463.9 Access Control Mechanisms
UIUC CS463 Computer Security
Based on slides provided by Matt Bishop for use with Computer Security: Art and Science

Overview
•Access control lists
•Capabilities
•Object capabilities

Required
•Reading: Sections 15.1 and 15.2
•Exercises: Section 15.9 exercises 2 to 6

Access Control Mechanisms
•Most of security concerns controlling access
•Three levels of access control
–High-level policy (e.g. Chinese Wall, Biba, …)
–Low-level policy (access control matrix)
–Mechanism

Access Control Lists
•Columns of access control matrix

            file1    file2    file3
  Andy      rx       r        rwo
  Betty     rwxo     r
  Charlie   rx       rwo      w

ACLs:
•file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) }
•file2: { (Andy, r) (Betty, r) (Charlie, rwo) }
•file3: { (Andy, rwo) (Charlie, w) }

Default Permissions
•Normal: if not named, no rights over file
–Principle of Fail-Safe Defaults
•If many subjects, may use groups or wildcards in ACL
–UNICOS: entries are (user, group, rights)
  •If user is in group, has rights over file
  •‘*’ is wildcard for user, group
–(holly, *, r): holly can read file regardless of her group
–(*, gleep, w): anyone in group gleep can write file

Abbreviations
•ACLs can be long … so combine users
–UNIX: 3 classes of users: owner, group, rest

    owner   group   rest
    rwx     rwx     rwx

–Ownership assigned based on creating process
–Group set to current group of process
  •Can change it to any other group the user belongs to
  •Some systems: if directory has setgid permission, file group owned by group of directory (SunOS, Solaris)

ACLs + Abbreviations
•Augment abbreviations with explicit ACLs
•ACLs override abbreviations
•Example: IBM AIX
–Base permissions are abbreviations, extended permissions are ACLs with user, group
–ACL entries can add rights, but on deny, access is denied

Permissions in IBM AIX
attributes:
base permissions
    owner(bishop):  rw-
    group(sys):     r--
    others:         ---
extended permissions
    enabled
    specify  rw-  u:holly
    permit   -w-  u:heidi, g=sys
    permit   rw-  u:matt
    deny     -w-  u:holly, g=faculty

ACL Modification
•Who can do this?
–Creator is given own right that allows this
–System R provides a grant modifier (like a copy flag) allowing a right to be transferred, so ownership not needed
  •Transferring right to another modifies ACL
  •Before: File1: (Alice, rg), (Bob, rwo)
  •Alice grants her read right to Carol
  •After: File1: (Alice, rg), (Bob, rwo), (Carol, r)
–Root can (usually) alter ACLs as well

Privileged Users
•Do ACLs apply to privileged users (root)?
–Solaris: abbreviated lists do not, but full-blown ACL entries do
–Other vendors: varies
•Used to restrict power of administrative user

Conflicts
•Deny access if any entry would deny access
–AIX: if any entry denies access, regardless of rights given so far, access is denied
•Apply first entry matching subject
–Cisco routers: run packet through access control rules (ACL entries) in order; on the first match, stop and apply that entry's action (permit forwards the packet, deny drops it); if no entry matches, deny
•Note default is deny so honors principle of fail-safe defaults

Handling Default Permissions
•Apply ACL entry, and, if none, use defaults
–Cisco router: apply matching access control rule, if any, otherwise, use default rule (deny)
•Augment defaults with those in the appropriate ACL entry
–AIX: extended permissions augment base permissions

Revocation Question
•How do you remove subject’s rights to a file?
–Owner deletes subject’s entries from ACL, or rights from subject’s entry in ACL
•What if ownership not involved?
–Depends on system
–System R: restore protection state to what it was before right was given
  •May mean deleting descendant rights too …

Windows NT ACLs
•Different sets of rights
–Basic: read, write, execute, delete, change permission, take ownership
–Generic: no access, read (read/execute), change (read/write/execute/delete), full control (all), special access (assign any of the basics)
–Directory: no access, read (read/execute files in directory), list, add, add and read, change (create, add, read, execute, write files; delete subdirectories), full control, special access

Accessing Files
•User not in file’s ACL nor in any group named in file’s ACL: deny access
•ACL entry denies user access: deny access
•Take union of rights of all ACL entries giving user access: user has this set of rights over file

Capability Lists
•Rows of access control matrix

            file1    file2    file3
  Andy      rx       r        rwo
  Betty     rwxo     r
  Charlie   rx       rwo      w

C-Lists:
•Andy: { (file1, rx) (file2, r) (file3, rwo) }
•Betty: { (file1, rwxo) (file2, r) }
•Charlie: { (file1, rx) (file2, rwo) (file3, w) }

Semantics
•Where are access rights stored
–ACL: Each resource (file) has an access list
–Capabilities: Each process has a capability list (C-list)
•Note: In capabilities, subjects are processes; in ACLs, subjects are users
•Capabilities act as “tickets”
–Possession of capability implies access rights
•Tickets must be unforgeable
–Otherwise access control fails

Implementation
•Tags / descriptors
•Cryptographic tickets
•Type system

Tags / Descriptors
•Each process has a list of tickets (e.g. CAP system)
–Tickets stored in a protected segment
–Programs refer to tickets by pointers / indices
–Operating system can add / remove tickets
•Use file descriptors (e.g. UNIX)
–UNIX access control a hybrid system: use ACLs to open a file and get a file descriptor, then use descriptor as a capability
–More efficient since only need to check permissions on open

Cryptographic Tickets
•Associate with each capability a cryptographic checksum enciphered using a key known to OS
•When process presents capability, OS validates checksum
•Example: Amoeba, a distributed capability-based system
–Capability is (name, creating_server, rights, check_field) and is given to owner of object
–check_field is 48-bit random number; also stored in
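Worked example for the Access Control Lists, Default Permissions and Capability Lists slides. This is an added example, not code from the slides or from Bishop's text: it builds the column view (ACLs) and the row view (C-lists) from the matrix on the slides, checks that both views answer every access question identically, and evaluates UNICOS-style (user, group, rights) entries with the ‘*’ wildcard. The object name "notes" and the UNICOS ACL contents are constructed for the example.

```python
# Added example (not from the slides): ACLs are the columns and C-lists the
# rows of one access control matrix; both are queried with fail-safe defaults.

# Constructed sample: the matrix from the slides.
MATRIX = {
    "Andy":    {"file1": "rx",   "file2": "r",   "file3": "rwo"},
    "Betty":   {"file1": "rwxo", "file2": "r"},
    "Charlie": {"file1": "rx",   "file2": "rwo", "file3": "w"},
}


def acls(matrix):
    """Column view: object -> {subject: set of rights}."""
    out = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            out.setdefault(obj, {})[subj] = set(rights)
    return out


def clists(matrix):
    """Row view: subject -> {object: set of rights}."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def acl_allows(acl, obj, subj, right):
    """Fail-safe default: a subject not named in the object's ACL has no rights,
    and an object with no ACL grants nothing."""
    return right in acl.get(obj, {}).get(subj, set())


def clist_allows(clist, subj, obj, right):
    """Same question asked of the subject's capability list."""
    return right in clist.get(subj, {}).get(obj, set())


def views_agree(matrix, rights="rwxo"):
    """Both views are the same matrix, so every (subject, object, right)
    query must give the same answer."""
    a, c = acls(matrix), clists(matrix)
    subjects, objects = list(matrix), {o for row in matrix.values() for o in row}
    return all(acl_allows(a, o, s, r) == clist_allows(c, s, o, r)
               for s in subjects for o in objects for r in rights)


# UNICOS-style entries: (user, group, rights); '*' matches any user or group.
# Constructed ACL for a hypothetical object "notes".
UNICOS_ACL = {
    "notes": [("holly", "*", "r"), ("*", "gleep", "w")],
}


def unicos_allows(acl, obj, user, groups, right):
    """Grant if some entry matches the user (or '*') and one of the user's
    groups (or '*') and carries the right; otherwise deny (fail-safe)."""
    for u, g, rights in acl.get(obj, []):
        if u in ("*", user) and (g == "*" or g in groups) and right in rights:
            return True
    return False


if __name__ == "__main__":
    print(acls(MATRIX))
    print(clists(MATRIX))
    print(unicos_allows(UNICOS_ACL, "notes", "holly", {"faculty"}, "r"))
```

The two views differ only in where the same rights are stored, which is why the slides later contrast them by how easy it is to answer "who can access this object" (ACL) versus "what can this subject access" (C-list), not by what they permit.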
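Worked example for the ACLs + Abbreviations, Permissions in IBM AIX and Conflicts slides. This is an added example, not AIX code or code from the slides: it encodes the ACL shown on the AIX slide and evaluates it by the rule the slides state, namely that the base (owner/group/others) bits are the starting point, extended entries add rights (permit) or replace them (specify), and a matching deny removes the right regardless of what was granted so far. The treatment of "specify" as replacing the base class bits, and the requirement that an entry naming both u: and g= match both, are assumptions made for the example.

```python
# Added example (not from AIX or the slides): evaluate AIX-style base +
# extended permissions; any matching deny wins over everything granted.

# Constructed from the "Permissions in IBM AIX" slide.
BASE = {"owner": ("bishop", "rw-"), "group": ("sys", "r--"), "others": "---"}
EXTENDED = [
    ("specify", "rw-", {"u": "holly"}),
    ("permit",  "-w-", {"u": "heidi", "g": "sys"}),
    ("permit",  "rw-", {"u": "matt"}),
    ("deny",    "-w-", {"u": "holly", "g": "faculty"}),
]


def bits(mode):
    """'rw-' -> {'r', 'w'}"""
    return {c for c in mode if c != "-"}


def base_rights(base, user, groups):
    """UNIX abbreviation: owner class, else group class, else others."""
    owner, owner_mode = base["owner"]
    group, group_mode = base["group"]
    if user == owner:
        return bits(owner_mode)
    if group in groups:
        return bits(group_mode)
    return bits(base["others"])


def entry_matches(ident, user, groups):
    """An entry naming both u: and g= applies only when both match
    (assumption for this example)."""
    if "u" in ident and ident["u"] != user:
        return False
    if "g" in ident and ident["g"] not in groups:
        return False
    return True


def effective_rights(base, extended, user, groups):
    """Rights a process running as `user` with group set `groups` ends up with."""
    rights = base_rights(base, user, groups)
    denied = set()
    for kind, mode, ident in extended:
        if not entry_matches(ident, user, groups):
            continue
        if kind == "specify":      # replace the class bits for this identity
            rights = bits(mode)
        elif kind == "permit":     # augment
            rights |= bits(mode)
        elif kind == "deny":       # collected separately: deny beats any grant
            denied |= bits(mode)
    return rights - denied


if __name__ == "__main__":
    for user, groups in [("bishop", {"sys"}), ("holly", {"faculty"}),
                         ("holly", {"sys"}), ("heidi", {"sys"}),
                         ("matt", {"staff"}), ("guest", {"staff"})]:
        print(user, sorted(groups), sorted(effective_rights(BASE, EXTENDED, user, groups)))
```

Note what the deny entry does for holly: as a member of faculty she is left with read only, even though the specify entry earlier in the list gave her read and write; in any other group the deny does not match and she keeps both.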
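Worked example for the first-match rule on the Conflicts and Handling Default Permissions slides. This is an added example, not Cisco IOS configuration or code from the slides: a small packet filter in the style of a Cisco extended ACL, where rules are tried in order, the first matching rule decides (permit or deny) and evaluation stops, and a packet matching nothing is denied. The rule list and addresses are constructed for the example.

```python
# Added example (not Cisco's or the slides'): first-match packet filter with
# an implicit deny at the end of the rule list.
import ipaddress

# Constructed rules: (action, proto, src, dst, dport). "any" is a wildcard.
RULES = [
    ("deny",   "tcp", "10.0.0.0/8", "any",          23),     # no telnet out of 10/8
    ("permit", "tcp", "10.0.0.0/8", "any",          "any"),  # other TCP from 10/8
    ("permit", "udp", "any",        "10.0.0.53/32", 53),     # DNS to the resolver
]


def matches(rule, pkt):
    """Does this one rule match the packet (a dict with proto/src/dst/dport)?"""
    _, proto, src, dst, dport = rule
    if proto != "any" and proto != pkt["proto"]:
        return False
    for net, addr in ((src, pkt["src"]), (dst, pkt["dst"])):
        if net != "any" and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
            return False
    return dport == "any" or dport == pkt["dport"]


def filter_packet(rules, pkt):
    """Return (action, index of the deciding rule). Evaluation stops at the
    first match; no match means the default rule applies: deny, index None."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule[0], i
    return "deny", None


def pkt(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    print(filter_packet(RULES, pkt("tcp", "10.1.2.3", "8.8.8.8", 23)))    # ('deny', 0)
    print(filter_packet(RULES, pkt("tcp", "10.1.2.3", "8.8.8.8", 443)))   # ('permit', 1)
    print(filter_packet(RULES, pkt("udp", "192.168.1.5", "10.0.0.53", 80)))  # ('deny', None)
```

Order is the whole point: the telnet packet also matches the second, permitting rule, but never reaches it. Swapping the first two rules silently reopens telnet, which is why ACL changes on routers are reviewed for ordering and not only for which rules are present.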
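Worked example for the ACL Modification and Revocation Question slides. This is an added example, not System R's algorithm as published or code from the slides: a simplified model of grants with a grant option and of revocation that restores the protection state to what it was before the right was given, which cascades to rights the revoked grantee passed on while they depended on it. The timestamps, the single-file scope and the owner-always-holds rule are simplifications made for the example; the users beyond Alice, Bob and Carol are constructed.

```python
# Added example (simplified System R-style model, not the real algorithm):
# grants are timestamped; revoking one removes every later grant that the
# grantee could only have made because of it.


class GrantTable:
    def __init__(self, owner):
        self.owner = owner
        self.grants = []      # (time, grantor, grantee, right, with_grant_option)
        self.clock = 0

    def holds(self, user, right, at=None, need_grant=False):
        """Did `user` hold `right` (optionally with the grant option) strictly
        before time `at`? The owner always holds every right."""
        if user == self.owner:
            return True
        return any(to == user and r == right and (at is None or t < at) and (g or not need_grant)
                   for t, _, to, r, g in self.grants)

    def grant(self, grantor, grantee, right, with_grant=False):
        """Like the slide's (Alice, rg) granting r to Carol: the grantor needs
        the grant option, not ownership."""
        if not self.holds(grantor, right, need_grant=True):
            raise PermissionError(f"{grantor} cannot grant {right}")
        self.clock += 1
        self.grants.append((self.clock, grantor, grantee, right, with_grant))

    def revoke(self, grantor, grantee, right):
        """Drop grantor -> grantee grants of `right`, then remove every grant
        whose grantor no longer held the right with grant option when making it."""
        self.grants = [g for g in self.grants
                       if not (g[1] == grantor and g[2] == grantee and g[3] == right)]
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                t, who, _, r, _ = g
                if not self.holds(who, r, at=t, need_grant=True):
                    self.grants.remove(g)
                    changed = True

    def rights_of(self, user):
        return {r for _, _, to, r, _ in self.grants if to == user}


def demo():
    """Constructed scenario: Bob owns the file and everything flows from him."""
    t = GrantTable("Bob")
    t.grant("Bob", "Alice", "r", with_grant=True)   # t=1
    t.grant("Alice", "Carol", "r")                  # t=2, depends on t=1
    t.grant("Alice", "Dave", "r", with_grant=True)  # t=3, depends on t=1
    t.grant("Dave", "Eve", "r")                     # t=4, depends on t=3
    t.grant("Bob", "Dave", "r", with_grant=True)    # t=5, independent of Alice
    t.revoke("Bob", "Alice", "r")
    return {u: t.rights_of(u) for u in ("Alice", "Carol", "Dave", "Eve")}


if __name__ == "__main__":
    print(demo())
```

After Bob revokes Alice, Carol and Eve lose read even though neither was named in the revoke: Carol's right came only from Alice, and Eve's came from Dave at a time when Dave himself held it only through Alice. Dave keeps read because Bob's later grant stands on its own, but Eve's grant is not resurrected by it, since it predates that grant.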
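Worked example for the Tags / Descriptors slide's point that UNIX is a hybrid: the mode bits (the ACL abbreviation) are checked once at open(), and the returned descriptor then works as a capability. This is an added example, not code from the slides; it assumes a POSIX system. It opens a file, strips every permission bit, and shows that the already-open descriptor still reads while a fresh open() is refused (for a non-root caller; root bypasses mode bits, which the function reports rather than hides).

```python
# Added example (not from the slides): a file descriptor behaves as a
# capability, so an ACL-side "revocation" (chmod) does not affect it.
import os
import tempfile


def demo_fd_capability():
    """Return what happened: did the open descriptor keep working, and was a
    second open() denied? Assumes POSIX semantics."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.txt")
        with open(path, "w") as f:
            f.write("ticket\n")

        fd = os.open(path, os.O_RDONLY)   # permission bits are checked here, once
        os.chmod(path, 0)                 # revoke in the ACL: no bits for anyone

        read_via_fd = os.read(fd, 100) == b"ticket\n"   # the capability still works
        os.close(fd)

        try:
            os.close(os.open(path, os.O_RDONLY))        # a new open() goes through the ACL
            reopen_denied = False
        except PermissionError:
            reopen_denied = True

        os.chmod(path, 0o600)             # restore bits before the directory is removed
        return {"read_via_fd": read_via_fd,
                "reopen_denied": reopen_denied,
                "is_root": os.geteuid() == 0}


if __name__ == "__main__":
    print(demo_fd_capability())
```

This is the practical face of the revocation problem for capability systems that the later slides discuss: taking a right away at the ACL does nothing for descriptors handed out earlier, so revoking access from a running process needs a different mechanism (killing it, or a kernel that invalidates descriptors).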
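Worked example for the Cryptographic Tickets slide. This is an added example, not Amoeba's code or code from the slides: a capability carried as (object, rights, checksum), where the checksum is computed by the OS with a key only it knows. An HMAC-SHA256 tag, truncated to 48 bits to echo the slide's check_field length, stands in for the slide's "checksum enciphered using a key known to OS"; that construction, the object name and the rights strings are assumptions made for the example. A process can copy such a ticket, but cannot forge one or widen its rights without the key, and only the OS can derive a weaker ticket.

```python
# Added example (not Amoeba's or the slides'): capabilities as keyed-checksum
# tickets validated by the OS on every presentation.
import hashlib
import hmac
import os


class TicketOS:
    def __init__(self, key=None):
        self.key = key or os.urandom(32)   # known only to the OS

    def _tag(self, obj, rights):
        msg = f"{obj}|{''.join(sorted(rights))}".encode()
        # 48-bit truncation mirrors the slide's check_field size; the tag is
        # still keyed, so a process cannot recompute it.
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:6]

    def mint(self, obj, rights):
        """Issued by the OS to the object's owner."""
        rights = frozenset(rights)
        return (obj, rights, self._tag(obj, rights))

    def valid(self, ticket):
        obj, rights, tag = ticket
        return hmac.compare_digest(tag, self._tag(obj, rights))

    def check(self, ticket, right):
        """Process presents the ticket; OS recomputes the checksum first."""
        return self.valid(ticket) and right in ticket[1]

    def restrict(self, ticket, keep):
        """Derive a ticket with a subset of the rights. Editing the rights field
        directly would break the tag, so the holder must ask the OS."""
        if not self.valid(ticket):
            raise ValueError("invalid ticket")
        obj, rights, _ = ticket
        return self.mint(obj, rights & frozenset(keep))


if __name__ == "__main__":
    kernel = TicketOS()
    t = kernel.mint("file1", "rx")
    print(kernel.check(t, "r"), kernel.check(t, "w"))          # True False
    forged = (t[0], frozenset("rwx"), t[2])                     # rights widened, tag stale
    print(kernel.check(forged, "w"), kernel.check(forged, "r"))  # False False
```

The forged ticket fails even for the right it originally carried: the tag binds the whole (object, rights) pair, so any edit invalidates the ticket rather than just the added right. A different OS instance (different key) rejects every ticket, which is the distributed-system property the Amoeba example on the slide relies on: only the server that created the object can validate capabilities for it.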