Access Control Mechanisms - PowerPoint PPT Presentation

Slides: 16
Provided by: matt298

1
Access Control Mechanisms
  • CSSE 490 Computer Security
  • Mark Ardis, Rose-Hulman Institute
  • April 20, 2004

2
Overview
  • Access Control Lists
  • Capability Lists
  • Locks and Keys
  • Ring-Based Access Control

3
Access Control Lists
  • Def: Let $S$ be a set of subjects, $R$ a set of
    rights. An access control list (ACL) $l$ is a set
    of pairs $l = \{(s, r) : s \in S, r \subseteq R\}$
  • We write $acl(o) = \{(s_i, r_i) : 1 \le i \le n\}$ to
    denote that subject $s_i$ may access object $o$ using
    any right in $r_i$

4
Example ACL
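  • $acl(\text{file 1}) = \{(\text{proc 1}, \{r, w, own\}), (\text{proc 2}, \{a\})\}$
  • $acl(\text{file 2}) = \{(\text{proc 1}, \{r\}), (\text{proc 2}, \{r, own\})\}$
  • $acl(\text{proc 1}) = \{(\text{proc 1}, \{r, w, x, own\}), (\text{proc 2}, \{r\})\}$
  • $acl(\text{proc 2}) = \{(\text{proc 1}, \{w\}), (\text{proc 2}, \{r, w, x, own\})\}$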

5
Abbreviations of ACLs
  • Unix
      • 3 types of users for each file: owner, group, all others
      • 3 types of permission: read, write, execute
  • AFS
      • ability to define access rights for any specific user or group
      • 7 types of permission: read, list, insert, delete, write, lock, administer

6
Capabilities
  • Def: Let $O$ be a set of objects, $R$ a set of
    rights. A capability list $c$ is a set of pairs
    $c = \{(o, r) : o \in O, r \subseteq R\}$
  • We write $cap(s) = \{(o_i, r_i) : 1 \le i \le n\}$ to
    denote that subject $s$ may access object $o_i$ using
    any right in $r_i$

7
Example Capability List
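  • $cap(\text{proc 1}) = \{(\text{file 1}, \{r, w, own\}), (\text{file 2}, \{r\}), (\text{proc 1}, \{r, w, x, own\}), (\text{proc 2}, \{w\})\}$
  • $cap(\text{proc 2}) = \{(\text{file 1}, \{a\}), (\text{file 2}, \{r, own\}), (\text{proc 1}, \{r\}), (\text{proc 2}, \{r, w, x, own\})\}$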

8
Locks and Keys
  • Associate a piece of information (the lock) with
    each object.
  • Associate a second piece of information (the key)
    with each subject allowed to access the object.
  • May have multiple locks and keys for the same
    object
      • or-access: provide multiple locks (and keys)
      • and-access: lock multiple times

9
Type Checking: a Form of Locks and Keys
  • Unix prevents writing to a directory using normal
    file operations
  • Might restrict read and write to data, execute to
    instructions
  • PDP-11
  • prevents buffer overflow
  • DTEL policy language can enforce type checking

10
Sharing Secrets
  • Problem: need to ensure that at least 3 senior
    officials agree that the country is under attack
    before launching a counterstrike.
  • Place 10 officials in different parts of the
    country; each official has a part of the key.
  • How should the key be divided?

11
Threshold Schemes
  • Def: A (t, n)-threshold scheme is a cryptographic
    scheme in which a datum is divided into n parts,
    any t of which are sufficient to determine the
    original datum

12
Implementing Threshold Schemes
  • Could use locks and keys
      • combinations of or- and and-access could be used
  • Could use polynomial of degree t-1 with n example
    evaluations
      • requires t values to rederive the polynomial

13
Ring-Based Access Control (Multics)
  • Data and procedures occupy different segments
  • Segments have ACLs for r, w, x, a
  • Protection rings
      • procedure executes in ring r
      • higher rings have fewer privileges

14
Access Brackets
  • Each data segment has access bracket $(a_1, a_2)$
    with $a_1 \le a_2$
  • Assume procedure executing in ring $r$
      • $r \le a_1$: all access permitted
      • $a_1 < r \le a_2$: r, x permitted, but w, a denied
      • $a_2 < r$: all accesses denied

15
Call Brackets
  • Each procedure may have a call bracket $(c_1, c_2)$
    with $c_1 \le c_2$
  • By convention $c_1 = a_2$, so may write $(a_1, a_2, a_3)$
    where $(a_1, a_2)$ is access bracket and $(a_2, a_3)$ is
    call bracket
  • Assume procedure executing in ring $r$
      • $r < a_1$: access permitted, but ring fault occurs
      • $a_1 \le r \le a_2$: all access permitted, no ring fault
      • $a_2 < r \le a_3$: access permitted through valid gate
      • $a_3 < r$: all access denied