CMSC 414 Computer and Network Security
Lecture 19
Jonathan Katz

ACLs vs. capabilities
With capabilities, subjects are explicitly aware of the permissions they hold
– Generally a good thing
– But difficult to make a file world-readable
Capabilities allow fine-grained treatment of processes as subjects
– I.e., the caller can invoke a process with an arbitrary subset of its rights
– With ACLs, processes by default run with the same permissions as the caller

ACLs vs. capabilities
Capabilities allow for easier delegation
– Even of subsets of rights
Revocation is easier with ACLs
– Though still possible with capabilities
Trade-off: finding all subjects who have access to some object, vs. finding all objects that some subject can access

Confinement myth
Myth: Capabilities can be delegated “at will” and therefore cannot be confined
Mistaken assumption that the ability to read/write files translates into the ability to read/write capabilities
– Capabilities are not “just” files; they can be typed by the OS
Can be set up so that A can delegate a capability to B only if A is authorized to pass capabilities to B

Revoking capabilities
Revocation of access to a file is more difficult with capabilities than with ACLs…
One solution: indirection
– Capabilities name an entry in a table, rather than the object itself
– To revoke access to an object, invalidate the entry in the table
– Difficult to revoke access of just one user
Capabilities can also expire with time
If the OS stores capabilities, it can delete them upon request
– Requires the object to recall to whom capabilities were given

Access control policies
Discretionary access control (DAC)
– Owners of objects can set permissions arbitrarily (subject to what is supported by the system)
Mandatory access control (MAC)
– The system determines access control
Role-based access control (RBAC)
– Access determined by users’ roles
Not necessarily mutually exclusive
– May use different mechanisms for different resources
– Or, apply two policies; allow access only if both allow

Mandatory access control

Security models
Multilevel security (military applications)
– Bell-LaPadula model
• Identifies allowable communication flows
• Concerned primarily with ensuring secrecy
– Biba model
• Concerned primarily with “trustworthiness”/integrity
Multilateral security (corporate applications)
– Chinese wall
• Concerned with preventing conflicts of interest

Security levels
A multilevel security model assumes that every subject and object is assigned a security level
These security levels are arranged in a lattice
– I.e., a DAG that defines a partial ordering on the security levels (note that some levels may be incomparable)

“Military security policy”
A particular example of a lattice
Objects are given a “classification” (rank; compartments)
Subjects are given a “clearance” (rank; compartments)
“Need to know” basis
– A subject with clearance (r, C) dominates an object with classification (r’, C’) only if r’ ≤ r and C’ ⊆ C
– Defines a partial order … classifications/clearances are not necessarily hierarchical

Bell-La Padula model
Simple security condition: S can read O if and only if lO ≤ lS
*-property: S can write O’ if and only if lS ≤ lO’
“Read down; write up”
– Information flows upward
Why?
– Information flow
– Could be due to a malicious insider, or a benign mistake

Basic security theorem
If the Bell–La Padula rules are enforced, then no information in an object at level lO can leak into an object at level lO’ < lO

Communicating down…
How to communicate from a higher security level to a lower one?
– (Not necessarily declassification; instead, moving unclassified data from a classified machine to an unclassified machine)
Max. security level vs. current security level
– The maximum security level must always dominate the current security level
– Reduce the security level to write down…
• The security theorem no longer holds
• Must rely on users to be security-conscious
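A worked example of the lattice and the Bell-LaPadula checks described above, added here and not part of the lecture: a label is a (rank, compartments) pair with the dominance test from the military security policy slide, and a subject carries a maximum and a current level so that the "lower your level, then write down" case from the communicating-down slide can be exercised. The rank scale and compartment names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Label:
    """A point in the military lattice: a rank plus a set of compartments."""
    rank: int                     # constructed scale: 0=UNCLASSIFIED .. 3=TOP SECRET
    compartments: frozenset       # need-to-know categories (strings)

    def dominates(self, other: "Label") -> bool:
        # (r, C) dominates (r', C') iff r' <= r and C' is a subset of C.
        # Two labels may be incomparable: neither dominates the other.
        return other.rank <= self.rank and other.compartments <= self.compartments

@dataclass
class Subject:
    """A subject with a maximum clearance and a current level it may lower."""
    max_level: Label
    current: Optional[Label] = None   # defaults to max_level

    def __post_init__(self) -> None:
        self.set_current(self.current or self.max_level)

    def set_current(self, level: Label) -> None:
        # The maximum level must always dominate the current level.
        if not self.max_level.dominates(level):
            raise ValueError("current level must be dominated by the maximum level")
        self.current = level

def can_read(s: Subject, obj: Label) -> bool:
    return s.current.dominates(obj)   # simple security condition: l_O <= l_S ("read down")

def can_write(s: Subject, obj: Label) -> bool:
    return obj.dominates(s.current)   # *-property: l_S <= l_O ("write up")

def copy_after_lowering(s: Subject, src: Label, dst: Label) -> bool:
    """Read src, then lower the current level to dst and write there. Each step is
    permitted on its own, which is why the basic security theorem stops holding
    once users are trusted to lower their own level."""
    if not can_read(s, src):
        return False
    try:
        s.set_current(dst)
    except ValueError:
        return False
    return can_write(s, dst)

# Constructed labels for the demonstration (not from the lecture)
UNCLASS = Label(0, frozenset())
SECRET_NUKE = Label(2, frozenset({"NUKE"}))
SECRET_CRYPTO = Label(2, frozenset({"CRYPTO"}))
TOP_SECRET_ALL = Label(3, frozenset({"NUKE", "CRYPTO"}))
```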
Commercial vs. military systems
The Bell-LaPadula model does not work well for commercial systems
– Users should be given access to data as needed
• Discretionary access control vs. mandatory access control
– Would require using a large number of categories and classifications
– Requires centralized handling of “security clearances”
– Poor usability

Biba model
Concerned with integrity
– “Dual” of the Bell-LaPadula model
The higher the level, the more confidence
– More confidence that a program will act correctly
– More confidence that a subject will act appropriately
– More confidence that data is trustworthy
Integrity levels may be independent of security levels
– Confidentiality vs. trustworthiness
– Information flow vs. information modification

Biba model
IS, IO denote integrity levels
(Integrity) *-property: S can write O iff IO ≤ IS
– The information obtained from a subject cannot be more trustworthy than the subject itself
Simple integrity condition: S can read O iff IS ≤ IO
– S should depend on higher-quality sources only
“Read up; write down”
– Information flows downward

Security theorem
An information transfer path is a sequence of objects o1, …, on and subjects s1, …, sn-1 such that, for all i, si can read oi and write to oi+1
– Information can be transferred from o1 to on via a sequence of read-write operations
Theorem: If there is an information transfer path from o1 to on, then I(on) ≤ I(o1)
– Informally: information transfer does not increase the trustworthiness of the data
Note: says nothing about secrecy…

Chinese wall
Intended to prevent conflicts of interest
– E.g., consulting firms
Rights are dynamically updated based on the actions of the subjects

Chinese wall
Objects are grouped into datasets (e.g., all files associated with some client)
Datasets are grouped into conflict-of-interest (CoI) classes (e.g., all datasets related to banks)

Chinese wall -- basic setup
[Figure: company datasets Bank A and Bank B form one conflict of interest (CoI) class; School 1, School 2 and School 3 form another; each dataset holds files]

Chinese wall rules
Subject S is allowed to read from at most one company dataset in any CoI class
– This rule is dynamically updated as accesses occur
– See next slide…
Formally: S can read from dataset X iff it has not previously read from any other dataset in the same CoI class as X

Example
[Figure: the datasets Bank A, Bank B, School 1, School 2, School 3, with two read accesses marked]

Chinese wall rules II
S can write to dataset X only if
– S can only read from dataset X
Note: either S cannot write at all, or can only write to one dataset
This is intended to prevent an indirect flow of information that would cause a conflict of interest
– E.g., S reads from Bank A and writes to School 1; S’ can read from School 1 and Bank B
– S’ may find out information about Banks A and B!
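An added example, not from the lecture, that implements both Chinese wall rules with each subject's read history as the dynamic state. Rule II is taken literally from the slide, as "X is the only dataset S is currently permitted to read", so a subject who has read in two CoI classes, or who has an untouched CoI class available, cannot write at all. The dataset and CoI class names are the ones from the setup figure; the scenario replays the indirect-flow example (S reads Bank A, then tries to write School 1).

```python
from collections import defaultdict
from typing import Dict, Set

class ChineseWall:
    """Company datasets grouped into conflict-of-interest (CoI) classes; the
    subjects' read histories are the state that both rules consult."""

    def __init__(self, coi_of: Dict[str, str]) -> None:
        self.coi_of = coi_of                                # dataset -> CoI class
        self.reads: Dict[str, Set[str]] = defaultdict(set)  # subject -> datasets read

    def can_read(self, subject: str, dataset: str) -> bool:
        # Rule I: S may read X iff S has not previously read any other dataset
        # in the same CoI class as X (re-reading X itself is fine).
        coi = self.coi_of[dataset]
        return all(d == dataset or self.coi_of[d] != coi for d in self.reads[subject])

    def readable(self, subject: str) -> Set[str]:
        """Every dataset S is currently permitted to read."""
        return {d for d in self.coi_of if self.can_read(subject, d)}

    def can_write(self, subject: str, dataset: str) -> bool:
        # Rule II: S may write X only if X is the only dataset S can read, so
        # nothing read from another dataset can be forwarded into X.
        return self.readable(subject) == {dataset}

    def read(self, subject: str, dataset: str) -> bool:
        """Perform a read; on success the subject's future rights shrink."""
        if not self.can_read(subject, dataset):
            return False
        self.reads[subject].add(dataset)
        return True

# Constructed instance mirroring the lecture's figure: two CoI classes
DATASETS = {"Bank A": "banks", "Bank B": "banks",
            "School 1": "schools", "School 2": "schools", "School 3": "schools"}

def lecture_scenario() -> dict:
    """S reads Bank A, is refused Bank B, reads School 1, then asks to write School 1."""
    wall = ChineseWall(DATASETS)
    return {
        "read_bank_a": wall.read("S", "Bank A"),
        "read_bank_b": wall.read("S", "Bank B"),            # blocked by rule I
        "read_school_1": wall.read("S", "School 1"),
        "write_school_1": wall.can_write("S", "School 1"),  # blocked by rule II
        "readable": wall.readable("S"),
    }
```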