Protection and Security - 2

1

• Protection and Security - 2

2
(2) The Access Control List Method

• Each object o is assigned a list of pairs (s,
  Ps,o), for all subjects s that can access the
  object
• The access list for an object corresponds to the
  access rights contained in the column for object
  o in the access matrix
• Example

Smith
read, write, execute
Jones
read
Lee
write
3
(2) The Access Control List Method (cont.)

• Operation Subject s requests access ? to
  object o
• Search access control list of o for entry (s,
  ?)
• If entry exists, check if ? ? ?
• If yes, allow execution. Else, exception raised
• Advantages of access control lists
• Easy revocation of access rights from a subject
  to an object remove objects entry from the
  objects access control list
• Easy review of access rights of all subjects to a
  given object
• Note it is, however, difficult to determine for
  a given subject what objects it has access to

4
Issues with Access Control Lists

• Efficiency of execution
• Access control list needs to be searched for
  every access to an object!
• Option use shadow capability registers
• On first access by a subject, copy access rights
  from access control list to a shadow register
  with the subject
• The access rights in the shadow register acts as
  a capability
• Subsequent accesses by this subject use the
  shadow register
• Potential drawback
• Revocation of access rights becomes more
  difficult removing access rights from access
  control list is not sufficient, some access
  rights remain in shadow registers

5
Issues with Access Control Lists (cont)

• Efficiency of storage
• The list can be very large, containing the access
  rights of all subjects that can access this
  object
• Note the aggregate storage requirement is about
  the same as for capabilities
• Option use protection groups
• Subjects (users) divided into protection groups
• Access control list contains the names of groups
  and their access rights
• Operation subject gives its protection group and
  requested access
• Issue All subjects in a protection group have
  the same access rights to the object
• Authority to change an access control list
• Issue who can modify an access control list?
• Options
• Self control owner process (e.g., creator of the
  object) can modify list
• Hierarchical control
• When object created, owner process specifies what
  other processes can modify access control list
• Processes organized in a hierarchy a process can
  change the access control list of all processes
  below it in the hierarchy

6
Examples of Systems using Access Control Lists

• Multics
• Access control lists to control access to files
• Principle of least privilege
• Unix
• Access control list has three entries owner,
  group, and other
• Access rights read, write, execute

7
(3) The Lock-Key Method

• Principles
• Hybrid of capability-based method and access
  control list method
• Every subject has a capability list made of
  tuples (o, k) the subject can access object o
  using key k
• Every object has an access control list made of
  tuples (l, ?), called lock entries any subject
  that can open lock l can access the object with
  an access right contained in ?
• Operation
• Subject s makes request for access ? to
  object o
• The system locates tuple (o, k) in capability
  list of the subject
• If present, search access control list of object
  o for entry (l, ?), where k l and obtain ?
• Access allowed if ? ? ?

8
(3) The Lock-Key Method (cont.)

• Advantages
• Easy revocation of access rights to revoke the
  access rights of a subject to an object, delete
  the lock entry corresponding to the key of the
  subject
• Capability-based addressing can be used
• Disadvantages
• Access control list must be searched for every
  access
• Example
• IBM/360 storage keys protection method similar to
  lock-key method

9
Access Matrix Model Changing The Protection State

• Access matrix is itself a protected object
• Commands for changing protection state
• Set of commands C for changing protection state
  defined in the form of the following primitive
  operations
• enter r into P s, o
• delete r from P s, o
• create subject s
• create object o
• destroy subject s
• destroy object o
• Primitive operations define changes to be made
  to the access matrix P
• Example Primitive operation delete r from P s,
  o deletes access right r from the position P s,
  o in the access matrix, I.e., access right r of
  subject s to object o is withdrawn

10
Access Matrix Model Changing The Protection
State (cont.)

• Before the operation is performed (e.g., the
  delete in previous example), a verification
  should be made that the process has the right to
  perform this operation on the access matrix
• Command syntax
• command lt command id gt (ltformal
  parametersgt)
• if lt conditions gt
• then
• lt list of primitive
  operations gt
• end.
• Command execution
• All checks in the condition part are evaluated.
  The ltconditionsgt part has checks in the form r
  in Ps,o
• If all checks pass, primitive operations in ltlist
  of primitive operationsgt are executed

11
Access Matrix Model Changing The Protection
State (cont.)

• All accesses are validated by a mechanism called
  a reference monitor the reference monitor will
  reject an access not allowed by the access matrix
• Each object has an owner
• If s is the owner of o, then own ? P s, o
• The owner of an object can give (confer) a right
  to the object to another subject
• Example command to create a file and assign
  own and read rights to it
• command create-read (process, file)
• create object file
• enter own into P process, file
• enter read into P process, file
• end.

12
Access Matrix Model Changing The Protection
State (cont.)

• Example command owner of a file gives write
  access rights to another process
• command confer-write (owner, process,
  file)
• if own ? P owner, file
• then
• enter write into P process, file
• end.

13
Advanced Models of Protection The Take-Grant
Model

• Principles
• Uses directed graphs to model access control
• Protection state of system represented by
  directed graph
• More efficient than (sparsely populated) access
  matrix
• Model
• Graph nodes subjects and objects
• An edge from node x to node y indicates that
  subject x has an access right to the object
  y the edge is tagged with the corresponding
  access rights
• Access rights
• Read (r), write (w), execute (e)
• Special access rights for propagating access
  rights to other nodes
• Take If node x has access right take to node
  y, then subject x can take any access right
  that it has on y to another node
• Grant If node x has access right grant to node
  y, then the entity represented by node y can
  be granted any of the access rights that node x
  has

14
The Take-Grant Model (cont.)

• Example take operation
• Node x has take access to node y
• Node y has read and write access to node z
• Node x can take access right read from y and
  have this access right for object z a
  directed edge labeled r is added from node x
  to node z

x
y
z
15
The Take-Grant Model (cont.)

• Example grant operation
• Node x has grant access to node y and also
  has read and write access to node z
• Node x can grant read access for z to node
  y ( a directed edge labeled r from y to z
  is added in the graph)

16
The Take-Grant Model (cont.)

• State and state transitions
• The protection state of the system is represented
  by the directed graph
• System changes state (state transition) when the
  directed graph changes
• The directed graph changes with the following
  operations
• Take
• Grant
• Create A new node is added to the graph
• When node x creates a new node y, a directed
  edge is added from x to y
• Remove A node deletes some of its access rights
  to another node

17
Bell-LaPadula Model

• Used to control information flow
• Model components
• Subjects, objects, and access matrix
• Several ordered security levels
• Each subject has a (maximum) clearance and a
  current clearance level
• Each object has a classification (I.e., belongs
  to a security level)
• Subjects can have the following access rights to
  objects
• Read-only
• Append subject can only write object (no read
  permitted)
• Execute no read or write
• Read-write both read and write are permitted
• Subject that creates an object has control
  attribute to that object and is the controller of
  the object
• Subject can pass any of the four access rights of
  the controlled object to another subject

18
Bell-LaPadula Model (cont.)

• Restrictions on information flow and access
  control (reading down and writing up properties)
• 1. The simple security property
• A subject cannot have read access to an object
  with classification higher than the clearance
  level of the subject
• 2. The ?-property (star property)
• A subject has append (I.e., write) access only to
  objects which have classification (I.e., security
  level) higher than or equal to the current
  security clearance level of the subject
• A subject has read access only to objects which
  have classification (I.e., security level) lower
  than or equal to the current security clearance
  level of the subject
• A subject has read-write access only to objects
  which have classification (I.e., security level)
  equal to the current security clearance level of
  the subject

19
Bell-LaPadula Model (cont.)

Level n . . . Level i1
Level i-1 . . . Level 1
20
Case Studies Unix

• Subjects
• Each user identified by a a userid
• A user may belong to a group identified by
  groupid
• Userid and groupid are part of the process
  descriptor of the process running on behalf of
  the user and used to verify access rights
• Protected objects files and directories
• Each file has a unique owner (user who created
  the file)
• Each file has two access fields
• userid field file owner
• groupid field groupid of the group to which
  the file belongs

21
Case Studies Unix (cont.)

• Protection mechanism for files access control
  list with protection groups for access efficiency
• Protection groups owner, group, others
• Access rights for each group read, write,
  execute
• Three fields associated with each file of three
  bits each
• Only the owner of the file and the super user can
  change these bits (chmod command)
• Protection domain
• Associated with each user
• At login, user starts in a protection domain
  defining access rights
• Domain can be changed with su (set userid)
  command

22
The Hydra Kernel

• Kernel of a multiprocessor OS (Carnegie-Mellon
  U.)
• Provides mechanisms on which a large array of OSs
  can be built
• Supports capability-based protection
• An object (abstraction of a resource) is the
  unit of protection
• Procedure is an abstraction of an operation on
  an object
• Protection mechanism controls the invocation of
  procedures to instances of objects (i.e.,
  resources)
• Objects
• Each object has name, type, representation,
• Representation
• Data part can be accessed by programs with the
  right capability
• Capability part capabilities for other objects
  can be changed only by the kernel

23
The Hydra Kernel (cont.)

• Protection
• Elements objects (abstraction of resources) and
  capabilities (references to objects)
• Operation
• Process/user supplies capability for object
• Kernel validates access rights
• Access rights
• Kernel rights kernel supports the basic access
  rights (read, write, copy)
• Auxiliary rights user defined object operations
• User defines a new object type and associated
  operations
• Kernel treats these operations as auxiliary
  rights for the object
• For a user to perform these operations on the
  object, its capability must contain these
  auxiliary rights
• Kernel uses a 24-bit mask to encode access
  rights kernel rights have fixed positions

24
Amoeba

• Distributed OS (Tanenbaum)
• Object-based, client-server model
• Client processes request operations on objects by
  sending requests to server processes via RPCs
• Every object is managed by a server process
• Capabilities-based protection Capability
  structure
• Server port identity of server process that
  manages corresponding object
• Object number identifies specific object
• Rights access allowed
• Check protection against unauthorized changes
  (cryptographic technique)