Protection and Security - 2

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

(2) The Access Control List Method

Each object o is assigned a list of pairs (s, P[s,o]), for all subjects s that can
access the object
The access list for an object corresponds to the access rights contained in the
column for object o in the access matrix

Example:

Subjects

Acc ess rights

Smith

read, write, execute

Jones

read

Lee

write

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

(2) The Access Control List Method (cont.)

Operation: Subject s requests access to object o

Search access control list of o for entry (s, )

If entry exists, check if
If yes, allow execution. Else, exception raised

Advantages of access control lists

Easy revocation of access rights from a subject to an object: remove

objects entry from the objects access control list
Easy review of access rights of all subjects to a given object
Note: it is, however, difficult to determine for a given subject what
objects it has access to

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

Issues with Access Control Lists

Efficiency

of execution

Access control list needs to be searched for every access to an object!

Option: use shadow capability registers

On first access by a subject, copy access rights from access control list to a
shadow register with the subject
The access rights in the shadow register acts as a capability
Subsequent accesses by this subject use the shadow register
Potential drawback:

Revocation of access rights becomes more difficult: removing access rights

from access control list is not sufficient, some access rights remain in shadow
registers

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

Issues with Access Control Lists (cont)

Efficiency of storage

The list can be very large, containing the access rights of all subjects that can
access this object
Note: the aggregate storage requirement is about the same as for capabilities
Option: use protection groups

Subjects (users) divided into protection groups

Access control list contains the names of groups and their access rights
Operation: subject gives its protection group and requested access
Issue: All subjects in a protection group have the same access rights to the object

Authority to change an access control list

Issue: who can modify an access control list?

Options:

Self control: owner process (e.g., creator of the object) can modify list
Hierarchical control:

When object created, owner process specifies what other processes can modify access
control list
Processes organized in a hierarchy: a process can change the access control list of all
processes below it in the hierarchy

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

Examples of Systems using Access Control Lists

Multics

Access control lists to control access to files

Principle of least privilege

Unix

Access control list has three entries: owner, group, and other
Access rights: read, write, execute

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

(3) The Lock-Key Method

Principles

Hybrid of capability-based method and access control list method

Every subject has a capability list made of tuples (o, k): the subject can
access object o using key k
Every object has an access control list made of tuples (l, ), called lock
entries: any subject that can open lock l can access the object with an
access right contained in

Operation

Subject s makes request for access to object o

The system locates tuple (o, k) in capability list of the subject
If present, search access control list of object o for entry (l, ), where
k = l and obtain
Access allowed if

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

(3) The Lock-Key Method (cont.)

Advantages:

Easy revocation of access rights: to revoke the access rights of a subject

to an object, delete the lock entry corresponding to the key of the subject

Capability-based addressing can be used

Disadvantages:

Access control list must be searched for every access

Example

IBM/360 storage keys protection method similar to lock-key method

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

Access Matrix Model: Changing The Protection State

Access matrix is itself a protected object
Commands for changing protection state

Set of commands C for changing protection state defined in the form of

the following primitive operations
enter r into P [s, o]
delete r from P [s, o]
create subject s
create object o
destroy subject s
destroy object o
Primitive operations: define changes to be made to the access matrix P
Example: Primitive operation delete r from P [s, o] deletes access right r
from the position P [s, o] in the access matrix, I.e., access right r of
subject s to object o is withdrawn
CS-550 (M.Soneru): Protection and Security - 2 [SaS]

Access Matrix Model: Changing The Protection State (cont.)

Before the operation is performed (e.g., the delete in previous example), a

verification should be made that the process has the right to perform this operation
on the access matrix:
Command syntax:
command < command id > (<formal parameters>)
if < conditions >
then
< list of primitive operations >
end.
Command execution

All checks in the condition part are evaluated. The <conditions> part has checks
in the form r in P[s,o]
If all checks pass, primitive operations in <list of primitive operations> are
executed

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

10

Access Matrix Model: Changing The Protection State (cont.)

All accesses are validated by a mechanism called a reference monitor: the

reference monitor will reject an access not allowed by the access matrix
Each object has an owner

If s is the owner of o, then own P [ s, o ]

The owner of an object can give (confer) a right to the object to another
subject
Example: command to create a file and assign own and read rights to it
command create-read (process, file)
create object file
enter own into P [process, file]
enter read into P [process, file]
end.

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

11

Access Matrix Model: Changing The Protection State (cont.)

Example:

command owner of a file gives write access rights to another process

command confer-write (owner, process, file)

if own P [ owner, file ]
then
enter write into P [process, file]
end.

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

12

Advanced Models of Protection: The Take-Grant Model

Principles:

Uses directed graphs to model access control

Protection state of system represented by directed graph
More efficient than (sparsely populated) access matrix

Model:

Graph nodes: subjects and objects

An edge from node x to node y indicates that subject x has an access right to
the object y: the edge is tagged with the corresponding access rights
Access rights
Read (r), write (w), execute (e)
Special access rights for propagating access rights to other nodes

Take: If node x has access right take to node y, then subject x can take any
access right that it has on y to another node
Grant: If node x has access right grant to node y, then the entity represented
by node y can be granted any of the access rights that node x has

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

13

The Take-Grant Model (cont.)

Example: take operation

Node x has take access to node y

Node y has read and write access to node z
Node x can take access right read from y and have this access right
for object z : a directed edge labeled r is added from node x to node
z

r, w

z
x

r, w

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

14

The Take-Grant Model (cont.)

Example: grant operation

Node x has grant access to node y and also has read and write access
to node z
Node x can grant read access for z to node y ( a directed edge
labeled r from y to z is added in the graph)

r, w

z
g

r, w

z
CS-550 (M.Soneru): Protection and Security - 2 [SaS]

15

The Take-Grant Model (cont.)

State and state transitions:

The protection state of the system is represented by the directed graph

System changes state (state transition) when the directed graph changes
The directed graph changes with the following operations

Take
Grant
Create: A new node is added to the graph

When node x creates a new node y, a directed edge is added from x to y

Remove: A node deletes some of its access rights to another node

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

16

Bell-LaPadula Model
Used to control information flow
Model components

Subjects, objects, and access matrix

Several ordered security levels

Subjects can have the following access rights to objects

Each subject has a (maximum) clearance and a current clearance level

Each object has a classification (I.e., belongs to a security level)
Read-only
Append: subject can only write object (no read permitted)
Execute: no read or write
Read-write: both read and write are permitted

Subject that creates an object has control attribute to that object and is
the controller of the object

Subject can pass any of the four access rights of the controlled object to
another subject
CS-550 (M.Soneru): Protection and Security - 2 [SaS]

17

Bell-LaPadula Model (cont.)

Restrictions on information flow and access control (reading down and writing up
properties):
1. The simple security property

A subject cannot have read access to an object with classification higher than the
clearance level of the subject

2. The -property (star property)

A subject has append (I.e., write) access only to objects which have classification
(I.e., security level) higher than or equal to the current security clearance level of
the subject
A subject has read access only to objects which have classification (I.e., security
level) lower than or equal to the current security clearance level of the subject
A subject has read-write access only to objects which have classification (I.e.,
security level) equal to the current security clearance level of the subject

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

18

Bell-LaPadula Model (cont.)

Level n

can write

.
.
.

Level i+1

Level i
Level i-1
.
.
.
Level 1

can read

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

19

Case Studies: Unix

Subjects:

Each user identified by a a userid

A user may belong to a group identified by groupid
Userid and groupid are part of the process descriptor of the process
running on behalf of the user and used to verify access rights

Protected objects: files and directories

Each file has a unique owner (user who created the file)
Each file has two access fields

userid field: file owner

groupid field: groupid of the group to which the file belongs

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

20

Case Studies: Unix (cont.)

Protection mechanism for files: access control list with protection
groups for access efficiency

Protection groups: owner, group, others

Access rights for each group: read, write, execute

Three fields associated with each file of three bits each

Only the owner of the file and the super user can change these bits
(chmod command)

Protection domain

Associated with each user

At login, user starts in a protection domain defining access rights
Domain can be changed with su (set userid) command

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

21

The Hydra Kernel

Kernel of a multiprocessor OS (Carnegie-Mellon U.)

Provides mechanisms on which a large array of OSs can be built

Supports capability-based protection

An object (abstraction of a resource) is the unit of protection

Procedure is an abstraction of an operation on an object
Protection mechanism controls the invocation of procedures to
instances of objects (i.e., resources)
Objects

Each object has: name, type, representation,

Representation

Data part: can be accessed by programs with the right capability

Capability part: capabilities for other objects can be changed only by the kernel

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

22

The Hydra Kernel (cont.)

Protection:

Elements: objects (abstraction of resources) and capabilities (references

to objects)
Operation:

Process/user supplies capability for object

Kernel validates access rights

Access rights:

Kernel rights: kernel supports the basic access rights (read, write, copy)
Auxiliary rights: user defined object operations

User defines a new object type and associated operations

Kernel treats these operations as auxiliary rights for the object
For a user to perform these operations on the object, its capability must
contain these auxiliary rights

Kernel uses a 24-bit mask to encode access rights: kernel rights have
fixed positions
CS-550 (M.Soneru): Protection and Security - 2 [SaS]

23

Amoeba
Distributed OS (Tanenbaum)
Object-based, client-server model

Client processes request operations on objects by sending requests to

server processes via RPCs
Every object is managed by a server process

Capabilities-based protection: Capability structure

server port

object number

rights

check

Server port: identity of server process that manages corresponding object

Object number: identifies specific object
Rights: access allowed
Check: protection against unauthorized changes (cryptographic
technique)

CS-550 (M.Soneru): Protection and Security - 2 [SaS]

24