Professional Documents
Culture Documents
CS155 Lecture 2
Tal Garfinkel
Todays Agenda
• Lots of new language/models for talking about
security systems
– Capabilities, ACL’s, DTE
– How do we talk about existing systems
– What to consider in a new design?
A B C D
alice 0 0 1 0
bob 1 1 0 1
subjects
charlie 0 0 1 0
dave 1 1 0 1
Adding Access Rights
• Access Rights
– e.g. Simple: Read, Write
– e.g. Complex: execute, change ownership
Objects
A B C D
alice r r/w r -
bob r r - r/w
subjects
charlie - - w -
dave r/w - w
Grouping
• Subjects
– Groups e.g. staff = {alice,dave}, students = {bob, charlie}
• Objects
– Types e.g. system_file = {A,B}, user_file = {C,D}
• “-rwxrwxrwx
• “-rw------- talg talg vimrc”
• “-r-sr-xr-x root wheel chpass”
/
• Variety of sharp edges due to
power of root user, ptrace(),
home
etc. etc bin
• BSD Jail tries to fix this. apache
• Fundamental problem, limited
controlled sharing. base
• Still, a useful primitive
etc bin
• Richer primitive in plan9, a
research OS.
Posix “Capabilities”
• Paritioning power of root
– CAP_DAC_OVERRIDE: ignore normal file permissions
– CAP_CHOWN: allow arbitrary chown
– CAP_SYS_NET_BIND_SERVICE: allow bind of TCP/UPD sockets below port
1024
– CAP_NET_RAW: allow raw socket access (can create arbitrary ethernet frames)
• Improvement on setuid
– Doesn’t help with files
– Fixed granularity
Sandboxing Systems
• Examples: AppArmor (SuSe), Systrace, Janus
SELinux
• Adding MAC to Linux
• Flexible policy architecture
– DTE, RBAC, MLS
• Default uses combination of RBAC and DTE
• Checks applied if existing unix model succeeds
e.g. if access fails, additional checks not invoked
• Most folks never use MLS
Domain and Type Enforcement
• Generalization of Access Control Matrix
• Processes have a domain
• Objects (generally files) have a type.
– Stored in extended file attribute
– Type set at system configuration time.
Example:
assign -u /home user_t
assign -u /var spool_t
•…
Whole System Containers
• Solaris Zones, OS Level Virtual Machines
• Given application completely private view
of OS
• Great for isolation, no sharing model.
• Same camp as virtual machines
– the right tool for some jobs
– large topic in its own right
Multilevel Security
Classical military model
• Vertical classification levels
– Confidential < Secret < Top Secret
• Horizontal compartments
– Nuclear, SIGINT, Biowar, etc.
• User has a level, can’t read above that level (violates
secrecy), can’t write below that level (leaks data).
• Process can begin with
– Upperbound (read),lowerbound (write)
– Lower bound raised every time information read from
above.
Bell-Lapadula
• No read up, no write down
<Top Secret, {Nuclear,Biowar}>
<confidential
MLS in the world
• Classification level added by tagging files
– Just like DTE
• Everything tends to flow up
– Ends up being very cumbersome in practice
• Declassification
– Don’t know how to automate this, human in the loop
– Becomes a bottle neck in critical situations (e.g.9/11)
• Almost no one uses this in practice
• Tagging data with sensitive labels a cool idea, maybe could
be used to help protect your personal data from malware
– Ongoing research area.
Biba-Integrity Model
• Cool Observation: Integrity the opposite of
secrecy -- low integrity data flowing
upwards leads to system compromise.
• Biba Rules
– No read down
– No write up
• Again, tends to be kind of unwieldly, can
make sense for some systems.
The Confinement Problem
• In real life, really really hard to prevent to
colaborating processes from communicating (say
in order to write down).
– Often due to timing channels
• Communication path called a “covert channel”
• Real world systems that care (very very few) try to
limit bandwidth.
• Lampsons “Notes on the confinement Problem” a
must read.
Closing thoughts
Most of you will go off to
companies to write code
• Many attacks seen in the wild could have been rendered moot if software
used access controls properly.