Outline for February 18, 1999

  1. Greetings and felicitations!
    1. Can people make a make-up class on Monday at 10:30AM?
  2. Representing access control
    1. ACM
    2. ACLs - columns: (subject, rights)
    3. C-Lists - rows: (object, rights); use ticket analogy
  3. Capabilities Implementation
    1. Tagged Architecture: extra bits setting word so it can only be altered in privileged mode
    2. Cryptography (for a network or when no tags available): digitally sign capability with OS key
    3. Protection: keep capability in system area, OS manipulates them
    4. Copy right: can capabilities be inherited or copied? depends ...
  4. Revocation
    1. ACL: just delete entry giving subject access to object
    2. C-Lists: can track down all capabilities; better to use indirection and aliasing through a Global Object Table
  5. Discretionary AC Attacks: Trojan Horse
    1. overt action - example: edit a file (what the user asked for)
    2. covert action - example: delete all files (what the user did not ask for)
    3. a type of malicious logic (discuss this)
  6. Approaches
    1. Mandatory Access Control; works between compartments, but not within a single compartment
    2. Limited Protection Domain: easiest with C-list; if not, can be widened using TH, especially if ACLs are used and child has privileges of initiator
    3. Name-checking subsystem; catches accesses not in pattern (startup, .asm, .obj)
  7. Reference Monitor
    1. Controls access to a resource
    2. Verifiable: KISS Principle
    3. Complete: should only be able to get to resource through the monitor
    4. Tamperproof: can't be changed without authorization
  8. MULTICS ring mechanism
    1. MULTICS rings: used for both data and procedures; rights are REWA
    2. (b1, b2) access bracket - can access freely; (b3, b4) call bracket - can call segment through gate; so if a's access bracket is (32,35) and its call bracket is (36,39), then assuming permission mode (REWA) allows access, a procedure in:
      rings 0-31: can access a, but ring-crossing fault occurs
      rings 32-35: can access a, no ring-crossing fault
      rings 36-39: can access a, provided a valid gate is used as an entry point
      rings 40-63: cannot access a
    3. If the procedure is accessing a data segment d, no call bracket allowed; given the above, assuming permission mode (REWA) allows access, a procedure in:
      rings 0-32: can access d
      rings 33-35: can access d, but cannot write to it (W or A)
      rings 36-63: cannot access d
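The ring checks in item 8 as runnable code, reproducing the outline's example segment with access bracket (32,35) and call bracket (36,39). This is an added example, not part of the original outline or of Multics itself; it assumes inclusive bracket bounds, 64 rings, and that the permission mode (REWA) already permits the request.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed, for illustration: bracket bounds are inclusive, rings run 0..63,
# and a procedure's call bracket starts right after its access bracket.
NUM_RINGS = 64

class Outcome(Enum):
    ALLOWED = "access allowed"
    RING_CROSSING_FAULT = "access allowed, but a ring-crossing fault occurs"
    GATE_REQUIRED = "access allowed only through a valid gate"
    DENIED = "access denied"

@dataclass(frozen=True)
class Segment:
    access_bracket: tuple          # (b1, b2)
    call_bracket: tuple = None     # (b3, b4); procedure segments only

def check_procedure_call(caller_ring, seg, via_gate=False):
    """Ring check for a procedure in caller_ring calling procedure segment seg.
    Permission mode (REWA) is assumed to already permit the call."""
    if not 0 <= caller_ring < NUM_RINGS:
        raise ValueError("ring out of range")
    b1, b2 = seg.access_bracket
    b3, b4 = seg.call_bracket
    if caller_ring < b1:          # more privileged than the segment
        return Outcome.RING_CROSSING_FAULT
    if caller_ring <= b2:         # inside the access bracket
        return Outcome.ALLOWED
    if b3 <= caller_ring <= b4:   # inside the call bracket: gate needed
        return Outcome.ALLOWED if via_gate else Outcome.GATE_REQUIRED
    return Outcome.DENIED

def data_rights(ring, seg):
    """Subset of REWA a procedure in `ring` may exercise on data segment seg.
    Data segments have no call bracket."""
    if seg.call_bracket is not None:
        raise ValueError("data segments carry no call bracket")
    b1, b2 = seg.access_bracket
    if ring <= b1:
        return "REWA"             # full access
    if ring <= b2:
        return "RE"               # may read/execute, but not W or A
    return ""                     # no access

# The outline's example: access bracket (32,35), call bracket (36,39).
A = Segment(access_bracket=(32, 35), call_bracket=(36, 39))
D = Segment(access_bracket=(32, 35))

if __name__ == "__main__":
    for r in (0, 31, 32, 35, 36, 39, 40, 63):
        print(f"ring {r:2d}: call a -> {check_procedure_call(r, A).value}; "
              f"data d -> {data_rights(r, D) or 'none'}")
```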
  9. Lock and Key
    1. Associate with each object a lock; associate with each process that has access to object a key (it's a cross between ACLs and C-Lists)
    2. Example: use crypto (Gifford). X object enciphered with key K. Associate an opener R with X. Then:
      OR-Access: K can be recovered with any Di in a list of n deciphering transformations, so R = (E1(K), E2(K), ..., En(K)) and any process with access to any of the Di's can access the file
      AND-Access: need all n deciphering functions to get K: R = E1(E2(...En(K)...))



Department of Computer Science
University of California at Davis
Davis, CA 95616-8562



Page last modified on 3/1/99