Lec 10 ACL

Outline

• _ACL

• DAC

• _RBAC

• _MAC

Discretionary Access Control (DAC)

•

DAC

is the way to go to let people manage the

content they own. It might sound obvious, but

for instance DAC is very good to let users of an

online social network choose who accesses

their data. It allows people to revoke or

Role Based Access Control (RBAC)

• _{RBAC is a form of access control which as you said is suitable to separate}

responsibilities in a system where multiple roles are fulfilled. This is

obviously true in corporations (often along with compartmentalization) but can also be used on a single user operating system. RBAC is designed for

separation of duties by letting users select the roles they need for a specific task. The key question is whether you use roles to represent tasks

performed on your system and assign roles in a central authority (in which case RBAC is a form of MAC); or if you use roles to let users control

Mandatory Access Control (MAC)

• _{MAC in itself is vague, there are many many ways}

to implement it for many systems. In practice, you'll often use a combination of different

paradigms. For instance, a UNIX system mostly uses DAC but the root account bypasses DAC

In the Beginning...

• _{The program owned the machine}

– _{Access all power of the hardware} – _{Could really mess things up}

• _{Executives emerged}

– _{Gather common functionality}

• _{Multi-user systems required greater separation}

– _{Multics, the source of much early OS development}

Protecting objects

•

Desire to protect logical entities

– _Memory

– _{Files or data sets} – _{Executing program} – _{File directory}

Access Control Matrix

•

Access Control Matrix (ACM) and related

concepts provides very basic abstraction

– _{Map different systems to a common form for}

comparison

Definitions

•

Protection state of system

– _{Describes current settings, values of system}

relevant to protection

•

Access control matrix

– _{Describes protection state precisely} – _{Matrix describing rights of subjects}

Description

o₁ … o_m s₁ … s_n • Subjects S = { s₁,…,s_n }

• Objects O = { o₁,…,o_m }

• Rights R = { r₁,…,r_k }

• _{Entries A[s}

i, oj] 



• A[s_i, o_j] = { r_x, …, r_y } means subject s_i has rights r_x, …, r_y

Practical object access control

•

Can slice the logical ACM two ways

– _{By row: Store with subject} – _{By column: Store with object}

objects (entities)

su

bj

ec

ts

s₁ s₂

…

s_n

Access Control List

•

Slice by Object

– _{Used by Multics and most modern OS's}

•

Let S be set of subjects and R set of rights in

system

– _{Access Control List (ACL) l is set of pairs}

– _{acl(o) = { (s}

i, ri) : 1 ≤ i ≤ n } means any si can

Example 1

•

Processes

p

,

q

•

Files

f

,

g

•

Rights

r

,

w

,

x

,

a

,

o

f g p q

p

rwo r

rwxo w

Unix Access Control

•

Three permission octets associated with each

file and directory

– _{Owner, group, and other} – _{Read, write, execute}

•

For each file/directory

– _{Can specify RWX permissions for one owner, one}

Windows NT ACLs

• Different sets of rights

 _{Basic: read, write, execute, delete, change permission,}

take ownership

 _{Generic: no access, read (read/execute), change}

(read/write/execute/delete), full control (all), special access(assign any of the basics)

 _{Directory: no access, read (read/execute files in}

Windows ACL

•

Actually two ACL's per file

– _{System ACL (SACL) – controls auditing and now}

integrity controls

– _{Discretionary ACL (DACL) – controls object}

access

•

Windows ACLs apply to all named objects

ACL Distinctions

•

What subjects can modify an object's ACL?

•

If there is a privileged user, do the ACLs apply to

that user?

•

Does the ACL support groups or wildcards?

•

How are contradictory access control

permissions handled?

•

If a default permission is allowed, do the ACL

Revoking rights with ACLs

•

Revoking rights for subject

s

to a particular

object

o

straightforward

– _{Remove s from ACL(o)}

– _{Make sure s has a negative entry in the ACL(o)}

•

Example: Alice removes all of Bob's rights to

f

ACL Scaling

•

Groups of users

•

Role Base Access Control

– _{Users can take on role at a time}

Accessing Files

•

User not in file’s ACL nor in any group named

in file’s ACL: deny access

•

ACL entry denies user access: deny access

•

Take union of rights of all ACL entries

Practical object access control

•

Can slice the logical ACM two ways

– _{By row: Store with subject} – _{By column: Store with object}

objects (entities)

su

bj

ec

ts

s₁ s₂

…

s_n

Capability List

•

Slice by Subject

– _{Experimented with in the 80's. Often with}

object-oriented systems.

•

Let O be set of objects and R set of rights in

system

– _{Capability list (C-List) c is a set of pairs}

•

– _{cap(s) = { (o}

i, ri) : 1 ≤ i ≤ n } means s can access oi

Example 1

•

Processes

p

,

q

•

Files

f

,

g

•

Rights

r

,

w

,

x

,

a

,

o

f g p q

p

rwo r

rwxo w

Capability Integrity

•

Subject presents capability to access object

– _{Capability encapsulates object ID with allowed}

rights.

•

Unlike ACLs, capabilities are not completely

contained by the OS

•

Capability integrity is a big concern

– _{Tagged memory}

– _{Segmented memory}

ACLs vs. Capabilities

• _{Both theoretically equivalent; consider 2 questions}

– _{1. Given a subject, what objects can it access, and how?} – _{2. Given an object, what subjects can access it, and how?}

• _{ACLs answer second easily; C-Lists, first}

• _{Suggested that the second question, which in the past}

has been of most interest, is the reason ACLbased systems more common than capabilitybased systems

• _{As first question becomes more important (in}

CISCO Route ACL

•

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

!--- The access-list 101 denies icmp from any to any network !--- but permits IP traffic from any to any network.

router#configure terminal Enter configuration commands, one per line. End with CNTL/Z.

router(config)#access-list 101 deny icmp any any

router(config)#access-list 101 permit ip any any

router(config)#^Z

router#show access-list

Extended IP access list 101

deny icmp any any permit ip any any

router# *Mar 9 00:43:12.784: %SYS-5-CONFIG_I: Configured from console by console router#configure terminal Enter configuration commands, one per line. End with CNTL/Z.

router(config)#no access-list 101 deny icmp any any

router(config)#

Locks and Keys

•

Associate information (

lock

) with object,

information(

key

) with subject

– _{Latter controls what the subject can access and how} – _{Subject presents key; if it corresponds to any of the}

locks on the object, access granted

• This can be dynamic

– ACLs, C-Lists static and must be manually changed – Locks and keys can change based on system

Cryptographic Implementation

•

Enciphering key is lock; deciphering key is key

– Encipher object o; store Ek(o)

– Use subject’s key k′ to compute Dk′(Ek(o)) – Any of n can access o: store

o′ = (E1(o), …, En(o))

– Requires consent of all n to access o: store

Type Checking

•

Lock is type, key is operation

– _{Example: UNIX system call write can’t work on}

directory object but does work on file

– _{Example: split I&D space of PDP-11}

– _{Example: countering buffer overflow attacks on}

the stack by putting stack on non-executable pages/segments

• Then code uploaded to buffer won’t execute

Type Checking cont..

•

LOCK system:

– _{Compiler produces “data”}

– _{Trusted process must change this type to “executable”}

before program can be executed

•

Sidewinder firewall

– _{Subjects assigned domain, objects assigned type} • _{Example: ingress packets get one type, egress packets}

another

– _{All actions controlled by type, so ingress packets}

PACL Cont..

• _{Propagated Access Control List}

– _{Implements ORGON}

• _{Creator kept with PACL, copies}

– _{Only owner can change PACL}

– _{Subject reads object: object’s PACL associated with}

subject

– _{Subject writes object: subject’s PACL associated with}

Object

Ring-Based Access Control

• Process (segment) accesses another segment

– _Read – Execute

• Gate is an entry point for calling segment Rights:

– r read

– w write

– _{a append} – e execute

• _{Procedure executing in ring r}

• Data segment with access bracket (a1, a2)

• _{Mandatory access rule}

– r ≤ a1 allow access

– a1 < r ≤ a2 allow r access; not w, a access – a2 < r deny all access