
Capability Based Security
By Zachary Walker
CS265
Section 1
Access Control Issues

• Preventing Access
  – Prevent users from accessing privileged data or resources
• Limiting Access
  – Need to allow some access but not full access
• Granting Access
  – Give new access or greater access
• Revoking Access
  – Take back some or all of granted access
Methods of Access Control

• Access Control Lists
  – Access control associated with the resource
  – Can prevent and revoke access
  – Cannot limit or grant access
• Capability Lists
  – Access control associated with the user
  – Can prevent, limit, and grant access
  – Can revoke but not like expected (more later)
Lampson Access Matrix

Subject             | Network Access | Bank Records | Accounting Program
--------------------+----------------+--------------+-------------------
Billy the CEO       | Read/Write     | Read         | Execute
Joe the CFO         | Read/Write     | Read/Write   | Execute
Accounting Program  |                | Read/Write   |
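An added example in Python, not from these slides, of the matrix in the table above sliced the two ways the earlier slide describes: by column, which gives each resource its ACL, and by row, which gives each subject its C-list. Subject and resource names are those of the table; the right names "Read", "Write" and "Execute" and the function names are my own. It also shows the revocation difference the earlier slide hints at: revoking on an ACL edits one entry on the resource, while revoking a capability means walking every subject's list.

```python
# Added example, not from the slides: a Lampson access matrix sliced two ways.
from collections import defaultdict

RIGHTS = {"Read", "Write", "Execute"}

# Constructed from the slide's table: subject -> resource -> rights held.
ACCESS_MATRIX = {
    "Billy the CEO": {
        "Network Access": {"Read", "Write"},
        "Bank Records": {"Read"},
        "Accounting Program": {"Execute"},
    },
    "Joe the CFO": {
        "Network Access": {"Read", "Write"},
        "Bank Records": {"Read", "Write"},
        "Accounting Program": {"Execute"},
    },
    "Accounting Program": {
        "Bank Records": {"Read", "Write"},
    },
}


def acl_view(matrix):
    """Column view: each resource carries a list of (subject, rights)."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for resource, rights in row.items():
            acls[resource][subject] = set(rights)
    return dict(acls)


def clist_view(matrix):
    """Row view: each subject carries a list of (resource, rights)."""
    return {subject: {res: set(rights) for res, rights in row.items()}
            for subject, row in matrix.items()}


def acl_check(acls, subject, resource, right):
    """ACL check: look up the resource, then find the subject in its list."""
    return right in acls.get(resource, {}).get(subject, set())


def clist_check(clists, subject, resource, right):
    """Capability check: look up the subject, then find the resource in its list."""
    return right in clists.get(subject, {}).get(resource, set())


def views_agree(matrix):
    """Lampson's equivalence: both views answer every (subject, resource, right) query identically."""
    acls, clists = acl_view(matrix), clist_view(matrix)
    resources = {res for row in matrix.values() for res in row}
    return all(acl_check(acls, s, r, x) == clist_check(clists, s, r, x)
               for s in matrix for r in resources for x in RIGHTS)


def acl_revoke(acls, resource, subject, right):
    """Revocation on an ACL edits one entry on the resource's list."""
    acls.get(resource, {}).get(subject, set()).discard(right)


def clist_revoke(clists, resource, right):
    """Revocation on C-lists has to find every subject holding the capability;
    returns how many subjects' lists had to be edited."""
    edited = 0
    for caps in clists.values():
        if right in caps.get(resource, set()):
            caps[resource].discard(right)
            edited += 1
    return edited
```

Both views agree on every query, which is the equivalence the next slide questions; the asymmetry only appears on revocation, where `clist_revoke` must touch two subjects' lists to take back Write on the Bank Records.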
Why the Lampson Equivalency Model isn't exactly accurate

• What happens if an attacker somehow slips a Trojan Horse virus into the system with the intent to steal funds via the accounting program?
• We examine the differences between the cases where the CEO and the CFO are attacked by the Trojan Horse
Trojan Horse Attack on an ACL system

• The CEO gets the virus
  – The Trojan horse is run by the CEO
  – The CEO lacks access to write to bank records
  – The Trojan horse is unsuccessful in stealing money
• The CFO gets the virus
  – The Trojan horse is run by the CFO
  – The CFO has access to write bank records
  – The Trojan horse is successful in stealing money from the company
ACL view of attack

• OS checks the bank records ACL to see if write is authorized
• It is the CFO. No problem

[Diagram: the Bank Records ACL has a Write entry for the CFO; the Trojan Horse runs as the CFO]
The Dilemma

• The CFO needs write access to the Bank Records
• Anyone with write access to the bank records will be susceptible to the Trojan Horse
• What is the solution?
Capabilities

• With capabilities, write access to the Bank Records is not implicit even if the CFO mistakenly downloads and runs the Trojan Horse
• The CFO would have to grant the Trojan horse the write capability to the Bank Records for the attack to be successful
Capability Delegation

• The CFO has capabilities to both the Trojan Horse and the Bank Records
• However, the Trojan horse has no notion of the Bank Records

[Diagram: the CFO holds capabilities to the Trojan Horse and to the Bank Records; there is no arrow from the Trojan Horse to the Bank Records]
Delegation cont.

• For the attack to succeed the CFO would have to explicitly pass the capability (yellow arrow) to the Trojan horse.

[Diagram: the CFO, the Trojan Horse and the Bank Records, with a yellow arrow for the CFO passing the Bank Records capability to the Trojan Horse]
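An added Python example, not from the slides, that runs the scenario of the last several slides as a simulation. Under the ACL model the operating system asks only "who is running this program?", so the Trojan inherits the launching user's identity and the CFO's Write entry is enough. Under the capability model the Trojan can act only through the unforgeable references in the C-list it was started with, so unless the CFO explicitly passes the Bank Records capability (the yellow arrow) the Trojan has nothing to write to. The class names, the `WriteCapability` wrapper and the ledger entry text are my own constructions.

```python
# Added example, not from the slides: the Trojan horse scenario under an ACL
# check that uses the launching user's identity, and under capabilities that
# must be handed over explicitly. All names and entries are constructed.


class BankRecords:
    """The protected resource: a list of ledger entries."""

    def __init__(self):
        self.entries = []

    def append(self, entry):
        self.entries.append(entry)


# --- ACL model: the resource lists who may write. A program inherits the
# identity of whoever launched it, so the check only asks "who is running?".
BANK_RECORDS_ACL = {"Billy the CEO": {"Read"}, "Joe the CFO": {"Read", "Write"}}


def acl_write(records, current_user, entry):
    if "Write" not in BANK_RECORDS_ACL.get(current_user, set()):
        raise PermissionError(f"{current_user} may not write bank records")
    records.append(entry)


def trojan_under_acl(records, launched_by):
    """The Trojan names the bank records directly and writes as the launching user.
    Returns True if the fraudulent entry landed."""
    try:
        acl_write(records, launched_by, "constructed: transfer to attacker")
    except PermissionError:
        return False
    return True


# --- Capability model: authority is an unforgeable reference to the object.
# A program can only reach objects whose capabilities sit in the C-list it
# was started with; there is no global name to look the records up by.
class WriteCapability:
    def __init__(self, target):
        self._target = target

    def write(self, entry):
        self._target.append(entry)


def trojan_under_capabilities(c_list):
    """The Trojan can only act through the capabilities it holds.
    Returns True if it found a write capability to abuse."""
    wrote = False
    for cap in c_list:
        if isinstance(cap, WriteCapability):
            cap.write("constructed: transfer to attacker")
            wrote = True
    return wrote


def run_scenarios():
    """Four runs matching the slides: CEO and CFO under ACLs, then the CFO
    under capabilities without and with explicit delegation of the write capability."""
    results = {}
    results["acl_ceo"] = trojan_under_acl(BankRecords(), "Billy the CEO")
    results["acl_cfo"] = trojan_under_acl(BankRecords(), "Joe the CFO")

    records = BankRecords()
    cfo_c_list = {"Bank Records": WriteCapability(records)}  # the CFO's own capability
    # The CFO runs the Trojan but passes it nothing: it has no notion of the Bank Records.
    results["cap_cfo_no_delegation"] = trojan_under_capabilities([])
    # The attack only works if the CFO explicitly passes the capability (the yellow arrow).
    results["cap_cfo_delegated"] = trojan_under_capabilities([cfo_c_list["Bank Records"]])
    results["records_after"] = len(records.entries)
    return results
```

The point to notice is that `trojan_under_capabilities` never mentions bank records at all: the only way the fraudulent entry appears is the delegation step, which under ACLs happens implicitly by virtue of who launched the program.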
ACL Diagram

• Arrows go from resources to subjects

Capability Diagram

• Arrows go from subjects to resources
Why are ACLs the norm?

• When UNIX was being developed ACLs and C-lists were both viable.
• C-lists were known to be more secure but also more complex
• ACLs provided better performance and were deemed secure enough for the computing environment of the time

EROS, a capability based OS

• EROS stands for “Extremely Reliable Operating System”
• EROS is not the first capability based OS
• Multics, KeyKOS, and Mach are examples of previous attempts at capability based OS designs
• Earlier systems have been criticized for being extremely slow.

How is EROS different from other OS designs?

• Access control handled by capabilities
• All data and processes are persistent throughout power cycles
OS Persistence

• Persistence means the state of the system is maintained even when powered off.
• All registers, processes, memory contents, and of course disk data are stored when powered down.
• Persistence is actually a necessity of capability based systems
Why is persistence necessary?

• It is a “Chicken or the Egg” issue
• Suppose the system isn't persistent
• When the system is started, where would the startup process get its capabilities from?
• There is no simple answer to this question and the startup condition is one of the most vexing in capability-based OS design

How is EROS initialized?

• Every resource in the system is allocated an atomic level primitive object
• There are Pages, Nodes, and Numbers at the lowest level.
• The OS creates capabilities for every primitive object
• Every capability ever used in the system will be a composition of these base level capabilities
How does persistence work?

• In EROS a snapshot of the system is taken every 5 minutes.
  – long enough to minimize the overhead required for repeated saves
  – short enough to minimize loss in the case of a system failure
What to save and where

• User data
• Process List
• List of open files
• Save them in a partitioned section of disk set aside for persistent data
• Note that network connections and open streams are not saved and must be reestablished
What if?

• System crashes during a save?
  – The data is actually saved to a look ahead log
  – If the save is interrupted there is an older version to revert to
  – Consequence is that there must be two sets of persistence data maintained
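An added Python example, not EROS code, of the crash-safe save the last three slides describe: two snapshot slots on disk, a new snapshot written into the inactive slot and only then committed by atomically switching a small pointer file, so an interrupted save leaves the older version to revert to. Transient state (network connections, open streams) is dropped before saving, as the previous slide notes. This is my simplification of the slides' look-ahead log; the file names, the `Checkpointer` class and the simulated crash (truncating the write after a given number of bytes) are all assumptions.

```python
# Added example, not from EROS: a checkpointer with two on-disk snapshot slots and
# an atomically switched pointer, so a crash in the middle of a save leaves the
# previous complete snapshot to revert to. File names and the simulated crash
# are constructed for the example.
import json
import os
import tempfile

# Per the slides, connections and streams are not persisted.
TRANSIENT_KEYS = {"network_connections", "open_streams"}


class Checkpointer:
    SLOTS = ("snapshot-a.json", "snapshot-b.json")
    POINTER = "current"

    def __init__(self, directory):
        self.dir = directory

    def _path(self, name):
        return os.path.join(self.dir, name)

    def current_slot(self):
        """Name of the slot holding the last committed snapshot, or None."""
        try:
            with open(self._path(self.POINTER)) as f:
                return f.read().strip()
        except FileNotFoundError:
            return None

    def save(self, state, crash_after_bytes=None):
        """Write into the inactive slot, fsync, then commit by switching the pointer.
        crash_after_bytes simulates power loss after that many bytes were written.
        Returns True when the snapshot was committed."""
        target = self.SLOTS[1] if self.current_slot() == self.SLOTS[0] else self.SLOTS[0]
        durable = {k: v for k, v in state.items() if k not in TRANSIENT_KEYS}
        payload = json.dumps(durable).encode()
        if crash_after_bytes is not None:
            payload = payload[:crash_after_bytes]
        with open(self._path(target), "wb") as f:
            f.write(payload)
            f.flush()
            os.fsync(f.fileno())
        if crash_after_bytes is not None:
            return False  # crashed before the pointer moved; the old slot is still current
        tmp = self._path(self.POINTER + ".tmp")
        with open(tmp, "w") as f:
            f.write(target)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self._path(self.POINTER))  # atomic rename is the commit point
        return True

    def restore(self):
        """Load whatever the pointer names; the half-written slot is never chosen."""
        slot = self.current_slot()
        if slot is None:
            return None
        with open(self._path(slot)) as f:
            return json.load(f)


def demo():
    """One good save, one save interrupted mid-write, then a restore."""
    with tempfile.TemporaryDirectory() as d:
        cp = Checkpointer(d)
        first = {"processes": ["shell"], "open_files": ["/etc/motd"],
                 "network_connections": ["constructed: 10.0.0.1:443"]}
        committed = cp.save(first)
        second = {"processes": ["shell", "editor"], "open_files": []}
        crashed = not cp.save(second, crash_after_bytes=10)
        return committed, crashed, cp.restore()
```

The cost is exactly the one the slide names: two full copies of the persistent data live on disk at all times, because the slot being overwritten must not be the one the pointer still names.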
Summary

• Capabilities provide much more granularity of control than ACLs
• Capabilities solve security issues unsolvable with ACLs
• ACLs are much simpler to implement and provide for a faster OS