CMSC 414Computer (and Network) Security

Lecture 13

Jonathan Katz

Midterm?

Will be held Oct 21, in class

Will cover everything up to and including the preceding lecture (Oct 16)

Includes all reading posted on the class syllabus!

Access control lists (ACLs)

Instead of storing central matrix, store each column with the object it represents– Stored as pairs (s, r)

Subjects not in list have no rights– Can use wildcards to give default rights

Example: Unix

Unix divides users into three classes:– Owner of the file– Group owner of the file– All other users

Note that this leaves little flexibility…

Some systems have been extended to allow for more flexibility– Abbrev. ACLs overridden by explicit ACLs

Handling conflicts

Conflicts may arise if two entries give different permissions to a subject– Multiple ways of resolving this; e.g.:

• Allow access if any entry gives rights

• Allow access only if no entry denies rights

• Apply first applicable entry

Default permissions?

Two approaches– Apply ACL entry, if it exists; otherwise, apply

default rule• I.e., ACL entries override default permissions

– Augment the default permissions with those in the appropriate ACL entry

– Example: what if default allows “read” and ACL entry states “write”?

Revocation

How to handle revocation?– Easy to revoke all access with ACLs– But…what if two different users granted the

same right to the same person?• E.g., both A and B give rights to C. Now A wants to

revoke C’s rights. But B still wants to allow rights…

– Can store a history of ACL modifications

Example: Windows NT

Rights:– Read; write; execute; delete; own

Generic (groups of) rights:– No access; read; change; full– Also, a “special access” right (allows any

combination of rights)

Example, continued…

When user accesses a file– If user not present in ACL, nor member of any

group in ACL, deny access– If user (or group containing user) is explicitly

denied access in ACL, deny access– Else, user has union of all rights from each

ACL entry for user (or group containing user)

Example, continued…

Paul, Quentin are in group “students”

Quentin, Regina are in group “staff”

File with ACL: (staff, full), (Quentin, change), (students, no access), (Paul, no access)– Regina has full access

– Quentin has no access (since in “students”)

– Paul has no access

– Note: an explicit deny overrides any permissions

– Safer to explicitly disallow access when unwanted• E.g., in case “students” is later allowed access

Capabilities

The “dual” of ACLs– The row of an access control matrix is

associated with the corresponding subject

More complex to implement securely than ACLs– A process must identify a capability…– …so must have some control over it– (In contrast, the OS controls files)

Protecting capabilities

Can “tag” capabilities so they can be read, but not modified, by processes

Or, store capabilities in protected memory

Can also use cryptography to ensure integrity of capabilities– Using a message authentication code, with a

key known to the OS

Copying capabilities

Copying a capabilities implies giving rights– Copy flag is associated with capabilities– Process cannot copy the capability unless this

flag is set

Revocation

How to revoke access to a file?– Would potentially require revoking all capabilities

associated with that file

One solution: indirection– Capabilities name an entry in a table, rather than an

object itself

– To revoke access to object, invalidate entry in table

– Or, change random number associated with object

Difficult to revoke access by a single subject

Potential problems

What if one process gives capabilities to another? (Possibly indirectly)– Can lead to security violation

One solution: assign security classifications to capabilities– E.g., when capability created, its classification

is the same as the requesting process– Capability contains rights depending on the

object to which it refers

ACLs vs. capabilities

Given a subject, what objects can it access? (capabilities)

Given an object, which subjects can access it? (ACLs)– Second question is asked more often than first

For incident response, capabilities may be preferable– “What else did this subject access?”

“Locks and keys”

Combines ACLs and capabilities– “Lock” associated with each object– “Key” associated with each subject authorized

to access this object– When subject tries to access object, its set of

keys is checked; if it has a key corresponding to the object’s lock, access allowed

Important distinction

ACLs and capabilities are “static”– Require manual intervention to change

Locks and keys are “dynamic”– May change on their own in response to

changes in the system

Example

Cryptographic key used to encrypt a file– A file cannot be “read” unless the subject has

the encryption key– Can also enforce that requests from n users are

required in order to read data (and-access), or that any of n users are able to read data (or-access)

Cryptographic secret sharing

(t, n)-threshold scheme to share a “key”

Using this to achieve (t, n)-threshold encryption

Shamir secret sharing

Another example

Type checking

E.g., label memory locations as either “data” or “instructions”– Do not allow execution of type “data”– Can potentially be used to limit buffer

overflows

Ring-based access control

Memory and files (e.g., disk space) are viewed as equivalent– E.g., a program is loaded into memory and run,

or a file is loaded into RAM– Termed “segments”

Two types of segments: data and procedure

ACLs specify rights on per-user basis– All procedures executed by a user have rights

associated with that user

Ring-based access control

Sequence of 64 “protection rings”– Kernel in ring 0– Higher ring numbers have lower privileges

Proc. in ring r wants to access data segment– Data associated with access bracket (a, b)– If r a, access allowed– If r > b, no access– Else, read allowed; write denied

Ring-based access control

Procedure in ring r wants to execute another procedure segment– Procedure segment has access bracket (a, b),

and also has call bracket (b, c)• If r < a, access permitted but “ring fault” occurs and

trap to kernel

• If r lies between a and b, all access permitted

• If r lies between b and c, access permitted via “gate”

• If r > c, all access denied

Why brackets?

In theory, a process or file should be assigned to one ring– However, this would require a call to the OS

every time a process from another ring needed access; access bracket fixes this problem

– Call bracket allows user to execute programs in well-defined ways (i.e., via gates)

Propagated ACLs

Associated with data, not the object holding the data– Prevents one user from copying data in a file to

a new file, thereby giving access to the data– When a subject reads from an object, the

subject’s PACL is updated– When an object is created, the object takes on

the PACL of the creator

Example…

A creates file f, and allows B, D to access it

After B reads f, PACLnew(B) = PACLold(B) PACL(A)

If B creates new file f’, this file is assigned PACLnew(B)

User U can access f’ only if U is in both PACLold(B) and PACL(A)