CMSC 414 Computer (and Network) Security Lecture 13 - PowerPoint PPT Presentation

1 / 27
About This Presentation
Title:

CMSC 414 Computer (and Network) Security Lecture 13

Description:

If user not present in ACL, nor member of any group in ACL, deny access ... Note: an explicit deny overrides any permissions ... all access denied. Why brackets? ... – PowerPoint PPT presentation

Number of Views:44
Avg rating:3.0/5.0
Slides: 28
Provided by: jka9
Learn more at: http://www.cs.umd.edu
Category:

less

Transcript and Presenter's Notes

Title: CMSC 414 Computer (and Network) Security Lecture 13


1
CMSC 414Computer (and Network) SecurityLecture
13
  • Jonathan Katz

2
Midterm?
  • Will be held Oct 21, in class
  • Will cover everything up to and including the
    preceding lecture (Oct 16)
  • Includes all reading posted on the class syllabus!

3
Access control lists (ACLs)
  • Instead of storing central matrix, store each
    column with the object it represents
  • Stored as pairs (s, r)
  • Subjects not in list have no rights
  • Can use wildcards to give default rights

4
Example Unix
  • Unix divides users into three classes
  • Owner of the file
  • Group owner of the file
  • All other users
  • Note that this leaves little flexibility
  • Some systems have been extended to allow for more
    flexibility
  • Abbrev. ACLs overridden by explicit ACLs

5
Handling conflicts
  • Conflicts may arise if two entries give different
    permissions to a subject
  • Multiple ways of resolving this e.g.
  • Allow access if any entry gives rights
  • Allow access only if no entry denies rights
  • Apply first applicable entry

6
Default permissions?
  • Two approaches
  • Apply ACL entry, if it exists otherwise, apply
    default rule
  • I.e., ACL entries override default permissions
  • Augment the default permissions with those in the
    appropriate ACL entry
  • Example what if default allows read and ACL
    entry states write?

7
Revocation
  • How to handle revocation?
  • Easy to revoke all access with ACLs
  • Butwhat if two different users granted the same
    right to the same person?
  • E.g., both A and B give rights to C. Now A wants
    to revoke Cs rights. But B still wants to allow
    rights
  • Can store a history of ACL modifications

8
Example Windows NT
  • Rights
  • Read write execute delete own
  • Generic (groups of) rights
  • No access read change full
  • Also, a special access right (allows any
    combination of rights)

9
Example, continued
  • When user accesses a file
  • If user not present in ACL, nor member of any
    group in ACL, deny access
  • If user (or group containing user) is explicitly
    denied access in ACL, deny access
  • Else, user has union of all rights from each ACL
    entry for user (or group containing user)

10
Example, continued
  • Paul, Quentin are in group students
  • Quentin, Regina are in group staff
  • File with ACL (staff, full), (Quentin, change),
    (students, no access), (Paul, no access)
  • Regina has full access
  • Quentin has no access (since in students)
  • Paul has no access
  • Note an explicit deny overrides any permissions
  • Safer to explicitly disallow access when unwanted
  • E.g., in case students is later allowed access

11
Capabilities
  • The dual of ACLs
  • The row of an access control matrix is associated
    with the corresponding subject
  • More complex to implement securely than ACLs
  • A process must identify a capability
  • so must have some control over it
  • (In contrast, the OS controls files)

12
Protecting capabilities
  • Can tag capabilities so they can be read, but
    not modified, by processes
  • Or, store capabilities in protected memory
  • Can also use cryptography to ensure integrity of
    capabilities
  • Using a message authentication code, with a key
    known to the OS

13
Copying capabilities
  • Copying a capabilities implies giving rights
  • Copy flag is associated with capabilities
  • Process cannot copy the capability unless this
    flag is set

14
Revocation
  • How to revoke access to a file?
  • Would potentially require revoking all
    capabilities associated with that file
  • One solution indirection
  • Capabilities name an entry in a table, rather
    than an object itself
  • To revoke access to object, invalidate entry in
    table
  • Or, change random number associated with object
  • Difficult to revoke access by a single subject

15
Potential problems
  • What if one process gives capabilities to
    another? (Possibly indirectly)
  • Can lead to security violation
  • One solution assign security classifications to
    capabilities
  • E.g., when capability created, its classification
    is the same as the requesting process
  • Capability contains rights depending on the
    object to which it refers

16
ACLs vs. capabilities
  • Given a subject, what objects can it access?
    (capabilities)
  • Given an object, which subjects can access it?
    (ACLs)
  • Second question is asked more often than first
  • For incident response, capabilities may be
    preferable
  • What else did this subject access?

17
Locks and keys
  • Combines ACLs and capabilities
  • Lock associated with each object
  • Key associated with each subject authorized to
    access this object
  • When subject tries to access object, its set of
    keys is checked if it has a key corresponding to
    the objects lock, access allowed

18
Important distinction
  • ACLs and capabilities are static
  • Require manual intervention to change
  • Locks and keys are dynamic
  • May change on their own in response to changes in
    the system

19
Example
  • Cryptographic key used to encrypt a file
  • A file cannot be read unless the subject has
    the encryption key
  • Can also enforce that requests from n users are
    required in order to read data (and-access), or
    that any of n users are able to read data
    (or-access)

20
Cryptographic secret sharing
  • (t, n)-threshold scheme to share a key
  • Using this to achieve (t, n)-threshold encryption
  • Shamir secret sharing

21
Another example
  • Type checking
  • E.g., label memory locations as either data or
    instructions
  • Do not allow execution of type data
  • Can potentially be used to limit buffer overflows

22
Ring-based access control
  • Memory and files (e.g., disk space) are viewed as
    equivalent
  • E.g., a program is loaded into memory and run, or
    a file is loaded into RAM
  • Termed segments
  • Two types of segments data and procedure
  • ACLs specify rights on per-user basis
  • All procedures executed by a user have rights
    associated with that user

23
Ring-based access control
  • Sequence of 64 protection rings
  • Kernel in ring 0
  • Higher ring numbers have lower privileges
  • Proc. in ring r wants to access data segment
  • Data associated with access bracket (a, b)
  • If r ? a, access allowed
  • If r gt b, no access
  • Else, read allowed write denied

24
Ring-based access control
  • Procedure in ring r wants to execute another
    procedure segment
  • Procedure segment has access bracket (a, b), and
    also has call bracket (b, c)
  • If r lt a, access permitted but ring fault
    occurs and trap to kernel
  • If r lies between a and b, all access permitted
  • If r lies between b and c, access permitted via
    gate
  • If r gt c, all access denied

25
Why brackets?
  • In theory, a process or file should be assigned
    to one ring
  • However, this would require a call to the OS
    every time a process from another ring needed
    access access bracket fixes this problem
  • Call bracket allows user to execute programs in
    well-defined ways (i.e., via gates)

26
Propagated ACLs
  • Associated with data, not the object holding the
    data
  • Prevents one user from copying data in a file to
    a new file, thereby giving access to the data
  • When a subject reads from an object, the
    subjects PACL is updated
  • When an object is created, the object takes on
    the PACL of the creator

27
Example
  • A creates file f, and allows B, D to access it
  • After B reads f, PACLnew(B) PACLold(B) ?
    PACL(A)
  • If B creates new file f, this file is assigned
    PACLnew(B)
  • User U can access f only if U is in both
    PACLold(B) and PACL(A)
Write a Comment
User Comments (0)
About PowerShow.com