CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 13 - Capability Systems
October 9, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Process-specific Permissions
• Design the permissions of a process specific to its use
• How do we change the permissions of a process in an ACL system?

Confused Deputy Problem
• Imagine a multi-client server
  – Each client has a different set of objects that it can access
• In an ACL system, the server always has access to all the objects
  – What happens if a client tricks the server into accessing another client’s objects?
  – Shouldn’t the server only have access to that client’s objects for its requests?

Capabilities
• A capability is the tuple (object, rights)
• A capability system implements access control by checking whether the process has an appropriate capability
  – Simple, right?
  – This is a little like a ticket in the Kerberos system
• Q: Does this eliminate the need for authentication?

Capabilities
• A: Well, yes and no …
• Capabilities remove the overhead of managing per-object rights, but add the overhead of managing capabilities
• Moreover, to get any real security, they have to be unforgeable
  – Hardware tags (to protect capabilities)
  – Protected address space/registers
  – Language-based techniques
    • Enforce access restrictions on caps.
  – Cryptography
    • Make them unforgeable

Real OS Capabilities
• The OS kernel manages capabilities in the process table, out of reach of the process
• Capabilities added by user requests (that comply with policy)
[Figure: process table, each process entry pointing to its C-list of (object, rights) pairs, e.g. objects A, B, C, D with rights such as RX and RW]
User space capability?
• Well, what are the requirements?
  – Authenticity/integrity - we do not want a malicious process to forge capabilities
• Start with the data itself: [object, rights]
  – Object is typically encoded with an identifier, or by some other tag (capabilities are sometimes known as tags)
  – Rights are often fixed (read, modify, write, execute, etc.)
• Now, do what you would do with any other data (assume the kernel has a secret key k)
  E(k, [Oi, r1, r2, … rn])
• What’s wrong with this construction (I got it from the website of one of the experts in the area)?

The right construction
• Encryption does not provide authenticity/integrity, it provides confidentiality
  [Oi, r1, r2, … rn], HMAC(k, [Oi, r1, r2, … rn])
• So how would you attack the preceding construction?

A (fictional) Capability Example
• We use the “ls -lt” command to view the contents of our home directory in an OS implementing capabilities:
  – Initially, our shell process has RWX capabilities for our home directory, and RX capabilities for all the directories to the root.
  – The “ls -lt” command is exec()ed, and the shell delegates the directory permissions by giving “ls” the capabilities
    • Note that the capabilities are _not_ tied to any subject
  – The “ls -lt” process exercises the rights to read the directory structure all the way down to the local
  – Of course, the “ls -lt” process now needs to obtain read rights to the files (to get their specific meta-information), and obtains them by appealing to the security manager (in the kernel) -- the request fulfills the policy, and they are added and exercised
  – The “ls -lt” process uses access rights given to the terminal to write its output
• Note: there are many ways that the policy can be implemented, rights handed off, etc.
  We will talk about a couple in the following discussions.

Procedure-Level Protection Domains
• HYDRA
  – Each procedure defines a new protection domain
• Procedure
  – Code
  – Data
  – Capabilities to other objects
    • Caller-independent
    • Caller-dependent templates
• Local Name Space
  – Capabilities are bound here
  – Record of a procedure invocation (procedure instance)
• Process
  – Stack of LNSs

How HYDRA works
• Q: Which object defines the protection domain?
[Figure: the caller procedure (code, data, capabilities, template, caller-dependent capabilities) calls the callee through the kernel, passing capabilities; the kernel creates the callee LNS from the callee procedure’s capabilities, template and caller-dependent capabilities]

Implications of Fine-Grained Protection
• Programmer
  – Must define templates for the procedure
  – Connect the procedure rights together
• Performance Impact
• Q: Do we need to manage rights at this level?

Linden’s Capability View
• Achieve flexible, effective security by
  – Small protection domains
  – Extensible set of types
• Implies a capability system
  – Small protection domains with least-privilege permissions
  – Extensible types enable composition of systems reliably
  – Capabilities can be passed among protection domains and into new subsystems
• Protected Procedures
  – Like HYDRA
  – Change domain with each procedure invocation
  – New procedure is a new instance
• Protection domain switch time is key (high in modern processors)

Correctness Claim
• “It is far more difficult to build a 50,000 line program than 1,000 programs that are each 50 lines long.”
  – What is your opinion of this?
  – Is it just the procedure development that is important?
• Two problems
  – Decomposition results in inefficiencies
  – Interactions between procedures are not captured
Flexibility vs. Security
• Small protection domains are desirable because:
  – Enables solving finer-grained problems
  – Less rigid protection
  – Independent accounting
  – Reliable and redundant security controls
  – Individual controls are easier to understand
• Top-down vs. bottom-up; fine- vs. coarse-grained