Capability Based Security
By Zachary Walker
CS265
Section 1
Access Control Issues
Preventing Access
– Prevent users from accessing privileged data or resources
Limiting Access
– Need to allow some access but not full access
Granting Access
– Give new access or greater access
Revoking Access
– Take back some or all of granted access
Methods of Access Control
Access Control Lists
– Access control associated with the resource
– Can prevent and revoke access
– Cannot limit or grant access
Capability Lists
– Access control associated with the user
– Can prevent, limit, and grant access
– Can revoke, but not like expected (more later)
Lampson Access Matrix (rows are subjects, columns are objects)
Billy the CEO: Network Access = Read/Write, Bank Records = Read, Accounting Program = Execute
Joe the CFO: Network Access = Read/Write, Bank Records = Read/Write, Accounting Program = Execute
Accounting Program: Read/Write
Why the Lampson Equivalency Model isn't exactly accurate
What happens if an attacker somehow slips a Trojan Horse virus into the system with the intent to steal funds via the accounting program?
We examine the differences between the cases where the CEO and the CFO are attacked by the Trojan Horse.
Trojan Horse Attack on an ACL system
The CEO gets the virus
– The Trojan horse is run by the CEO
– The CEO lacks access to write to bank records
– The Trojan horse is unsuccessful in stealing money
The CFO gets the virus
– The Trojan horse is run by the CFO
– The CFO has access to write bank records
– The Trojan horse is successful in stealing money from the company
ACL view of attack
The OS checks the bank records ACL to see if write is authorized.
It is the CFO. No problem.
(Diagram: CFO runs the Trojan Horse, which requests Write on Bank Records; the request is checked against the ACL.)
The Dilemma
The CFO needs write access to the Bank Records.
Anyone with write access to the bank records will be susceptible to the Trojan Horse.
What is the solution?
Capabilities
With capabilities, write access to the Bank Records is not implicit, even if the CFO mistakenly downloads and runs the Trojan Horse.
The CFO would have to grant the Trojan horse the write capability to the Bank Records for the attack to be successful.
Capability Delegation
The CFO has capabilities to both the Trojan Horse and the Bank Records.
However, the Trojan horse has no notion of the Bank Records.
(Diagram: CFO, Trojan Horse, Bank Records)
Delegation cont.
For the attack to succeed the CFO would have to explicitly pass the capability (yellow arrow) to the Trojan horse.
(Diagram: CFO, Trojan Horse, Bank Records)
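A toy model of the two checks described above, added here as an example (it is not code from the slides): under the ACL the Trojan horse inherits the authority of whoever runs it, while under capabilities it can only write the Bank Records if the CFO explicitly delegates that capability. The class and function names, and the single-resource ACL, are this example's own constructions.

```python
# ACL model: permission lives with the resource and is keyed by the identity
# of the user on whose behalf a program runs (ambient authority).
ACL = {"bank_records": {"ceo": {"read"}, "cfo": {"read", "write"}}}

def acl_write(resource, running_as):
    """True if a program running as `running_as` may write `resource`."""
    return "write" in ACL[resource].get(running_as, set())

# Capability model: a program can only touch resources whose capabilities were
# explicitly handed to it; the user's own capabilities are not inherited.
class Capability:
    def __init__(self, resource, rights):
        self.resource, self.rights = resource, frozenset(rights)

class Program:
    def __init__(self, name):
        self.name, self.clist = name, []   # the program's capability list

    def grant(self, cap):                  # explicit delegation (the yellow arrow)
        self.clist.append(cap)

    def write(self, resource):
        return any(c.resource == resource and "write" in c.rights for c in self.clist)

def trojan_under_acl(user):
    # The Trojan horse runs as `user` and so gets everything `user` can do.
    return acl_write("bank_records", user)

def trojan_under_capabilities(delegated):
    # The CFO's own C-list (constructed): a capability to the Trojan and one to
    # the Bank Records. The Trojan starts with an empty C-list of its own.
    cfo_caps = {"bank_records": Capability("bank_records", {"read", "write"}),
                "trojan": Capability("trojan", {"execute"})}
    trojan = Program("trojan")
    if delegated:
        trojan.grant(cfo_caps["bank_records"])   # the CFO hands over the capability
    return trojan.write("bank_records")

if __name__ == "__main__":
    print("ACL, CEO runs trojan:  ", trojan_under_acl("ceo"))           # False
    print("ACL, CFO runs trojan:  ", trojan_under_acl("cfo"))           # True
    print("Caps, no delegation:   ", trojan_under_capabilities(False))  # False
    print("Caps, CFO delegates:   ", trojan_under_capabilities(True))   # True
```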
ACL Diagram
Arrows go from resources to subjects
Capability Diagram
Arrows go from subjects to resources
Why are ACLs the norm
When UNIX was being developed, ACLs and C-lists were both viable.
C-lists were known to be more secure but also more complex.
ACLs provided better performance and were deemed secure enough for the computing environment of the time.
EROS, a capability based OS
EROS stands for “Extremely Reliable Operating System”.
EROS is not the first capability based OS: Multics, KeyKOS, and Mach are examples of previous attempts at capability based OS designs.
Earlier systems have been criticized for being extremely slow.
How is EROS different from other OS designs
Access control is handled by capabilities.
All data and processes are persistent throughout power cycles.
OS Persistence
Persistence means the state of the system is maintained even when powered off.
All registers, processes, memory contents, and of course disk data are stored when powered down.
Persistence is actually a necessity of capability based systems
Why is persistence necessary
It is a “Chicken or the Egg” issue. Suppose the system isn't persistent. When the system is started, where would the startup process get its capabilities from?
There is no simple answer to this question, and the startup condition is one of the most vexing in capability-based OS design.
How is EROS initialized
Every resource in the system is allocated an atomic, level primitive object.
There are Pages, Nodes, and Numbers at the lowest level.
The OS creates capabilities for every primitive object.
Every capability ever used in the system will be a composition of these base level capabilities.
How does persistence work
In EROS a snapshot of the system is taken every 5 minutes:
– long enough to minimize the overhead required for repeated saves
– short enough to minimize loss in the case of a system failure
What to save and where
– User data
– Process list
– List of open files
Save them in a partitioned section of disk set aside for persistent data.
Note that network connections and open streams are not saved and must be re-established.
What if?
The system crashes during a save?
– The data is actually saved to a look-ahead log
– If the save is interrupted there is an older version to revert to
– Consequence is that there must be two sets of persistence data maintained
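A small model of the crash-during-save rule above, added here as an example rather than taken from the slides or from EROS itself: each snapshot is written into the checkpoint area that is not currently live, and only a completed write flips the "current" pointer, so an interrupted save leaves the older set intact. The two-slot layout, the `CrashDuringSave` exception and the sample process list are this example's own constructions.

```python
import copy

class CrashDuringSave(Exception):
    """Simulates power loss or a crash part-way through writing a checkpoint."""

class Checkpointer:
    def __init__(self):
        self.slots = [None, None]   # the two on-disk sets of persistence data
        self.current = None         # index of the last fully committed checkpoint

    def save(self, state, crash_after=None):
        """Write `state` record by record into the inactive slot, then commit.

        `crash_after=n` injects a crash just before the n-th record is written.
        """
        target = 0 if self.current is None else 1 - self.current
        self.slots[target] = {}
        for i, (key, value) in enumerate(state.items()):
            if crash_after is not None and i == crash_after:
                raise CrashDuringSave(f"lost power after {i} record(s)")
            self.slots[target][key] = copy.deepcopy(value)
        # The commit is a single pointer switch; anything written before it
        # can simply be ignored on restart, because the other slot is complete.
        self.current = target

    def restore(self):
        """Return the last committed checkpoint, or None if there is none."""
        if self.current is None:
            return None
        return copy.deepcopy(self.slots[self.current])

def demo(crash_after=None):
    """Take one clean snapshot, attempt a second one, and report what restores."""
    cp = Checkpointer()
    cp.save({"processes": ["init", "shell"], "open_files": ["/etc/passwd"]})
    try:
        cp.save({"processes": ["init", "shell", "editor"], "open_files": []},
                crash_after=crash_after)
    except CrashDuringSave:
        pass                       # the interrupted set is never made current
    return cp.restore()

if __name__ == "__main__":
    print("clean second save:      ", demo())             # newer state
    print("crash during second save:", demo(crash_after=1))  # older state survives
```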
Summary
Capabilities provide much more granularity of control than ACLs.
Capabilities solve security issues unsolvable with ACLs.
ACLs are much simpler to implement and provide for a faster OS.