access control in practice cs461/ece422 fall 2010
TRANSCRIPT
![Page 1: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/1.jpg)
Access Control in Practice
CS461/ECE422
Fall 2010
![Page 2: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/2.jpg)
9/29/2010 Computer Security I 2
Reading• Computer Security – Chapter 2• Computer Security – Chapter 15
![Page 3: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/3.jpg)
9/29/2010 Computer Security I 3
Outline• Evolution of OS• Object Access Control
– Access control lists– Capabilities
![Page 4: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/4.jpg)
9/29/2010 Computer Security I 4
In the Beginning...• The program owned the machine
– Access all power of the hardware– Could really mess things up
• Executives emerged– Gather common functionality
• Multi-user systems required greater separation– Multics, the source of much early OS
development
![Page 5: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/5.jpg)
9/29/2010 Computer Security I 5
Types of Separation• Physical
– Use separate physical resources, e.g. Printers, disk drives
• Temporal– Time slice different users
• Logical– Create virtual environment to make it seem that
programs are running independently• Cryptographic
– Hide data and computation from others
![Page 6: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/6.jpg)
9/29/2010 Computer Security I 6
Protecting objects• Desire to protect logical entities
– Memory– Files or data sets– Executing program– File directory– A particular data structure like a stack– Operating system control structures– Privileged instructions
![Page 7: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/7.jpg)
9/29/2010 Computer Security I 7
Access Control Matrix
• Access Control Matrix (ACM) and related concepts provides very basic abstraction– Map different systems to a common form for
comparison– Enables standard proof techniques– Not directly used in implementation
![Page 8: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/8.jpg)
9/29/2010 Computer Security I 8
Definitions
• Protection state of system– Describes current settings, values of system
relevant to protection
• Access control matrix– Describes protection state precisely– Matrix describing rights of subjects– State transitions change elements of matrix
![Page 9: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/9.jpg)
9/29/2010 Computer Security I 9
Description
objects (entities)
subj
ects
s1
s2
…
sn
o1 … om s1 … sn• Subjects S = { s1,…,sn }
• Objects O = { o1,…,om }
• Rights R = { r1,…,rk }
• Entries A[si, oj] R
• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
![Page 10: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/10.jpg)
9/29/2010 Computer Security I 10
Example 1
• Processes p, q
• Files f, g
• Rights r, w, x, a, o
f g p q
p rwo r rwxo w
q a ro r rwxo
![Page 11: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/11.jpg)
9/29/2010 Computer Security I 11
Example 2• Procedures inc_ctr, dec_ctr, manage• Variable counter• Rights +, –, call
counter inc_ctr dec_ctr manage
inc_ctr +
dec_ctr –
manage call call call
![Page 12: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/12.jpg)
9/29/2010 Computer Security I 12
State Transitions
• Change the protection state of system
• |– represents transition– Xi |– Xi+1: command moves system from state
Xi to Xi+1
– Xi |– * Xi+1: a sequence of commands moves system from state Xi to Xi+1
• Commands often called transformation procedures
![Page 13: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/13.jpg)
9/29/2010 Computer Security I 13
Example Transitions
![Page 14: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/14.jpg)
9/29/2010 Computer Security I 14
Example Composite Transition
![Page 15: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/15.jpg)
9/29/2010 Computer Security I 15
HRU Model
• Harrison, Ruzzo, and Ullman proved key safety results in 1976
• Talked about systems– With initial protection state expressed in ACM– State transition commands built from a set of
primitive operations– Applied conditionally.
![Page 16: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/16.jpg)
9/29/2010 Computer Security I 16
HRU Commands and Operations• command α(X1, X2 , . . ., Xk)
if rl in A[Xs1, Xo1] and r2 in A[Xs2, Xo2] and ... rk in A[Xsk, Xok]then
op1; op2; … opnend
• 6 Primitive Operations• enter r into A[Xs, Xo]• delete r from A[Xs, Xo]• create subject Xs• create object Xo• destroy subject Xs• destroy object Xo
![Page 17: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/17.jpg)
9/29/2010 Computer Security I 17
Practical object access control• Can slice the logical ACM two ways
– By row: Store with subject– By column: Store with object
objects (entities)
subj
ects
s1
s2
…
sn
o1 … om s1 … sn
![Page 18: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/18.jpg)
9/29/2010 Computer Security I 18
Access Control List• Slice by Object
– Used by Multics and most modern OS's• Let S be set of subjects and R set of rights in
system– Access Control List (ACL) l is set of pairs
– acl(o) = { (si, r
i) : 1 ≤ i ≤ n } means any s
i can
access o using ri
![Page 19: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/19.jpg)
9/29/2010 Computer Security I 19
Example 1
• Processes p, q
• Files f, g
• Rights r, w, x, a, o
f g p q
p rwo r rwxo w
q a ro r rwxo
![Page 20: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/20.jpg)
9/29/2010 Computer Security I 20
Unix Access Control
• Three permission octets associated with each file and directory– Owner, group, and other
– Read, write, execute
• For each file/directory– Can specify RWX permissions for one owner, one
group, and one other
![Page 21: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/21.jpg)
9/29/2010 Computer Security I 21
Windows ACL
![Page 22: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/22.jpg)
9/29/2010 Computer Security I 22
Windows ACL• Actually two ACL's per file
– System ACL (SACL) – controls auditing and now integrity controls
– Discretionary ACL (DACL) – controls object access
• Windows ACLs apply to all named objects– Files– Pipes– Events
![Page 23: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/23.jpg)
9/29/2010 Computer Security I 23
ACL Distinctions• What subjects can modify an object's ACL?• If there is a privileged user, do the ACLs
apply to that user?• Does the ACL support groups or wildcards?• How are contradictory access control
permissions handled?• If a default permission is allowed, do the
ACL permissions modify it, or is the default only used when the subject is not mentioned in the ACL?
![Page 24: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/24.jpg)
9/29/2010 Computer Security I 24
Revoking rights with ACLs• Revoking rights for subject s to a particular
object o straightforward– Remove s from ACL(o)– Make sure s has a negative entry in the ACL(o)
• Example: Alice removes all of Bob's rights to f– What if Bob had given Carol read rights to f?– Should Carol still have those rights?
![Page 25: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/25.jpg)
9/29/2010 Computer Security I 25
ACL Scaling• Groups of users• Role Base Access Control
– Users can take on role at a time• Directory inheritance• Negative rights
![Page 26: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/26.jpg)
9/29/2010 Computer Security I 26
Practical object access control• Can slice the logical ACM two ways
– By row: Store with subject– By column: Store with object
objects (entities)
subj
ects
s1
s2
…
sn
o1 … om s1 … sn
![Page 27: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/27.jpg)
9/29/2010 Computer Security I 27
Capability List• Slice by Subject
– Experimented with in the 80's. Often with object-oriented systems.
• Let O be set of objects and R set of rights in system– Capability list (C-List) c is a set of pairs
• – cap(s) = { (o
i, r
i) : 1 ≤ i ≤ n } means s can access
oi using r
i
![Page 28: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/28.jpg)
9/29/2010 Computer Security I 28
Example 1
• Processes p, q
• Files f, g
• Rights r, w, x, a, o
f g p q
p rwo r rwxo w
q a ro r rwxo
![Page 29: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/29.jpg)
9/29/2010 Computer Security I 29
Capability Integrity• Subject presents capability to access object
– Capability encapsulates object ID with allowed rights.
• Unlike ACLs, capabilities are not completely contained by the OS
• Capability integrity is a big concern– Tagged memory– Segmented memory– Cryptographic hashs
![Page 30: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/30.jpg)
9/29/2010 Computer Security I 30
Capabilities and propagation• Copy rights
– Separate version of the base right, e.g read-copy– Some systems had explicit copy bit
• Right amplification– May need to temporarily amplify rights to object– Perhaps just within particular method or module– Combine abstract class rights with object rights– Counter module example
• In generally user only has right to invoke counter module on variable of counter type
• In counter code, process must perform additional operations.
![Page 31: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/31.jpg)
9/29/2010 Computer Security I 31
Revoking capabilities• Easy to revoke all rights to a given subject• What about revoking everyone's rights to a
particular object?
![Page 32: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/32.jpg)
9/29/2010 Computer Security I 32
Capabilities HW
• Intel iAPX 432 (mid ’70s)– Tried to put even more security enforcement in hardware– Capabilities and object-oriented– Implementation too complex and compiler technology not
sufficiently smart– http://en.wikipedia.org/wiki/Intel_iAPX_432
• IBM System/38– From about the same time period– Also had hardware capabilities support
• Capability-Based Computer Systems by Henry N. Levy– http://www.cs.washington.edu/homes/levy/capabook/
![Page 33: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/33.jpg)
9/29/2010 Computer Security I 33
Protection Rings
• CS 15.4 – describes Multics implementation• Intel Pentium II Software Developer’s
Manual: Volume 3. Sections 4.5 through 4.8– http://developer.intel.com/design/processor/man
uals/253668.pdf
![Page 34: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/34.jpg)
9/29/2010 Computer Security I 34
Memory Protection Rings
• Originally in Multics
• In Intel arch since x386
![Page 35: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/35.jpg)
9/29/2010 Computer Security I 35
Privilege Levels
• CPU enforces constraints on memory access and changes of control between different privilege levels
• Similar in spirit to Bell-LaPadula access control restrictions
• Hardware enforcement of division between user mode and kernel mode in operating systems– Simple malicious code cannot jump into kernel space
![Page 36: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/36.jpg)
9/29/2010 Computer Security I 36
Data Access Rules
• Access allowed if– CPL <= DPL and RPL <= DPL
![Page 37: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/37.jpg)
9/29/2010 Computer Security I 37
Data Access Rules
• Three players– Code segment has a current privilege level CPL
– Operand segment selector has a requested privilege level RPL
– Data Segment Descriptor for each memory includes a data privilege level DPL
• Segment is loaded if CPL <= DPL and RPL <= DPL – i.e. both CPL and RPL are from more privileged rings
![Page 38: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/38.jpg)
9/29/2010 Computer Security I 38
Data Access Examples
![Page 39: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/39.jpg)
9/29/2010 Computer Security I 39
Direct Control Transfers
• For non-conforming code (the common case)– RPL <= CPL && CPL == DPL– Can only directly jump to code at same privilege level
![Page 40: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/40.jpg)
9/29/2010 Computer Security I 40
Calling Through Gates
DLP
![Page 41: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/41.jpg)
9/29/2010 Computer Security I 41
Call Gate Access Rules
• For Call– CPL <= CG DPL
– RPL <= CG DPL
– Dst CS DPL <= CPL
• Same for JMP but– Dst CS DPL == CPL
![Page 42: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/42.jpg)
9/29/2010 Computer Security I 42
Call Gate Examples
![Page 43: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/43.jpg)
9/29/2010 Computer Security I 43
Stack Switching
• Automatically performed when calling more privileged code– Prevents less privileged code from passing in short
stack and crashing more privileged code
– Each task has a stack defined for each privilege level
![Page 44: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/44.jpg)
9/29/2010 Computer Security I 44
Hardware Rings
• Only most basic features generally used– 2 rings– Installed base
• Time to adoption–Must wait for widespread system code, e.g.
Windows NT
![Page 45: Access Control in Practice CS461/ECE422 Fall 2010](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f4e5503460f94c6f93f/html5/thumbnails/45.jpg)
9/29/2010 Computer Security I 45
Key Points• Separation elements evolved in OS for
safety as much as security• Memory protections
– Segments and pages and rings– HW support
• Object access control– File ACLs– Capabilities