stack –Operating system control structures –Privileged instructions

7 9/29/2010Computer Security I7 Access Control Matrix Access Control Matrix (ACM) and related concepts provides very basic abstraction –Map different systems to a common form for comparison –Enables standard proof techniques –Not directly used in implementation

8 9/29/2010Computer Security I8 Definitions Protection state of system –Describes current settings, values of system relevant to protection Access control matrix –Describes protection state precisely –Matrix describing rights of subjects –State transitions change elements of matrix

9 9/29/2010Computer Security I9 Description objects (entities) subjects s1s2…sns1s2…sn o 1 … o m s 1 … s n Subjects S = { s 1,…,s n } Objects O = { o 1,…,o m } Rights R = { r 1,…,r k } Entries A[s i, o j ]   R A[s i, o j ] = { r x, …, r y } means subject s i has rights r x, …, r y over object o j

10 9/29/2010Computer Security I10 Example 1 Processes p, q Files f, g Rights r, w, x, a, o f g p q prwo r rwxo w qa ro r rwxo

11 9/29/2010Computer Security I11 Example 2 Procedures inc_ctr, dec_ctr, manage Variable counter Rights +, –, call counter inc_ctr dec_ctr manage inc_ctr+ dec_ctr– manage call call call

12 9/29/2010Computer Security I12 State Transitions Change the protection state of system |– represents transition –X i |–  X i+1 : command  moves system from state X i to X i+1 –X i |– * X i+1 : a sequence of commands moves system from state X i to X i+1 Commands often called transformation procedures

13 9/29/2010Computer Security I13 Example Transitions

14 9/29/2010Computer Security I14 Example Composite Transition

15 9/29/2010Computer Security I15 HRU Model Harrison, Ruzzo, and Ullman proved key safety results in 1976 Talked about systems –With initial protection state expressed in ACM –State transition commands built from a set of primitive operations –Applied conditionally.

16 9/29/2010Computer Security I16 HRU Commands and Operations command α(X1, X2,..., Xk) if rl in A[Xs1, Xo1] and r2 in A[Xs2, Xo2] and... rk in A[Xsk, Xok] then op1; op2; … opn end 6 Primitive Operations enter r into A[Xs, Xo] delete r from A[Xs, Xo] create subject Xs create object Xo destroy subject Xs destroy object Xo

17 9/29/2010Computer Security I17 Practical object access control Can slice the logical ACM two ways –By row: Store with subject –By column: Store with object objects (entities) subjects s1s2…sns1s2…sn o 1 … o m s 1 … s n

18 9/29/2010Computer Security I18 Access Control List Slice by Object –Used by Multics and most modern OS's Let S be set of subjects and R set of rights in system –Access Control List (ACL) l is set of pairs –acl(o) = { (s i, r i ) : 1 ≤ i ≤ n } means any s i can access o using r i

19 9/29/2010Computer Security I19 Example 1 Processes p, q Files f, g Rights r, w, x, a, o f g p q prwo r rwxo w qa ro r rwxo

20 9/29/2010Computer Security I20 Unix Access Control Three permission octets associated with each file and directory – Owner, group, and other – Read, write, execute For each file/directory – Can specify RWX permissions for one owner, one group, and one other

21 9/29/2010Computer Security I21 Windows ACL

22 9/29/2010Computer Security I22 Windows ACL Actually two ACL's per file –System ACL (SACL) – controls auditing and now integrity controls –Discretionary ACL (DACL) – controls object access Windows ACLs apply to all named objects –Files –Pipes –Events

23 9/29/2010Computer Security I23 ACL Distinctions What subjects can modify an object's ACL? If there is a privileged user, do the ACLs apply to that user? Does the ACL support groups or wildcards? How are contradictory access control permissions handled? If a default permission is allowed, do the ACL permissions modify it, or is the default only used when the subject is not mentioned in the ACL?

24 9/29/2010Computer Security I24 Revoking rights with ACLs Revoking rights for subject s to a particular object o straightforward –Remove s from ACL(o) –Make sure s has a negative entry in the ACL(o) Example: Alice removes all of Bob's rights to f –What if Bob had given Carol read rights to f? –Should Carol still have those rights?

25 9/29/2010Computer Security I25 ACL Scaling Groups of users Role Base Access Control –Users can take on role at a time Directory inheritance Negative rights

26 9/29/2010Computer Security I26 Practical object access control Can slice the logical ACM two ways –By row: Store with subject –By column: Store with object objects (entities) subjects s1s2…sns1s2…sn o 1 … o m s 1 … s n

27 9/29/2010Computer Security I27 Capability List Slice by Subject –Experimented with in the 80's. Often with object-oriented systems. Let O be set of objects and R set of rights in system –Capability list (C-List) c is a set of pairs –cap(s) = { (o i, r i ) : 1 ≤ i ≤ n } means s can access o i using r i

28 9/29/2010Computer Security I28 Example 1 Processes p, q Files f, g Rights r, w, x, a, o f g p q prwo r rwxo w qa ro r rwxo

29 9/29/2010Computer Security I29 Capability Integrity Subject presents capability to access object –Capability encapsulates object ID with allowed rights. Unlike ACLs, capabilities are not completely contained by the OS Capability integrity is a big concern –Tagged memory –Segmented memory –Cryptographic hashs

30 9/29/2010Computer Security I30 Capabilities and propagation Copy rights –Separate version of the base right, e.g read-copy –Some systems had explicit copy bit Right amplification –May need to temporarily amplify rights to object –Perhaps just within particular method or module –Combine abstract class rights with object rights –Counter module example In generally user only has right to invoke counter module on variable of counter type In counter code, process must perform additional operations.

31 9/29/2010Computer Security I31 Revoking capabilities Easy to revoke all rights to a given subject What about revoking everyone's rights to a particular object?

32 9/29/2010Computer Security I32 Capabilities HW Intel iAPX 432 (mid ’70s) – Tried to put even more security enforcement in hardware – Capabilities and object-oriented – Implementation too complex and compiler technology not sufficiently smart – http://en.wikipedia.org/wiki/Intel_iAPX_432 http://en.wikipedia.org/wiki/Intel_iAPX_432 IBM System/38 – From about the same time period – Also had hardware capabilities support Capability-Based Computer Systems by Henry N. Levy – http://www.cs.washington.edu/homes/levy/capabook/ http://www.cs.washington.edu/homes/levy/capabook/

33 9/29/2010Computer Security I33 Protection Rings CS 15.4 – describes Multics implementation Intel Pentium II Software Developer’s Manual: Volume 3. Sections 4.5 through 4.8 – http://developer.intel.com/design/processor/man uals/253668.pdf http://developer.intel.com/design/processor/man uals/253668.pdf

34 9/29/2010Computer Security I34 Memory Protection Rings Originally in Multics In Intel arch since x386

35 9/29/2010Computer Security I35 Privilege Levels CPU enforces constraints on memory access and changes of control between different privilege levels Similar in spirit to Bell-LaPadula access control restrictions Hardware enforcement of division between user mode and kernel mode in operating systems – Simple malicious code cannot jump into kernel space

36 9/29/2010Computer Security I36 Data Access Rules Access allowed if – CPL <= DPL and RPL <= DPL

37 9/29/2010Computer Security I37 Data Access Rules Three players – Code segment has a current privilege level CPL – Operand segment selector has a requested privilege level RPL – Data Segment Descriptor for each memory includes a data privilege level DPL Segment is loaded if CPL <= DPL and RPL <= DPL – i.e. both CPL and RPL are from more privileged rings

38 9/29/2010Computer Security I38 Data Access Examples

39 9/29/2010Computer Security I39 Direct Control Transfers For non-conforming code (the common case) – RPL <= CPL && CPL == DPL – Can only directly jump to code at same privilege level

40 9/29/2010Computer Security I40 Calling Through Gates DLP

41 9/29/2010Computer Security I41 Call Gate Access Rules For Call – CPL <= CG DPL – RPL <= CG DPL – Dst CS DPL <= CPL Same for JMP but – Dst CS DPL == CPL

42 9/29/2010Computer Security I42 Call Gate Examples

43 9/29/2010Computer Security I43 Stack Switching Automatically performed when calling more privileged code – Prevents less privileged code from passing in short stack and crashing more privileged code – Each task has a stack defined for each privilege level

44 9/29/2010Computer Security I44 Hardware Rings Only most basic features generally used – 2 rings – Installed base Time to adoption – Must wait for widespread system code, e.g. Windows NT

45 9/29/2010Computer Security I45 Key Points Separation elements evolved in OS for safety as much as security Memory protections –Segments and pages and rings –HW support Object access control –File ACLs –Capabilities

Download ppt "Access Control in Practice CS461/ECE422 Fall 2010."

Similar presentations

Trusted System Elements and Examples CS461/ECE422 Fall 2011.

Trusted System Elements and Examples CS461/ECE422 Fall 2011.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.

Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
Chapter 14: Protection.

Chapter 14: Protection.
G22.3250-001 Robert Grimm New York University Protection and the Control of Information Sharing in Multics.

G Robert Grimm New York University Protection and the Control of Information Sharing in Multics.
Chapter 14: Protection.

Chapter 14: Protection.
Access Control CS461/ECE422 Spring 2012. Reading Material Chapter 4 through section 4.5 Chapters 25 and 26 – For the access control aspects of Unix and.

Access Control CS461/ECE422 Spring Reading Material Chapter 4 through section 4.5 Chapters 25 and 26 – For the access control aspects of Unix and.
Lecture 7 Access Control

Lecture 7 Access Control
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 14: Protection.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Protection.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Protection.
Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.

Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.
Protection.

Protection.
Systems Security & Audit Operating Systems security.

Systems Security & Audit Operating Systems security.
Csci5233 computer security & integrity 1 Access Control Matrix.

Csci5233 computer security & integrity 1 Access Control Matrix.
ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.

ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.

Similar presentations

Ads by Google