Computer Security 463.5 Access Control Mechanisms (PowerPoint transcript)

1
Computer Security 463.5 Access Control Mechanisms
  • Fall 2005

Based on slides provided by Matt Bishop for use
with Computer Security Art and Science
2
Overview
  • Access control lists
  • Capability lists
  • Locks and keys

3
Required
  • Reading Sections 15.1 to 15.3
  • Exercises Section 15.9 exercises 1 to 7

4
Access Control Mechanisms
  • Most of security concerns controlling access
  • Three levels of access control
  • High-level policy (e.g. C-W, Biba, ...)
  • Low-level policy (access control matrix)
  • Mechanism

5
Access Control Lists
  • Columns of access control matrix
                file1    file2    file3
      Andy      rx       r        rwo
      Betty     rwxo     r
      Charlie   rx       rwo      w
  • ACLs
      file1: (Andy, rx) (Betty, rwxo) (Charlie, rx)
      file2: (Andy, r) (Betty, r) (Charlie, rwo)
      file3: (Andy, rwo) (Charlie, w)

6
Default Permissions
  • Normal: if not named, no rights over file
  • Principle of Fail-Safe Defaults
  • If many subjects, may use groups or wildcards in
    ACL
  • UNICOS: entries are (user, group, rights)
  • If user is in group, has rights over file
  • * is wildcard for user, group
  • (holly, *, r): holly can read file regardless of
    her group
  • (*, gleep, w): anyone in group gleep can write
    file

7
Abbreviations
  • ACLs can be long, so combine users
  • UNIX: 3 classes of users: owner, group, rest
        rwx      rwx      rwx
        owner    group    rest
  • Ownership assigned based on creating process
  • Group set to current group of process
  • Can change it to any other group the user belongs
    to
  • Some systems: if directory has setgid permission,
    file group owned by group of directory (SunOS,
    Solaris)

8
ACLs Abbreviations
  • Augment abbreviated lists with ACLs
  • Intent is to shorten ACL
  • ACLs override abbreviations
  • Exact method varies
  • Example: IBM AIX
  • Base permissions are abbreviations, extended
    permissions are ACLs with user, group
  • ACL entries can add rights, but on deny, access
    is denied

9
Permissions in IBM AIX
      attributes:
      base permissions
          owner(bishop):  rw-
          group(sys):     r--
          others:         ---
      extended permissions
          enabled
          specify  rw-  u:holly
          permit   -w-  u:heidi, g:sys
          permit   rw-  u:matt
          deny     -w-  u:holly, g:faculty

10
ACL Modification
  • Who can do this?
  • Creator is given own right that allows this
  • System R provides a grant modifier (like a copy
    flag) allowing a right to be transferred, so
    ownership not needed
  • Transferring right to another modifies ACL
  • Before: File1: (Alice, rg), (Bob, rwo)
  • Alice grants her read right to Carol
  • After: File1: (Alice, rg), (Bob, rwo), (Carol, r)
  • Root can (usually) alter ACLs as well

11
Privileged Users
  • Do ACLs apply to privileged users (root)?
  • Solaris: abbreviated lists do not, but full-blown
    ACL entries do
  • Other vendors: varies
  • Used to restrict power of administrative user

12
Groups and Wildcards
  • Classic form: no; in practice, usually
  • AIX: base perms gave group sys read only. The
    line
        permit -w- u:heidi, g:sys
    adds write permission for heidi when in that
    group
  • UNICOS:
        holly : gleep : r
    user holly in group gleep can read file
        holly : * : r
    user holly in any group can read file
        * : gleep : r
    any user in group gleep can read file

13
Conflicts
  • Deny access if any entry would deny access
  • AIX: if any entry denies access, regardless of
    rights given so far, access is denied
  • Apply first entry matching subject
  • Cisco routers: run packet through access control
    rules (ACL entries) in order; on a match, stop,
    and forward the packet; if no matches, deny
  • Note: default is deny, so honors principle of
    fail-safe defaults

14
Handling Default Permissions
  • Apply ACL entry, and, if none, use defaults
  • Cisco router: apply matching access control rule,
    if any; otherwise, use default rule (deny)
  • Augment defaults with those in the appropriate
    ACL entry
  • AIX: extended permissions augment base permissions
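The two conflict-resolution strategies on the Conflicts slide (deny-wins union as in AIX, first match with an implicit deny as in Cisco routers), written out as an added example that is not part of the slides. The entry and rule formats, the helper names, the "specify replaces the granted set" reading, and the sample packets are all constructed for this example; the AIX entries themselves are the ones listed on the "Permissions in IBM AIX" slide.

```python
# Added example, not from the slides: deny-wins (AIX style) and first-match
# (Cisco style) ACL evaluation. Entry formats, helper names and the sample
# packets are constructed; the AIX entries come from the slide.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AixEntry:
    kind: str                                 # "specify", "permit" or "deny"
    rights: str                               # e.g. "-w-"
    users: set = field(default_factory=set)   # u: names; empty = any user
    groups: set = field(default_factory=set)  # g: names; empty = any group

def to_set(rights):
    return {c for c in rights if c != "-"}

def entry_matches(entry, user, groups):
    """'u:heidi, g:sys' matches heidi only while she is in group sys:
    every named condition must hold."""
    if entry.users and user not in entry.users:
        return False
    return entry.groups <= set(groups)

def aix_access(user, groups, base, extended, requested):
    """Deny-wins evaluation: start from the abbreviated base permissions,
    let matching 'permit' entries add rights ('specify' replaces them, the
    reading assumed here), and refuse outright if any matching 'deny' entry
    covers a requested right, whatever was granted before it."""
    owner, owner_rights = base["owner"]
    group, group_rights = base["group"]
    if user == owner:
        granted = to_set(owner_rights)
    elif group in groups:
        granted = to_set(group_rights)
    else:
        granted = to_set(base["others"])
    for e in extended:
        if not entry_matches(e, user, groups):
            continue
        if e.kind == "deny" and to_set(e.rights) & set(requested):
            return False
        if e.kind == "permit":
            granted |= to_set(e.rights)
        elif e.kind == "specify":
            granted = to_set(e.rights)
    return set(requested) <= granted

# The listing from the "Permissions in IBM AIX" slide.
BASE = {"owner": ("bishop", "rw-"), "group": ("sys", "r--"), "others": "---"}
EXTENDED = [
    AixEntry("specify", "rw-", users={"holly"}),
    AixEntry("permit", "-w-", users={"heidi"}, groups={"sys"}),
    AixEntry("permit", "rw-", users={"matt"}),
    AixEntry("deny", "-w-", users={"holly"}, groups={"faculty"}),
]

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (any protocol)
    src: str                    # "any" or a host address
    dst: str
    port: Optional[int] = None  # destination port; None = any

def first_match(rules, packet):
    """First-match evaluation: rules are tried in order, the first one that
    matches decides, and a packet matching nothing is denied (the implicit
    default honours fail-safe defaults)."""
    for r in rules:
        if r.proto != "ip" and r.proto != packet["proto"]:
            continue
        if r.src not in ("any", packet["src"]) or r.dst not in ("any", packet["dst"]):
            continue
        if r.port is not None and r.port != packet["dport"]:
            continue
        return r.action == "permit"
    return False

# Constructed rule set: a deny for one host placed before the slide's permit line.
RULES = [
    Rule("deny", "ip", "192.0.2.9", "any"),
    Rule("permit", "tcp", "any", "10.1.1.1", 23),   # "eq telnet"
]

if __name__ == "__main__":
    print(aix_access("holly", ["faculty"], BASE, EXTENDED, "w"))   # deny wins: False
    print(first_match(RULES, {"proto": "tcp", "src": "192.0.2.9",
                              "dst": "10.1.1.1", "dport": 23}))    # first rule: False
```

Note that the deny-wins function gives the same answer whatever order the entries are listed in, while the first-match function changes its answer if the deny line is moved below the permit; that ordering sensitivity is exactly what makes router ACLs easy to get wrong.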

15
Revocation Question
  • How do you remove a subject's rights to a file?
  • Owner deletes subject's entries from ACL, or
    rights from subject's entry in ACL
  • What if ownership not involved?
  • Depends on system
  • System R: restore protection state to what it was
    before right was given
  • May mean deleting descendent rights too

16
Windows NT ACLs
  • Different sets of rights
  • Basic: read, write, execute, delete, change
    permission, take ownership
  • Generic: no access, read (read/execute), change
    (read/write/execute/delete), full control (all),
    special access (assign any of the basics)
  • Directory: no access, read (read/execute files in
    directory), list, add, add and read, change
    (create, add, read, execute, write files, delete
    subdirectories), full control, special access

17
Accessing Files
  • User not in file's ACL nor in any group named in
    file's ACL: deny access
  • ACL entry denies user access: deny access
  • Take union of rights of all ACL entries giving
    user access: user has this set of rights over file

18
Capability Lists
  • Rows of access control matrix
  • C-Lists:
  • Andy: (file1, rx) (file2, r) (file3, rwo)
  • Betty: (file1, rwxo) (file2, r)
  • Charlie: (file1, rx) (file2, rwo) (file3, w)

19
Semantics
  • Where are access rights stored?
  • ACL: each resource (file) has an access list
  • Capabilities: each process has a capability list
    (C-list)
  • Note: in capabilities, subjects are processes
  • In ACLs, subjects are users (why?)
  • Capabilities act as a ticket
  • Possession of capability implies access rights
  • Tickets must be unforgeable
  • Otherwise access control fails

20
Implementation
  • Tags / descriptors
  • Cryptographic tickets
  • Type system

21
Tags / descriptors
  • Each process has a list of tickets
  • Tickets stored in a protected segment
  • Programs refer to tickets by pointers / indices
  • Operating system can add / remove tickets
  • E.g. CAP system
  • E.g. UNIX file descriptors
  • UNIX access control is a hybrid system: use ACLs to
    open a file and get a file descriptor, then use
    fd as a capability
  • More efficient, since only have to check
    permissions on open

22
Cryptographic tickets
  • Cryptography
  • Associate with each capability a cryptographic
    checksum enciphered using a key known to OS
  • When process presents capability, OS validates
    checksum
  • Example: Amoeba, a distributed capability-based
    system
  • Capability is (name, creating_server, rights,
    check_field) and is given to owner of object
  • check_field is 48-bit random number also stored
    in table corresponding to creating_server
  • To validate, system compares check_field of
    capability with that stored in creating_server
    table
  • Vulnerable if capability disclosed to another
    process

23
Differences
  • Descriptors - managed by the operating system
  • Crypto tickets - managed by the process
  • Copying
  • Descriptors - possible (e.g. UNIX fd passing),
    but regulated by the OS
  • Tickets - arbitrary copying possible

24
*-Property
  • Problem with cryptographic tickets

  [Diagram: Heidi (High) has a C-List containing
   "read lough"; Lou (low) has a C-List containing
   "write lough"; the file lough is Low. The
   "write lough" capability is copied from Lou's
   C-List into Heidi's.]

  The capability to write file lough is Low, and
  Heidi is High, so she reads (copies) the
  capability; now she can write to a Low file,
  violating the *-property!
25
Remedies
  • Label capability itself
  • Rights in capability depend on relation between
    its compartment and that of object to which it
    refers
  • In example, as capability copied to High, and
    High dominates object compartment (Low), write
    right removed
  • Check to see if passing capability violates
    security properties
  • In example, it does, so copying refused
  • Distinguish between read and copy capability
  • Take-Grant Protection Model does this (read,
    take)

26
Revocation
  • Scan all C-lists, remove relevant capabilities
  • Tags / descriptors - too expensive
  • Crypto tickets - impossible
  • Use indirection
  • Each object has entry in a global object table
  • Names in capabilities name the entry, not the
    object
  • To revoke, zap the entry in the table
  • Example: Amoeba: owner asks the server to change
    the random number in the server table
  • All capabilities for that object now invalid
  • Can have multiple entries for a single object to
    allow control of different sets of rights and/or
    groups of users for each object
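The Amoeba-style scheme from the "Cryptographic tickets" slide and the revocation-by-indirection idea above, as an added example that is not Amoeba's code: a server hands out tickets naming a table entry rather than the object, validates a presented ticket by comparing its check field with the stored one, and revokes by replacing the stored number. The server and object names, the ticket layout, the `attempt()` helper and the object contents are constructed for this example.

```python
# Added example, not Amoeba's code: tickets of the form
# (server, entry, rights, check_field), validated by comparing the check
# field with the server's table and revoked by changing that table entry.
import secrets
from collections import namedtuple

# The ticket a process holds. It names a table entry, not the object itself.
Capability = namedtuple("Capability", "server entry rights check")

class ObjectServer:
    def __init__(self, name):
        self.name = name
        self.objects = {}   # object id -> data
        self.table = {}     # entry id -> [object id, rights, 48-bit check field]
        self._next_entry = 0

    def create(self, data):
        obj_id = len(self.objects)
        self.objects[obj_id] = data
        return obj_id

    def issue(self, obj_id, rights):
        """Make a fresh table entry for (object, rights) and return its ticket.
        One object may have several entries, e.g. one per rights set or group."""
        entry = self._next_entry
        self._next_entry += 1
        self.table[entry] = [obj_id, rights, secrets.randbits(48)]
        return Capability(self.name, entry, rights, self.table[entry][2])

    def _resolve(self, cap, needed):
        """Validate a presented ticket: the check field must equal the stored
        one, and the rights are taken from the table, never from the ticket."""
        row = self.table.get(cap.entry)
        if cap.server != self.name or row is None or row[2] != cap.check:
            raise PermissionError("capability is forged or has been revoked")
        if needed not in row[1]:
            raise PermissionError("right %r not granted by this entry" % needed)
        return row[0]

    def read(self, cap):
        return self.objects[self._resolve(cap, "r")]

    def write(self, cap, data):
        self.objects[self._resolve(cap, "w")] = data

    def revoke(self, owner_cap, entry):
        """The owner asks the server to change the random number of one entry.
        Every ticket naming that entry, including copies held by processes the
        owner never heard of, now fails validation. Other entries are untouched."""
        obj_id = self._resolve(owner_cap, "o")
        row = self.table[entry]
        if row[0] != obj_id:
            raise PermissionError("entry belongs to a different object")
        old = row[2]
        while row[2] == old:             # make sure the stored number really changes
            row[2] = secrets.randbits(48)

def attempt(fn, *args):
    """True if the server allowed the operation, False if it refused."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False

def demo():
    srv = ObjectServer("fileserver")
    obj = srv.create("hello")
    owner = srv.issue(obj, "rwo")      # the creator's own ticket
    lou = srv.issue(obj, "r")          # a read-only entry handed to Lou
    leaked = Capability(*lou)          # Lou's ticket copied to another process
    forged = lou._replace(check=lou.check ^ 1)
    results = {
        "copy_reads": srv.read(leaked),           # possession is all that counts
        "copy_writes": attempt(srv.write, leaked, "x"),
        "forged_reads": attempt(srv.read, forged),
    }
    srv.revoke(owner, lou.entry)
    results["copy_after_revoke"] = attempt(srv.read, leaked)
    results["owner_after_revoke"] = srv.read(owner)
    return results

if __name__ == "__main__":
    print(demo())
```

The `leaked` ticket reading successfully is the vulnerability the slide names: the server never asks who presents the ticket. Revoking Lou's entry invalidates the leak too, while the owner's separate entry keeps working, which is the reason for keeping one table entry per rights set or group.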

27
ACLs, Capabilities, and POLP
  • Principle of least privilege: a subject should be
    given only those privileges that it needs in order
    to complete the task
  • Granularity of subjects controls how small
    "least" is
  • Capabilities better enforce least privilege:
    subjects are processes, not users, so can be more
    restrictive
  • ACLs with roles form a middle ground

28
Least privilege example
  • Carol wants to use gcc to compile her file
  • gcc may (does) have bugs in it
  • ACLs: gcc runs with Carol's authority
  • Can overwrite any of Carol's files
  • Roles: Carol can have separate roles
  • Mail role, development role, browsing role
  • gcc in development role cannot overwrite other
    files
  • Capabilities:
  • Carol gives gcc capabilities to read (particular)
    source files, write (particular) object files
  • All other files are safe

29
cp example
  • Consider UNIX command cp
        cp file1 file2
  • What's the least authority that cp needs to run?
  • Read and write any file the user owns
  • What about cat?
        cat < file1 > file2
  • file1 and file2 passed as file descriptors

30
Confused Deputy Problem
  • Compilation costs money
  • Compiler writes accounting information to a file
    called BILL
  • Compiler given permission to write to BILL
    (using roles, setuid, ...)
  • Compiler takes an optional argument with a file
    where to write debugging output
        gcc -d debugfile foo.c
  • User runs
        gcc -d BILL foo.c
  • Destroys billing information

31
What went wrong?
  • Compiler given authority to write to BILL
  • Used it for the wrong purpose
  • How to solve?
  • In UNIX, access() system call checks permission
    of caller
  • Awkward, error-prone
  • Real problem: ambient authority

32
Ambient Authority
  • Permission checks not controlled by user /
    program
  • Authority exercised automatically
  • Doors that magically recognize users, instead of
    using keys
  • ACLs have ambient authority
  • Capability systems can have ambient authority;
    most don't
  • POSIX Capabilities: an exception

33
Non-ambient authority
  • User / program chooses which authority to use
  • E.g. billing capability:
        open(BILL, bill_cap)
        open(debug_file, debug_cap)
  • Will fail if debug_file is BILL
  • Better yet, combine designation and authority

34
Object Capability Systems
        class Compiler {
            static private File billFile;
            public void compile(File debugFile) {
                billFile.append("billing entry");
                debugFile.write("debug info");
            }
        }
  • Permissions enforced by type system
  • No way to write to a file without a reference
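The confused-deputy compiler of the previous slides, first with ambient authority and then in the object-capability form just shown, as an added example that is not from the slides. An in-memory store with a per-file write ACL stands in for UNIX files; the principals, file names, contents and the `Store`/`Handle` classes are constructed for this example.

```python
# Added example, not from the slides: the confused-deputy compiler in
# miniature. Store and Handle stand in for a file system with an ACL;
# principals, file names and contents are constructed.
class Store:
    """Files plus an ACL naming the principals allowed to write each one."""
    def __init__(self):
        self.files = {"BILL": "alice: 3 compilations\n", "foo.c": "int main(){}\n"}
        self.acl = {"BILL": {"compiler"}, "foo.c": {"alice"}, "foo.dbg": {"alice"}}

    def open_write(self, authority, name):
        """Ambient-style check: any principal in the caller's authority set
        that appears in the file's ACL is enough to get a writable handle."""
        if not (set(authority) & self.acl.get(name, set())):
            raise PermissionError("%r may not write %s" % (sorted(authority), name))
        return Handle(self, name)

class Handle:
    def __init__(self, store, name):
        self._store, self._name = store, name
    def write(self, text):            # truncating write, as the slide's gcc -d does
        self._store.files[self._name] = text
    def append(self, text):
        self._store.files[self._name] = self._store.files.get(self._name, "") + text

def compile_ambient(store, user, debug_name):
    """The compiler runs with its own authority (write to BILL) plus the
    invoking user's, and opens whatever name the user designates."""
    authority = {"compiler", user}
    store.open_write(authority, "BILL").append("%s: 1 compilation\n" % user)
    store.open_write(authority, debug_name).write("debug info\n")   # the confused step

class Compiler:
    """The billing file is a private reference; the debug file is whatever
    handle the caller already holds. Designation and authority arrive
    together, so there is nothing for the compiler to confuse."""
    def __init__(self, bill_handle):
        self._bill = bill_handle
    def compile(self, user, debug_handle):
        self._bill.append("%s: 1 compilation\n" % user)
        debug_handle.write("debug info\n")

def demo():
    store = Store()
    compile_ambient(store, "alice", "BILL")          # alice names BILL as her debug file
    ambient_bill = store.files["BILL"]

    store = Store()
    comp = Compiler(store.open_write({"compiler"}, "BILL"))
    try:                                             # alice must open BILL herself first
        comp.compile("alice", store.open_write({"alice"}, "BILL"))
        attempt = "written"
    except PermissionError:
        attempt = "refused"
    comp.compile("alice", store.open_write({"alice"}, "foo.dbg"))
    return {"ambient_bill": ambient_bill, "ocap_attempt": attempt,
            "ocap_bill": store.files["BILL"], "ocap_debug": store.files["foo.dbg"]}

if __name__ == "__main__":
    print(demo())
```

In the ambient version the compiler never decides whose authority opens the debug file, so the billing record is overwritten; in the object-capability version the attempt fails before the compiler runs at all, because the user cannot produce a writable handle for BILL.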

35
Object Capability Systems
  • Object references are capabilities
  • Requires memory safety (why?)
  • A reference both names the object and grants access
  • Objects are accessed through methods
  • Methods mediate access
  • Execution model and access model unified
  • Objects are subjects as well
  • Small-granularity subjects
  • Dynamic subject creation

36
Object Proxies
  • Most policies enforced by proxy object
  • E.g. read-only file access:
        class ReadOnlyFile {
            private File myFile;
            public ReadOnlyFile(File f) { myFile = f; }
            public read() { return myFile.read(); }
        }
        Compiler.compile(ReadOnlyFile(sourceFile))

37
Revocation
        class Caretaker {
            Object target;
            public Caretaker(Object o) { this.target = o; }
            class Revocable {
                match(verb, args) { call(target, verb, args); }
            }
            revoke() { target = null; }
        }
        Caretaker caretaker(object);
        Bob.pass(caretaker.Revocable());
        caretaker.revoke();
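The ReadOnlyFile proxy from the previous slide and the Caretaker/Revocable pattern above, as an added example in Python that is not the slides' code. The `File` class, the `Revoked` exception and `compile_source()` are constructed for this example; `__getattr__` plays the role of the slide's `match(verb, args)`.

```python
# Added example, not the slides' code: an attenuating proxy (ReadOnlyFile)
# and a revocable forwarder (Caretaker/Revocable). File, Revoked and
# compile_source are constructed for the example.
class File:
    def __init__(self, text=""):
        self.text = text
    def read(self):
        return self.text
    def write(self, text):
        self.text = text

class ReadOnlyFile:
    """Attenuating proxy: keeps the full File to itself and forwards only read()."""
    def __init__(self, f):
        self._file = f
    def read(self):
        return self._file.read()

class Revoked(Exception):
    pass

class Caretaker:
    """Holds the real target and hands out Revocable forwarders to it.
    revoke() drops the target, which cuts every forwarder at once."""
    def __init__(self, target):
        self._target = target
    def revocable(self):
        return Revocable(self)
    def revoke(self):
        self._target = None
    def _forward(self, verb, args):
        if self._target is None:
            raise Revoked(verb)
        return getattr(self._target, verb)(*args)

class Revocable:
    """match(verb, args) on the slide: any method call is forwarded by name."""
    def __init__(self, caretaker):
        self._caretaker = caretaker
    def __getattr__(self, verb):
        return lambda *args: self._caretaker._forward(verb, args)

def compile_source(source):
    """Stands in for Compiler.compile(ReadOnlyFile(sourceFile)): needs only read()."""
    return source.read().upper()

def demo():
    src = File("int main(){}")
    ro = ReadOnlyFile(src)
    results = {"compiled": compile_source(ro),
               "proxy_exposes_write": hasattr(ro, "write")}
    ct = Caretaker(File("shared"))
    bob = ct.revocable()                     # Bob.pass(caretaker.Revocable())
    bob.write("bob was here")
    results["bob_before"] = bob.read()
    ct.revoke()                              # caretaker.revoke()
    try:
        bob.read()
        results["bob_after"] = "still works"
    except Revoked:
        results["bob_after"] = "revoked"
    return results

if __name__ == "__main__":
    print(demo())
```

Python only enforces the underscore convention socially: nothing stops code from reaching into `ro._file`. That is the point of the "requires memory safety (why?)" bullet on the previous slide; an object-capability language makes the private reference genuinely unreachable, which is what turns the proxy into an actual security boundary rather than a convention.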

38
Copying
  • Copying is done by passing references to object
    methods
  • Method argument types are enforced
  • Copying data ≠ copying references
  • *-property is possible
  • File.write() cannot take a capability

39
*-property example

  [Diagram: Alice (HIGH) with HIGH DATA and HIGH CAPS;
   Bob (LOW) with LOW DATA and LOW CAPS; arrows labelled
   "read data", "read cap", "write data" and "write cap"
   show the operations permitted between the two levels]
40
ACLs and Capabilities
  • ACLs: answer to "who can access this file?"
  • Useful when formulating policies
  • C-List: answer to "what files can this process
    access?"
  • Useful in investigation
  • Object capabilities don't answer either question,
    but integrate authorization decisions in the
    design

41
Locks and Keys
  • Associate information (lock) with object,
    information (key) with subject
  • Latter controls what the subject can access and
    how
  • Subject presents key; if it corresponds to any of
    the locks on the object, access granted
  • This can be dynamic
  • ACLs, C-Lists: static and must be manually changed
  • Locks and keys can change based on system
    constraints, other factors (not necessarily
    manual)

42
Example IBM
  • IBM 370: process gets access key; pages get
    storage key and fetch bit
  • Fetch bit clear: read access only
  • Fetch bit set, access key 0: process can write to
    (any) page
  • Fetch bit set, access key matches storage key:
    process can write to page
  • Fetch bit set, access key non-zero and does not
    match storage key: no access allowed

43
Example Cisco Router
  • Dynamic access control lists
        access-list 100 permit tcp any host 10.1.1.1 eq telnet
        access-list 100 dynamic test timeout 180 permit ip any host 10.1.2.3 time-range my-time
        time-range my-time
          periodic weekdays 9:00 to 17:00
        line vty 0 2
          login local
          autocommand access-enable host timeout 10
  • Limits external access to 10.1.2.3 to 9 AM to 5 PM
  • Adds temporary entry for connecting host once
    user supplies name, password to router
  • Connections good for 180 minutes
  • Drops access control entry after that

44
Type Checking
  • Lock is type, key is operation
  • Example: UNIX system call write can't work on
    directory object but does work on file
  • Example: split I/D space of PDP-11
  • Example: countering buffer overflow attacks on
    the stack by putting stack on non-executable
    pages/segments
  • Then code uploaded to buffer won't execute
  • Does not stop other forms of this attack, though

45
More Examples
  • LOCK system:
  • Compiler produces data
  • Trusted process must change this type to
    executable before program can be executed
  • Sidewinder firewall:
  • Subjects assigned domain, objects assigned type
  • Example: ingress packets get one type, egress
    packets another
  • All actions controlled by type, so ingress
    packets cannot masquerade as egress packets (and
    vice versa)

46
Sharing Secrets
  • Implements separation of privilege
  • Use (t, n)-threshold scheme
  • Data divided into n parts
  • Any t parts sufficient to derive original data
  • Or-access and and-access can do this
  • But this increases the number of representations
    of the data rapidly as n, t grow
  • Cryptographic approaches more common

47
Shamirs Scheme
  • Goal: use (t, n)-threshold scheme to share
    cryptographic key encoding data
  • Based on Lagrange polynomials
  • Idea: take polynomial p(x) of degree t-1, set
    constant term (p(0)) to key
  • Compute value of p at n points, excluding x = 0
  • By algebra, need values of p at any t distinct
    points to derive polynomial, and hence constant
    term (key)
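Shamir's scheme carried through as an added example that is not the slides' code: a random polynomial of degree t-1 with the key as its constant term is evaluated at n points, and Lagrange interpolation at x = 0 recovers the key from any t of them. Arithmetic is done in the prime field GF(p); the modulus, the key and the share counts are constructed for this example.

```python
# Added example, not the slides' code: Shamir's (t, n)-threshold scheme over
# GF(p). P, the key and the (t, n) values are constructed.
import secrets

P = 2**127 - 1   # prime modulus; the shared key must be smaller than this

def split(key, t, n, p=P):
    """Choose a random polynomial of degree t-1 with constant term p(0) = key,
    then evaluate it at x = 1..n (never at x = 0, which would reveal the key)."""
    if not (1 <= t <= n < p and 0 <= key < p):
        raise ValueError("need 1 <= t <= n and 0 <= key < p")
    coeffs = [key] + [secrets.randbelow(p) for _ in range(t - 1)]
    def poly(x):
        return sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p
    return [(x, poly(x)) for x in range(1, n + 1)]

def reconstruct(shares, p=P):
    """Lagrange interpolation evaluated at x = 0: t distinct points determine
    the degree-(t-1) polynomial uniquely, so the sum recovers its constant
    term. Fewer than t points are consistent with every possible key."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x values")
    key = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p          # product of (0 - xj)
                den = den * (xi - xj) % p      # product of (xi - xj)
        key = (key + yi * num * pow(den, p - 2, p)) % p   # Fermat inverse of den
    return key

def demo():
    key = secrets.randbelow(P)
    shares = split(key, 3, 5)                  # t = 3 of n = 5
    return {
        "first_three": reconstruct(shares[:3]) == key,
        "any_three": reconstruct([shares[0], shares[2], shares[4]]) == key,
        "only_two": reconstruct(shares[:2]) == key,   # False except with probability 1/P
    }

if __name__ == "__main__":
    print(demo())
```

Working modulo a prime rather than over the integers is what makes the "fewer than t parts reveal nothing" claim hold exactly: over the integers the sizes of the share values would leak information about the coefficients.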

48
Ring-Based Access Control
  • Process (segment) accesses another segment:
    read, execute
  • Gate is an entry point for calling segment
  • Rights:
  • r: read
  • w: write
  • a: append
  • e: execute

  [Diagram: concentric rings numbered 0, 1, ..., n;
   an arrow labelled "Privileges increase" points
   toward ring 0]
49
Reading/Writing/Appending
  • Procedure executing in ring r
  • Data segment with access bracket (a1, a2)
  • Mandatory access rule:
  • r ≤ a1: allow access
  • a1 < r ≤ a2: allow r access, not w, a access
  • a2 < r: deny all access

50
Executing
  • Procedure executing in ring r
  • Call procedure in segment with access bracket
    (a1, a2) and call bracket (a2, a3)
  • Often written (a1, a2, a3)
  • Mandatory access rule:
  • r < a1: allow access; ring-crossing fault
  • a1 ≤ r ≤ a2: allow access; no ring-crossing fault
  • a2 < r ≤ a3: allow access if through valid gate
  • a3 < r: deny all access
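The two mandatory access rules above (data segments on the previous slide, procedure calls on this one) as executable checks, added here as an example that is not the slides' code. Ring 0 is the most privileged, as in the ring diagram; the sample kernel entry segment and user data segment are constructed for this example.

```python
# Added example, not the slides' code: the ring-bracket access rules as
# functions. Ring 0 is most privileged; the sample segments are constructed.
def data_access(r, bracket):
    """Rights a procedure running in ring r gets on a data segment with
    access bracket (a1, a2): full rights at or inside a1, read-only between
    a1 and a2, nothing outside a2."""
    a1, a2 = bracket
    if not a1 <= a2:
        raise ValueError("access bracket must satisfy a1 <= a2")
    if r <= a1:
        return {"r", "w", "a"}
    if r <= a2:            # a1 < r <= a2
        return {"r"}
    return set()

def call_access(r, brackets, through_gate):
    """Outcome of calling a procedure segment with access bracket (a1, a2)
    and call bracket (a2, a3), written (a1, a2, a3), from ring r."""
    a1, a2, a3 = brackets
    if not a1 <= a2 <= a3:
        raise ValueError("brackets must satisfy a1 <= a2 <= a3")
    if r < a1:
        return "allowed, ring-crossing fault"     # caller is more privileged
    if r <= a2:                                   # a1 <= r <= a2
        return "allowed"
    if r <= a3:                                   # a2 < r <= a3
        return "allowed through gate" if through_gate else "denied: not a gate entry"
    return "denied"

# Constructed Multics-style segments: a kernel entry point callable from any
# of the 8 rings but only via its gates, and a data segment owned by ring 4.
KERNEL_ENTRY = (0, 0, 7)
USER_DATA = (4, 5)

if __name__ == "__main__":
    print(data_access(5, USER_DATA))                 # {'r'}
    print(call_access(4, KERNEL_ENTRY, False))       # denied: not a gate entry
```

The call bracket is the part that makes gates matter: a ring-4 caller reaching the kernel entry through a gate is allowed, the same caller jumping to an arbitrary address inside the segment is refused, and a segment with a3 equal to a2 has no gates at all.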

51
Versions
  • Multics: 8 rings (from 0 to 7)
  • Digital Equipment's VAX: 4 levels of privilege:
    user, monitor, executive, kernel
  • Older systems: 2 levels of privilege: user,
    supervisor

52
Gates
  • Gates allow lower-privilege code to call into
    higher-privilege code
  • Why are gates needed?
  • Low-privilege code needs to call higher-privilege
    library / kernel
  • Arbitrary access would lead to security holes
  • Gates enforce checks, making sure access is safe

53
Amplifying
  • Temporary increase of privilege for modular calls
        module stack
            int buffer
        end module
  • Only stack module can read / write buffer
        module foo
            var x: stack
            x.push(1)
        end module
  • Module foo cannot access buffer, but needs rights
    when calling stack
  • Solution: give process required rights when it is
    in module

54
Examples
  • HYDRA: templates
  • Associated with each procedure, function in
    module
  • Adds rights to process capability while the
    procedure or function is being executed
  • Rights deleted on exit
  • Intel iAPX 432: access descriptors for objects
  • These are really capabilities
  • 1 bit in this controls amplification
  • When ADT constructed, permission bits of type
    control object set to what procedure needs
  • On call, if amplification bit in this permission
    is set, the above bits or'ed with rights in
    access descriptor of object being passed

55
Java stack inspection
  • Java permissions based on author of the code
  • Code authorship determined by class loader
  • Permissions of caller must also be checked
  • Untrusted.applet -> System.FileInputStream ->
    File.open should fail, even though System can
    open the file

56
Walk the stack
  • Walk stack upwards, checking for permissions
  • If any stack frame is unauthorized, reject
    permission

57
Trusted Libraries
  • Library code:
        Nikita.Library() {
            tmpFile = FileInputStream.open("/home/nikita/foo");
            tmpFile.close();
        }
  • We want it to be OK to use Nikita.Library() in
    untrusted applets

58
enablePrivilege()
        Nikita.Library() {
            enablePrivilege();
            tmpFile = FileInputStream.open("/home/nikita/foo");
            tmpFile.close();
        }
  • enablePrivilege() stops stack frame walk
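Stack inspection with enablePrivilege(), from the "Java stack inspection" slide through this one, simulated as an added example that is not the JVM's code. The code sources, the permission table and the call stacks are constructed for this example; the walk goes from the innermost frame outward and stops at the first frame that enabled its privilege.

```python
# Added example, not the JVM's code: a simulation of stack inspection with
# enablePrivilege(). Code sources, POLICY and the stacks are constructed.
from dataclasses import dataclass

@dataclass
class Frame:
    code_source: str          # who authored the code, as the class loader determined
    privileged: bool = False  # this frame called enablePrivilege()

# Permissions held by each code source (constructed policy).
POLICY = {
    "system": {"file.read"},
    "nikita": {"file.read"},
    "untrusted-applet": set(),
}

def check_permission(stack, perm):
    """Walk the stack from the innermost frame outward. Every frame must hold
    perm; a frame that enabled its privilege ends the walk, so callers above
    it are not consulted. A frame cannot enable a privilege it does not hold,
    because its own permission is checked before the walk stops."""
    for frame in reversed(stack):          # stack[-1] is the current frame
        if perm not in POLICY.get(frame.code_source, set()):
            return False
        if frame.privileged:
            return True
    return True

def file_open(stack):
    """System.FileInputStream.open: the security check happens here."""
    return check_permission(stack + [Frame("system")], "file.read")

def nikita_library(stack, use_enable_privilege):
    """Nikita.Library(): opens /home/nikita/foo on behalf of its caller."""
    return file_open(stack + [Frame("nikita", privileged=use_enable_privilege)])

APPLET = [Frame("untrusted-applet")]

def demo():
    return {
        "applet_direct": file_open(APPLET),
        "applet_via_library": nikita_library(APPLET, False),
        "applet_via_privileged_library": nikita_library(APPLET, True),
        "applet_enabling_itself": file_open([Frame("untrusted-applet", privileged=True)]),
    }

if __name__ == "__main__":
    print(demo())
```

The last case is the one to keep in mind when auditing library code: enablePrivilege() lets Nikita's library vouch for its own callers, so every call it makes while privileged must be something it is safe to do on behalf of untrusted code, which is why the privileged region is kept as short as the slide shows.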

59
enablePrivilege()
60
Key Points
  • Access control mechanisms provide controls for
    users accessing files
  • Many different forms
  • ACLs, capabilities, locks and keys
  • Type checking too
  • Ring-based mechanisms (Mandatory)
  • PACLs (ORCON)

61
PACLs
  • Propagated Access Control List
  • Implements ORCON
  • Creator kept with PACL, copies
  • Only owner can change PACL
  • Subject reads object: object's PACL associated
    with subject
  • Subject writes object: subject's PACL associated
    with object
  • Notation: PACL_s means s created object; PACL(e)
    is PACL associated with entity e

62
Multiple Creators
  • Betty reads Ann's file dates
        PACL(Betty) = PACL_Betty ∩ PACL(dates)
                    = PACL_Betty ∩ PACL_Ann
  • Betty creates file dc
        PACL(dc) = PACL_Betty ∩ PACL_Ann
  • PACL_Ann = {Betty, Dorothy, June}
  • PACL_Betty = {Carol, June}
  • PACL_Betty allows Carol to access objects, but
    PACL_Ann does not; both allow June to access
    objects
  • June can read dc
  • Carol cannot read dc
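PACL propagation as set intersection, worked through the Betty/Ann example on this slide as an added example that is not the slides' code. The `Entity` class and the read/write/create operations are constructed for this example; the PACL contents are the ones on the slide.

```python
# Added example, not the slides' code: PACLs propagate by intersection as
# data flows from object to subject and back. Entity and the operations
# are constructed; the sets come from the slide.
class Entity:
    """A subject or object carrying PACL(e). Creators also keep their own
    PACL_s, the list applied to everything they create."""
    def __init__(self, name, creator_pacl):
        self.name = name
        self.creator_pacl = set(creator_pacl)   # PACL_s (meaningful for subjects)
        self.pacl = set(creator_pacl)           # PACL(e); only ever shrinks

def read(subject, obj):
    """Subject reads object: the object's PACL is associated with the subject,
    so from now on the subject carries the intersection."""
    if subject.name not in obj.pacl:
        raise PermissionError("%s may not read %s" % (subject.name, obj.name))
    subject.pacl &= obj.pacl

def write(subject, obj):
    """Subject writes object: the subject's PACL is associated with the object."""
    obj.pacl &= subject.pacl

def create(subject, name):
    """A new object starts with everything its creator currently carries."""
    return Entity(name, subject.pacl)

def can_read(user, obj):
    return user in obj.pacl

def demo():
    ann = Entity("Ann", {"Betty", "Dorothy", "June"})   # PACL_Ann
    betty = Entity("Betty", {"Carol", "June"})          # PACL_Betty
    dates = create(ann, "dates")                        # PACL(dates) = PACL_Ann
    read(betty, dates)                                  # PACL(Betty) = PACL_Betty ∩ PACL_Ann
    dc = create(betty, "dc")                            # PACL(dc) = PACL_Betty ∩ PACL_Ann
    return {"pacl_dc": dc.pacl,
            "june": can_read("June", dc),
            "carol": can_read("Carol", dc)}

if __name__ == "__main__":
    print(demo())
```

Because the intersection can only shrink, every subject that has ever read originator-controlled data carries that restriction into everything it later creates or writes; that is how ORCON's "the originator, not the holder, decides who may see copies" survives copying.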