CS530AuthorizationBill Chenghttp://merlot.usc.edu/cs530-s10 CSCI 530, Spring 2010 Copyright © William C. Cheng T1CSCI 530, Spring 2010 Copyright © William C. Cheng T2Authorization: Two MeaningsIs principal P permitted to perform action A on object U?Determining permissionP is now permitted to perform action A on object UAdding permissionIn this course, we use the first senseCSCI 530, Spring 2010 Copyright © William C. Cheng T3Access Controlcolumns indexed by principalWho is permitted to perform which actions on what objects?Access Control Matrix (ACM)rows indexed by objectselements are arrays of permissions indexed by actionIn practice, ACMs are abstract (not realizable) objectsACM is huge and sparseACM is often distributedinstantiationsACLscapabilitiesCSCI 530, Spring 2010 Copyright © William C. Cheng T4Instantiations of ACMsfor each object, list principals and actions permitted onthat objectAccess Control Lists (ACLs)corresponds to rows of ACMe.g., Kerberos admin systemCapabilitiesfor each principal, list objects and actions permitted forthat principalcorresponds to columns of ACMe.g., Kerberos restricted proxiesThe Unix file system is an example of...?can be compacted (null entries removed)it is easy to delegate capabilitiese.g., I’m authorized to transfer money from A to BCSCI 530, Spring 2010 Copyright © William C. Cheng T5ProblemstimePermissions may need to be determined dynamicallysystem loadrelationship with other objectssecurity status of hoste.g., can only write to this file if this other file is presente.g., only administrators are allowed to login if thesystem is under attackmust have a revokation list to be checked whencapabilities are presentedACLs need to be replicated or centralizedcapabilities don’t, but they’re harder to revokee.g., yellow pages on Solaris CSCI 530, Spring 2010 Copyright © William C. Cheng T6Problems (Cont...)Distributed nature of systems may aggravate thisGAA (next lecture)Approachesagent-based authorizationmobile piece of code that acts on behalf of aprincipleproblem with centralized approach is that you have tocontact the server to determine permissions on everyaccess, distributed is more efficienta live object carries capabilities in memoryCSCI 530, Spring 2010 Copyright © William C. Cheng T7Agent-Based Authorizationeither directly, or through agent serverWhen object created on a host H, agent Q created along with itAgents distributed to clientsClient on host G instantiates agent for principal P, submits itto H as Q/P@G Q acts on behalf of P at Gagent aids in making authorization decisionsAdvantages:dynamic evaluation of policiesdistributed controlgranularity specific to an objectease of administrationCSCI 530, Spring 2010 Copyright © William C. Cheng T8Agent-Based Authorization (Cont...)needs to be integrity-protectedRelieves scaling issues with ACLsQ is typically mobile code and datamay be confidentiality-protectedagent environment on H must be trustedCSCI 530, Spring 2010 Copyright © William C. Cheng T9Revocation in Agent-Based Systemshosts must send CRLs (certificate revocation lists) to otherhosts and/or principalsTimeout-basedHarder for malicious agentsmust maintain their own CRL to restrict or deny
View Full Document
Unlocking...