CIS511 Class Notes, Jan 19, 2006
by Yu-Hua Chang and Kai Wang
Prof. Zdancewic Office Hours 9:30-10:30 R Levine511
TA Office Hours 12:00-1:00 MW TBA

Gold Standard (three concepts for setting security rules and enforcing security policies)

Access Control

Def: Give specific access rights to resources.

Access Control policy

Some Model of the System

ex: file system in UNIX, based on user (uid) and group (gid); the policy is rwx.
eg: in UNIX, the actions of each process can be limited. The OS will check again whether it's allowed.
The mechanism should be general. Actually, it's a trade-off. The more complete, the better. The mechanism should be able to be applied to other situations.
ex: Firewall decides which packet is allowed to pass through and which is dropped depending on the policy defined in the filter rule.

Reference Monitors

  /-----------------\                 /----------------------\ 
  |    subject      |                 |   (?)look up the     |
  |(user, network,  |-----------------+-> control policy   --+---> deny
  |     process... )|   request       |   to make decision   |
  \-----------------/ (action object) |          |           |
                                              granted (allow)
Reference monitor example: All of these operate at different levels of abstraction.

Access Control Matrix (design policy)

|           | object (ex: files...) |
|  subject  | collection of rights  |
|(ex: user, | (privilege)           |
|     group)|                       |

Access Control Check

The check is correct iff: if (r belongs to A[S][O]) then granted,
                          else deny.
The only problem is space.
It's too large to store the entire matrix.
How do you compress this table?
Trick: make each entry of this table into an object; make objects/subjects into groups.
ex: in UNIX, subjects are divided into owner, group, and world.
New Subject
New Object
New Right -> grant right r to subject S with respect to object O. Also called delegation.


Want to minimize it as much as you can.
  1. Correctness
  2. Complete Mediation
  3. Expressiveness
  4. How big and complicated is it

Software Mechanisms

Matrix size depends on the number of users, the number of files, and the number of processes.
Since the matrix only stores non-empty entries, it is typically sparse.

Access Control Lists

gA -> v
gB -> x
if I belong to gA and gB
    can I access?
  result: make a priority.
Make a priority access control list to handle this problem.
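
The priority ACL idea above, as an added example that is not part of the original notes: entries are evaluated top to bottom and the first entry that names one of the subject's principals and the requested right decides. It assumes entries may deny as well as grant; the names Entry, PriorityACL, decide and the users, groups and rights are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    principal: str        # user or group name (constructed sample names)
    allow: bool           # True = grant entry, False = deny entry (assumption)
    rights: frozenset     # rights this entry speaks about


class PriorityACL:
    """Per-object ACL; entries are evaluated top to bottom, first match wins."""

    def __init__(self, entries):
        self.entries = list(entries)

    def check(self, user, groups, right):
        principals = {user} | set(groups)
        for e in self.entries:
            if e.principal in principals and right in e.rights:
                return e.allow      # highest-priority matching entry decides
        return False                # no entry covers this request: default deny


# Constructed sample: alice is in both gA and gB, which disagree about "w".
GROUPS = {"alice": {"gA", "gB"}, "bob": {"gA"}}
grant_gA = Entry("gA", True, frozenset({"r", "w"}))
deny_gB = Entry("gB", False, frozenset({"w"}))

deny_first = PriorityACL([deny_gB, grant_gA])
grant_first = PriorityACL([grant_gA, deny_gB])


def decide(acl, user, right):
    """Reference-monitor style check: look up the user's groups, then the ACL."""
    return acl.check(user, GROUPS.get(user, set()), right)


if __name__ == "__main__":
    for name, acl in (("deny_first", deny_first), ("grant_first", grant_first)):
        for user in ("alice", "bob", "carol"):
            print(name, user, {r: decide(acl, user, r) for r in "rw"})
```

The same two entries give alice a different answer for "w" depending only on their order, so the ordering is itself part of the policy.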

Authentication Critical

The most secure way is to ask for the user id and password every time we need to check security.
It's a kind of a trade-off.
Another way to simplify this is to make groups like using a PennCard to access different areas.
eg: use a key to open different doors.


Implementing Capability

  1. Identify the object of the system
  2. Name the object.
  3. unique identifiers
  4. ex: uid, gid
  5. Pointer
  6. ex: change name...

Unforgeability of Capabilities