390 likes | 526 Views
463.9 Access Control Mechanisms. UIUC CS463 Computer Security. Based on slides provided by Matt Bishop for use with Computer Security: Art and Science. Overview. Access control lists Capabilities Object capabilities. Required. Reading: Sections 15.1 and 15.2
E N D
463.9 Access Control Mechanisms UIUC CS463 Computer Security Based on slides provided by Matt Bishop for use with Computer Security: Art and Science
Overview • Access control lists • Capabilities • Object capabilities
Required • Reading: Sections 15.1 and 15.2 • Exercises: Section 15.9 exercises 2 to 6
Access Control Mechanisms • Most of security concerns controlling access • Three levels of access control • High-level policy (e.g. Chinese Wall, Biba, …) • Low-level policy (access control matrix) • Mechanism
Access Control Lists • Columns of access control matrix file1file2file3 Andy rx r rwo Betty rwxo r Charlie rx rwo w ACLs: • file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) } • file2: { (Andy, r) (Betty, r) (Charlie, rwo) } • file3: { (Andy, rwo) (Charlie, w) }
Default Permissions • Normal: if not named, no rights over file • Principle of Fail-Safe Defaults • If many subjects, may use groups or wildcards in ACL • UNICOS: entries are (user, group, rights) • If user is in group, has rights over file • ‘*’ is wildcard for user, group • (holly, *, r): holly can read file regardless of her group • (*, gleep, w): anyone in group gleep can write file
Abbreviations • ACLs can be long … so combine users • UNIX: 3 classes of users: owner, group, rest • rwxrwxrwx rest group owner • Ownership assigned based on creating process • Group set to current group of process • Can change it to any other group the user belongs to • Some systems: if directory has setgid permission, file group owned by group of directory (SunOS, Solaris)
ACLs + Abbreviations • Augment abbreviations with explicit ACLs • ACLs override abbreviations • Example: IBM AIX • Base permissions are abbreviations, extended permissions are ACLs with user, group • ACL entries can add rights, but on deny, access is denied
Permissions in IBM AIX attributes: base permissions owner(bishop): rw- group(sys): r-- others: --- extended permissions enabled specify rw- u:holly permit -w- u:heidi, g=sys permit rw- u:matt deny -w- u:holly, g=faculty
ACL Modification • Who can do this? • Creator is given own right that allows this • System R provides a grant modifier (like a copy flag) allowing a right to be transferred, so ownership not needed • Transferring right to another modifies ACL • Before: File1: (Alice, rg), (Bob, rwo) • Alice grants her read right to Carol • After: File1: (Alice, rg), (Bob, rwo), (Carol, r) • Root can (usually) alter ACLs as well
Privileged Users • Do ACLs apply to privileged users (root)? • Solaris: abbreviated lists do not, but full-blown ACL entries do • Other vendors: varies • Used to restrict power of administrative user
Conflicts • Deny access if any entry would deny access • AIX: if any entry denies access, regardless of rights given so far, access is denied • Apply first entry matching subject • Cisco routers: run packet through access control rules (ACL entries) in order; on a match, stop, and forward the packet; if no matches, deny • Note default is deny so honors principle of fail-safe defaults
Handling Default Permissions • Apply ACL entry, and, if none, use defaults • Cisco router: apply matching access control rule, if any, otherwise, use default rule (deny) • Augment defaults with those in the appropriate ACL entry • AIX: extended permissions augment base permissions
Revocation Question • How do you remove subject’s rights to a file? • Owner deletes subject’s entries from ACL, or rights from subject’s entry in ACL • What if ownership not involved? • Depends on system • System R: restore protection state to what it was before right was given • May mean deleting descendent rights too …
Windows NT ACLs • Different sets of rights • Basic: read, write, execute, delete, change permission, take ownership • Generic: no access, read (read/execute), change (read/write/execute/delete), full control (all), special access (assign any of the basics) • Directory: no access, read (read/execute files in directory), list, add, add and read, change (create, add, read, execute, write files; delete subdirectories), full control, special access
Accessing Files • User not in file’s ACL nor in any group named in file’s ACL: deny access • ACL entry denies user access: deny access • Take union of rights of all ACL entries giving user access: user has this set of rights over file
Capability Lists • Rows of access control matrix C-Lists: • Andy: { (file1, rx) (file2, r) (file3, rwo) } • Betty: { (file1, rwxo) (file2, r) } • Charlie: { (file1, rx) (file2, rwo) (file3, w) }
Semantics* • Where are access rights stored • ACL: Each resource (file) has an access list • Capabilities: Each process has a capability list (C-list) • Note: In capabilities, subjects are processes • In ACLs, subjects are users • Capabilities act as “tickets” • Possession of capability implies access rights • Tickets must be unforgeable • Otherwise access control fails
Implementation • Tags / descriptors • Cryptographic tickets • Type system
Tags / Descriptors • Each process has a list of tickets (e.g. CAP system) • Tickets stored in a protected segment • Programs refer to tickets by pointers / indices • Operating system can add / remove tickets • Use file descriptors (e.g. UNIX) • UNIX access control a hybrid system: use ACLs to open a file and get a file descriptor, then use descriptor as a capability • More efficient since only need to check permissions on open
Cryptographic Tickets • Associate with each capability a cryptographic checksum enciphered using a key known to OS • When process presents capability, OS validates checksum • Example: Amoeba, a distributed capability-based system • Capability is (name, creating_server, rights, check_field) and is given to owner of object • check_field is 48-bit random number; also stored in table corresponding to creating_server • To validate, system compares check_field of capability with that stored in creating_server table • Vulnerable if capability disclosed to another process
Differences* • Descriptors - managed by the operating system • Crypto tickets - managed by the process • Copying • Descriptors - possible (e.g. UNIX fd passing), but regulated by the OS • Tickets - arbitrary copying possible
*-Property • Problem with cryptographic tickets C-List Heidi (high) read lough write lough lough (Low) Lou (low) C-List write lough write lough The capability to write file lough is Low, and Heidi is High so she reads (copies) the capability; now she can write to a Low file, violating the *-property!
Remedies • Label capability itself • Rights in capability depends on relation between its compartment and that of object to which it refers • In example, as as capability copied to High, and High dominates object compartment (Low), write right removed • Check to see if passing capability violates security properties • In example, it does, so copying refused • Distinguish between “read” and “copy capability” • Take-Grant model can do this (“read” vs. “take”)
Revocation • Scan all C-lists, remove relevant capabilities • Tags / descriptors - too expensive • Crypto tickets - impossible • Use indirection • Each object has entry in a global object table • Names in capabilities name the entry, not the object • To revoke, zap the entry in the table • Example: Amoeba: owner requests server change random number in server table • All capabilities for that object now invalid • Can have multiple entries for a single object to allow control of different sets of rights and/or groups of users for each object
ACLs, Capabilities, and Least Privilege • Principle of least privilege • “subject should be given only those privileges that it needs in order to complete the task” • Granularity of subjects controls how small “least” is • Capabilities better enforce least privilege • Subjects are processes, not users, can be more restrictive • ACLs with roles form a middle ground
Least Privilege Example • Carol wants to use gcc to compile her file • gcc may (does) have bugs in it • ACLs: gcc runs with Carol’s authority • Can overwrite any of Carol’s files • Roles: Carol can have separate roles • Mail role, development role, browsing role • gcc in development role cannot overwrite other files • Capabilities • Carol gives gcc capabilities to read (particular) source files, write (particular) object files • All other files are safe
Confused Deputy • The confused deputy problem is an attack in which a principal requests an action by a deputy and exploits the authorizations of the deputy to perform actions not allowed for the principal or anticipated for the legitimate mission of the deputy.
Confused Deputy Example • Compilation costs money • Compiler writes accounting information to a file called “BILL” • Compiler given permission to write to “BILL” • Using roles, setuid, … • Compiler takes an optional argument with a file where to write debugging output • “gcc -d debugfile foo.c” • User runs: “gcc -d BILL foo.c” • Destroys billing information
Analysis* • Compiler given authority to write to BILL • Used it for the wrong purpose • How to solve? • In UNIX, access() system call checks permission of caller • Awkward, error-prone • Real problem: ambient authority
Ambient Authority • Permission checks not controlled by user / program • Authority exercised automatically • Doors that magically recognize users, instead of using keys • ACLs have ambient authority • Capability systems can have ambient authority, most do not • POSIX capabilities an exception
Non-ambient authority • User / program chooses which authority to use • E.g. billing capability • open(“BILL”, bill_cap) • open(debug_file, debug_cap) • Will fail if debug_file == “BILL” • Better yet, combine designation and authority
Object Capability Systems • Objects are used as “capabilities” • In effect, the type system and memory model use abstraction to limit the privileges of objects • Examples: KeyKOS and EROS
Example class Compiler { static private File billFile; public void compile(File debugFile) { billFile.append(billing entry); debugFile.write(debug info); } } • Permissions enforced by type system • No way to write to a file without a reference
Object Capability Systems* • Object references are capabilities • Requires memory safety • Both names the object and grants access • Objects are accessed through methods • Methods mediate access • Execution model and access model unified • Objects are subjects as well • Low granularity subjects • Dynamic subject creation
Object Proxies • Most policies enforced by proxy object • E.g. read-only file access class ReadOnlyFile { private File myFile; public ReadOnlyFile(File f) { myFile = f; } public read() { return myFile.read() } } • Compiler.compile(ReadOnlyFile(sourceFile))
Revocation class Caretaker { Object target; public Caretaker(Object o) { this.target = o; } class Revocable { match(verb, args) { call(target, verb, args); } } revoke() { target = null; } } }; Caretaker caretaker(object); Bob.pass(caretaker.Revocable()); … caretaker.revoke();
ACLs and Capabilities • ACLs: Answers “Who can access this file?” • Useful when formulating policies • C-List: Answers “What files can this process access” • Useful in investigation • Object capabilities: Answers: “Which methods/objects are accessible in this code?”
Key Points • Access control mechanisms provide enforcement strategies for high-level policies and their low-level instances • Three key techniques described here • Access Control Lists (ACLs) • Capabilities • Type-based privileges