270 likes | 413 Views
CMSC 414 Computer (and Network) Security Lecture 13. Jonathan Katz. Midterm?. Will be held Oct 21, in class Will cover everything up to and including the preceding lecture (Oct 16) Includes all reading posted on the class syllabus!. Access control lists (ACLs).
E N D
CMSC 414Computer (and Network) SecurityLecture 13 Jonathan Katz
Midterm? • Will be held Oct 21, in class • Will cover everything up to and including the preceding lecture (Oct 16) • Includes all reading posted on the class syllabus!
Access control lists (ACLs) • Instead of storing central matrix, store each column with the object it represents • Stored as pairs (s, r) • Subjects not in list have no rights • Can use wildcards to give default rights
Example: Unix • Unix divides users into three classes: • Owner of the file • Group owner of the file • All other users • Note that this leaves little flexibility… • Some systems have been extended to allow for more flexibility • Abbrev. ACLs overridden by explicit ACLs
Handling conflicts • Conflicts may arise if two entries give different permissions to a subject • Multiple ways of resolving this; e.g.: • Allow access if any entry gives rights • Allow access only if no entry denies rights • Apply first applicable entry
Default permissions? • Two approaches • Apply ACL entry, if it exists; otherwise, apply default rule • I.e., ACL entries override default permissions • Augment the default permissions with those in the appropriate ACL entry • Example: what if default allows “read” and ACL entry states “write”?
Revocation • How to handle revocation? • Easy to revoke all access with ACLs • But…what if two different users granted the same right to the same person? • E.g., both A and B give rights to C. Now A wants to revoke C’s rights. But B still wants to allow rights… • Can store a history of ACL modifications
Example: Windows NT • Rights: • Read; write; execute; delete; own • Generic (groups of) rights: • No access; read; change; full • Also, a “special access” right (allows any combination of rights)
Example, continued… • When user accesses a file • If user not present in ACL, nor member of any group in ACL, deny access • If user (or group containing user) is explicitly denied access in ACL, deny access • Else, user has union of all rights from each ACL entry for user (or group containing user)
Example, continued… • Paul, Quentin are in group “students” • Quentin, Regina are in group “staff” • File with ACL: (staff, full), (Quentin, change), (students, no access), (Paul, no access) • Regina has full access • Quentin has no access (since in “students”) • Paul has no access • Note: an explicit deny overrides any permissions • Safer to explicitly disallow access when unwanted • E.g., in case “students” is later allowed access
Capabilities • The “dual” of ACLs • The row of an access control matrix is associated with the corresponding subject • More complex to implement securely than ACLs • A process must identify a capability… • …so must have some control over it • (In contrast, the OS controls files)
Protecting capabilities • Can “tag” capabilities so they can be read, but not modified, by processes • Or, store capabilities in protected memory • Can also use cryptography to ensure integrity of capabilities • Using a message authentication code, with a key known to the OS
Copying capabilities • Copying a capabilities implies giving rights • Copy flag is associated with capabilities • Process cannot copy the capability unless this flag is set
Revocation • How to revoke access to a file? • Would potentially require revoking all capabilities associated with that file • One solution: indirection • Capabilities name an entry in a table, rather than an object itself • To revoke access to object, invalidate entry in table • Or, change random number associated with object • Difficult to revoke access by a single subject
Potential problems • What if one process gives capabilities to another? (Possibly indirectly) • Can lead to security violation • One solution: assign security classifications to capabilities • E.g., when capability created, its classification is the same as the requesting process • Capability contains rights depending on the object to which it refers
ACLs vs. capabilities • Given a subject, what objects can it access? (capabilities) • Given an object, which subjects can access it? (ACLs) • Second question is asked more often than first • For incident response, capabilities may be preferable • “What else did this subject access?”
“Locks and keys” • Combines ACLs and capabilities • “Lock” associated with each object • “Key” associated with each subject authorized to access this object • When subject tries to access object, its set of keys is checked; if it has a key corresponding to the object’s lock, access allowed
Important distinction • ACLs and capabilities are “static” • Require manual intervention to change • Locks and keys are “dynamic” • May change on their own in response to changes in the system
Example • Cryptographic key used to encrypt a file • A file cannot be “read” unless the subject has the encryption key • Can also enforce that requests from n users are required in order to read data (and-access), or that any of n users are able to read data (or-access)
Cryptographic secret sharing • (t, n)-threshold scheme to share a “key” • Using this to achieve (t, n)-threshold encryption • Shamir secret sharing
Another example • Type checking • E.g., label memory locations as either “data” or “instructions” • Do not allow execution of type “data” • Can potentially be used to limit buffer overflows
Ring-based access control • Memory and files (e.g., disk space) are viewed as equivalent • E.g., a program is loaded into memory and run, or a file is loaded into RAM • Termed “segments” • Two types of segments: data and procedure • ACLs specify rights on per-user basis • All procedures executed by a user have rights associated with that user
Ring-based access control • Sequence of 64 “protection rings” • Kernel in ring 0 • Higher ring numbers have lower privileges • Proc. in ring r wants to access data segment • Data associated with access bracket (a, b) • If r a, access allowed • If r > b, no access • Else, read allowed; write denied
Ring-based access control • Procedure in ring r wants to execute another procedure segment • Procedure segment has access bracket (a, b), and also has call bracket (b, c) • If r < a, access permitted but “ring fault” occurs and trap to kernel • If r lies between a and b, all access permitted • If r lies between b and c, access permitted via “gate” • If r > c, all access denied
Why brackets? • In theory, a process or file should be assigned to one ring • However, this would require a call to the OS every time a process from another ring needed access; access bracket fixes this problem • Call bracket allows user to execute programs in well-defined ways (i.e., via gates)
Propagated ACLs • Associated with data, not the object holding the data • Prevents one user from copying data in a file to a new file, thereby giving access to the data • When a subject reads from an object, the subject’s PACL is updated • When an object is created, the object takes on the PACL of the creator
Example… • A creates file f, and allows B, D to access it • After B reads f, PACLnew(B) = PACLold(B) PACL(A) • If B creates new file f’, this file is assigned PACLnew(B) • User U can access f’ only if U is in both PACLold(B) and PACL(A)