Outline
• ACL
• DAC
• RBAC
• MAC
Discretionary Access Control (DAC)
•
DAC
is the way to go to let people manage the
content they own. It might sound obvious, but
for instance DAC is very good to let users of an
online social network choose who accesses
their data. It allows people to revoke or
Role Based Access Control (RBAC)
• RBAC is a form of access control which as you said is suitable to separate
responsibilities in a system where multiple roles are fulfilled. This is
obviously true in corporations (often along with compartmentalization) but can also be used on a single user operating system. RBAC is designed for
separation of duties by letting users select the roles they need for a specific task. The key question is whether you use roles to represent tasks
performed on your system and assign roles in a central authority (in which case RBAC is a form of MAC); or if you use roles to let users control
Mandatory Access Control (MAC)
• MAC in itself is vague, there are many many ways
to implement it for many systems. In practice, you'll often use a combination of different
paradigms. For instance, a UNIX system mostly uses DAC but the root account bypasses DAC
In the Beginning...
• The program owned the machine
– Access all power of the hardware – Could really mess things up
• Executives emerged
– Gather common functionality
• Multi-user systems required greater separation
– Multics, the source of much early OS development
Protecting objects
•
Desire to protect logical entities
– Memory
– Files or data sets – Executing program – File directory
Access Control Matrix
•
Access Control Matrix (ACM) and related
concepts provides very basic abstraction
– Map different systems to a common form for
comparison
Definitions
•
Protection state of system
– Describes current settings, values of system
relevant to protection
•
Access control matrix
– Describes protection state precisely – Matrix describing rights of subjects
Description
objects (entities) su bj ec ts s1 s2 … sno1 … om s1 … sn • Subjects S = { s1,…,sn }
• Objects O = { o1,…,om }
• Rights R = { r1,…,rk }
• Entries A[s
i, oj]
R• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry
Practical object access control
•
Can slice the logical ACM two ways
– By row: Store with subject – By column: Store with object
objects (entities)
su
bj
ec
ts
s1 s2
…
sn
Access Control List
•
Slice by Object
– Used by Multics and most modern OS's
•
Let S be set of subjects and R set of rights in
system
– Access Control List (ACL) l is set of pairs
– acl(o) = { (s
i, ri) : 1 ≤ i ≤ n } means any si can
Example 1
•
Processes
p
,
q
•
Files
f
,
g
•
Rights
r
,
w
,
x
,
a
,
o
f g p q
p
rwo r
rwxo w
Unix Access Control
•
Three permission octets associated with each
file and directory
– Owner, group, and other – Read, write, execute
•
For each file/directory
– Can specify RWX permissions for one owner, one
Windows NT ACLs
• Different sets of rights
Basic: read, write, execute, delete, change permission,
take ownership
Generic: no access, read (read/execute), change
(read/write/execute/delete), full control (all), special access(assign any of the basics)
Directory: no access, read (read/execute files in
Windows ACL
•
Actually two ACL's per file
– System ACL (SACL) – controls auditing and now
integrity controls
– Discretionary ACL (DACL) – controls object
access
•
Windows ACLs apply to all named objects
ACL Distinctions
•
What subjects can modify an object's ACL?
•
If there is a privileged user, do the ACLs apply to
that user?
•
Does the ACL support groups or wildcards?
•
How are contradictory access control
permissions handled?
•
If a default permission is allowed, do the ACL
Revoking rights with ACLs
•
Revoking rights for subject
s
to a particular
object
o
straightforward
– Remove s from ACL(o)
– Make sure s has a negative entry in the ACL(o)
•
Example: Alice removes all of Bob's rights to
f
ACL Scaling
•
Groups of users
•
Role Base Access Control
– Users can take on role at a time
Accessing Files
•
User not in file’s ACL nor in any group named
in file’s ACL: deny access
•
ACL entry denies user access: deny access
•
Take union of rights of all ACL entries
Practical object access control
•
Can slice the logical ACM two ways
– By row: Store with subject – By column: Store with object
objects (entities)
su
bj
ec
ts
s1 s2
…
sn
Capability List
•
Slice by Subject
– Experimented with in the 80's. Often with
object-oriented systems.
•
Let O be set of objects and R set of rights in
system
– Capability list (C-List) c is a set of pairs
•
– cap(s) = { (o
i, ri) : 1 ≤ i ≤ n } means s can access oi
Example 1
•
Processes
p
,
q
•
Files
f
,
g
•
Rights
r
,
w
,
x
,
a
,
o
f g p q
p
rwo r
rwxo w
Capability Integrity
•
Subject presents capability to access object
– Capability encapsulates object ID with allowed
rights.
•
Unlike ACLs, capabilities are not completely
contained by the OS
•
Capability integrity is a big concern
– Tagged memory
– Segmented memory
ACLs vs. Capabilities
• Both theoretically equivalent; consider 2 questions
– 1. Given a subject, what objects can it access, and how? – 2. Given an object, what subjects can access it, and how?
• ACLs answer second easily; C-Lists, first
• Suggested that the second question, which in the past
has been of most interest, is the reason ACLbased systems more common than capabilitybased systems
• As first question becomes more important (in
CISCO Route ACL
•
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
!--- The access-list 101 denies icmp from any to any network !--- but permits IP traffic from any to any network.
router#configure terminal Enter configuration commands, one per line. End with CNTL/Z.
router(config)#access-list 101 deny icmp any any
router(config)#access-list 101 permit ip any any
router(config)#^Z
router#show access-list
Extended IP access list 101
deny icmp any any permit ip any any
router# *Mar 9 00:43:12.784: %SYS-5-CONFIG_I: Configured from console by console router#configure terminal Enter configuration commands, one per line. End with CNTL/Z.
router(config)#no access-list 101 deny icmp any any
router(config)#
Locks and Keys
•
Associate information (
lock
) with object,
information(
key
) with subject
– Latter controls what the subject can access and how – Subject presents key; if it corresponds to any of the
locks on the object, access granted
• This can be dynamic
– ACLs, C-Lists static and must be manually changed – Locks and keys can change based on system
Cryptographic Implementation
•
Enciphering key is lock; deciphering key is key
– Encipher object o; store Ek(o)
– Use subject’s key k′ to compute Dk′(Ek(o)) – Any of n can access o: store
o′ = (E1(o), …, En(o))
– Requires consent of all n to access o: store
Type Checking
•
Lock is type, key is operation
– Example: UNIX system call write can’t work on
directory object but does work on file
– Example: split I&D space of PDP-11
– Example: countering buffer overflow attacks on
the stack by putting stack on non-executable pages/segments
• Then code uploaded to buffer won’t execute
Type Checking cont..
•
LOCK system:
– Compiler produces “data”
– Trusted process must change this type to “executable”
before program can be executed
•
Sidewinder firewall
– Subjects assigned domain, objects assigned type • Example: ingress packets get one type, egress packets
another
– All actions controlled by type, so ingress packets
PACL Cont..
• Propagated Access Control List
– Implements ORGON
• Creator kept with PACL, copies
– Only owner can change PACL
– Subject reads object: object’s PACL associated with
subject
– Subject writes object: subject’s PACL associated with
Object
Ring-Based Access Control
• Process (segment) accesses another segment
– Read – Execute
• Gate is an entry point for calling segment Rights:
– r read
– w write
– a append – e execute
• Procedure executing in ring r
• Data segment with access bracket (a1, a2)
• Mandatory access rule
– r ≤ a1 allow access
– a1 < r ≤ a2 allow r access; not w, a access – a2 < r deny all access