Access Control Mechanisms
CSSE 490 Computer Security
Mark Ardis, Rose-Hulman Institute
April 20, 2004
Overview
• Access Control Lists
• Capability Lists
• Locks and Keys
• Ring-Based Access Control
Access Control Lists
• Def: Let S be a set of subjects, R a set of rights. An access control list (ACL) l is a set of pairs l = {(s, r): s ∈ S, r ⊆ R}
• We write acl(o) = {(s_i, r_i): 1 ≤ i ≤ n} to denote that subject s_i may access object o using any right in r_i
Example ACL
acl(file 1) = {(proc 1, {r, w, own}), (proc 2, {a})}
acl(file 2) = {(proc 1, {r}), (proc 2, {r, own})}
acl(proc 1) = {(proc 1, {r, w, x, own}), (proc 2, {r})}
acl(proc 2) = {(proc 1, {w}), (proc 2, {r, w, x, own})}
Abbreviations of ACLs
• Unix
  • 3 types of users for each file: owner, group, all others
  • 3 types of permission: read, write, execute
• AFS
  • ability to define access rights for any specific user or group
  • 7 types of permission: read, list, insert, delete, write, lock, administer
Capabilities
• Def: Let O be a set of objects, R a set of rights. A capability list c is a set of pairs c = {(o, r): o ∈ O, r ⊆ R}
• We write cap(s) = {(o_i, r_i): 1 ≤ i ≤ n} to denote that subject s may access object o_i using any right in r_i
Example Capability List
cap(proc 1) = {(file 1, {r, w, own}), (file 2, {r}), (proc 1, {r, w, x, own}), (proc 2, {w})}
cap(proc 2) = {(file 1, {a}), (file 2, {r, own}), (proc 1, {r}), (proc 2, {r, w, x, own})}
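The ACL and capability-list definitions above are two readings of the same access control matrix: an ACL is a column (everything about one object), a capability list is a row (everything about one subject). The following Python is an added example, not code from the slides: it encodes the four ACLs from the Example ACL slide, performs a reference-monitor style check, and derives each subject's capability list by transposing the ACLs, which should reproduce the Example Capability List slide. The helper names (`allowed`, `capability_list`, `subjects_with_right`, `objects_with_right`) are this example's own.

```python
"""ACLs versus capability lists, as an added example (not from the slides).
The constructed sample data is the Example ACL slide; the capability list
is derived from it rather than typed in separately."""

from typing import Dict, Set

# Constructed sample: acl(o) maps each subject s_i to its rights r_i on o.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "file 1": {"proc 1": {"r", "w", "own"}, "proc 2": {"a"}},
    "file 2": {"proc 1": {"r"}, "proc 2": {"r", "own"}},
    "proc 1": {"proc 1": {"r", "w", "x", "own"}, "proc 2": {"r"}},
    "proc 2": {"proc 1": {"w"}, "proc 2": {"r", "w", "x", "own"}},
}


def allowed(acl: Dict[str, Dict[str, Set[str]]], subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check: is `right` in the entry for `subject` on `obj`?
    An unknown object or a subject with no entry is denied (default deny)."""
    return right in acl.get(obj, {}).get(subject, set())


def capability_list(acl: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Derive cap(s) for every subject by reading the matrix by row
    (subject) instead of by column (object)."""
    cap: Dict[str, Dict[str, Set[str]]] = {}
    for obj, entries in acl.items():
        for subject, rights in entries.items():
            cap.setdefault(subject, {})[obj] = set(rights)
    return cap


def subjects_with_right(acl: Dict[str, Dict[str, Set[str]]], obj: str, right: str) -> Set[str]:
    """The review question an ACL answers cheaply: who may do `right` on `obj`?"""
    return {s for s, rights in acl[obj].items() if right in rights}


def objects_with_right(cap: Dict[str, Dict[str, Set[str]]], subject: str, right: str) -> Set[str]:
    """The review question a capability list answers cheaply:
    what may `subject` do `right` to?"""
    return {o for o, rights in cap[subject].items() if right in rights}


if __name__ == "__main__":
    cap = capability_list(ACL)
    for s in sorted(cap):
        print(f"cap({s}) = {cap[s]}")
    # proc 2 holds only append on file 1, so a write is refused
    print(allowed(ACL, "proc 2", "file 1", "w"))
```

Note the asymmetry the two review helpers expose: with ACLs, "who can read file 2?" is a single lookup, while "what can proc 1 own?" needs a scan of every object; with capability lists it is the reverse. Revoking a right is likewise local to one object under ACLs but scattered across subjects under capabilities.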
Locks and Keys
• Associate a piece of information (the lock) with each object.
• Associate a second piece of information (the key) with each subject allowed to access the object.
• May have multiple locks and keys for the same object
  • or-access: provide multiple locks (and keys)
  • and-access: lock multiple times
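The or-access and and-access rules above are simple set comparisons once a lock and a key are modelled as opaque tokens. The Python below is an added example, not code from the slides: `or_access` and `and_access` implement the two rules, and `threshold_lock` composes them (an or-access over one and-lock per t-subset of holders) into the "any t of n" rule that the later Implementing Threshold Schemes slide says locks and keys can express. The key-equals-lock-token modelling and all function names are this example's own assumptions.

```python
"""Locks and keys with or-access and and-access, as an added example
(not from the slides).  A lock is a token stored with the object; a
subject's key set is compared with it.  Sample tokens are constructed."""

from itertools import combinations
from typing import Iterable, List, FrozenSet, Set

Key = str  # assumption: a key that matches a lock is the same opaque token


def or_access(locks: Set[Key], keys: Set[Key]) -> bool:
    """or-access: the object carries several locks; any one matching key opens it."""
    return bool(locks & keys)


def and_access(locks: Set[Key], keys: Set[Key]) -> bool:
    """and-access: the object is locked several times; every lock must be matched."""
    return locks <= keys


def threshold_lock(holders: Iterable[Key], t: int) -> List[FrozenSet[Key]]:
    """Build an or-of-and lock: one and-lock per t-subset of the n holders.
    or-access over these and-locks means any t holders together can open the
    object.  This is the lock-and-key route to a (t, n)-threshold; it costs
    C(n, t) and-locks, which is why the polynomial route scales better."""
    holders = sorted(set(holders))
    if not 1 <= t <= len(holders):
        raise ValueError("need 1 <= t <= n")
    return [frozenset(subset) for subset in combinations(holders, t)]


def threshold_open(and_locks: List[FrozenSet[Key]], present: Set[Key]) -> bool:
    """or-access over the and-locks: succeed if the keys present satisfy
    at least one and-lock, i.e. at least t of the holders are present."""
    return any(and_access(set(lock), present) for lock in and_locks)


if __name__ == "__main__":
    # Constructed sample: an object with two alternative locks
    print(or_access({"lock-A", "lock-B"}, {"lock-B"}))     # opens
    print(and_access({"lock-A", "lock-B"}, {"lock-B"}))    # does not open
    # The later slide's scenario: 10 officials, any 3 suffice
    officials = {f"official-{i}" for i in range(1, 11)}
    locks = threshold_lock(officials, 3)
    print(len(locks))                                      # C(10, 3) = 120
    print(threshold_open(locks, {"official-2", "official-7", "official-9"}))
    print(threshold_open(locks, {"official-2", "official-7"}))
```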
Type Checking: a Form of Locks and Keys
• Unix prevents writing to a directory using normal file operations
• Might restrict read and write to data, execute to instructions
• PDP-11
  • prevents buffer overflow
• DTEL policy language can enforce type checking
Sharing Secrets
• Problem: Need to ensure that at least 3 senior officials agree that the country is under attack before launching a counterstrike.
• Place 10 officials in different parts of the country; each official has a part of the key.
• How should the key be divided?
Threshold Schemes
• Def: A (t, n)-threshold scheme is a cryptographic scheme in which a datum is divided into n parts, any t of which are sufficient to determine the original datum
Implementing Threshold Schemes
• Could use locks and keys
  • combinations of or- and and-access could be used
• Could use a polynomial of degree t-1 with n example evaluations
  • requires t values to rederive the polynomial
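The polynomial approach on this slide is Shamir's construction: hide the datum as the constant term of a random polynomial of degree t-1, hand each of the n holders one evaluation, and let any t holders rederive the polynomial by Lagrange interpolation at x = 0. The Python below is an added example, not code from the slides; it works over a prime field (the prime, the share numbering 1..n, and the function names are this example's own choices) and round-trips the Sharing Secrets scenario of 10 officials with a threshold of 3.

```python
"""(t, n)-threshold scheme from a degree t-1 polynomial, as an added
example (not from the slides).  Arithmetic is modulo a prime so that
every nonzero element has an inverse and fewer than t shares reveal
nothing about the constant term."""

import secrets
from typing import List, Tuple

PRIME = 2**127 - 1  # constructed parameter: a Mersenne prime larger than any secret split here
Share = Tuple[int, int]  # (x, f(x))


def split_secret(secret: int, t: int, n: int, prime: int = PRIME) -> List[Share]:
    """Pick f(x) = secret + a1*x + ... + a_{t-1}*x^(t-1) with random
    coefficients and return the n evaluations f(1), ..., f(n)."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    if not 0 <= secret < prime:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(t - 1)]
    shares: List[Share] = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule, reduced mod p at each step
            y = (y * x + c) % prime
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Share], prime: int = PRIME) -> int:
    """Lagrange interpolation at x = 0 through the given shares.
    With t or more distinct shares this is the secret.  With fewer it
    still returns a number, but one unrelated to the secret: that is
    the threshold property, not an error the function can detect."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (0 - xj)) % prime  # numerator of L_i(0)
                den = (den * (xi - xj)) % prime  # denominator of L_i(0)
        lagrange = num * pow(den, -1, prime) % prime
        total = (total + yi * lagrange) % prime
    return total


def three_of_ten_round_trip(secret: int) -> bool:
    """The slide's scenario: 10 officials, any 3 of them suffice."""
    shares = split_secret(secret, 3, 10)
    chosen = [shares[1], shares[6], shares[8]]  # officials 2, 7 and 9
    return recover_secret(chosen) == secret


if __name__ == "__main__":
    print(three_of_ten_round_trip(123456789))
```

Compared with the lock-and-key route, the polynomial route needs only n shares rather than C(n, t) locks, and it degrades gracefully: two shares of a degree-2 polynomial are consistent with every possible secret, so an attacker holding them learns nothing.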
Ring-Based Access Control (Multics)
• Data and procedures occupy different segments
• Segments have ACLs for r, w, x, a
• Protection rings:
  • procedure executes in ring r
  • higher rings have fewer privileges
Access Brackets
• Each data segment has access bracket (a1, a2) with a1 ≤ a2
• Assume procedure executing in ring r
  • r ≤ a1: all access permitted
  • a1 < r ≤ a2: r, x permitted, but w, a denied
  • a2 < r: all accesses denied
Call Brackets
• Each procedure may have a call bracket (c1, c2) with c1 ≤ c2
• By convention c1 = a2, so may write (a1, a2, a3) where (a1, a2) is access bracket and (a2, a3) is call bracket
• Assume procedure executing in ring r
  • r < a1: access permitted, but ring fault occurs
  • a1 ≤ r ≤ a2: all access permitted, no ring fault
  • a2 < r ≤ a3: access permitted through valid gate
  • a3 < r: all access denied
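The two bracket rules above are ordered comparisons of the caller's ring against the bracket boundaries. The Python below is an added example, not code from the slides: `data_access` decides an access-bracket request on a data segment and `procedure_call` decides a call-bracket transfer to a procedure segment written as (a1, a2, a3), returning the same outcome wording the slides use. It assumes the segment's ACL already grants the right in question and that the caller reports whether the transfer enters through a valid gate; those inputs and the function names are this example's own.

```python
"""Multics-style access and call brackets, as an added example (not from
the slides).  Rings are numbered so that a higher number means fewer
privileges; ACL checks on the segment are assumed to have passed."""

from typing import Tuple


def data_access(r: int, bracket: Tuple[int, int], right: str) -> bool:
    """Access bracket (a1, a2) on a data segment, checked for a procedure
    executing in ring r asking for one of the rights r, w, x, a."""
    a1, a2 = bracket
    if not a1 <= a2:
        raise ValueError("access bracket must satisfy a1 <= a2")
    if right not in ("r", "w", "x", "a"):
        raise ValueError("unknown right")
    if r <= a1:
        return True                  # r <= a1: all access permitted
    if a1 < r <= a2:
        return right in ("r", "x")   # a1 < r <= a2: r, x permitted; w, a denied
    return False                     # a2 < r: all accesses denied


def procedure_call(r: int, bracket: Tuple[int, int, int], via_gate: bool) -> str:
    """Call bracket for a procedure segment written (a1, a2, a3), where
    (a1, a2) is the access bracket and (a2, a3) the call bracket.
    via_gate says whether the transfer lands on a valid gate entry."""
    a1, a2, a3 = bracket
    if not a1 <= a2 <= a3:
        raise ValueError("bracket must satisfy a1 <= a2 <= a3")
    if r < a1:
        return "permitted, ring fault"   # more privileged caller: fault to switch rings
    if a1 <= r <= a2:
        return "permitted"               # inside the access bracket: no ring fault
    if a2 < r <= a3:
        return "permitted" if via_gate else "denied"  # less privileged caller must use a gate
    return "denied"                      # a3 < r: outside the call bracket


if __name__ == "__main__":
    # Constructed sample: a data segment with access bracket (2, 4)
    print(data_access(1, (2, 4), "w"), data_access(3, (2, 4), "w"), data_access(5, (2, 4), "r"))
    # Constructed sample: a procedure segment with brackets (1, 3, 5)
    for ring in (0, 2, 4, 6):
        print(ring, procedure_call(ring, (1, 3, 5), via_gate=True),
              procedure_call(ring, (1, 3, 5), via_gate=False))
```

The security point of the gate check is that a less privileged ring (a2 < r ≤ a3) may only enter a more privileged procedure at entry points the procedure itself designates, so it cannot jump into the middle of privileged code; outside a3 even a gate does not help.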