CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 10 - Access Control
September 27, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Trusted Computing Base
• The trusted computing base is the infrastructure that you assume will behave correctly
– Hardware (keyboard, monitor, …)
– Operating Systems
– Implementations
– Local networks
– Administrators
– Other users on the same system
• Axiom: the larger the TCB, the more assumptions you must make (and hence, the more opportunity to have your assumptions violated).

Blindly Following Policy
• First, what is a policy?
– Some statement of secure procedure or configuration that parameterizes the operation of a system
– Example: Airport Policy
– Take off your shoes
– No bottles that could contain > 3 ozs
• Empty bottles are OK?
– You need to put your things through the X-ray machine
– Laptops by themselves
– Metal detector
• Purpose: to prevent someone from bringing in a (metal) weapon …

… when policy goes wrong
• Driving license test: take until you pass
– Mrs. Miriam Hargrave of Yorkshire, UK failed her driving test 39 times between 1962 and 1970!!!!
– … she had 212 driving lessons ….
– She finally got it on the 40th try.
– Some years later, she was quoted as saying, “sometimes I still have trouble turning right”

Access Control/Authorization
• An access control system determines what rights a particular entity has for a set of objects
• It answers the question
– E.g., do you have the right to read /etc/passwd?
– Does Alice have the right to view the EECS website?
– Do students have the right to share project data?
– Does Dr. Jaeger have the right to change your grades?
• An Access Control Policy answers these questions

Simplified Access Control
• Subjects are the active entities that do things
– E.g., you, Alice, students, Dr. Jaeger
• Objects are passive things that things are done to
– E.g., /etc/passwd, CSE website, project data, grades
• Rights are actions that are taken
– E.g., read, view, share, change

Protection Domains
[Figure: a protection domain enclosing Program A, with its Files and Memory]
• The protection domain restricts access of external parties to our computing system’s resources
• How is this done today?
• Memory protection
• E.g., UNIX protected memory, file-system permissions (rwx…)
• A protection state describes the access of all programs

Access Control Policy
• “A policy is a set of acceptable behaviors.” - F. Schneider
• An access control policy is a function: P(S,O,R) -> { accept, deny }
– Where set S = subjects, O = objects, R = rights
• The policy is a lot of these tuples, whether explicitly represented that way or not.
• There are many, many ways to represent these.

The Access Matrix
• An access matrix is one way to represent policy.
– Frequently used mechanism for describing policy
• Columns are objects, subjects are rows.
• To determine if Si has the right to access object Oj, find the appropriate entry.
• Succinct descriptor for O(|S|*|O|) entries
• Matrix for each right.

        O1   O2   O3
  S1    Y    Y    N
  S2    N    Y    N
  S3    N    Y    Y

Designing an access control system
• Separation of policy from mechanism
– A mechanism is the tool we use to enforce policy, e.g., the filesystem interfaces, etc.
– Policy is that which details rights
• Idea: separation gives us the ability to change the meaning of policy or the enforcement of it quickly

“Let me try to explain to you, what to my taste is characteristic for all intelligent thinking. It is, that one is willing to study in depth an aspect of one’s subject matter in isolation for the sake of its own consistency, all the time knowing that one is occupying oneself only with one of the aspects. We know that a program must be correct and we can study it from that viewpoint only; we also know that it should be efficient and we can study its efficiency on another day. But nothing is gained, on the contrary, by tackling these various aspects simultaneously. It is what I sometimes have called the separation of concerns.” - Dijkstra

Access Policy Enforcement
• A protection state defines what each subject can do
– E.g., in an access matrix
• A reference monitor enforces the protection state
– A service that responds to the query...
• P(S,O,R) -> { accept, deny }
• A correct reference monitor implementation meets the following guarantees
– Tamperproof
– Complete Mediation
– Simple enough to verify
• A protection system consists of a protection state, operations to modify that state, and a reference monitor to enforce that state

Access Control
• Reference Monitor is Central to Authorization
• Consider the Trust and Threat Models in Authorization
[Figure: Trusted Computing Base containing the Reference Monitor Interface, the Reference Monitor and the Protection State; Processes make requests through the interface]

Access Control
• Suppose the private key file for J is object O1
– Only J can read
• Suppose the public key file for J is object O2
– All can read, only J can modify
• Suppose all can read and write from object O3
• What’s the access matrix?

        O1   O2   O3
  J     ?    ?    ?
  S2    ?    ?    ?
  S3    ?    ?    ?

Trusted Processes
• Does it matter if we do not trust some of J’s processes?

        O1   O2   O3
  J     R    RW   RW
  S2    N    R    RW
  S3    N    R    RW

Secrecy
• Does the following protection state ensure the secrecy of J’s private key in O1?
(same protection state as on the Trusted Processes slide)

Integrity
• Does the following access matrix protect the integrity of J’s public key file O2?
(same protection state as on the Trusted Processes slide)
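The following is an added worked example, not code from the lecture or the course: it implements the policy function P(S,O,R) -> { accept, deny } from the Access Control Policy and Access Policy Enforcement slides as an access-matrix protection state mediated by a small reference monitor, then builds the J/S2/S3 matrix from the Trusted Processes slide and answers the Secrecy and Integrity questions by computing which subjects the state lets read O1 and write O2. The subject, object and right names come from the slides; the class names, method names and the audit list are assumptions made for the example.

```python
"""Access matrix + reference monitor for P(S,O,R) -> {accept, deny}.

Added example for the CSE543 access-control lecture; not the course's own code.
Subjects J, S2, S3, objects O1..O3 and rights read/write are the lecture's;
AccessMatrix, ReferenceMonitor and the helper names are assumptions of this example.
"""
from dataclasses import dataclass, field

ACCEPT, DENY = "accept", "deny"


@dataclass
class AccessMatrix:
    """Protection state: one cell per (subject, object) holding a set of rights.
    A missing cell means no rights at all (the N entries on the slides)."""
    cells: dict = field(default_factory=dict)

    # Operations that modify the protection state (the second part of a protection system).
    def grant(self, subject, obj, *rights):
        self.cells.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject, obj, *rights):
        self.cells.get((subject, obj), set()).difference_update(rights)

    def rights(self, subject, obj):
        return frozenset(self.cells.get((subject, obj), set()))

    def subjects(self):
        return sorted({s for s, _ in self.cells})

    def objects(self):
        return sorted({o for _, o in self.cells})


class ReferenceMonitor:
    """Answers P(S,O,R). Default is deny: a right is accepted only if the state
    explicitly grants it. Every decision is recorded so mediation can be audited."""

    def __init__(self, state):
        self._state = state
        self.audit = []

    def check(self, subject, obj, right):
        decision = ACCEPT if right in self._state.rights(subject, obj) else DENY
        self.audit.append((subject, obj, right, decision))
        return decision

    def who_can(self, obj, right):
        """Subjects the protection state allows to exercise `right` on `obj`.
        Secrecy of obj = who can read it; integrity of obj = who can write it."""
        return {s for s in self._state.subjects() if self.check(s, obj, right) == ACCEPT}


def lecture_state():
    """The matrix from the slides: O1 = J's private key (only J reads),
    O2 = J's public key (all read, only J writes), O3 = everyone reads and writes."""
    m = AccessMatrix()
    m.grant("J", "O1", "read")
    m.grant("J", "O2", "read", "write")
    m.grant("J", "O3", "read", "write")
    for s in ("S2", "S3"):
        m.grant(s, "O2", "read")
        m.grant(s, "O3", "read", "write")
    return m


def render(state):
    """Lay the matrix out as on the slides: R, W, RW or N per cell."""
    objs = state.objects()
    rows = ["    " + "  ".join(f"{o:<3}" for o in objs)]
    for s in state.subjects():
        cells = []
        for o in objs:
            r = state.rights(s, o)
            cells.append(("R" if "read" in r else "") + ("W" if "write" in r else "") or "N")
        rows.append(f"{s:<4}" + "  ".join(f"{c:<3}" for c in cells))
    return "\n".join(rows)


if __name__ == "__main__":
    state = lecture_state()
    rm = ReferenceMonitor(state)
    print(render(state))
    print("can read O1 (private key):", rm.who_can("O1", "read"))   # {'J'}
    print("can write O2 (public key):", rm.who_can("O2", "write"))  # {'J'}
    # Modifying the protection state changes later decisions without touching the monitor.
    state.revoke("S3", "O3", "write")
    print("can write O3 after revoke:", rm.who_can("O3", "write"))  # {'J', 'S2'}
```

Note that the monitor only sees subjects: any process that runs as J gets J's row, so the matrix alone says nothing about whether a particular process of J is trusted, which is the point of the Trusted Processes slide. The `who_can` queries make the Secrecy and Integrity questions mechanical: the state grants read on O1 and write on O2 to J alone, and the audit list shows that every one of those answers passed through `check`.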