CMSC 414 Computer and Network Security Lecture 11 - PowerPoint PPT Presentation

Provided by: jka9
Learn more at: http://www.cs.umd.edu

Transcript and Presenter's Notes

1
CMSC 414Computer and Network SecurityLecture 11
  • Jonathan Katz

2
Announcements
  • Midterm
  • Closed book, closed notes
  • Covers material through today's lecture
  • Everything linked from the course syllabus
  • HW2 out

3
Capability myths
  • Equivalence myth: ACLs and capabilities are
    "just" two views of the AC matrix
  • Confinement myth: Capability systems cannot
    enforce confinement
  • That is, cannot restrict delegation
  • Irrevocability myth: Capabilities cannot be
    revoked

4
Equivalence myth
  • ACLs have arrows from objects to subjects;
    capabilities have arrows from subjects to
    objects
  • Capabilities do not require subjects to know
    object names a priori
  • Capabilities do not require subjects to know
    whether they have authority
  • They have authority by virtue of the fact that
    they have a capability!
  • In contrast, with ACLs how do I obtain a list of
    all files I am allowed to read?

5
Equivalence myth
  • Capabilities allow for finer-grained treatment of
    subjects
  • Processes rather than user accounts
  • ACLs potentially require objects to be aware of
    all subjects
  • Capabilities allow greater flexibility to
    delegate permissions
  • In ACLs, usually all-or-nothing
  • In capability-based systems, can delegate a
    subset of the rights you have

6
Confinement myth
  • Myth: Capabilities can be delegated at will and
    therefore cannot be confined
  • But can be set up so that A can delegate a
    capability to B only if A is authorized to pass
    capabilities to B
  • If B is untrusted, then the latter capability
    will not exist

7
Origin of confinement myth
  • Mistaken assumption that the ability to
    write/read files translates into the ability to
    read/write capabilities
  • Capabilities should not be viewed as just
    files; they can be typed by the OS

8
Revocation
  • One solution: indirection
  • Capabilities name an entry in a table, rather
    than the object itself
  • To revoke access to object, invalidate or change
    the entry in the table
  • Difficult to revoke access of a single user
  • Capabilities can also expire with time
  • If OS stores capabilities, can delete upon
    request
  • Requires object to recall to whom capabilities
    given
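The indirection scheme on this slide, together with the subset delegation mentioned on slide 5, is easy to see in code. The following is an added example (not code from the lecture): a capability is an opaque integer naming a row in an OS-held table, so the OS can revoke every holder of an object at once, revoke one holder (only because it recorded to whom each capability was issued), or let a capability expire. The object names, subjects and the injectable clock are constructed for the example.

```python
import itertools
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed object store: object name -> contents (illustrative only).
OBJECTS = {"payroll.txt": "salary data", "notes.txt": "meeting notes"}


@dataclass
class Entry:
    """One row of the indirection table; a capability refers to a row, not to an object."""
    obj: str
    rights: frozenset
    holder: str
    expires_at: Optional[float]  # None means the capability never expires
    valid: bool = True


class CapabilityTable:
    """Capabilities are opaque integers naming a row in this table.

    Revocation never touches the integer a subject holds: the OS invalidates
    the row it points to. The clock is injectable so expiry is deterministic.
    """

    def __init__(self, clock=time.time):
        self._rows: Dict[int, Entry] = {}
        self._ids = itertools.count(1)
        self._clock = clock

    def grant(self, holder: str, obj: str, rights, ttl: Optional[float] = None) -> int:
        """Issue a capability for obj to holder, optionally expiring after ttl seconds."""
        cap = next(self._ids)
        expires = None if ttl is None else self._clock() + ttl
        self._rows[cap] = Entry(obj, frozenset(rights), holder, expires)
        return cap

    def delegate(self, cap: int, to: str, rights) -> int:
        """Pass a subset of the rights in cap to another subject (slide 5)."""
        row = self._lookup(cap)
        if row is None or not frozenset(rights) <= row.rights:
            raise PermissionError("cannot delegate rights you do not hold")
        ttl = None if row.expires_at is None else row.expires_at - self._clock()
        # A delegated capability is a fresh row, so it can be revoked independently.
        return self.grant(to, row.obj, rights, ttl)

    def _lookup(self, cap: int) -> Optional[Entry]:
        """Live row for cap, or None if unknown, revoked or expired."""
        row = self._rows.get(cap)
        if row is None or not row.valid:
            return None
        if row.expires_at is not None and self._clock() >= row.expires_at:
            return None
        return row

    def read(self, cap: int) -> str:
        row = self._lookup(cap)
        if row is None or "read" not in row.rights:
            raise PermissionError("capability is invalid, expired or lacks 'read'")
        return OBJECTS[row.obj]

    def revoke_object(self, obj: str) -> int:
        """Coarse revocation: invalidate every row naming obj; returns rows invalidated."""
        n = 0
        for row in self._rows.values():
            if row.obj == obj and row.valid:
                row.valid = False
                n += 1
        return n

    def revoke_holder(self, obj: str, holder: str) -> int:
        """Selective revocation of one subject, possible because the table
        recorded to whom each capability was given."""
        n = 0
        for row in self._rows.values():
            if row.obj == obj and row.holder == holder and row.valid:
                row.valid = False
                n += 1
        return n
```

Because the delegated capability is a separate row, revoking the delegate leaves the original holder's access intact, and the reverse holds as well; without the per-row holder record the table could only offer the coarse `revoke_object`.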

9
Advantages of capabilities
  • Better at enforcing principle of least
    privilege
  • Provide access to minimal resources, to the
    minimal set of subjects
  • We have seen already that capabilities allow much
    finer-grained control over subjects
    (process-level instead of user-level)

10
Advantages
  • Avoiding confused deputy problem
  • Deputy program managing authorities from
    multiple sources
  • In the example we have seen, the problem was not
    the compiler having the wrong authority, but its
    exercising its authority for the wrong purpose

11
Confused deputy
  • Capabilities give the ability to identify the
    authority a subject is using
  • Can designate use of the authority for a specific
    purpose
  • Capabilities also tie together designation and
    authority
  • Don't know about a resource if you don't have
    the capability to access it!
  • Any request to access a resource must include the
    necessary authority to do so --- deputy can now
    examine the context of the request

12
Disadvantages of capabilities
  • Overhead
  • Revocation more difficult
  • Controlling delegation more difficult
  • Making files world-readable more difficult
    (impossible?)

13
Mandatory access control
14
Military security policy
  • Primarily concerned with secrecy
  • Objects given classification (rank,
    compartments)
  • Subjects given clearance (rank, compartments)
  • Need-to-know basis
  • Subject with clearance (r′, C′) dominates object
    with classification (r, C) only if r′ ≥ r and
    C′ ⊇ C
  • Defines a lattice: classifications/clearances not
    necessarily hierarchical

15
Security models
  • Bell-LaPadula model
  • Identifies allowable communication flows
  • Concerned primarily with ensuring secrecy
  • Biba model
  • Concerned primarily with trustworthiness/integrity
    of data
  • Chinese wall
  • Developed for commercial applications

16
Bell-LaPadula model
  • Simple security condition: S can read O if and
    only if l(o) ≤ l(s)
  • *-property: S can write O if and only if l(s) ≤ l(o)
  • Why?
  • Read down, write up
  • Information flows upward

17
Dynamic rights
  • Could consider dynamic rights
  • Once a process reads a file at one security
    level, cannot write to any file at a lower
    security level

18
Basic security theorem
  • If a system begins in a secure state, and always
    preserves the simple security condition and the
    *-property, then the system will always remain
    in a secure state
  • I.e., information never flows down

19
Communicating down
  • How to communicate from a higher security level
    to a lower one?
  • Max. security level vs. current security level
  • Maximum security level must always dominate the
    current security level
  • Reduce current security level to write down
  • Security theorem no longer holds
  • Must rely on users to be security-conscious
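Slides 14, 16 and 19 together define the lattice of (rank, compartments) labels, the two Bell-LaPadula conditions, and the maximum-versus-current level mechanism for writing down. The following added example (not code from the lecture) implements all three; the rank names and compartment strings are constructed, and the flow check at the end shows why a subject that obeys both conditions can only move information to a label that dominates the source.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed ordering of ranks; compartments are arbitrary strings.
RANKS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A classification or clearance: (rank, set of compartments)."""
    rank: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # (r', C') dominates (r, C) iff r' >= r and C' is a superset of C.
        return (RANKS[self.rank] >= RANKS[other.rank]
                and self.compartments >= other.compartments)


def comparable(a: Label, b: Label) -> bool:
    """In a lattice some pairs are unordered; no flow is allowed between them."""
    return a.dominates(b) or b.dominates(a)


class Subject:
    def __init__(self, name: str, max_level: Label):
        self.name = name
        self.max_level = max_level
        self.current_level = max_level  # starts at the maximum

    def lower_to(self, level: Label) -> None:
        """Reduce the current level so the subject can write down (slide 19)."""
        if not self.max_level.dominates(level):
            raise ValueError("maximum level must dominate the current level")
        self.current_level = level


def can_read(s: Subject, l_o: Label) -> bool:
    """Simple security condition: read only if l(o) <= l(s), evaluated at the current level."""
    return s.current_level.dominates(l_o)


def can_write(s: Subject, l_o: Label) -> bool:
    """*-property: write only if l(s) <= l(o)."""
    return l_o.dominates(s.current_level)


def flow_allowed(src: Label, s: Subject, dst: Label) -> bool:
    """Could s copy information from an object labelled src to one labelled dst?
    If this returns True then dst dominates src: information never flows down."""
    return can_read(s, src) and can_write(s, dst)
```

Lowering the current level is what lets a user write to an unclassified file, but note that the same subject can then no longer read the secret file it just saw; the downward transfer has to go through the user's head, which is exactly why slide 19 says the theorem no longer protects you and the user must be security-conscious.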

20
Commercial vs. military systems
  • The Bell-LaPadula model does not work well for
    commercial systems
  • Users given access to data as needed
  • Discretionary access control vs. mandatory access
    control
  • Would require large number of categories and
    classifications
  • Centralized handling of security clearances

21
Biba model
  • Concerned with integrity
  • Dual of Bell-LaPadula model
  • The higher the level, the more confidence
  • More confidence that a program will act correctly
  • More confidence that a subject will act
    appropriately
  • More confidence that data is trustworthy
  • Integrity levels may be independent of security
    classifications
  • Confidentiality vs. trustworthiness
  • Information flow vs. information modification

22
Biba model
  • Simple integrity condition: S can read O if and
    only if I(s) ≤ I(o)
  • I(s), I(o) denote the integrity levels
  • (Integrity) *-property: S can write O if and only
    if I(o) ≤ I(s)
  • Why?
  • The information obtained from a subject cannot be
    more trustworthy than the subject itself
  • Read up, write down
  • Information flows downward

23
Security theorem
  • An information transfer path is a sequence of
    objects o1, …, on and subjects s1, …, sn−1, such
    that, for all i, si can read oi and write to oi+1
  • Information can be transferred from o1 to on via
    a sequence of read-write operations
  • Theorem: If there is an information transfer path
    from o1 to on, then I(on) ≤ I(o1)
  • Informally: information transfer does not
    increase the trustworthiness of the data
  • Note: says nothing about secrecy

24
Low-water-mark policy
  • Variation of pure Biba model
  • If s reads o, then the integrity level of s is
    changed to min(I(o), I(s))
  • The subject may be relying on data less
    trustworthy than itself
  • So, its integrity level is lowered
  • Drawback: the integrity level of a subject is
    non-increasing!
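Slides 22 through 24 give the two Biba conditions, the information transfer path theorem and the low-water-mark variant. The following added example (not code from the lecture) models integrity levels as integers, checks a transfer path against the slide 23 definition, and switches to low-water-mark behaviour on request; the subject and object names and their levels are constructed.

```python
from typing import Dict, List


class BibaSystem:
    """Integrity levels are integers: the higher, the more trustworthy.

    strict=True is the pure Biba model of slide 22; strict=False is the
    low-water-mark policy of slide 24, where every read succeeds but the
    reader's level becomes min(I(o), I(s)).
    """

    def __init__(self, subjects: Dict[str, int], objects: Dict[str, int], strict: bool = True):
        self.I_s = dict(subjects)
        self.I_o = dict(objects)
        self.strict = strict

    def read(self, s: str, o: str) -> bool:
        if self.strict:
            # Simple integrity condition: read only if I(s) <= I(o) ("read up").
            return self.I_s[s] <= self.I_o[o]
        # Low-water-mark: the read is allowed, but s inherits the lower level,
        # and that level never rises again (the drawback noted on slide 24).
        self.I_s[s] = min(self.I_o[o], self.I_s[s])
        return True

    def write(self, s: str, o: str) -> bool:
        # Integrity *-property: write only if I(o) <= I(s) ("write down").
        return self.I_o[o] <= self.I_s[s]

    def transfer_path(self, objects: List[str], subjects: List[str]) -> bool:
        """Slide 23: s_i can read o_i and write o_{i+1} for every i.

        Under low-water-mark the reads performed here lower the subjects' levels
        as a side effect, exactly as they would in the running system.
        """
        if len(subjects) != len(objects) - 1:
            raise ValueError("a path needs n objects and n-1 subjects")
        for i, s in enumerate(subjects):
            if not (self.read(s, objects[i]) and self.write(s, objects[i + 1])):
                return False
        return True

    def theorem_holds(self, objects: List[str], subjects: List[str]) -> bool:
        """If the path exists then I(o_n) <= I(o_1); vacuously true when it does not."""
        if not self.transfer_path(objects, subjects):
            return True
        return self.I_o[objects[-1]] <= self.I_o[objects[0]]
```

The theorem survives the switch to low-water-mark because a subject that has just read o_i sits at or below I(o_i), so anything it writes afterwards is at or below that as well; the cost is that the subject's own level only ever falls.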

25
Chinese wall
  • Intended to prevent conflicts of interest
  • Rights are dynamically updated based on actions
    of the subjects

26
Chinese wall -- basic setup
Figure: company datasets grouped into conflict of interest (CI) classes. One CI class contains the datasets Bank A and Bank B; another contains School 1, School 2 and School 3; each company dataset holds files.
27
Chinese wall rules
  • Subject S is allowed to read from at most one
    company dataset in any CI class
  • This rule is dynamically updated as accesses
    occur
  • See next slide

28
Example
Figure: the same datasets as the previous slide (Bank A, Bank B; School 1, School 2, School 3), with two "read" arrows showing the accesses made by a subject.
29
Chinese wall rules II
  • S can write to O only if:
  • S can read O, and
  • All objects that S can read are in the same
    dataset as O
  • This is intended to prevent an indirect flow of
    information that would cause a conflict of
    interest
  • E.g., S reads from Bank A and writes to School 1;
    S′ can read from School 1 and Bank B
  • S′ may find out information about Banks A and B!
  • Note that S can write to at most one dataset
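The two Chinese wall rules (slides 27 and 29) and the indirect-flow example on this slide, as an added example that is not code from the lecture. The datasets and CI classes are the constructed ones from slide 26. "All objects that S can read" is interpreted here as the datasets S has actually accessed, which is the reading under which the "at most one dataset" remark holds; a write is recorded as an access so that later writes stay confined to that dataset.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed from slide 26: company dataset -> conflict of interest (CI) class.
DATASETS = {
    "Bank A": "banks", "Bank B": "banks",
    "School 1": "schools", "School 2": "schools", "School 3": "schools",
}


class ChineseWall:
    """Rights are dynamic: what a subject may do depends on what it has touched."""

    def __init__(self, datasets: Dict[str, str]):
        self.ci_class = dict(datasets)
        self.accessed: Dict[str, Set[str]] = defaultdict(set)

    def can_read(self, s: str, ds: str) -> bool:
        """Rule I: at most one company dataset per CI class."""
        cls = self.ci_class[ds]
        return all(self.ci_class[seen] != cls or seen == ds
                   for seen in self.accessed[s])

    def read(self, s: str, ds: str) -> bool:
        if not self.can_read(s, ds):
            return False
        self.accessed[s].add(ds)  # this access now constrains future rights
        return True

    def can_write(self, s: str, ds: str) -> bool:
        """Rule II: S can read O, and every dataset S has accessed is O's dataset."""
        return self.can_read(s, ds) and self.accessed[s] <= {ds}

    def write(self, s: str, ds: str) -> bool:
        if not self.can_write(s, ds):
            return False
        self.accessed[s].add(ds)
        return True


def slide_example() -> Dict[str, bool]:
    """Replay the indirect-flow scenario: S reads Bank A, then tries to write School 1."""
    wall = ChineseWall(DATASETS)
    return {
        "S reads Bank A": wall.read("S", "Bank A"),
        "S reads Bank B": wall.read("S", "Bank B"),       # blocked by rule I
        "S reads School 1": wall.read("S", "School 1"),   # other CI class, allowed
        "S writes School 1": wall.write("S", "School 1"), # blocked by rule II
        "S' reads School 1": wall.read("S'", "School 1"),
        "S' reads Bank B": wall.read("S'", "Bank B"),
        "S' reads Bank A": wall.read("S'", "Bank A"),     # blocked by rule I
    }
```

Without rule II the write to School 1 would succeed and S′, who is entitled to read School 1 and Bank B, would end up holding information from both banks even though neither S nor S′ ever broke rule I on its own.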