Win32 Programming
Secure Operating Systems
Lesson 4: Access Control
Where are we?
- Now that we have a model of the OS in our heads, it’s time to layer in what is really the most important part of security: the access control model.
- Key points: how access control works (Lampson) and the “Safety Problem”.
- Look at OSC Ch 14; we’ll be here a lot over the next few weeks.
The OS doesn’t HAVE TO…
- First, there’s the DOS model: anything can do anything.
- All well and good, but it has a lot of problems too.
Access Control
- We think of it as a security thing, but it’s also a stability thing.
- Protection schemes help protect against accidents too.
Formally
- Decide if a principal can perform a requested operation on a target (object).
- Typically:
  - Principal = user, process, …
  - Operation = read, write, execute, …
  - Object = file, memory, process, …
- The theory for this is by Lampson; it’s old, but the conclusions are solid.
Why does this matter?
- In many ways, exploitation of a system is about elevating our rights: gaining access to objects we should not have access to.
- Two ways: faulty access control rules, or a faulty access control implementation (sort of).
- Example: incorrect privileges on /dev/swap used to be exploitable.
Policy
- The policy is the idealization of how the system makes access decisions.
- Can’t be too restrictive (availability).
- Must be restrictive enough (confidentiality, integrity).
- Ideally, the policy should be easy to understand (but see later…).
Why is Access Control Hard?
- Things change: I need access to <blah> today.
  - Example: look at the rules on a firewall sometime.
- Continuing with our firewall example, defaults really matter (ip-directed-broadcast).
- Worst of all: the safety problem.
Safety Problem
- In the general case, it’s impossible to determine the protection properties for all possible access control lists.
- This is all about undecidability: given a system and permissions,
Access Control Models
- Basic Models: ACLs etc.
- Aggregate Models: RBAC
- Lattice: Bell-LaPadula
Basic Models
- Basic models are more common than we tend to think.
- Lots of examples in the “real world”.
- Limited by complexity, flexibility, ease of maintenance.
RBAC
- Evan is a student; he gets student rights to the course.
- Mark is a student and a grader… he has more than one role.
- Richard has full admin access to everything.
  - What principle does this violate?
- Exists in the real world, and quite powerful.
Administering this…
- Discretionary: the object owner (usually) picks access.
- Mandatory: no choice on the part of the owner; the policy decides.
Bell-LaPadula
- What does our access control model tell us about protection from a Trojan Horse? What’s the risk?
- Cannot write to data which has a lower classification; that is, it protects against information leaking out (exfiltration, if you like).
- Can’t read up, can’t write down…
Biba
- Biba is for integrity: can’t write up, can’t read down… protects against contamination of data from lower levels.
- Note how this is the reverse of Bell-LaPadula…
- Are you starting to see how gnarly this is yet?
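The Bell-LaPadula and Biba rules above, as an added example (not from the slides): a small Lampson-style check in which a principal, an operation and an object are tested against both lattices. The levels, the principal "alice" and the objects are constructed for illustration; the Trojan Horse case from the Bell-LaPadula slide is the write from a secret-cleared process into an unclassified file.

```python
# Added example: Bell-LaPadula (confidentiality) and Biba (integrity) lattice
# checks layered on a Lampson (principal, operation, object) decision.
# Levels, principal and objects are constructed for illustration only.
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str   # BLP label: how much the subject may see
    integrity: str   # Biba label: how trustworthy the subject is


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str  # BLP label of the object
    integrity: str       # Biba label of the object


def blp_allows(p: Principal, o: Obj, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    s, t = LEVELS[p.clearance], LEVELS[o.classification]
    if op == "read":
        return s >= t   # may only read objects at or below own clearance
    if op == "write":
        return s <= t   # may only write objects at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(p: Principal, o: Obj, op: str) -> bool:
    """Biba: no read down, no write up (the dual of BLP, applied to integrity)."""
    s, t = LEVELS[p.integrity], LEVELS[o.integrity]
    if op == "read":
        return s <= t   # may only read from objects of equal or higher integrity
    if op == "write":
        return s >= t   # may only write to objects of equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")


def check(p: Principal, o: Obj, op: str) -> bool:
    """Mandatory decision: both lattice policies must agree; the owner has no say."""
    return blp_allows(p, o, op) and biba_allows(p, o, op)


# Constructed scenario: a secret-cleared user runs a Trojan Horse that reads a
# secret document and tries to copy it into a world-readable unclassified file.
ALICE = Principal("alice", clearance="secret", integrity="confidential")
SECRET_DOC = Obj("plans.txt", classification="secret", integrity="confidential")
PUBLIC_DROP = Obj("public.txt", classification="unclassified", integrity="confidential")
UNTRUSTED_DOWNLOAD = Obj("download.bin", classification="unclassified", integrity="unclassified")
```

The read of plans.txt succeeds, the write into public.txt is refused by the BLP *-property, and the read of download.bin is refused by Biba's no-read-down rule even though BLP would permit it.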
Quick Example: UAC
- UAC covers a few different things, but let’s talk about the part which prevents admin access from normal processes.
- Here’s the problem: the matrix for protection still isn’t good enough due to whitelisting of certain programs…
Things to Do
- Read the Harrison “Protection in Operating Systems” paper and make sure you understand the safety problem and its implications for this class!
- This will likely feature in an exam…
Questions & Comments
- What do you want to know?