Access Control
1
Given Credit Where It Is Due
Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH
Some slides are from Prof. Kenneth Chiu at SUNY Binghamton
I have modified them and added new slides
2
3
Access Control
Once a client and a server have established a secure channel, the client can issue requests to the server
Requests can only be carried out if the client has sufficient access rights
The verification of access rights is access control, and the granting of access rights is authorization
These two terms are often used interchangeably
4
The Basic Model for Access Control
This model is generally used to help understand the various issues involved in access control
The subject issues requests to access the object, and protection is enforced by a reference monitor that knows which subjects are allowed to issue which requests
5
Access Control Matrix
The access control matrix is a matrix with each subject represented by a row, and each object represented by a column
The entry M[s, o] lists the operations that subject s may carry out on object o
Is this matrix a good way to represent access rights
Of course, we don’t really want to implement it as a matrix in any system of reasonable size, because there would be a whole lot of wasted space…
?
?
6
Access Control Matrix
There are two main approaches that are used instead of an actual matrix:
Each object can maintain a list, the access control list, of the access rights of subjects that want to access that object - this effectively distributes the matrix column-wise, leaving out empty entries
Each subject can maintain a list of capabilities for objects - this effectively distributes the matrix row-wise, leaving out empty entries
Of course, capabilities can’t be totally maintained by the subjects - they must be given to the subjects by some other trusted entity (like the reference monitor)
7
Access Control Lists vs. Capabilities
Access Matrix
Access Control List
Capability Lists
11
Protection Domains
ACLs and capabilities help to efficiently implement the access control matrix, but can still become quite cumbersome
A protection domain is a set of (object, access rights) pairs, where each pair specifies for a given object exactly what operations can be carried out
By associating a protection domain with each request, we can cut down on redundant information in access control lists
12
Protection Domains
One approach to using protection domains is to construct groups of users
Another approach is to use roles instead of groups
Roles: head of a department, manager of a project, member of a personnel search committee
13
Firewalls
We can use encryption to protect the files that make up the access control matrix, and various secure channel protocols to communicate that information to the objects that need it
This works well, as long as all the components in the system play by the same sets of rules - but that might not always be the case…
14
Firewalls - Example
Take the idea of an NFS server, which uses UNIX user and group IDs to control access to files
This works great on a private network where you can guarantee that none of the machines’ local user and group databases will be tampered with
If I tamper with a machine, create a new user with some existing user ID in my password file, and then hop onto the NFS server, I can access all that user’s files and exercise all his rights!
15
Firewalls
A firewall is a special kind of reference monitor that inspects packets traveling into and out of a private network to ensure that they aren’t harmful
There are two main types: Packet-filtering gateways inspect only the headers of
packets travelling on the network, for example, based on the source and destination addresses
Application-level gateways inspect the contents of the packets as well, for example, spam email filters
16
Secure Mobile Code
Code migration: It’s important to protect hosts against malicious mobile agents, and also to protect the mobile agents against malicious hosts
Much more attention has been paid to the former, because the latter is in a sense impossible - even if you protect the agent from tampering with various cryptographic techniques, nothing prevents a host from simply keeping the agent a prisoner forever
17
Secure Mobile CodeProtecting the Host
One approach to protecting the host is to build a sandbox, which allows the execution of a downloaded agent to be fully controlled
If the agent attempts to execute an instruction that the host doesn’t like, it can be terminated by the host
Implementing a sandbox is nontrivial
Probably the best known example is the Java sandbox model
18
Secure Mobile CodeThe Java Sandbox Model
The Java sandbox model consists of several components:
Class Loaders
Byte Code Verifier
Security Manager
19
Secure Mobile CodeThe Java Sandbox Model
Class loaders are responsible for fetching classes from servers and installing them in the host’s JVM
Only trusted class loaders are used - a Java program can’t circumvent the sandbox by creating some special kind of class loader
A byte code verifier checks whether downloaded classes obey the sandbox’s security rules
In particular, it checks to see if the code contains illegal instructions or instructions that could corrupt the stack or memory
20
Secure Mobile CodeThe Java Sandbox Model
A security manager performs checks at runtime to ensure that mobile code doesn’t break any rules
For instance, downloaded code cannot write to the filesystem unless given special permission to do so
In the original Java security model, the security manager was very strict and didn’t distinguish programs from different servers- Java’s current security model is much more flexible
21
Secure Mobile CodePlaygrounds
An alternative model is to designate a single machine on the local network as a playground in which mobile code can run
Resources local to the playground are available to code running in the playground, while resources local to other machines are isolated from the playground
22
Secure Mobile CodeSandboxes vs. Playgrounds
(a) illustrates a sandbox-based system, while (b) illustrates a playground-based one
Distributed Denial of Service
DDoS Can be classified into two kinds, roughly. Bandwidth depletion and
server resource depletion. How does a typical DDoS work? How can we protect against them?
Distributed Denial of Service
No single way to protect, need comprehensive plan
Protect machines from getting taken over.
Monitor egress routers.
Monitor ingress (how well does this work?)
Monitor overall network.