bracket capability for distributed systems security
TRANSCRIPT
Talal A. Alsubaie
Presenting Evered's paper (2001)
Talal A. Alsubaie1
Bracket Capability for Distributed Systems Security
Overview
Protection in Operating System
Distributed System Security
Access Control
Access Control Lists
Capabilities
Case Study
Bracket Capabilities
Bracket Capabilities Implementation
Protection in Operating System
Protection features are provided by the OS.
There are several approaches to controlling access to objects: the Access Control Matrix, ACLs and capabilities.
Most security concerns are about controlling access.
Protection in Operating System
Entities that can perform actions in the system are called subjects, e.g. Ahmed's account.
Entities representing resources to which access may need to be controlled are called objects, e.g. the file xyz.
(Figure: Subject --access--> Object)
Protected Objects
Typical objects we desire to protect:
Memory
Disk and tape drives
Printers
Programs
Networks
Data
…
Distributed System Security
Components of a distributed system can be viewed as objects according to the object-oriented paradigm.
One advantage of an object-oriented approach is that security can be based on the interface methods of an object.
In this presentation we'll talk about access control in object-oriented systems.
Access Control
Access control is the ability to permit or deny the use of a particular resource by a particular entity.
Access control mechanisms can be used in managing:
Physical resources, e.g. entering the university.
Logical resources, e.g. a bank account.
Digital resources, e.g. a text document.
We'll use a banking system as the running example.
Access Control
(Figure: Request for Operation -> Authorize Request)
Imagine a server with a number of entities (which we will call objects) under its control.
Requests come in, but are allowed only if the sender has sufficient access rights.
Access control is the mechanism that verifies those rights.
Access Control List (ACL)
Access Control List (ACL)
A list of permissions attached to an object. The list specifies who is allowed to access the object and what operations are allowed to be performed on the object.
Each entry in the list specifies a subject and an operation.
Example: (Ahmed, Write), (Saleh, Read), (Mohammed, Read/Write) on the file XYZ.
General Schema
One list for each object.
Shows all users who have access, and what access each user has.
Can have default entries for any users: specific users have explicit rights and all other users have default rights.
Objects can be shared by all possible users.
Example ACL for the file XYZ:
    Ahmed      R
    Mohammed   R/W
    Talal      W
    Omar       Deny
How does an ACL work?
Subject (s) creates request (r), i.e. the pair (r, s), and sends it to the object.
The object consults its ACL:
    if (s appears in ACL)
        if (r appears in ACL[s]) grant access;
Capabilities
Capabilities
A capability is a token (or ticket, or key) which:
Gives the possessor certain rights to an object.
Must be unforgeable.
May grant transfer (or propagate) rights, something like delegation of authority: a right to pass copies of capabilities to others.
Should also be revocable.
The user holds a "ticket" for each resource. Example: (XYZ, delete), held by Ahmed.
How do capabilities work?
A request (r) is created for object (o), and the capability (C) is passed along with it:
    (r, o), (C)
The object checks the capability:
    if (r appears in C) grant access;
Case Study: E-Banking System using Java
Java Interface
An interface is a contract between a class and the outside world. When a class implements an interface, it promises to provide the behavior published by that interface.
    interface Bicycle {
        void changeGear(int newValue);
        void speedUp(int increment);
        void applyBrakes(int decrement);
    }

    class MyBicycle implements Bicycle {
        // remainder of this class
    }
Banking System
(Figure: a Bank Account object)
    // Pseudo-Java from the slides: the full interface of an Accounts object.
    // "new" here names the creation method, as in the paper; it is not a Java keyword use.
    interface Accounts {
        void new(Key newKey, String name);
        void deposit(Key key, Currency amount);
        void withdraw(Key key, Currency amount);
        Currency balance(Key key);
        String getName(Key key);
        void setInterest(Percent rate);
        void transfer(Key fromKey, Key toKey, Currency amount);
    }
Semantic Role-based Access Control
Access rights can be granted on the basis of the roles of the users.
A bank teller may have access to the deposit and withdraw methods.
(Figure: Teller role)
While the bank manager may also have access to the method for setting the interest rate.
(Figure: Bank Manager role)
Semantic Role-based Access Control
In terms of per-method access control, the previous mechanism is not ideal: all the methods of the object are still known to all the users, even those who cannot call them.
Ideally, in a need-to-know security environment, someone who is not allowed to invoke a method should not even KNOW of the existence of that method.
Extending Role-based Security
An ATM machine only requires access to the withdraw and balance methods of an Accounts object, so we define a view for it, ATMAccounts:
    interface ATMAccounts {
        void withdraw(Key key, Currency amount);
        Currency balance(Key key);
    }
Extending Role-based Security
What access to an Accounts object should be given to the owner of an individual account? We must ensure that only the right account is being accessed.
This means that the Key parameter of balance and getName, and the fromKey parameter of transfer, must be restricted to a particular value (the owner's account number).
Extending Role-based Security
We would like the account owner to view the object as if it had the type MyAccount:
The MyAccount object can be seen as a virtual object.
    interface MyAccount {
        Currency balance();
        String getName();
        void transfer(Key toKey, Currency amount);
    }
Bracket Capabilities
Bracket Capabilities
To gain access to an object, the object is "opened" using a capability. For example:
    Accounts acc = c.open();
where c is a variable of type Capability.
Bracket Capabilities
Each persistent object, as well as implementing an interface such as Accounts, also implements the standard interface Persistent, which includes methods such as deleteObject, deleteCapability and refine.
The refine method is called when the possessor of a capability wishes to grant a more restricted view of the object to other users in the system.
The refine method is called as:
Talal A. Alsubaie28
    x = c.open();
    Capability cref = x.refine(interface, class);
Bracket Capabilities
(Figure: capability c opens the object directly, while the refined capability cref reaches the object only through a bracketing object that implements the restricted interface.)
Bracket Capabilities
It can be seen that calls using the capability cref are directed through a kind of proxy, or bracketing object.
Talal A. Alsubaie30
Capability C
Capability Cerf
Interface
BracketingObject
Bracket Capabilities Implementation
    acc = objc.open();
    Capability AtmCap = acc.refine(ATMAccounts, Account);
(Figure: Capability objc opens the full Account object; Capability AtmCap reaches it only through the ATMAccount interface.)
Bracket Capabilities Implementation
(Figure: the result of a further refine operation. From Capability AtmCap, bound to the ATMAccount interface, another capability cerf2 is derived that reaches the object through a further interface, Interface2.)
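The following is an added example written for this transcript; it is not code from the slides or from Evered's paper. It sketches the bracket-capability mechanism described above in plain Java: a Capability whose open() returns a bracketing proxy typed only as its current view, a refine that can only narrow that view (the attempt to widen back to Accounts is rejected), and a deleteCapability that also disables every capability refined from it, as the further-refine figure implies. Key and Currency are simplified to String and long, and the Persistent interface's methods are folded into Capability; these are assumptions of the example, not the paper's design.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class BracketDemo {
    // Full interface of the persistent object (names follow the slides; Key -> String, Currency -> long).
    public interface Accounts { void withdraw(String key, long amount); long balance(String key); void setInterest(int rate); }
    // Restricted view for the ATM: setInterest is not part of this type at all, so it cannot even be named.
    public interface ATMAccounts { void withdraw(String key, long amount); long balance(String key); }

    public static final class BankAccount implements Accounts {      // constructed sample object
        private long cents = 10_000; private int rate;
        public void withdraw(String key, long amount) { cents -= amount; }
        public long balance(String key) { return cents; }
        public void setInterest(int r) { rate = r; }
    }

    public static final class Capability {
        private final Object target; private final Class<?> view; private final Capability parent;
        private boolean revoked;
        Capability(Object target, Class<?> view, Capability parent) { this.target = target; this.view = view; this.parent = parent; }
        public static Capability forObject(Object target, Class<?> fullView) { return new Capability(target, fullView, null); }
        boolean isRevoked() { return revoked || (parent != null && parent.isRevoked()); }
        public void deleteCapability() { revoked = true; }     // also kills everything refined from this capability

        // refine may only narrow: every method of the requested view must already exist in the current view.
        public Capability refine(Class<?> narrower) {
            for (Method m : narrower.getMethods()) {
                try { view.getMethod(m.getName(), m.getParameterTypes()); }
                catch (NoSuchMethodException e) { throw new SecurityException("refine cannot widen: " + m.getName()); }
            }
            return new Capability(target, narrower, this);
        }

        // open returns the bracketing object: a proxy of the view type that re-checks revocation on every call.
        public Object open() {
            InvocationHandler bracket = (proxy, m, args) -> {
                if (isRevoked()) throw new SecurityException("capability revoked");
                return target.getClass().getMethod(m.getName(), m.getParameterTypes()).invoke(target, args);
            };
            return Proxy.newProxyInstance(view.getClassLoader(), new Class<?>[] { view }, bracket);
        }
    }

    public static void main(String[] a) {
        Capability objc = Capability.forObject(new BankAccount(), Accounts.class);
        Capability atmCap = objc.refine(ATMAccounts.class);        // as on the slide: acc.refine(ATMAccounts, ...)
        ATMAccounts atm = (ATMAccounts) atmCap.open();
        atm.withdraw("k1", 2_500);
        System.out.println(atm.balance("k1"));                     // atm.setInterest(..) would not compile
        try { atmCap.refine(Accounts.class); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        objc.deleteCapability();                                  // revoking the parent disables atmCap too
        try { atm.balance("k1"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Because the proxy implements only the view interface, a holder of atmCap has no handle through which setInterest could be reached, which is the need-to-know property the slides ask for.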
Talal A. Alsubaie, eMail: [email protected], Web: www.talals.net