Capability Based Security
By Zachary Walker
CS265 Section 1

Access Control Issues
Preventing Access
  – Prevent users from accessing privileged data or resources
Limiting Access
  – Need to allow some access but not full access
Granting Access
  – Give new access or greater access
Revoking Access
  – Take back some or all of granted access

Methods of Access Control
Access Control Lists
  – Access control associated with the resource
  – Can prevent and revoke access
  – Cannot limit or grant access
Capability Lists
  – Access control associated with the user
  – Can prevent, limit, and grant access
  – Can revoke, but not like expected (more later)

Lampson Access Matrix
                      Network Access   Bank Records   Accounting Program
Billy the CEO         Read/Write       Read           Execute
Joe the CFO           Read/Write       Read/Write     Execute
Accounting Program                     Read/Write

Why the Lampson Equivalency Model isn't exactly accurate
What happens if an attacker somehow slips a Trojan Horse virus into the system with the intent to steal funds via the accounting program?
We examine the differences between the cases where the CEO and the CFO are attacked by the Trojan Horse.

Trojan Horse Attack on an ACL system
The CEO gets the virus
  – The Trojan horse is run by the CEO
  – The CEO lacks access to write to bank records
  – The Trojan horse is unsuccessful in stealing money
The CFO gets the virus
  – The Trojan horse is run by the CFO
  – The CFO has access to write bank records
  – The Trojan horse is successful in stealing money from the company

ACL view of attack
The OS checks the bank records ACL to see if write is authorized.
It is the CFO. No problem.
(Diagram: CFO runs Trojan Horse, Trojan Horse writes Bank Records; the ACL on Bank Records grants Write)

The Dilemma
The CFO needs write access to the Bank Records.
Anyone with write access to the bank records will be susceptible to the Trojan Horse.
What is the solution?

Capabilities
With capabilities, write access to the Bank Records is not implicit even if the CFO mistakenly downloads and runs the Trojan Horse.
The CFO would have to grant the Trojan horse the write capability to the Bank Records for the attack to be successful.

Capability Delegation
The CFO has capabilities to both the Trojan Horse and the Bank Records.
However, the Trojan horse has no notion of the Bank Records.
(Diagram: CFO, Trojan Horse, Bank Records)

Delegation cont.
For the attack to succeed the CFO would have to explicitly pass the capability (yellow arrow) to the Trojan horse.
(Diagram: CFO, Trojan Horse, Bank Records)

ACL Diagram
Arrows go from resources to subjects.

Capability Diagram
Arrows go from subjects to resources.

Why are ACL's the norm
When UNIX was being developed, ACL's and C-lists were both viable.
C-lists were known to be more secure but also more complex.
ACL's provided better performance and were deemed secure enough for the computing environment of the time.

EROS, a capability based OS
EROS stands for "Extremely Reliable Operating System".
EROS is not the first capability based OS.
Multics, KeyKOS, and Mach are examples of previous attempts at capability based OS designs.
Earlier systems have been criticized for being extremely slow.

How is EROS different from other OS designs
Access control is handled by capabilities.
All data and processes are persistent across power cycles.

OS Persistence
Persistence means the state of the system is maintained even when powered off.
All registers, processes, memory contents, and of course disk data are stored when powered down.
Persistence is actually a necessity of capability based systems.

Why is persistence necessary
It is a "chicken or the egg" issue.
Suppose the system isn't persistent.
When the system is started, where would the startup process get its capabilities from?
There is no simple answer to this question, and the startup condition is one of the most vexing in capability-based OS design.

How is EROS initialized
Every resource in the system is allocated an atomic-level primitive object.
There are Pages, Nodes, and Numbers at the lowest level.
The OS creates capabilities for every primitive object.
Every capability ever used in the system will be a composition of these base-level capabilities.

How does persistence work
In EROS a snapshot of the system is taken every 5 minutes.
  – long enough to minimize the overhead required for repeated saves
  – short enough to minimize loss in the case of a system failure

What to save and where
User data
Process list
List of open files
Save them in a partitioned section of disk set aside for persistent data.
Note that network connections and open streams are not saved and must be re-established.

What if?
The system crashes during a save?
  – The data is actually saved to a look-ahead log
  – If the save is interrupted there is an older version to revert to
  – Consequence: two sets of persistence data must be maintained

Summary
Capabilities provide much more granularity of control than ACL's.
Capabilities solve security issues unsolvable with ACL's.
ACL's are much simpler to implement and provide for a faster
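The contrast drawn on the Trojan Horse, ACL view, Capabilities and Capability Delegation slides, as an added Python model. This is illustration code written for this page, not code from the presentation or from EROS: the `spawn` and `run_program_*` helpers are hypothetical, the matrix is the one on the Lampson Access Matrix slide (placing the Accounting Program's Read/Write under Bank Records is an assumption), and the two views are built from that one matrix so the difference lies only in what the OS consults when a program asks for access.

```python
"""Toy model: one Lampson access matrix, viewed as ACLs (per object) and as
C-lists (per subject), and the Trojan-horse scenario from the slides.
Added illustration for this page; not code from the presentation or EROS."""

from dataclasses import dataclass, field

# Constructed sample: the access matrix from the "Lampson Access Matrix" slide.
# rows = subjects, columns = objects, cells = rights.  The Accounting Program
# row's Read/Write is assumed to be on Bank Records.
MATRIX = {
    "Billy the CEO":      {"Network Access": {"read", "write"},
                           "Bank Records": {"read"},
                           "Accounting Program": {"execute"}},
    "Joe the CFO":        {"Network Access": {"read", "write"},
                           "Bank Records": {"read", "write"},
                           "Accounting Program": {"execute"}},
    "Accounting Program": {"Bank Records": {"read", "write"}},
}


def to_acls(matrix):
    """Column view: each object carries a list of (subject -> rights)."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_clists(matrix):
    """Row view: each subject carries a list of (object -> rights) capabilities."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


# --- ACL system: a program runs with the ambient authority of its user ---
def acl_access(acls, user, obj, right):
    return right in acls.get(obj, {}).get(user, set())


def run_program_acl(acls, user, program_request):
    """The OS only asks "is the *user* allowed?", so any program the user runs
    (Trojan horse included) inherits everything the user may do."""
    obj, right = program_request
    return acl_access(acls, user, obj, right)


# --- Capability system: a process holds only what was delegated to it ---
@dataclass
class Process:
    name: str
    caps: dict = field(default_factory=dict)   # object -> set of rights


def spawn(clists, user, program, delegated=()):
    """User starts `program`.  The new process begins with an empty c-list and
    receives only the capabilities the user explicitly delegates, and the user
    can delegate only capabilities that are in the user's own c-list."""
    proc = Process(program)
    for obj, right in delegated:
        if right not in clists[user].get(obj, set()):
            raise PermissionError(f"{user} holds no {right} capability on {obj}")
        proc.caps.setdefault(obj, set()).add(right)
    return proc


def run_program_cap(proc, program_request):
    obj, right = program_request
    return right in proc.caps.get(obj, set())


def trojan_outcomes():
    """Did the Trojan horse obtain write access to Bank Records, per scenario?"""
    acls, clists = to_acls(MATRIX), to_clists(MATRIX)
    request = ("Bank Records", "write")
    outcomes = {
        "acl/ceo": run_program_acl(acls, "Billy the CEO", request),
        "acl/cfo": run_program_acl(acls, "Joe the CFO", request),
    }
    # Capability case: the CFO runs the Trojan horse but delegates nothing.
    troj = spawn(clists, "Joe the CFO", "Trojan Horse")
    outcomes["cap/cfo/no-delegation"] = run_program_cap(troj, request)
    # Only an explicit delegation (the slides' "yellow arrow") enables the write.
    troj2 = spawn(clists, "Joe the CFO", "Trojan Horse", delegated=[request])
    outcomes["cap/cfo/explicit-delegation"] = run_program_cap(troj2, request)
    # The CEO cannot delegate a write capability he does not hold himself.
    try:
        spawn(clists, "Billy the CEO", "Trojan Horse", delegated=[request])
        outcomes["cap/ceo/explicit-delegation"] = True
    except PermissionError:
        outcomes["cap/ceo/explicit-delegation"] = False
    return outcomes


if __name__ == "__main__":
    for scenario, ok in trojan_outcomes().items():
        print(f"{scenario:30s} write to Bank Records: {'SUCCEEDS' if ok else 'DENIED'}")
```

The model makes the slide's point concrete: both views are derived from the same matrix, yet under the ACL view the CFO's Trojan horse succeeds purely because it runs as the CFO, while under the capability view it fails unless the CFO hands it the Bank Records write capability, and the CEO cannot hand over a capability he never held.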
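The crash-during-save case from the "How does persistence work" and "What if?" slides, as an added Python model. This is illustration code written for this page, not EROS's checkpoint code: the slides' look-ahead log is simplified to two checkpoint slots plus a commit record, the JSON-plus-SHA-256 slot layout and the `PersistentStore` class are assumptions, and the crash is simulated by an exception raised part-way through a write.

```python
"""Toy model of two-generation checkpointing: write the new snapshot into the
slot that is NOT currently committed, verify it, then flip the commit record.
An interrupted save therefore never touches the last good snapshot.
Added illustration for this page; not EROS's actual persistence code."""

import hashlib
import json


class Crash(Exception):
    """Simulated power failure in the middle of a save."""


class PersistentStore:
    def __init__(self):
        self.slots = {"A": None, "B": None}   # each: {"seq", "payload", "digest"}
        self.committed = None                  # name of the slot that is valid
        self.seq = 0

    @staticmethod
    def _digest(seq, payload):
        # Integrity check so a torn write is detected, not silently restored.
        return hashlib.sha256(json.dumps([seq, payload]).encode()).hexdigest()

    def save(self, state, crash_after_bytes=None):
        """Snapshot `state`.  If `crash_after_bytes` is given, the write is
        abandoned after that many bytes, leaving a torn slot behind."""
        target = "B" if self.committed == "A" else "A"   # never the committed slot
        payload = json.dumps(state, sort_keys=True)
        seq = self.seq + 1
        written = ""
        for i, ch in enumerate(payload):
            if crash_after_bytes is not None and i >= crash_after_bytes:
                self.slots[target] = {"seq": seq, "payload": written, "digest": None}
                raise Crash(f"power lost after {i} bytes while writing slot {target}")
            written += ch
        self.slots[target] = {"seq": seq, "payload": written,
                              "digest": self._digest(seq, written)}
        # Flipping the commit record is the single atomic step of the save.
        self.committed, self.seq = target, seq

    def restore(self):
        """On boot: return the committed snapshot if it verifies; otherwise fall
        back to the other slot; None if nothing valid exists."""
        order = [self.committed] + [s for s in ("A", "B") if s != self.committed]
        for name in order:
            slot = self.slots.get(name)
            if slot and slot["digest"] == self._digest(slot["seq"], slot["payload"]):
                return json.loads(slot["payload"])
        return None


def demo():
    """Two good saves, then a save that crashes mid-write.  Returns the state
    restored before and after the crash (constructed sample states)."""
    store = PersistentStore()
    store.save({"processes": ["shell"], "open_files": ["/etc/passwd"]})
    store.save({"processes": ["shell", "editor"],
                "open_files": ["/etc/passwd", "notes.txt"]})
    before_crash = store.restore()
    try:
        store.save({"processes": ["shell", "editor", "browser"], "open_files": []},
                   crash_after_bytes=10)
    except Crash:
        pass
    after_crash = store.restore()
    return before_crash, after_crash


if __name__ == "__main__":
    before, after = demo()
    print("restored before crash:", before)
    print("restored after crash: ", after)
```

The two slots are the slides' "two sets of persistence data": the slot being written is disposable until the commit record points at it, so a crash costs at most the work since the previous snapshot (the 5-minute interval), never the previous snapshot itself.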