Fall 2008 CS 334: Computer Security

Role of Access Control
• Before closing “back doors” we need to close “front doors”
• Access control: determines access to files & processes in OS
• We will return to these themes throughout the course

Classic Models of Security
• Computer security has its origin in military models of security
• Different levels of secrecy
  – e.g. classified/secret/top secret
• Compartmentalized security
  – e.g. nuclear, communications, etc.
  – TS/SCI (top secret/sensitive compartmented information)

Corresponding Access Control
• Classic model → Mandatory Access Control (MAC)
  – (we also use the abbreviation MAC for “message authentication code”)
• User controlled security → Discretionary Access Control (DAC)

Subjects and Objects
• Subjects do things
  – users, processes …
• Objects have things done to them
  – files, processes …
• Access types are the things that are done
  – read, write, append, list, detect, remove, execute …
• Note that some things can be both subjects and objects (processes appear in both lists)

Read and Write are Different
• Access types can be distinguished by whether they pass information
• Generally “write” passes information (to another subject)
• Generally “read” does not pass information (to another subject)
General Access Control
• Memory relatively easy: all accesses to memory go through a program, so we can refer to the program (or programmer) as the accessing agent
• With general objects:
  – User (or subject) could be:
    • Person who uses computing system
    • Program
    • Programmer
    • Another object
    • Something else that seeks to use an object

General Access Control
• Control of access to memory relatively easy: every access guaranteed to go through certain points in hardware
• With general objects:
  – Number of access points may be large
  – May be no central authority through which all accesses pass
  – Access may not be limited to read, write, or execute

Access Control Goals
• Check every access
  – May want to revoke a user’s privilege to access an object (i.e. no indefinite access to object)
  – May want to prevent further access immediately after revocation
• Enforce Least Privilege
  – Subject should have access to the least number of objects necessary to perform its task, even if the extra information appears to be useless or harmless.
• Verify Acceptable Usage
  – Access to object may be a yes-no decision, but it is equally important to check that the activity to be performed on the object is appropriate
  – E.g. Stack: only push, pop, clear, etc. are acceptable

General Access Control Mechanisms
• Directory
• Access control matrix
• Access control list
• Capability

Directory
• Works like a file directory
• Every file (object) has a unique owner who controls access rights (including the right to declare who has what access) and controls revocation of those rights
Directory
• Advantages
  – Easy to implement
    • One list per user, listing all accesses
• Difficulties
  – List becomes too large if many shared objects are accessible to all users
    • Directory of each user must have entry for each such shared object (even if user never uses object)
    • Deletion of object must be reflected in all directories

Directory
• Difficulties
  – Access revocation
    • If A passes access right for object F to B, then entry for F is created in B’s directory
    • Revocation of access rights for everyone requires search of each individual directory entry for right to F (could be 10,000 directories)
    • And B may have passed access rights for F to another user, so user can’t be counted on to know that this new user’s rights should be revoked

Thorny Directory Problem
• User S has trouble remembering contents of F from the name, so wants to rename it.
• So subject S is allowed to rename file to any name unique to the directory of S. So F from A could be called Q to S.
• S later forgets that Q is F from A, and so requests access again from A for F.
• But now A may have more trust in S, so it grants greater access rights
• Leaves open the possibility that S may have two different sets of access rights to F, one under the name F, one under the name Q. Thus pseudonyms can lead to multiple (and inconsistent) permissions for a given object
Bottom line: too simple for most object protection situations!

Access Control Matrix
• Each row represents a subject, each column an object.
  – Entries are access rights for specific subject to specific object
Sparse Matrix Representations
• Access Control Lists (ACLs)
  – objects list subjects and access types
  – example: this file can be modified by Alice and read by Charlie
• Capabilities
  – subjects have particular “permissions”
  – example: Bob is allowed to modify files
• Hybrid models also exist

Problems with Access Control Matrix
• In general a sparse matrix (most subjects don’t have access rights to many objects)
  – Can be implemented as a list of <subject, object, rights> triples, though rarely done because of the inefficiency of searching a large number of such triples.
• Hard to manage
  • Who can manage different entries?
  • What if we need to give “temporary rights”?
  • Common entries?
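As an added example (not from the lecture slides), the same constructed access control matrix stored in both sparse forms the slides describe: one list per object (ACLs) and one list per subject (capabilities). The two views reconstruct the same matrix, which is the “equivalent in representative power” point, while revoking every subject’s access to one object costs one operation in the ACL view and a scan of every subject’s list in the capability view, the revocation problem raised for directories. Subject and object names are constructed.

```python
from collections import defaultdict

# Constructed sample matrix: rows are subjects, columns are objects,
# entries are the rights that subject holds on that object.
MATRIX = {
    "alice":   {"F": {"read", "write"}, "payroll.db": {"read"}},
    "bob":     {"F": {"read"}},
    "charlie": {"F": {"read"}, "payroll.db": {"read", "write"}},
}

def to_acls(matrix):
    """Column view: object -> {subject: rights}. One list per object."""
    acls = defaultdict(dict)
    for subj, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subj] = set(rights)
    return dict(acls)

def to_capabilities(matrix):
    """Row view: subject -> {object: rights}. One list per subject."""
    return {subj: {obj: set(r) for obj, r in row.items()}
            for subj, row in matrix.items()}

def check(acls, subj, obj, right):
    """Mediate one request: consult the object's ACL (check every access).
    Unknown objects or subjects get no rights by default."""
    return right in acls.get(obj, {}).get(subj, set())

def revoke_all_acl(acls, obj):
    """ACL view: revoking everyone's access to obj touches one list."""
    acls.pop(obj, None)
    return 1  # number of lists that had to be inspected

def revoke_all_caps(caps, obj):
    """Capability view: every subject's list must be searched for obj,
    because nothing records which subjects currently hold it."""
    inspected = 0
    for row in caps.values():
        inspected += 1
        row.pop(obj, None)
    return inspected
```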
Access Control List
• One such list for each object
  – Shows all subjects who should have access to the object and what their access is
• Different from directory because there is one access control list per object, whereas a directory is created for each subject
• This may seem trivial, but it provides some significant advantages:

Consider subjects A and S, both with access rights to F. The OS maintains a single access list for F, showing access rights for A and S. The list can contain default rights for some users and custom rights for others. So a public object can be shared by all possible users of the system without the need for an object entry in the individual directory of each user.

Capability
• Subject can create object and specify operations allowed on that object (e.g., read, write, execute permissions on files, subprocesses, data segments)
• User can also define completely new objects (e.g., new data structure) and can define types of accesses previously unknown to OS.
• One possible access right to object is transfer or propagate
  • Subject with this right can pass copies of capabilities to other subjects
  • These passed capabilities have a list of permitted access types, one of which might also be transfer

ACLs & Capabilities: Equivalent?
• In representative power, yes
  – Both are sparse matrix representations of the Access Control Matrix
• In philosophy, no
  – Often come with particular features & OS philosophy
  – Capabilities often appeal to researchers
  – But capability systems often work poorly
  – Perennial claim: Capability lists are coming back!

Who Determines Identity?
• In (non-distributed) multi-user systems, usually OS
  – Login
• In distributed systems
  – Sometimes a central authority
    • (trusted third party, e.g., Kerberos)
    • Single login
  – Sometimes knowledge of a password
    • (e.g., ssh or “guest” file sharing in Windows)
    • Remote login

Where is ACL Applied?
• Some systems: on the file
• Some systems: on the directory
• Some systems: combination
Who is Allowed to Modify ACL?
• In some systems, the “owner” of the file/process/directory
• Example: chmod command in UNIX
  – World access: read/write/execute
    • For directories: read = list items; execute = “enter” directory
  – Owner access: read/write/execute

Fine-Grained Control
• But we need options other than “world access” or “owner-only access”
• General ACLs allow arbitrary access, but hard to manage
• Solution: groups

Groups
• A group is a single id such as
  – “Richmond-undergrads”
  – “friends of Cosmin”
  – “administrative access”
• A group administrator maintains group membership list

More on UNIX chmod
• World: read/write/execute
• Group: read/write/execute
• Owner: read/write/execute
• Can change owner using chown command

Temporary Access
• This is an area where capabilities systems excel
  – “transferring a capability”
  – Sometimes like giving a reference
• ACL systems need special mechanism
  – UNIX: “setuid”
  – Windows NT/XP: “run as”

Procedure-Oriented Access Control
• We run a program to determine access
• Example: Web server access
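As an added example (not from the slides) of the owner/group/world model behind chmod, the following evaluates UNIX mode bits for a subject and applies the directory meaning the slides give: read = list items, execute = enter. It also checks that every directory on the path is enterable before the final object is reached, and shows that UNIX selects exactly one of the three classes rather than taking their union. The uids, gids and modes are constructed.

```python
class Node:
    """A constructed file or directory with UNIX-style ownership and mode."""
    def __init__(self, owner, group, mode, is_dir=False):
        self.owner, self.group, self.mode, self.is_dir = owner, group, mode, is_dir

def permitted(node, uid, gids, right):
    """right is 'read', 'write' or 'execute'.
    Owner bits apply if uid matches; otherwise group bits if one of the
    subject's groups matches; otherwise world bits. Exactly one class is
    consulted, so an owner with mode 0o077 gets nothing."""
    bit = {"read": 0o4, "write": 0o2, "execute": 0o1}[right]
    if uid == node.owner:
        cls = (node.mode >> 6) & 0o7
    elif node.group in gids:
        cls = (node.mode >> 3) & 0o7
    else:
        cls = node.mode & 0o7
    return bool(cls & bit)

def can_list(node, uid, gids):
    """Directory read bit = permission to list the entries."""
    return node.is_dir and permitted(node, uid, gids, "read")

def can_enter(node, uid, gids):
    """Directory execute bit = permission to enter (traverse) it."""
    return node.is_dir and permitted(node, uid, gids, "execute")

def can_reach(path_nodes, uid, gids, right):
    """To act on the final object, every directory leading to it must be
    enterable, then the object's own bits decide the requested right."""
    *dirs, target = path_nodes
    return (all(can_enter(d, uid, gids) for d in dirs)
            and permitted(target, uid, gids, right))

# Constructed sample tree: /  ->  /home/alice  ->  /home/alice/notes.txt
ROOT  = Node(owner=0,    group=0,   mode=0o755, is_dir=True)
HOME  = Node(owner=1000, group=100, mode=0o710, is_dir=True)  # group: enter, not list
NOTES = Node(owner=1000, group=100, mode=0o644)
PATH  = [ROOT, HOME, NOTES]
```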