Protection and Security - 2
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1

(2) The Access Control List Method
• Each object ‘o’ is assigned a list of pairs (s, P[s,o]), for all subjects ‘s’ that can access the object
• The access list for an object corresponds to the access rights contained in the column for object ‘o’ in the access matrix
• Example:
  Subjects   Access rights
  Smith      read, write, execute
  Jones      read
  Lee        write

(2) The Access Control List Method (cont.)
• Operation: Subject ‘s’ requests access ‘’ to object ‘o’
  – Search the access control list of ‘o’ for the entry (s, )
  – If the entry exists, check if the requested access is among the rights in the entry
  – If yes, allow execution. Else, an exception is raised
• Advantages of access control lists
  – Easy revocation of access rights from a subject to an object: remove the subject’s entry from the object’s access control list
  – Easy review of access rights of all subjects to a given object
  – Note: it is, however, difficult to determine for a given subject what objects it has access to

Issues with Access Control Lists
• Efficiency of execution
  – The access control list needs to be searched for every access to an object!
  – Option: use shadow capability registers
    On first access by a subject, copy the access rights from the access control list to a shadow register held with the subject
    The access rights in the shadow register act as a capability
    Subsequent accesses by this subject use the shadow register
  – Potential drawback: revocation of access rights becomes more difficult: removing access rights from the access control list is not sufficient, some access rights remain in shadow registers

Issues with Access Control Lists (cont.)
• Efficiency of storage
  – The list can be very large, containing the access rights of all subjects that can access this object
  – Note: the aggregate storage requirement is about the same as for capabilities
  – Option: use protection groups
    Subjects (users) are divided into protection groups
    The access control list contains the names of groups and their access rights
    Operation: the subject gives its protection group and the requested access
    Issue: all subjects in a protection group have the same access rights to the object
• Authority to change an access control list
  – Issue: who can modify an access control list?
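The ACL operation, the revocation advantage and the shadow-register drawback described above, as an added example that is not code from the slides (class and function names are my own, and the subjects and files are the slides' sample entries):

```python
# Added example (not the slides' code): ACL per object plus optional shadow capability registers.
class AccessDenied(Exception):
    pass

class AclSystem:
    def __init__(self):
        self.acl = {}     # object -> {subject: set(rights)}: one column of the access matrix
        self.shadow = {}  # (subject, object) -> set(rights): a subject's cached capability

    def add_entry(self, obj, subject, rights):
        self.acl.setdefault(obj, {})[subject] = set(rights)

    def revoke(self, obj, subject):
        # one deletion on the list; any shadow register the subject already holds is untouched
        self.acl.get(obj, {}).pop(subject, None)

    def check(self, subject, obj, access, use_shadow=False):
        if use_shadow and (subject, obj) in self.shadow:
            rights = self.shadow[(subject, obj)]          # hit: no list search at all
        else:
            rights = self.acl.get(obj, {}).get(subject)   # search the ACL of 'obj' for (s, ...)
            if rights is None:
                raise AccessDenied(f"{subject}: no entry for {obj}")
            if use_shadow:
                self.shadow[(subject, obj)] = set(rights)  # first access: copy into the register
        if access not in rights:
            raise AccessDenied(f"{subject}: {access} not allowed on {obj}")
        return True

    def objects_of(self, subject):
        # the slides' caveat: "what can this subject access?" means scanning every object's list
        return sorted(o for o, entries in self.acl.items() if subject in entries)

def revocation_demo():
    s = AclSystem()
    s.add_entry("file1", "Smith", ["read", "write", "execute"])
    s.add_entry("file1", "Jones", ["read"])
    s.add_entry("file2", "Jones", ["read"])
    s.check("Jones", "file1", "read", use_shadow=True)   # first access fills Jones's register
    s.revoke("file1", "Jones")                            # removed from the list only
    stale = s.check("Jones", "file1", "read", use_shadow=True)   # still True: stale register
    try:
        s.check("Jones", "file1", "read")                 # plain list search: correctly denied
        fresh = True
    except AccessDenied:
        fresh = False
    return stale, fresh, s.objects_of("Jones")
```

A defender who adopts the shadow-register optimisation must therefore invalidate the registers on revocation, not only edit the list.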
  – Options:
    Self control: the owner process (e.g., the creator of the object) can modify the list
    Hierarchical control:
      When the object is created, the owner process specifies what other processes can modify the access control list
      Processes are organized in a hierarchy: a process can change the access control list of all processes below it in the hierarchy

Examples of Systems using Access Control Lists
• Multics
  – Access control lists to control access to files
  – Principle of least privilege
• Unix
  – The access control list has three entries: owner, group, and other
  – Access rights: read, write, execute

(3) The Lock-Key Method
• Principles
  – Hybrid of the capability-based method and the access control list method
  – Every subject has a capability list made of tuples (o, k): the subject can access object ‘o’ using key ‘k’
  – Every object has an access control list made of tuples (l, ), called lock entries: any subject that can open lock ‘l’ can access the object with an access right contained in ‘’
• Operation
  – Subject ‘s’ makes a request for access ‘’ to object ‘o’
  – The system locates the tuple (o, k) in the capability list of the subject
  – If present, search the access control list of object ‘o’ for the entry (l, ) where k = l, and obtain its set of access rights
  – Access is allowed if the requested access is in that set

(3) The Lock-Key Method (cont.)
• Advantages:
  – Easy revocation of access rights: to revoke the access rights of a subject to an object, delete the lock entry corresponding to the key of the subject
  – Capability-based addressing can be used
• Disadvantages:
  – The access control list must be searched for every access
• Example
  – The IBM/360 storage keys protection method is similar to the lock-key method

Access Matrix Model: Changing The Protection State
• The access matrix is itself a protected object
• Commands for changing the protection state
  – A set of commands ‘C’ for changing the protection state is defined in terms of the following primitive operations
    enter r into P [s, o]
    delete r from P [s, o]
    create subject s
    create object o
    destroy subject s
    destroy object o
  – Primitive operations define changes to be made to the access matrix P
  – Example: the primitive operation delete r from P [s, o] deletes access right r from the position P [s, o] in the access matrix, i.e., access right r of subject s to object o is withdrawn

Access Matrix Model: Changing The Protection State (cont.)
• Before the operation is performed (e.g., the delete in the previous example), a verification should be made that the process has the right to perform this operation on the access matrix
• Command syntax:
    command < command id > (<formal parameters>)
      if < conditions > then < list of primitive operations >
    end.
• Command execution
  – All checks in the condition part are evaluated. The <conditions> part has checks of the form ‘r in P[s,o]’
  – If all checks pass, the primitive operations in <list of primitive operations> are executed

Access Matrix Model: Changing The Protection State (cont.)
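The lock-key operation and its one-deletion revocation, as an added example that is not code from the slides (names are my own; the lock entries are kept in a list and searched linearly, since the slides note the list is searched on every access):

```python
# Added example (not the slides' code): lock-key method with (o, k) capability tuples and (l, rights) lock entries.
class LockKeySystem:
    def __init__(self):
        self.cap_lists = {}   # subject -> {object: key}          the subject's tuples (o, k)
        self.lock_lists = {}  # object -> [(lock, set(rights))]  the object's lock entries (l, rights)

    def give_key(self, subject, obj, key):
        self.cap_lists.setdefault(subject, {})[obj] = key

    def add_lock(self, obj, lock, rights):
        self.lock_lists.setdefault(obj, []).append((lock, set(rights)))

    def check(self, subject, obj, access):
        key = self.cap_lists.get(subject, {}).get(obj)     # locate (o, k) in the capability list
        if key is None:
            return False
        for lock, rights in self.lock_lists.get(obj, []):  # the list is searched on every access
            if lock == key:                                # k = l: the key opens this lock
                return access in rights
        return False

    def revoke_lock(self, obj, lock):
        # revocation is one deletion on the object's list; the (o, k) tuples stay as they are,
        # so every subject that holds this key loses access at the same time
        self.lock_lists[obj] = [(l, r) for l, r in self.lock_lists.get(obj, []) if l != lock]

def lock_key_demo():
    s = LockKeySystem()
    s.add_lock("db", "lock-readers", ["read"])
    s.add_lock("db", "lock-admin", ["read", "write"])
    s.give_key("Smith", "db", "lock-admin")
    s.give_key("Jones", "db", "lock-readers")
    s.give_key("Lee", "db", "lock-readers")      # Jones and Lee share a key
    before = (s.check("Jones", "db", "read"), s.check("Jones", "db", "write"), s.check("Lee", "db", "read"))
    s.revoke_lock("db", "lock-readers")           # revokes Jones and Lee together; Smith is unaffected
    after = (s.check("Jones", "db", "read"), s.check("Lee", "db", "read"), s.check("Smith", "db", "write"))
    return before, after
```

The demo shows the caveat of keyed revocation: a key shared by several subjects can only be revoked for all of them at once.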
• All accesses are validated by a mechanism called a reference monitor: the reference monitor will reject an access not allowed by the access matrix
• Each object has an owner
  – If ‘s’ is the owner of ‘o’, then own in P [s, o]
  – The owner of an object can give (confer) a right to the object to another subject
• Example: command to create a file and assign ‘own’ and ‘read’ rights to it
    command create-read (process, file)
      create object file
      enter own into P [process, file]
      enter read into P [process, file]
    end.

Access Matrix Model: Changing The Protection State (cont.)
• Example: command by which the owner of a file gives ‘write’ access rights to another process
    command confer-write (owner, process, file)
      if own in P [owner, file] then
        enter write into P [process, file]
    end.

Advanced Models of Protection: The Take-Grant Model
• Principles:
  – Uses directed graphs to model access control
  – The protection state of the system is represented by a directed graph
  – More efficient than a (sparsely populated) access matrix
• Model:
  – Graph nodes: subjects and objects
  – An edge from node ‘x’ to node ‘y’ indicates that subject ‘x’ has an access right to the object ‘y’: the edge is tagged with the corresponding access rights
  – Access rights: read (r), write (w), execute (e)
  – Special access rights for propagating access rights to other nodes
    Take: if node ‘x’ has access right take to node ‘y’, then subject ‘x’ can take any access right that ‘y’ has to another node
    Grant: if node ‘x’ has access right grant to node ‘y’, then the entity represented by node ‘y’ can be granted any of the access rights that node ‘x’ has

The Take-Grant Model (cont.)
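The primitive operations and the two commands above (create-read and confer-write), with the condition part evaluated before any primitive runs, as an added example that is not code from the slides (the class and its method names are my own):

```python
# Added example (not the slides' code): access matrix with the six primitive operations and the two commands.
class AccessMatrix:
    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.P = {}  # (s, o) -> set of rights

    def enter(self, r, s, o):
        self.P.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self.P.get((s, o), set()).discard(r)

    def create_subject(self, s):
        self.subjects.add(s)

    def create_object(self, o):
        self.objects.add(o)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.P = {k: v for k, v in self.P.items() if k[0] != s}  # drop its row

    def destroy_object(self, o):
        self.objects.discard(o)
        self.P = {k: v for k, v in self.P.items() if k[1] != o}  # drop its column

    def has(self, r, s, o):
        return r in self.P.get((s, o), set())  # the check 'r in P[s,o]'

# commands: if <conditions> then <list of primitive operations>
def create_read(m, process, file):
    m.create_object(file)
    m.enter("own", process, file)
    m.enter("read", process, file)

def confer_write(m, owner, process, file):
    if m.has("own", owner, file):   # condition: own in P[owner, file]
        m.enter("write", process, file)
        return True
    return False                    # condition fails: no primitive operation runs

def demo():
    m = AccessMatrix()
    for p in ("p1", "p2", "p3"):
        m.create_subject(p)
    create_read(m, "p1", "f")
    by_owner = confer_write(m, "p1", "p2", "f")   # p1 owns f: write entered for p2
    by_other = confer_write(m, "p2", "p3", "f")   # p2 has only write, not own: rejected
    return by_owner, by_other, sorted(m.P[("p2", "f")])
```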
• Example: take operation
  – Node ‘x’ has take access to node ‘y’
  – Node ‘y’ has read and write access to node ‘z’
  – Node ‘x’ can take access right read from ‘y’ and have this access right for object ‘z’: a directed edge labeled ‘r’ is added from node ‘x’ to node ‘z’
  [Figure: before, x -t-> y -r,w-> z; after, the edge x -r-> z is added]

The Take-Grant Model (cont.)
• Example: grant operation
  – Node ‘x’ has grant access to node ‘y’ and also has read and write access to node ‘z’
  – Node ‘x’ can grant read access for ‘z’ to node ‘y’ (a directed edge labeled ‘r’ from ‘y’ to ‘z’ is added in the graph)
  [Figure: before, x -g-> y and x -r,w-> z; after, the edge y -r-> z is added]

The Take-Grant Model (cont.)
• State and state transitions:
  – The protection state of the system is represented by the directed graph
  – The system changes state (state transition) when the directed graph changes
  – The directed graph changes with the following operations
    Take
    Grant
    Create: a new node is added to the graph; when node ‘x’ creates a new node ‘y’, a directed edge is added from ‘x’ to ‘y’
    Remove: a node deletes some of its access rights to another node

Bell-LaPadula Model
• Used to control information flow
• Model components
  – Subjects, objects, and access matrix
  – Several ordered security levels
    Each subject has a (maximum) clearance and a current clearance level
    Each object has a classification (i.e., belongs to a security level)
  – Subjects can have the following access rights to objects
    Read-only
    Append: subject can only write the object (no read permitted)
    Execute: no read or write
    Read-write: both read and write are permitted
  – The subject that creates an object has the control attribute to that object and is the controller of the object
  – A subject can pass any of the four access rights of a controlled object to another subject

Bell-LaPadula Model (cont.)
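The take and grant operations (plus create and remove) on a protection graph, reproducing the two slide examples above, as an added example that is not code from the slides (the class and method names are my own; edge labels use the slides' letters r, w, e, t, g):

```python
# Added example (not the slides' code): a take-grant graph with the four state-changing operations.
class TakeGrantGraph:
    def __init__(self):
        self.edges = {}  # (x, y) -> set of labels on the edge x -> y

    def rights(self, x, y):
        return self.edges.get((x, y), set())

    def add_edge(self, x, y, *labels):
        self.edges.setdefault((x, y), set()).update(labels)

    def create(self, x, y, *labels):
        # x creates node y: the graph gains a new edge from x to y
        self.add_edge(x, y, *labels)

    def remove(self, x, y, *labels):
        # x drops some of its own rights to y
        self.rights(x, y).difference_update(labels)

    def take(self, x, y, z, right):
        # x --t--> y and y --right--> z  ==>  add x --right--> z
        if "t" not in self.rights(x, y) or right not in self.rights(y, z):
            raise PermissionError(f"{x} cannot take {right} on {z} via {y}")
        self.add_edge(x, z, right)

    def grant(self, x, y, z, right):
        # x --g--> y and x --right--> z  ==>  add y --right--> z
        if "g" not in self.rights(x, y) or right not in self.rights(x, z):
            raise PermissionError(f"{x} cannot grant {right} on {z} to {y}")
        self.add_edge(y, z, right)

def take_demo():
    g = TakeGrantGraph()             # the slides' take example
    g.create("x", "y", "t")
    g.create("y", "z", "r", "w")
    g.take("x", "y", "z", "r")
    return sorted(g.rights("x", "z"))

def grant_demo():
    g = TakeGrantGraph()             # the slides' grant example, followed by a remove
    g.create("x", "y", "g")
    g.create("x", "z", "r", "w")
    g.grant("x", "y", "z", "r")
    g.remove("x", "z", "w")
    return sorted(g.rights("y", "z")), sorted(g.rights("x", "z"))
```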
• Restrictions on information flow and access control (reading down and writing up properties):
  1. The simple security property
     – A subject cannot have read access to an object with classification higher than the clearance level of the subject
  2. The *-property (star property)
     – A subject has append (i.e., write) access only to objects which have classification (i.e., security level) higher than or equal to the current security clearance level of the subject
     – A subject has read access only to objects which have classification (i.e., security level) lower than or equal to the current security clearance level of the subject
     – A subject has read-write access only to objects which have classification (i.e., security level) equal to the current security clearance level of the subject

Bell-LaPadula Model (cont.)
[Figure: security levels ordered from Level 1 up to Level n; from a given Level i a subject can write to Level i and above (i+1, ..., n) and read from Level i and below (i-1, ..., 1)]

Case Studies: Unix
• Subjects:
  – Each user is identified by a ‘userid’
  – A user may belong to a group identified by a ‘groupid’
  – ‘Userid’ and ‘groupid’ are part of the process descriptor of the process running on behalf of the user and are used to verify access rights
• Protected objects: files and directories
  – Each file has a unique owner (the user who created the file)
  – Each file has two access fields
    ‘userid’ field: file owner
    ‘groupid’ field: ‘groupid’ of the group to which the file belongs

Case Studies: Unix (cont.)
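The simple security property and the *-property applied to the four access rights, as an added example that is not code from the slides. The level names are constructed, the rule that a current clearance may not exceed the maximum clearance is my assumption, and since the slides place no level constraint on execute (no read, no write) it is always allowed here:

```python
# Added example (not the slides' code): Bell-LaPadula access decisions with max and current clearance.
LEVELS = ["unclassified", "confidential", "secret", "top-secret"]   # constructed, low to high
RANK = {name: i for i, name in enumerate(LEVELS)}

class Subject:
    def __init__(self, name, max_clearance, current_clearance):
        if RANK[current_clearance] > RANK[max_clearance]:   # assumption: current <= maximum
            raise ValueError("current clearance above maximum clearance")
        self.name = name
        self.max = RANK[max_clearance]
        self.current = RANK[current_clearance]

def allowed(subject, classification, mode):
    obj = RANK[classification]
    if mode == "execute":                 # no read and no write: no information flows
        return True
    if mode == "read-only":
        # simple security property (against the maximum clearance) and
        # the *-property's reading-down rule (against the current clearance)
        return obj <= subject.max and obj <= subject.current
    if mode == "append":                  # writing up: classification >= current clearance
        return obj >= subject.current
    if mode == "read-write":              # both directions: only at the current level
        return obj == subject.current and obj <= subject.max
    raise ValueError(f"unknown access right {mode!r}")

def permitted_levels(subject):
    # for each flow-relevant access right, the classifications this subject may use it on
    return {mode: [lvl for lvl in LEVELS if allowed(subject, lvl, mode)]
            for mode in ("read-only", "append", "read-write")}

def blp_demo():
    # cleared up to 'secret' but currently working at 'confidential'
    return permitted_levels(Subject("analyst", "secret", "confidential"))
```

Lowering the current clearance below the maximum is what lets a subject write to low objects without violating the *-property, which the demo's "append" row shows.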
• Protection mechanism for files: access control list with protection groups for access efficiency
  – Protection groups: owner, group, others
  – Access rights for each group: read, write, execute
  – Three fields associated with each file, of three bits each
  – Only the owner of the file and the super user can change these bits (‘chmod’ command)
• Protection domain
  – Associated with each user
  – At login, the user starts in a protection domain defining access rights
  – The domain can be changed with the ‘su’ (set userid) command

The Hydra Kernel
• Kernel of a multiprocessor OS (Carnegie-Mellon U.)
  – Provides mechanisms on which a large array of OSs can be built
  – Supports capability-based protection
• An object (abstraction of a resource) is the unit of protection
• A procedure is an abstraction of an operation on an object
• The protection mechanism controls the invocation of procedures on instances of objects (i.e., resources)
• Objects
  – Each object has: name, type, representation
  – Representation
    Data part: can be accessed by programs with the right capability
    Capability part: capabilities for other objects; can be changed only by the kernel

The Hydra Kernel (cont.)
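The Unix check that picks exactly one of the three 3-bit fields for a process and tests the requested bit, as an added example that is not code from the slides (function names, uids, gids and mode values are constructed; super-user handling is left out):

```python
# Added example (not the slides' code): Unix owner/group/others protection groups over 9 mode bits.
R, W, X = 4, 2, 1

def unix_allowed(mode, file_uid, file_gid, proc_uid, proc_gids, want):
    """mode is the 9-bit rwxrwxrwx value; want is one of R, W, X."""
    # exactly one protection group applies, chosen by the process's userid/groupid
    if proc_uid == file_uid:
        field = (mode >> 6) & 7           # owner field
    elif file_gid in proc_gids:
        field = (mode >> 3) & 7           # group field
    else:
        field = mode & 7                  # others field
    return bool(field & want)

def render(mode):
    # the familiar ls-style string, e.g. 0o750 -> 'rwxr-x---'
    bits = "rwx"
    return "".join(bits[i % 3] if mode & (1 << (8 - i)) else "-" for i in range(9))

def unix_demo():
    # constructed file: owner uid 1000, group gid 100, mode ----rwxrwx (0o077)
    owner_read = unix_allowed(0o077, 1000, 100, 1000, {100}, R)    # owner field applies: denied
    member_read = unix_allowed(0o077, 1000, 100, 1001, {100}, R)   # group field: allowed
    stranger_write = unix_allowed(0o077, 1000, 100, 2000, {200}, W)  # others field: allowed
    # after 'su' to uid 1001 the same person runs in a different protection domain
    after_su = unix_allowed(0o077, 1000, 100, 1001, {100}, R)
    return owner_read, member_read, stranger_write, after_su, render(0o750)
```

The first result is the edge case worth remembering: the owner is judged by the owner field alone, even when the group or others fields would allow the access.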
• Protection:
  – Elements: objects (abstraction of resources) and capabilities (references to objects)
  – Operation:
    The process/user supplies a capability for the object
    The kernel validates the access rights
• Access rights:
  – Kernel rights: the kernel supports the basic access rights (read, write, copy)
  – Auxiliary rights: user-defined object operations
    The user defines a new object type and its associated operations
    The kernel treats these operations as auxiliary rights for the object
    For a user to perform these operations on the object, its capability must contain these auxiliary rights
  – The kernel uses a 24-bit mask to encode access rights: kernel rights have fixed positions

Amoeba
• Distributed OS (Tanenbaum)
• Object-based, client-server model
  – Client processes request operations on objects by sending requests to server processes via RPCs
  – Every object is managed by a server process
• Capabilities-based protection: the capability structure has four fields
    server port | object number | rights | check
  – Server port: identity of the server process that manages the corresponding object
  – Object number: identifies the specific object
  – Rights: access allowed
  – Check: protection against unauthorized changes (cryptographic technique)
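An Amoeba-style four-field capability whose check field binds the rights to a server-side secret, as an added example that is not code from the slides or from Amoeba. The HMAC construction over (port, object number, rights) is my assumption about how such a check field can be built, not Amoeba's actual scheme; the port and object numbers are constructed:

```python
# Added example (not the slides' code): capability = (server port, object number, rights, check).
import hmac
import hashlib
import secrets
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Capability:
    server_port: bytes   # identity of the managing server
    object_number: int   # which object at that server
    rights: int          # bit mask of allowed operations
    check: bytes         # binds port/object/rights so the holder cannot alter them

READ, WRITE = 1, 2

class ObjectServer:
    def __init__(self, port):
        self.port = port
        self.keys = {}   # object number -> per-object secret; never leaves the server

    def _mac(self, obj, rights):
        # assumption: check = HMAC-SHA256(per-object secret, port || object || rights)
        msg = self.port + obj.to_bytes(4, "big") + rights.to_bytes(4, "big")
        return hmac.new(self.keys[obj], msg, hashlib.sha256).digest()

    def create(self, obj, rights):
        self.keys[obj] = secrets.token_bytes(32)
        return Capability(self.port, obj, rights, self._mac(obj, rights))

    def validate(self, cap, wanted):
        # the client may present any bytes it likes; only a genuine check field passes
        if cap.server_port != self.port or cap.object_number not in self.keys:
            return False
        if not hmac.compare_digest(cap.check, self._mac(cap.object_number, cap.rights)):
            return False
        return (cap.rights & wanted) == wanted

def amoeba_demo():
    server = ObjectServer(b"file-server-port")         # constructed port identity
    cap = server.create(7, READ)                        # read-only capability for object 7
    forged = replace(cap, rights=READ | WRITE)          # rights bits edited, old check kept
    return (server.validate(cap, READ),                 # genuine, requested right present
            server.validate(cap, WRITE),                # genuine, right not in the mask
            server.validate(forged, WRITE))             # tampered: check no longer matches
```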