Presentation is loading. Please wait.

Presentation is loading. Please wait.

Semantics of the Password-Capability System Dan Mossop and Ronald Pose School of Computer Science & Software Engineering Monash University, Australia.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Semantics of the Password-Capability System Dan Mossop and Ronald Pose School of Computer Science & Software Engineering Monash University, Australia."— Presentation transcript:

1 Semantics of the Password-Capability System Dan Mossop and Ronald Pose School of Computer Science & Software Engineering Monash University, Australia. {dgm,rdp}@csse.monash.edu.au http://www.csse.monash.edu.au/~rdp/research

2 Overview Background Introduction to the system System state State operations Security analysis

3 Background (1) What is the Password-Capability System?  Operating system kernel designed and implemented at Monash University  Capability-based access control  Global persistent address space  Formed the bases of other systems such as Walnut (Monash University), Mungi (UNSW), Opal (University of Washington) Why do we need it?  Allows for ease of sharing and access of objects throughout the world in a highly secure manner

4 Background (2) Conventional systems:  Have coarse-grained access control typically based on a form of access control list  Are complex and hard to analyse  Don’t support mechanisms such as process confinement or per-use charging for resources and services The Password-Capability System  Has fine-grained access control  Is compact and amenable to analysis  Supports process confinement  Incorporates a fully integrated economic model for resource allocation and management as well as service provision

5 Virtual Memory (1) Data, files, processes and programs all considered as ‘objects’ Objects reside in a persistent global virtual memory Virtual memory divided into volumes Each object has an object name (v, s)  v is the volume number  s is the object serial number Object name is unique

6 Virtual Memory (2) Objects in virtual memory: e.g. assuming a 32 bit volume number Note that a volume number identifies a volume, typically a storage device, but not its geographic location Vol 0 Vol 1 … Vol 2Vol 2 32 -1 … Obj (0, 82644) Obj (2, 94837) Obj (2, 29372)

7 Password-Capabilities (1) Access is controlled by password-capabilities A password-capability is a value Denoted (v, s, p1, p2), where:  v,s name the object to which access is allowed  p1,p2 are two halves of a random password The randomly generated password protects against forgery Each capability defined for an object affords a set of access rights that may be the same or different to those of other capabilities for the object

8 Password-Capabilities (2) A password-capability: Obj (2, 29372) 2293721,394,506,7123,403,294,157 vsp1p2

9 Access Rights A password-capability affords access rights such as: Read, Write, Execute a range of words of the object Start, Suspend an object that is a process Deposit, Withdraw funds from the bank account that is intrinsic to all objects Rights to derive new capabilities or to Delete existing capabilities

10 Capability Hierarchy When an object is created, a capability is returned affording all access rights ever possible for that object This is the ‘master’ capability New capabilities can be derived from existing ones These ‘derivatives’ have a subset of the rights of their parent Deletion of a capability deletes all its derivatives as well Thus each object has defined a singly-rooted tree of capabilities affording various access rights Access to an object is only possible via a capability

11 Confinement (1) Each process has a 64-bit lockword that cannot be read Prior to checking the validity of a capability, the system first XORs the P1,P2 fields with the current lockword of the process A zero (default) lockword thus has no effect however a non- zero lockword in effect ‘locks’ the process so that it cannot use normal capabilities. If a process’s lockword is set the process will only be allowed to use capabilities whose use cannot allow the system’s state to be changed. One can allow a locked process to access objects by first XORing the password fields of the capabilities with the lock value. This will cancel out the System’s XOR and allow normal operation.

12 Confinement (2) An unconfined capability: 2293721,394,506,7123,403,294,157 229372 1,394,506,712 xor L1 3,403,294,157 xor L2 System tries to check the password after XORing with the process’s lockword (L1,L2). The result is not a valid capability, so it cannot be used. Note that the capability presented to the system will be allowed to be used without the XOR if it does not allow the system state to be changed.

13 Confinement (3) A ‘confined’ capability: 229372 2 1,394,506,712 xor L1 3,403,294,157 xor L2 System tries to decrypt the password by the process’s lockword. The result is a valid capability, so it can be used. 3,403,294,1571,394,506,712

14 Type Management (1) A type manager can create objects and XOR capability passwords before giving to clients The clients can’t alter the objects directly – they must use the type manager Operations (such as derive a new capability) which do not alter the object’s contents can be carried out without consulting the type manager

15 Type Management (2) Type management 229372 2 1,394,506,712 3,403,294,157 xor K The type manager knows K, so it can recover the above capability. This capability is valid and can be used on behalf of the client. 3,403,294,1571,394,506,712 Client is given the above capability, but can’t use it as p2 is invalid. Instead it must pass it to the type manager.

16 Money (1) The system has a mechanism for paying for resource usage Objects act as stores of ‘money’ Processes have an amount of ‘cash’ from which usage payment is taken Processes can deposit cash in objects and/or withdraw it Processes can send cash to one another

17 Money (2) The monetary mechanism System Process Object Send Receive Deposit Withdraw Pay for resource usage

18 System State (1) The state, S, of the virtual memory is determined by the state of all the volumes: S = {V v : v is a volume number} With V v giving the state of the volume with volume number v. The state of a volume V v is given by: V v = {O v,s : (v,s) is an object name} With O v,s being the state of the object, (v,s).

19 System State (2) The state of an object O v,s is: O v,s = {data v,s, caps v,s, status v,s } data v,s is the state of the object’s user data caps v,s is the state of the hierarchy of capabilities existing for the object status v,s is the information used when the object is seen as a process

20 State Operations (1) There are different types of operations which use the virtual memory:  Object operations  Data operations  Capability operations  Status operations

21 State Operations (2) Object Operations  Make_obj – creates a new object Note: Objects are deleted when there are no extant capabilities defined for them

22 State Operations (3) Data Operations  Read – read data from the object  Write – write data to the object  Execute – execute instructions in an object

23 State Operations (4) Capability Operations  Cap_info – get information about a capability  Derive_cap – derive a new capability  Delete_cap – delete a capability  Rename_obj – delete all capabilities for an object and create a new master capability

24 State Operations (5) Status Operations  Withdraw – withdraw money from an object  Deposit – deposit money into an object  Suspend – suspend a process  Resume – resume a process  Lock – confine a process  Send – send a message to another process  Receive – retrieve a message  Wait – wait for a message

25 Security Analysis (1) The Password-Capability System seems secure, but can we convince ourselves? The semantics presented give a foundation for doing a thorough security analysis There are a number of security aspects we are interested in analysing

26 Security Analysis (2) How well do capability passwords protect against forgery?  Subtleties in the use of passwords introduce some interesting properties  Does this reduce their security?  How long should passwords be to prevent forgery?  Current proposed password length is 64-bits  Initial analysis suggests 128 or 256-bits needed  Can modifying the system reduce this length?

27 Security Analysis (3) Is the confinement mechanism secure?  Can we prove no covert channels exist?  Which rights can change the system state?  Is there any way for a process to discover its lock?

28 Security Analysis (4) Can the system support arbitrary security policies?  How can this be achieved?  Are any modifications to the system necessary?

29 Formal Semantic Analysis (1) No operation occurs without a capability and money to pay for it pays() A capability exists only if its password is associated with the object check_pass() A capability defines access rights to an object that are not encoded in the password has() Access rights may operate on a subset of the words in an object can_see()

30 Formal Semantic Analysis (2)

31 Conclusion We have presented the Password-Capability System Outlined a formal specification of its semantics This can be extended to a formal analysis of the security

32 Questions?

Download ppt "Semantics of the Password-Capability System Dan Mossop and Ronald Pose School of Computer Science & Software Engineering Monash University, Australia."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
System Integration and Performance

System Integration and Performance
CSC 360- Instructor: K. Wu Overview of Operating Systems.

CSC 360- Instructor: K. Wu Overview of Operating Systems.
Metering and Licensing of Resources: Kala ’ s General Purpose Approach by Sergiu S. Simmel and Ivan Godard Review by Seung Jun Lee ABSTRACT “ This paper.

Metering and Licensing of Resources: Kala ’ s General Purpose Approach by Sergiu S. Simmel and Ivan Godard Review by Seung Jun Lee ABSTRACT “ This paper.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Software Certification and Attestation Rajat Moona Director General, C-DAC.

Software Certification and Attestation Rajat Moona Director General, C-DAC.
 Introduction  Fundamentals  Capability Security  Challenges in Secure Capability Systems  Revoking Capabilities  Conclusion.

 Introduction  Fundamentals  Capability Security  Challenges in Secure Capability Systems  Revoking Capabilities  Conclusion.
Memory Management Design & Implementation Segmentation Chapter 4.

Memory Management Design & Implementation Segmentation Chapter 4.
Process Description and Control Module 1.0. Major Requirements of an Operating System Interleave the execution of several processes to maximize processor.

Process Description and Control Module 1.0. Major Requirements of an Operating System Interleave the execution of several processes to maximize processor.
File Management Systems

File Management Systems
G22.3250-001 Robert Grimm New York University Opal.

G Robert Grimm New York University Opal.
Process Description and Control Chapter 3. Major Requirements of an Operating System Interleave the execution of several processes to maximize processor.

Process Description and Control Chapter 3. Major Requirements of an Operating System Interleave the execution of several processes to maximize processor.
CE6105 Linux 作業系統 Linux Operating System 許 富 皓. Chapter 2 Memory Addressing.

CE6105 Linux 作業系統 Linux Operating System 許 富 皓. Chapter 2 Memory Addressing.
1 Process Description and Control Chapter 3. 2 Process Management—Fundamental task of an OS The OS is responsible for: Allocation of resources to processes.

1 Process Description and Control Chapter 3. 2 Process Management—Fundamental task of an OS The OS is responsible for: Allocation of resources to processes.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Chapter 9 Virtual Memory Produced by Lemlem Kebede Monday, July 16, 2001.

Chapter 9 Virtual Memory Produced by Lemlem Kebede Monday, July 16, 2001.
Figure 1.1 Interaction between applications and the operating system.

Figure 1.1 Interaction between applications and the operating system.
Chapter 11 Operating Systems

Chapter 11 Operating Systems
Fast binary and multiway prefix searches for pachet forwarding Author: Yeim-Kuan Chang Publisher: COMPUTER NETWORKS, Volume 51, Issue 3, pp. 588-605, February.

Fast binary and multiway prefix searches for pachet forwarding Author: Yeim-Kuan Chang Publisher: COMPUTER NETWORKS, Volume 51, Issue 3, pp , February.

Similar presentations

Ads by Google