Outline for February 18, 1999
- Greetings and felicitations!
- Can people make a make-up class on Monday at 10:30AM?
- Representing access control
- ACM
- ACLs - columns: (subject, rights)
- C-Lists - rows: (object, rights); use ticket analogy
- Capabilities Implementation
- Tagged Architecture: extra bits setting word so it can only be altered in
privileged mode
- Cryptography (for a network or when no tags available): digitally sign
capability with OS key
- Protection: keep capability in system area, OS manipulates them
- Copy right: can capabilities be inherited or copied? depends ...
- Revocation
- ACL: just delete entry giving subject access to object
- C-Lists: can track down all capabilities; better to use indirection and
aliasing through a Global Object Table
- Discretionary AC Attacks: Trojan Horse
- overt - example edit a file
- covert - example delete all files
- a type of malicious logic (discuss this)
- Approaches
- Mandatory Access Control; works between compartments, but not within a
single compartment
- Limited Protection Domain: easiest with C-list; if not, can be widened using
TH, especially if ACLs are used and child has privileges of initiator
- Name-checking subsystem; catches accesses not in pattern (startup, .asm,
.obj)
- Reference Monitor
- Controls access to a resource
- Verifiable: KISS Principlee
- Complete: should only be able to get to resource through the monitor
- Tamperproof: can't be changed without authorization
- MULTICS ring mechanism
- MULTICS rings: used for both data and procedures; rights are REWA
- (b1, b2) access bracket - can access freely; (b3, b4) call bracket - can
call segment through gate; so if a's access bracket is (32,35) and its call
bracket is (36,39), then assuming permission mode (REWA) allows access, a
procedure in:
rings 0-31: can access a, but ring-crossing fault occurs
rings 32-35: can access a, no ring-crossing fault
rings 36-39: can access
a, provided a valid gate is used as an entry point
rings 40-63: cannot
access a
- If the procedure is accessing a data segment d, no call bracket allowed;
given the above, assuming permission mode (REWA) allows access, a procedure in:
rings 0-32: can access d
rings 33-35: can access d, but cannot
write to it (W or A)
rings 36-63: cannot access d
- Lock and Key
- Associate with each object a lock; associate with each process that has
access to object a key (it's a cross between ACLs and C-Lists)
- Example: use crypto (Gifford). X object enciphered with key K.
Associate an opener R with X. Then:
OR-Access: K
can be recovered with any Di in a list of n deciphering
transformations, so
R = (E1(K), E2(K), ...,
En(K)) and any process with access to any of the
Di's can
access the file
AND-Access: need all n deciphering functions
to get K: R = E1(E2(...En(K)...))
You can get this document in
ASCII text,
Framemaker+SGML version 5.5,
PDF (for Acrobat 3.0 or later),
or
Postscript.
Send email to
[email protected].
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 3/1/99