CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 2 (2) The Access Control List Method Each object ‘o’ is assigned a list of pairs (s, P[s,o]), for all subjects ‘s’ that can access the object The access list for an object corresponds to the access rights contained in the column for object ‘o’ in the access matrix Example: Smithread, write, execute Jonesread Lee write

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 3 (2) The Access Control List Method (cont.) Operation: Subject ‘s’ requests access ‘  ’ to object ‘o’ – Search access control list of ‘o’ for entry (s,  ) – If entry exists, check if    – If yes, allow execution. Else, exception raised Advantages of access control lists – Easy revocation of access rights from a subject to an object: remove object’s entry from the object’s access control list – Easy review of access rights of all subjects to a given object – Note: it is, however, difficult to determine for a given subject what objects it has access to

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 4 Issues with Access Control Lists Efficiency of execution – Access control list needs to be searched for every access to an object! – Option: use shadow capability registers u On first access by a subject, copy access rights from access control list to a shadow register with the subject u The access rights in the shadow register acts as a capability u Subsequent accesses by this subject use the shadow register u Potential drawback: – Revocation of access rights becomes more difficult: removing access rights from access control list is not sufficient, some access rights remain in shadow registers

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 5 Issues with Access Control Lists (cont) Efficiency of storage – The list can be very large, containing the access rights of all subjects that can access this object – Note: the aggregate storage requirement is about the same as for capabilities – Option: use protection groups u Subjects (users) divided into protection groups u Access control list contains the names of groups and their access rights u Operation: subject gives its protection group and requested access u Issue: All subjects in a protection group have the same access rights to the object Authority to change an access control list – Issue: who can modify an access control list? – Options: u Self control: owner process (e.g., creator of the object) can modify list u Hierarchical control: – When object created, owner process specifies what other processes can modify access control list – Processes organized in a hierarchy: a process can change the access control list of all processes below it in the hierarchy

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 6 Examples of Systems using Access Control Lists Multics – Access control lists to control access to files – Principle of least privilege Unix – Access control list has three entries: owner, group, and other – Access rights: read, write, execute

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 7 (3) The Lock-Key Method Principles – Hybrid of capability-based method and access control list method – Every subject has a capability list made of tuples (o, k): the subject can access object ‘o’ using key ‘k’ – Every object has an access control list made of tuples (l,  ), called lock entries: any subject that can open lock ‘l’ can access the object with an access right contained in ‘  ’ Operation – Subject ‘s’ makes request for access ‘  ’ to object ‘o’ – The system locates tuple (o, k) in capability list of the subject – If present, search access control list of object ‘o’ for entry (l,  ), where k = l and obtain  – Access allowed if   

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 8 (3) The Lock-Key Method (cont.) Advantages: – Easy revocation of access rights: to revoke the access rights of a subject to an object, delete the lock entry corresponding to the key of the subject – Capability-based addressing can be used Disadvantages: – Access control list must be searched for every access Example – IBM/360 storage keys protection method similar to lock-key method

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 9 Access Matrix Model: Changing The Protection State Access matrix is itself a protected object Commands for changing protection state – Set of commands ‘C’ for changing protection state defined in the form of the following primitive operations enter r into P [s, o] delete r from P [s, o] create subject s create object o destroy subject s destroy object o – Primitive operations: define changes to be made to the access matrix P – Example: Primitive operation delete r from P [s, o] deletes access right r from the position P [s, o] in the access matrix, I.e., access right r of subject s to object o is withdrawn

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 10 Access Matrix Model: Changing The Protection State (cont.) Before the operation is performed (e.g., the delete in previous example), a verification should be made that the process has the right to perform this operation on the access matrix: Command syntax: command ( ) if then end. Command execution – All checks in the condition part are evaluated. The part has checks in the form ‘r in P[s,o]’ – If all checks pass, primitive operations in are executed

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 11 Access Matrix Model: Changing The Protection State (cont.) All accesses are validated by a mechanism called a reference monitor: the reference monitor will reject an access not allowed by the access matrix Each object has an owner – If ‘s’ is the owner of ‘o’, then own  P [ s, o ] – The owner of an object can give (confer) a right to the object to another subject Example: command to create a file and assign ‘own’ and ‘read’ rights to it command create-read (process, file) create object file enter own into P [process, file] enter read into P [process, file] end.

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 12 Access Matrix Model: Changing The Protection State (cont.) Example: command owner of a file gives ‘write’ access rights to another process command confer-write (owner, process, file) if own  P [ owner, file ] then enter write into P [process, file] end.

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 13 Advanced Models of Protection: The Take-Grant Model Principles: – Uses directed graphs to model access control – Protection state of system represented by directed graph – More efficient than (sparsely populated) access matrix Model: – Graph nodes: subjects and objects – An edge from node ‘x’ to node ‘y’ indicates that subject ‘x’ has an access right to the object ‘y’: the edge is tagged with the corresponding access rights – Access rights u Read (r), write (w), execute (e) u Special access rights for propagating access rights to other nodes – Take: If node ‘x’ has access right take to node ‘y’, then subject ‘x’ can take any access right that it has on ‘y’ to another node – Grant: If node ‘x’ has access right grant to node ‘y’, then the entity represented by node ‘y’ can be granted any of the access rights that node ‘x’ has

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 14 Example: take operation – Node ‘x’ has take access to node ‘y’ – Node ‘y’ has read and write access to node ‘z’ – Node ‘x’ can take access right read from ‘y’ and have this access right for object ‘z’ : a directed edge labeled ‘r’ is added from node ‘x’ to node ‘z’ xy z xy z The Take-Grant Model (cont.)

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 15 The Take-Grant Model (cont.) Example: grant operation – Node ‘x’ has grant access to node ‘y’ and also has read and write access to node ‘z’ – Node ‘x’ can grant read access for ‘z’ to node ‘y’ ( a directed edge labeled ‘r’ from ‘y’ to ‘z’ is added in the graph) x z y x z y

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 16 State and state transitions: – The protection state of the system is represented by the directed graph – System changes state (state transition) when the directed graph changes – The directed graph changes with the following operations u Take u Grant u Create: A new node is added to the graph – When node ‘x’ creates a new node ‘y’, a directed edge is added from ‘x’ to ‘y’ u Remove: A node deletes some of its access rights to another node The Take-Grant Model (cont.)

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 17 Bell-LaPadula Model Used to control information flow Model components – Subjects, objects, and access matrix – Several ordered security levels u Each subject has a (maximum) clearance and a current clearance level u Each object has a classification (I.e., belongs to a security level) – Subjects can have the following access rights to objects u Read-only u Append: subject can only write object (no read permitted) u Execute: no read or write u Read-write: both read and write are permitted – Subject that creates an object has control attribute to that object and is the controller of the object u Subject can pass any of the four access rights of the controlled object to another subject

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 18 Bell-LaPadula Model (cont.) Restrictions on information flow and access control (reading down and writing up properties): 1. The simple security property – A subject cannot have read access to an object with classification higher than the clearance level of the subject 2. The  -property (star property) – A subject has append (I.e., write) access only to objects which have classification (I.e., security level) higher than or equal to the current security clearance level of the subject – A subject has read access only to objects which have classification (I.e., security level) lower than or equal to the current security clearance level of the subject – A subject has read-write access only to objects which have classification (I.e., security level) equal to the current security clearance level of the subject

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 19 Level n. Level i+1 Level i-1. Level 1 Bell-LaPadula Model (cont.)

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 20 Case Studies: Unix Subjects: – Each user identified by a a ‘userid’ – A user may belong to a group identified by ‘groupid’ – ‘Userid’ and ‘groupid’ are part of the process descriptor of the process running on behalf of the user and used to verify access rights Protected objects: files and directories – Each file has a unique owner (user who created the file) – Each file has two access fields u ‘userid’ field: file owner u ‘groupid’ field: ‘groupid” of the group to which the file belongs

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 21 Case Studies: Unix (cont.) Protection mechanism for files: access control list with protection groups for access efficiency – Protection groups: owner, group, others – Access rights for each group: read, write, execute u Three fields associated with each file of three bits each u Only the owner of the file and the super user can change these bits (‘chmod’ command) Protection domain – Associated with each user – At login, user starts in a protection domain defining access rights – Domain can be changed with ‘su’ (set userid) command

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 22 The Hydra Kernel Kernel of a multiprocessor OS (Carnegie-Mellon U.) – Provides mechanisms on which a large array of OSs can be built – Supports capability-based protection An object (abstraction of a resource) is the unit of protection Procedure is an abstraction of an operation on an object Protection mechanism controls the invocation of procedures to instances of objects (i.e., resources) Objects – Each object has: name, type, representation, u Representation – Data part: can be accessed by programs with the right capability – Capability part: capabilities for other objects can be changed only by the kernel

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 23 The Hydra Kernel (cont.) Protection: – Elements: objects (abstraction of resources) and capabilities (references to objects) – Operation: u Process/user supplies capability for object u Kernel validates access rights Access rights: – Kernel rights: kernel supports the basic access rights (read, write, copy) – Auxiliary rights: user defined object operations u User defines a new object type and associated operations u Kernel treats these operations as auxiliary rights for the object u For a user to perform these operations on the object, its capability must contain these auxiliary rights – Kernel uses a 24-bit mask to encode access rights: kernel rights have fixed positions

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 24 Amoeba Distributed OS (Tanenbaum) Object-based, client-server model – Client processes request operations on objects by sending requests to server processes via RPCs – Every object is managed by a server process C apabilities-based protection: Capability structure – Server port: identity of server process that manages corresponding object – Object number: identifies specific object – Rights: access allowed – Check: protection against unauthorized changes (cryptographic technique) server portobject numberrightscheck