1 / 21

CMSC 414 Computer and Network Security Lecture 10

This lecture review discusses the definition of encryption schemes, the working of CTR mode, and the concept of access control using matrices, ACLs, and capabilities.

paprika
Télécharger la présentation

CMSC 414 Computer and Network Security Lecture 10

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CMSC 414Computer and Network SecurityLecture 10 Jonathan Katz

  2. HW review: private-key encryption • What is the definition of an encryption scheme? • Is a ciphertext that is longer than the plaintext allowed? • How does CTR mode work? • What is the ciphertext? • What is a reasonable definition of security for an encryption scheme?

  3. HW review --- problem 3

  4. Discretionary access control

  5. Access control matrix • Matrix indexed by all subjects and objects • Characterizes rights of each subject with respect to each object • Formally: set of objects O and subjects S, set of possible rights • Matrix A with subjects labeling the rows and objects labeling the columns • The entry (s,o) contains the rights for s on o • Examples: read/write/execute/etc.

  6. Objects Subjects Example

  7. Delegation (one approach) • We augment the access control matrix to include subjects as objects • A[S,S] = “control” always • A[S,S’] = “control” if S created S’ • When S creates S’, a new column and row is created; A[S,S’] is set to “control” • Rights on other objects can also come with or without a “copy flag” set • Allows delegation, either with or w/o delegation of copy flag • Denote by *

  8. Delegation (by S) • Delegate {r, r*} on X to S’ allowed if any of the following hold • A[S,X] = r* (S has right r on X, and copy flag set) • A[S,X] = “owner” (S owns X) • A[S,X] = r and A[S,S’] = “control” (S has right r on X, and S created S’) • Delete {r} on X from S’ allowed if any of the following hold • A[S,X] = “owner” • S[S,S’] = “control”

  9. Creating a new subject • When S creates S’, why not populate row S’ with the same access rights that are in row S? • Least privilege…

  10. Note • The OS can be treated as a subject with all rights • Examples • When Alice logs in do: • Create shell process p with rights appropriate for Alice • Delegate ownership of p to Alice • When Alice creates a file • OS creates file f • OS delegates {own, read, write} to Alice on file f

  11. Drawbacks of access control matrix • Number of subjects/objects is very large • Most entries blank/default • One central matrix modified every time subjects/objects are created/deleted or rights are modified • “Small’ change can result in “many” changes to the access control matrix • E.g., making a file publicly readable

  12. Access control lists (ACLs) • Can be viewed as storing the columns of the access control matrix with the appropriate object • Ideally, one list per object showing all subjects with access and their rights • Missing subjects given “default” access • Easy to make an object public

  13. ACLs in practice • Again, full granularity may not be supported • E.g., unix allows permissions set for the owner of the file, the group to which the owner belongs, and everyone else (all)

  14. Conflicts? • Need a mechanism for handling conflicts • E.g., what if group has fewer rights than all? • Resolution (in unix) if user = owner then owner permission else if user in group then group permission else all permission • In general, could have been done differently

  15. Capabilities • Can be viewed as storing the rows of the access control matrix with the appropriate subject • Some burden for implementing protection placed on the user rather than just the OS • Analogy: user has a “ticket” which grants access to an object • A capability is an unforgeable token giving user access to an object and describing the level of allowable access • Capabilities can specify new types of rights

  16. Capabilities: two approaches • Ticket is held by OS, which returns to the subject a pointer to the ticket • Ticket is held by the user, but protected from forgery by cryptographic mechanisms • How…? • Two possibilities: ticket verified by the object or by the OS itself • Who holds the key in each case…?

  17. ACLs vs. capabilities • Access control list • ACL associated with each object • Upon request, check user/group against the ACL • Relies on authentication of the user • Capabilities • Can be passed from one user/process to another • Upon request, check validity of capability • No need to know the identity of the user/process making the request

  18. ACLs vs. capabilities • How would delegation be handled using ACLs vs. using capabilities? • ACL: run process using the name of the caller, or OS can explicitly support delegation • Capabilities: allow delegation “for free” • How can a user make a file public when capabilities are used? • Maybe it is a good thing that this is hard to do! • How to revoke capabilities? • See later…

  19. Example use of capabilities • From “The Confused Deputy,” by Hardy • Compiler in directory SYS • User can provide file for debugging output • Compiler can write statistics to SYS/stat • Compiler given ability to write to SYS • User set debugging file to SYS/billing • Allowed… • Overwrote billing file!

  20. Example continued… • Underlying problem: authority from two sources: static + authority of caller • How to solve this problem? • Check filenames explicitly? • They can change… • Legitimate access to SYS files… • Add specific list of conditions? • Complexity grows • ACLs do not work… (why?)

  21. Suggested solution • Use capabilities • Give compiler capability to write to SYS/stat • Compiler does not even need to be aware of the filename it is writing to; the capability takes care of this • Caller can provide additional capabilities, as needed • Compiler must explicitly designate capabilities to use in a particular situation

More Related