CIS511 Class Notes, Jan 19, 2006
by Yu-Hua Chang and Kai Wang
Prof. Zdancewic Office Hours 9:30-10:30 R Levine511
TA Office Hours 12:00-1:00 MW TBA
Gold Standard (three concepts for setting security rules and enforcing security
policies)
- Authentication
- You often need to know the user, client, or principal before you implement the policy.
- This allows the system to know what principal to use.
- What is a principal? A principal is any entity that has a stake in the security of
the system.
- Different ways to identify a principal: user id, password...
- Audit
logging the activity:
- eg: Audit software so you can later reconstruct same situation
- filter the packets in the network at the firewall.
- Authorization
determine what actions are permissible
Access Control
Def: Give specific access rights to resources.
Access Control policy
- OS reinforce policy, ex: file system. in UNIX, the privilege type (rwx)
- java applet access restriction
Some Model of the System
ex: file system in unix, base on user (uid) and group (gid), policy is rwx
- Model
give some model of the system so that we can do something in the system.
- Subject
how we determine who should be applied to a policy.
- Object
what we can do to protect the system.
- Action
what we will do for one policy. Action can be performed on an object.
eg: a process can read or write a file. a java program can open the network...
- Right
Authority. Some action are permitted based on the policy.
eg: in UNIX, actions of each process can be limited. OS will check again wether it's
allowed.
mechanism should be general. Actually, it's a trade-off. The more complete, the
better.mechanism should be able to be applied to other situations
ex: Firewall decides which packet is allowed to pass through and which is dropped
depending on the policy defined in the filter rule.
Reference Monitors
monitor
/-----------------\ /----------------------\
| subject | | (?)look up the |
|(user, network, |-----------------+-> control policy --+---> deny
| process... )| request | to make decision |
\-----------------/ (action object) | | |
\----------+-----------/
|
V
granted (allow)
Reference monitor example:
- OS: file system
- OS: memory
eg: virtual memory; in UNIX, each virtual memory is treated as a file.
one process run on its own virtual memory space and cannot see other process' memory
space.
- Firewall: monitor network access.
- JVM
All of these operate at different levels of abstraction.
Access Control Matrix (design policy)
+-----------------------------------+
| | object (ex: files...) |
+-----------+-----------------------+
| subject | collection of right |
|(ex: user, | (privilege) |
| group)| |
+-----------+-----------------------+
Access Control Check
it's correct iff if (r belongs to A[S][O]) then granted,
else deny.
The only problem is space.
It's too large to store the entire matrix.
How do you compress this table?
Trick: make each entry of this table into an object; Make objects/subjects into
groups. ex: in UNIX, subject are divided into owner, group, and world New Subject
New Object New Right -> grant right r to subject S with respect object
O. Also called delegation.
TCB
Want to minimize it as much as you can.
- Correctness
- Complete Mediation
- Expressiveness
- How big and complicated is it
Software Mechanisms
- Interpreters
- Wrappers
how do you actually do the check.
- instruction
- link the program to an interface or library; wrap it and do the check.
ex: access control problem. a library that define which is safe and which is unsafe.
use the wrapper to check.
- OS
some system calls can't be used to protect security mechanism. eg: Kerberos (actually,
it implements the access control matrix)
- User Mode
check for user privilege.
- Kernel Mode
in this mode, no rules can be changed in case that the hacker changes the whole
security mechanism.
- Type Checking
ex: C doesn't do memory checking.
- Sandbox
run process in isolation. Simulate an environment to run.
- Software fault isolation
- user/kernel mode
only OS can run in kernel mode.
Matrix size depends on the number of user, the number of file, and the number of
process.
Since the matrix only stores non-empty entries, it is typically sparse.
Access Control Lists
gA -> v
gB -> x
if I belongs to gA and gB
can I access?
result: make a priority.
Make a priority access control list to handle this problem.
Authentication Critical
The most security way is to ask user id and password every time we need to check
security.
It's a kind of a trade-off.
Another way to simplify this is to make groups like using a PennCard to access
different areas.
eg: use a key to open different doors.
Capabilities
- A capability is an object/right pair
- should be unforgivable
- authentication takes place with the capabilities
- are granted
- harder to do revocation (must find all tickets)
- Easy to audit a subject. Hard to audit an object
Implementing Capability
- Identify the object of the system
name the object.
- unique identifiers
ex: uid, gid
- Pointer
ex: change name...
Unforgeability of Capabilities
- special hardware
- store the capabilities in protected address space
- use static scoping mechanism of safe programming language
- could use cryptographic techniques
secret key to let a file can't be copied.