Capability Based Security By Zachary Walker CS265 Section 1.

Dec 17, 2015

Page 1: Capability Based Security By Zachary Walker CS265 Section 1.

Capability Based Security

By Zachary Walker

CS265

Section 1

Page 2: Access Control Issues

Preventing access
– Prevent users from accessing privileged data or resources
Limiting access
– Need to allow some access but not full access
Granting access
– Give new access or greater access
Revoking access
– Take back some or all of granted access

Page 3: Methods of Access Control

Access Control Lists
– Access control associated with the resource
– Can prevent and revoke access
– Cannot limit or grant access on the subject's side: a program a user runs acts with all of that user's rights, and any change means editing the resource's list
Capability Lists
– Access control associated with the user
– Can prevent, limit, and grant access
– Can revoke, but not as one would expect (more later)

Page 4: Lampson Access Matrix

Subject            | Network Access | Bank Records | Accounting Program
-------------------|----------------|--------------|-------------------
Billy the CEO      | Read/Write     | Read         | Execute
Joe the CFO        | Read/Write     | Read/Write   | Execute
Accounting Program |                | Read/Write   |

Page 5: Why the Lampson Equivalency Model Isn't Exactly Accurate

The access matrix makes ACLs and capability lists look equivalent: an ACL is a column and a C-list is a row of the same matrix. The following scenario shows where they differ in practice.

What happens if an attacker somehow slips a Trojan horse program into the system with the intent to steal funds via the accounting program?

We examine the difference between the cases where the CEO and the CFO run the Trojan horse.

Page 6: Trojan Horse Attack on an ACL System

The CEO gets the Trojan horse
– The Trojan horse is run by the CEO
– The CEO lacks access to write to bank records
– The Trojan horse is unsuccessful in stealing money
The CFO gets the Trojan horse
– The Trojan horse is run by the CFO
– The CFO has access to write bank records
– The Trojan horse is successful in stealing money from the company

Page 7: ACL View of the Attack

The OS checks the bank records ACL to see if write is authorized. The write request comes from a process running as the CFO, so the check passes: "It is the CFO. No problem."

[Diagram: CFO runs Trojan Horse; Trojan Horse writes Bank Records; the Bank Records ACL is consulted with the CFO's identity]

Page 8: The Dilemma

The CFO needs write access to the Bank Records.
Any program run by someone with write access to the bank records inherits that access, so everyone with write access is susceptible to the Trojan horse.
What is the solution?

Page 9: Capabilities

With capabilities, write access to the Bank Records is not implicit even if the CFO mistakenly downloads and runs the Trojan horse.
The CFO would have to grant the Trojan horse the write capability to the Bank Records for the attack to be successful.

Page 10: Capability Delegation

The CFO holds capabilities to both the Trojan Horse and the Bank Records.
However, the Trojan horse holds no capability to the Bank Records, so it has no way to name them, let alone write them.

[Diagram: CFO -> Trojan Horse, CFO -> Bank Records; no arrow from Trojan Horse to Bank Records]

Page 11: Delegation cont.

For the attack to succeed, the CFO would have to explicitly pass the capability (the yellow arrow in the diagram) to the Trojan horse.

[Diagram: CFO -> Trojan Horse, CFO -> Bank Records, and the delegated arrow Trojan Horse -> Bank Records]

Page 12: ACL Diagram

Arrows go from resources to subjects.

Page 13: Capability Diagram

Arrows go from subjects to resources.
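The following Python example is added here and is not part of the original slides. It builds the access matrix from Page 4, projects it into the ACL view (Page 12, one column per resource) and the capability-list view (Page 13, one row per subject), and then replays the Trojan horse scenario of Pages 6 through 11 under both models. The `Capability` and `Process` classes, the `trojan_under_acl` and `trojan_under_caps` helpers, and the read-only attenuation step are assumptions of this example; the slides do not define them.

```python
"""Access matrix -> ACL view vs. capability-list view, and the Trojan-horse scenario.

Added example, not from the original slides.  Subjects, resources and rights
are taken from the Lampson access matrix slide; the "Trojan Horse" process,
the Capability/Process classes and all helper names are assumptions made here.
"""
from dataclasses import dataclass, field

# Lampson access matrix from the slide: rows are subjects, columns are resources.
MATRIX = {
    "Billy the CEO":      {"Network Access": {"read", "write"}, "Bank Records": {"read"},          "Accounting Program": {"execute"}},
    "Joe the CFO":        {"Network Access": {"read", "write"}, "Bank Records": {"read", "write"}, "Accounting Program": {"execute"}},
    "Accounting Program": {"Bank Records": {"read", "write"}},
}


def acl(resource):
    """ACL view: one matrix column, stored with the resource (arrows resource -> subject)."""
    return {subj: rights[resource] for subj, rights in MATRIX.items() if resource in rights}


def clist(subject):
    """Capability-list view: one matrix row, stored with the subject (arrows subject -> resource)."""
    return dict(MATRIX[subject])


# --- ACL model: a running program acts with the identity of the user who ran it ---
def trojan_under_acl(user):
    """The Trojan horse runs as `user`; the OS only asks 'does this user have write?'."""
    return "write" in acl("Bank Records").get(user, set())


# --- Capability model: a running program can use only capabilities it was handed ---
@dataclass(frozen=True)
class Capability:
    resource: str
    rights: frozenset

    def attenuate(self, *keep):
        """Derive a weaker capability: limit access without editing any list."""
        return Capability(self.resource, self.rights & frozenset(keep))


@dataclass
class Process:
    name: str
    caps: dict = field(default_factory=dict)   # resource name -> Capability held

    def grant(self, cap):
        """Explicit delegation: the holder passes a capability to this process."""
        self.caps[cap.resource] = cap

    def write(self, resource):
        cap = self.caps.get(resource)          # no capability -> cannot even name the resource
        return cap is not None and "write" in cap.rights


def initial_caps(subject):
    """A subject's C-list, as the capabilities its own processes start with."""
    return {res: Capability(res, frozenset(r)) for res, r in clist(subject).items()}


def trojan_under_caps(user, delegate=None):
    """Run the Trojan horse as `user`.  `delegate` is the set of rights the user
    explicitly passes on Bank Records (None = nothing passed, as on Page 10).
    A user can never delegate more than it holds itself."""
    victim = Process(user, initial_caps(user))
    trojan = Process("Trojan Horse")          # starts with no capabilities at all
    if delegate is not None:
        trojan.grant(victim.caps["Bank Records"].attenuate(*delegate))
    return trojan.write("Bank Records")


if __name__ == "__main__":
    print("ACL, CEO runs it:", trojan_under_acl("Billy the CEO"))                                  # False
    print("ACL, CFO runs it:", trojan_under_acl("Joe the CFO"))                                    # True
    print("Caps, CFO, no delegation:", trojan_under_caps("Joe the CFO"))                           # False
    print("Caps, CFO delegates read-only:", trojan_under_caps("Joe the CFO", ("read",)))           # False
    print("Caps, CFO delegates read/write:", trojan_under_caps("Joe the CFO", ("read", "write")))  # True
```

Under the ACL model the only input to the decision is the identity the program runs as, which is why the CFO's copy of the Trojan horse succeeds. Under the capability model the Trojan horse starts empty and stays empty until the CFO deliberately hands it a capability; the read-only attenuation is the "limit access" case Page 3 attributes to capability lists, and the CEO case shows that nobody can delegate a right they do not hold.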

Page 14: Why Are ACLs the Norm?

When UNIX was being developed, ACLs and C-lists were both viable.
C-lists were known to be more secure but also more complex.
ACLs provided better performance and were deemed secure enough for the computing environment of the time.

Page 15: EROS, a Capability-Based OS

EROS stands for "Extremely Reliable Operating System".
EROS is not the first capability-based OS: Multics, KeyKOS, and Mach are examples of previous attempts at capability-based OS designs (EROS itself is a descendant of KeyKOS).
Earlier systems have been criticized for being extremely slow.

Page 16: How Is EROS Different from Other OS Designs?

Access control is handled by capabilities.
All data and processes are persistent across power cycles.

Page 17: OS Persistence

Persistence means the state of the system is maintained even when powered off.
All registers, processes, memory contents, and of course disk data are part of the saved state, so a restart resumes from the last saved state rather than from a fresh boot.
Persistence is actually a necessity for capability-based systems.

Page 18: Why Is Persistence Necessary?

It is a "chicken or the egg" issue.
Suppose the system isn't persistent. When the system is started, where would the startup process get its capabilities from?
There is no simple answer to this question, and the startup condition is one of the most vexing in capability-based OS design.

Page 19: How Is EROS Initialized?

Every resource in the system is allocated an atomic, primitive object.
There are Pages, Nodes, and Numbers at the lowest level.
The OS creates capabilities for every primitive object.
Every capability ever used in the system is a composition of these base-level capabilities.

Page 20: How Does Persistence Work?

In EROS a snapshot of the system is taken every 5 minutes:
– long enough to minimize the overhead required for repeated saves
– short enough to minimize loss in the case of a system failure

Page 21: What to Save and Where

– User data
– Process list
– List of open files
Save them in a partitioned section of disk set aside for persistent data.
Note that network connections and open streams are not saved and must be re-established.

Page 22: What If?

System crashes during a save?
– The data is actually saved to a write-ahead log
– If the save is interrupted, there is an older version to revert to
– Consequence: two sets of persistence data must be maintained
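The following Python example is added here to make the checkpointing scheme of Pages 20 through 22 concrete; it is not EROS code. It writes each periodic snapshot to whichever of two slots does not hold the current good snapshot, drops the transient state Page 21 says is not saved, and shows that a simulated power failure in the middle of a save leaves the previous snapshot to revert to. The on-disk layout (a SHA-256 over a JSON payload, two slots, a sequence number), the `Disk` class and the sample system state are assumptions of this example; EROS's real checkpoint format differs.

```python
"""Crash-safe periodic checkpointing of the kind the EROS slides describe:
the new snapshot is written to a log slot that does not hold the current
good snapshot, so a crash during a save leaves an older version to revert to.

Added example, not EROS code.  The on-disk layout (two slots, a sequence
number, a SHA-256 over the payload, JSON payload), the Disk class and the
list of transient state are assumptions made here.
"""
import hashlib
import json

# State the slides say is not saved and must be re-established after restart.
TRANSIENT = ("network_connections", "open_streams")


class Disk:
    """Toy block store: partition name -> bytes, with a simulated power failure."""

    def __init__(self):
        self.blobs = {}

    def write(self, name, data, crash_after=None):
        # crash_after=N means power fails once N bytes have reached the disk.
        self.blobs[name] = data if crash_after is None else data[:crash_after]

    def read(self, name):
        return self.blobs.get(name, b"")


def encode(seq, state):
    """Checkpoint record: hex SHA-256 of the payload, newline, JSON payload."""
    payload = json.dumps({"seq": seq, "state": state}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest().encode() + b"\n" + payload


def decode(blob):
    """Return (seq, state) if the record is complete and intact, else None."""
    digest, sep, payload = blob.partition(b"\n")
    if not sep or hashlib.sha256(payload).hexdigest().encode() != digest:
        return None                      # truncated or corrupted by a crash mid-write
    rec = json.loads(payload)
    return rec["seq"], rec["state"]


class Checkpointer:
    SLOTS = ("ckpt.0", "ckpt.1")         # the "two sets of persistence data"

    def __init__(self, disk):
        self.disk = disk
        newest = self.newest_valid()     # on (re)boot, continue from the last good snapshot
        self.seq = newest[0] if newest else 0

    def newest_valid(self):
        """Scan both slots and return (seq, state, slot) of the newest intact record."""
        best = None
        for slot in self.SLOTS:
            rec = decode(self.disk.read(slot))
            if rec and (best is None or rec[0] > best[0]):
                best = (rec[0], rec[1], slot)
        return best

    def save(self, system_state, crash_after=None):
        """Periodic snapshot: never overwrite the slot we would fall back to."""
        newest = self.newest_valid()
        target = self.SLOTS[1] if newest and newest[2] == self.SLOTS[0] else self.SLOTS[0]
        self.seq += 1
        persistent = {k: v for k, v in system_state.items() if k not in TRANSIENT}
        self.disk.write(target, encode(self.seq, persistent), crash_after)

    def restore(self):
        """State to resume from after a power cycle, or None on a fresh disk."""
        newest = self.newest_valid()
        return None if newest is None else newest[1]


def demo():
    """Save, crash during the second save, reboot: the first snapshot survives."""
    disk = Disk()
    system = {"user_data": {"ledger": 100},                 # constructed sample state
              "process_list": ["init", "accounting"],
              "open_files": ["/bank/records"],
              "network_connections": ["10.0.0.5:443"]}     # transient, not checkpointed
    Checkpointer(disk).save(system)
    system["user_data"] = {"ledger": 250}
    Checkpointer(disk).save(system, crash_after=40)         # power fails 40 bytes in
    return Checkpointer(disk).restore()


if __name__ == "__main__":
    print(demo())
```

The checksum is what turns "the save was interrupted" into something the restore path can detect: a half-written slot fails verification and is ignored, and because the writer never targets the slot holding the newest valid record, that record is always there to fall back to. The restored state contains no network connections, matching Page 21: those must be re-established after the restart.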

Page 23: Summary

Capabilities provide much more granularity of control than ACLs.
Capabilities solve security issues that are unsolvable with ACLs.
ACLs are much simpler to implement and make for a faster OS.