1 Access Control Mechanisms CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 20, 2004.

Presentation transcript:


2 Overview
- Access Control Lists
- Capability Lists
- Locks and Keys
- Ring-Based Access Control

3 Access Control Lists
Def: Let S be a set of subjects, R a set of rights. An access control list (ACL) l is a set of pairs
$l = \{(s, r) : s \in S,\ r \subseteq R\}$
We write $\mathrm{acl}(o) = \{(s_i, r_i) : 1 \le i \le n\}$ to denote that subject $s_i$ may access object $o$ using any right in $r_i$.

4 Example ACL
acl(file 1) = {(proc 1, {r, w, own}), (proc 2, {a})}
acl(file 2) = {(proc 1, {r}), (proc 2, {r, own})}
acl(proc 1) = {(proc 1, {r, w, x, own}), (proc 2, {r})}
acl(proc 2) = {(proc 1, {w}), (proc 2, {r, w, x, own})}

|        | file 1    | file 2 | proc 1       | proc 2       |
|--------|-----------|--------|--------------|--------------|
| proc 1 | r, w, own | r      | r, w, x, own | w            |
| proc 2 | a         | r, own | r            | r, w, x, own |

5 Abbreviations of ACLs
- Unix
  - 3 types of users for each file: owner, group, all others
  - 3 types of permission: read, write, execute
- AFS
  - ability to define access rights for any specific user or group
  - 7 types of permission: read, list, insert, delete, write, lock, administer

6 Capabilities
Def: Let O be a set of objects, R a set of rights. A capability list c is a set of pairs
$c = \{(o, r) : o \in O,\ r \subseteq R\}$
We write $\mathrm{cap}(s) = \{(o_i, r_i) : 1 \le i \le n\}$ to denote that subject $s$ may access object $o_i$ using any right in $r_i$.

7 Example Capability List
cap(proc 1) = {(file 1, {r, w, own}), (file 2, {r}), (proc 1, {r, w, x, own}), (proc 2, {w})}
cap(proc 2) = {(file 1, {a}), (file 2, {r, own}), (proc 1, {r}), (proc 2, {r, w, x, own})}

|        | file 1    | file 2 | proc 1       | proc 2       |
|--------|-----------|--------|--------------|--------------|
| proc 1 | r, w, own | r      | r, w, x, own | w            |
| proc 2 | a         | r, own | r            | r, w, x, own |
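
Added example (not part of the original slides): the matrix from slides 4 and 7 stored once, with acl(o) derived as a column and cap(s) as a row, plus a check that a reference monitor reaches the same decision from either view. The function names and the dictionary layout are assumptions made for illustration.

```python
# Access control matrix from slides 4 and 7: MATRIX[subject][object] = rights.
MATRIX = {
    "proc 1": {"file 1": {"r", "w", "own"}, "file 2": {"r"},
               "proc 1": {"r", "w", "x", "own"}, "proc 2": {"w"}},
    "proc 2": {"file 1": {"a"}, "file 2": {"r", "own"},
               "proc 1": {"r"}, "proc 2": {"r", "w", "x", "own"}},
}
RIGHTS = {"r", "w", "x", "a", "own"}

def acl(obj):
    """Column view, kept with the object: {subject: rights}."""
    return {s: set(row[obj]) for s, row in MATRIX.items() if row.get(obj)}

def cap(subj):
    """Row view, kept with the subject: {object: rights}."""
    return {o: set(r) for o, r in MATRIX.get(subj, {}).items() if r}

def allowed_by_acl(subj, obj, right):
    # Start at the object, then look for the subject's entry.
    return right in acl(obj).get(subj, set())

def allowed_by_cap(subj, obj, right):
    # Start at the subject, then look for the object's entry.
    return right in cap(subj).get(obj, set())

def views_agree():
    """True if both representations give identical decisions everywhere."""
    objects = {o for row in MATRIX.values() for o in row}
    return all(allowed_by_acl(s, o, r) == allowed_by_cap(s, o, r)
               for s in MATRIX for o in objects for r in RIGHTS)

if __name__ == "__main__":
    print("acl(file 1) =", acl("file 1"))
    print("cap(proc 2) =", cap("proc 2"))
    print("views agree:", views_agree())
```

Unknown subjects or objects fall through to an empty rights set, so both checks deny by default.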

8 Locks and Keys
- Associate a piece of information (the lock) with each object.
- Associate a second piece of information (the key) with each subject allowed to access the object.
- May have multiple locks and keys for the same object
  - or-access: provide multiple locks (and keys)
  - and-access: lock multiple times

9 Type Checking: a Form of Locks and Keys
- Unix prevents writing to a directory using normal file operations
- Might restrict read and write to data, execute to instructions
- PDP-11 prevents buffer overflow
- DTEL policy language can enforce type checking

10 Sharing Secrets
- Problem: Need to ensure that at least 3 senior officials agree that country is under attack before launching a counterstrike.
- Place 10 officials in different parts of the country, each official has a part of the key.
- How should the key be divided?

11 Threshold Schemes
Def: A (t, n)-threshold scheme is a cryptographic scheme in which a datum is divided into n parts, any t of which are sufficient to determine the original datum.

12 Implementing Threshold Schemes
- Could use locks and keys
  - combinations of or- and and-access could be used
- Could use polynomial of degree t-1 with n example evaluations
  - requires t values to rederive the polynomial
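
Added example (not part of the original slides): the polynomial approach from slide 12 applied to the (3, 10) problem on slide 10. It assumes the usual Shamir construction, with arithmetic modulo a prime P and the secret as the polynomial's constant term; the function names and the choice of P are illustrative.

```python
import secrets

P = 2**127 - 1  # prime modulus (assumed); secret and shares live in GF(P)

def split(secret, t, n):
    """Split secret into n shares, any t of which recover it."""
    if not (1 <= t <= n < P and 0 <= secret < P):
        raise ValueError("need 1 <= t <= n < P and 0 <= secret < P")
    # f(x) = secret + c1*x + ... + c_{t-1}*x^(t-1) with random coefficients,
    # so f has degree at most t-1 and f(0) is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):        # the n evaluations; x = 0 is never issued
        y = 0
        for c in reversed(coeffs):   # Horner's rule
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover(shares):
    """Lagrange-interpolate f(0) from the supplied (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x values")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

if __name__ == "__main__":
    key = secrets.randbelow(P)            # constructed launch key
    shares = split(key, t=3, n=10)        # one share per official
    print(recover(shares[:3]) == key)     # any 3 officials suffice
    print(recover(shares[:2]) == key)     # 2 officials get an unrelated value
```

With fewer than t shares the interpolation still returns a number, but every candidate secret is equally consistent with the shares held, which is why the random coefficients must come from a cryptographic generator.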

13 Ring-Based Access Control (Multics)
- Data and procedures occupy different segments
- Segments have ACLs for r, w, x, a
- Protection rings:
  - procedure executes in ring r
  - higher rings have fewer privileges

14 Access Brackets
- Each data segment has access bracket $(a_1, a_2)$ with $a_1 \le a_2$
- Assume procedure executing in ring $r$
  - $r \le a_1$: all access permitted
  - $a_1 < r \le a_2$: r, x permitted, but w, a denied
  - $a_2 < r$: all accesses denied

15 Call Brackets
- Each procedure may have a call bracket $(c_1, c_2)$ with $c_1 \le c_2$
- By convention $c_1 = a_2$, so may write $(a_1, a_2, a_3)$ where $(a_1, a_2)$ is access bracket and $(a_2, a_3)$ is call bracket
- Assume procedure executing in ring $r$
  - $r < a_1$: access permitted, but ring fault occurs
  - $a_1 \le r \le a_2$: all access permitted, no ring fault
  - $a_2 < r \le a_3$: access permitted through valid gate
  - $a_3 < r$: all access denied
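
Added example (not part of the original slides): the bracket rules from slides 14 and 15 as decision functions, exercised at the boundary rings where off-by-one mistakes usually hide. The names are illustrative, and applying the segment ACL before the ring check is an assumption about how the two mechanisms combine.

```python
from enum import Enum

class Call(Enum):
    RING_FAULT = "permitted, ring fault occurs"
    DIRECT = "permitted, no ring fault"
    GATE_ONLY = "permitted only through a valid gate"
    DENIED = "denied"

def data_access(r, bracket, right, acl_rights=frozenset("rwxa")):
    """May a procedure in ring r use `right` on a data segment (slide 14)?"""
    a1, a2 = bracket
    if not a1 <= a2:
        raise ValueError("access bracket requires a1 <= a2")
    if right not in acl_rights:      # assumption: segment ACL is checked first
        return False
    if r <= a1:                      # r <= a1: all access permitted
        return True
    if r <= a2:                      # a1 < r <= a2: r, x only
        return right in {"r", "x"}
    return False                     # a2 < r: all accesses denied

def call_access(r, bracket):
    """Classify a call from ring r into a procedure segment (slide 15)."""
    a1, a2, a3 = bracket
    if not a1 <= a2 <= a3:
        raise ValueError("brackets require a1 <= a2 <= a3")
    if r < a1:
        return Call.RING_FAULT
    if r <= a2:
        return Call.DIRECT
    if r <= a3:
        return Call.GATE_ONLY
    return Call.DENIED

def may_call(r, bracket, via_gate=False):
    """Boolean decision: gate-only calls succeed only when made via a gate."""
    kind = call_access(r, bracket)
    if kind is Call.GATE_ONLY:
        return via_gate
    return kind is not Call.DENIED

if __name__ == "__main__":
    for ring in range(2, 7):         # constructed bracket (3, 5)
        print(ring, {x: data_access(ring, (3, 5), x) for x in "rwxa"})
    for ring in range(1, 8):         # constructed bracket (2, 4, 6)
        print(ring, call_access(ring, (2, 4, 6)).value)
```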