Computer security cs 426 lecture 19
Download
1 / 26

Computer Security CS 426 Lecture 19 - PowerPoint PPT Presentation


  • 134 Views
  • Uploaded on

Computer Security CS 426 Lecture 19. Discretionary Access Control. Reference monitor mediate all access to resources complete mediation : control all accesses to resources. Access control. Reference monitor. Resource. ?. User process. access request. policy. ACCESS MATRIX MODEL.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Computer Security CS 426 Lecture 19' - osanna


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Computer security cs 426 lecture 19

Computer Security CS 426Lecture 19

Discretionary Access Control

Fall 2010/Lecture 19


Access control

Reference monitor mediate all access to resources

complete mediation: control all accesses to resources

Access control

Reference

monitor

Resource

?

User process

access request

policy

Fall 2010/Lecture 19


Access matrix model
ACCESS MATRIX MODEL

Objects (and Subjects)

G

F

r w

own

S

u

b

j

e

c

t

s

r

U

r w

own

V

rights

Fall 2010/Lecture 19


Implementation of an access matrix
IMPLEMENTATION OF AN ACCESS MATRIX

  • Access Control Lists

  • Capabilities

  • Access control triples

Fall 2010/Lecture 19


Access control lists acls
ACCESS CONTROL LISTS (ACLs)

each column of the access matrix is stored with the object corresponding to that column

F

U:r

U:w

U:own

G

U:r

V:r

V:w

V:own

Fall 2010/Lecture 19


Capability lists
CAPABILITY LISTS

each row of the access matrix is stored with the subject corresponding to that row

U F/r, F/w, F/own, G/r

V G/r, G/w, G/own

Fall 2010/Lecture 19


Access control triples
ACCESS CONTROL TRIPLES

Subject Access Object

U r F

U w F

U own F

U r G

V r G

V w G

V own G

commonly used in relational DBMS

Fall 2010/Lecture 19


Acl vs capabilities the confused deputy problem
ACL vs. CapabilitiesThe Confused Deputy Problem

User

System Admin

SYSX/FORT $OUTPUT

Compiler Program

Write to the bill file

Write output file

SYSX (Dir)

FORT

STAT

BILL

$Output

SYSX/BILL

Fall 2010/Lecture 19


Analysis of the confused deputy problem
Analysis of The Confused Deputy Problem

  • The compiler runs with authority from two sources

    • the invoker

    • the system admin (who installed the compiler and controls billing and other info)

  • It is the deputy of two masters

  • There is no way to tell which master the deputy is serving when performing a write

Fall 2010/Lecture 19


How the capability approach solves the confused deputy problem
How the Capability Approach Solves the Confused Deputy Problem

SYSX/FORT $OUTPUT

$OUTPUT

SYSX/ STAT

SYSX/ BILL

  • Invoker must pass in a capability for $OUTPUT, which is stored in slot 3.

  • Writing to output uses the capability in slot 3.

  • Invoker cannot pass a capability it doesn’t have.

Fall 2010/Lecture 19


Capabilities vs acl ambient authority
Capabilities vs. ACL: Ambient Authority Problem

  • Ambient authority means that a user’s authority is automatically exercised, without the need of being selected.

    • causes the confused deputy problem

  • No Ambient Authority in capability systems

Fall 2010/Lecture 19


Capability vs acl naming
Capability vs. ACL: Naming Problem

  • ACL systems need a namespace for objects

  • In capability systems, a capability can serve both to designate a resource and to provide authority.

  • ACLs also need a namespace for subjects

    • as they need to refer to subjects

  • Implications

    • the set of subjects cannot be too many or too dynamic

    • most ACL systems treat user accounts (principals) as subjects, and do not support fine-grained subjects

Fall 2010/Lecture 19


Capability vs acl authority management
Capability vs. ACL: Authority Management Problem

  • Subject-Aggregated Authority Management

  • In (almost) all ACL systems, the power to edit authorities is aggregated by resource

    • naturally compatible with Discretionary Access Control, where there is often the notion of an owner

  • In capabilities systems, the power to edit authorities is aggregated by subject

Fall 2010/Lecture 19


Acl s vs capabilities
ACL'S VS CAPABILITIES Problem

ACCESS REVIEW

  • ACL's provide for superior access review on a per-object basis

  • Capabilities provide for superior access review on a per-subject basis

    REVOCATION

  • ACL's provide for superior revocation facilities on a per-object basis

  • Capabilities provide for superior revocation facilities on a per-subject basis

Fall 2010/Lecture 19


Acl s vs capabilities1
ACL'S VS CAPABILITIES Problem

  • ACL's require authentication of subjects

  • Capabilities do not require authentication of subjects, but do require unforgeability and control of propagation of capabilities

Fall 2010/Lecture 19


Conjectures on why most real world os use acl rather than capabilities
Conjectures Problem on Why Most Real-world OS Use ACL, rather than Capabilities

  • Capability is more suitable for process level sharing, but not user-level sharing

    • user-level sharing is what is really needed

  • Processes are more tightly coupled in capability-based systems because the need to pass capabilities around

    • programming may be more difficult

Fall 2010/Lecture 19


Discretionary access control
Discretionary Access Control Problem

  • No precise definition. Basically, DAC allows access rights to be propagated at subject’s discretion

    • often has the notion of owner of an object

    • used in UNIX, Windows, etc.

  • "A means of restricting access to objects based on the identity and need-to-know of users and/or groups to which they belong. Controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (directly or indirectly) to any other subject."

Fall 2010/Lecture 19


Mandatory access control
Mandatory Access Control Problem

  • Mandatory access controls (MAC) restrict the access of subjects to objects based on a system-wide policy

    • denying users full control over the access to resources that they create. The system security policy (as set by the administrator) entirely determines the access rights granted

Fall 2010/Lecture 19


Multi level security mls
Multi-level Security (MLS) Problem

  • The capability of a computer system to carry information with different sensitivities (i.e. classified information at different security levels), permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization.

  • Typically use MAC

  • Primary Security Goal: Confidentiality

Fall 2010/Lecture 19


Inherent weakness of dac
INHERENT WEAKNESS OF DAC Problem

  • Unrestricted DAC allows information from an object which can be read to any other object which can be written by a subject

    • do not provide multi-level security

  • Suppose our users are trusted not to do this deliberately. It is still possible for Trojan Horses to copy information from one object to another.

Fall 2010/Lecture 19


Trojan horses
TROJAN HORSES Problem

  • A Trojan Horse is rogue software installed, perhaps unwittingly, by duly authorized users

  • A Trojan Horse does what a user expects it to do, but in addition exploits the user's legitimate privileges to cause a security breach

Fall 2010/Lecture 19


Trojan horse example
TROJAN HORSE EXAMPLE Problem

ACL

File F

A:r

A:w

File G

B:r

A:w

Principal B cannot read file F

Fall 2010/Lecture 19


Trojan horse example1
TROJAN HORSE EXAMPLE Problem

Principal B can read contents of file F copied to file G

ACL

Principal A

executes

File F

A:r

A:w

read

Program Goodies

Trojan Horse

File G

B:r

A:w

write

Fall 2010/Lecture 19


Buggy software can become trojan horse
Buggy Software Can Become Trojan Horse Problem

  • When a buggy software is exploited, it execute the code/intention of the attacker, while using the privileges of the user who started it.

Fall 2010/Lecture 19


Readings for this lecture
Readings for This Lecture Problem

  • Wikipedia

    • Discretionary Access Control

  • The Confused Deputy by Norm Hardy

Fall 2010/Lecture 19


Coming attractions
Coming Attractions … Problem

  • The Bell LaPadula Model

Fall 2010/Lecture 19


ad