CIS511 Class Notes, Jan 19, 2006
by Yu-Hua Chang and Kai Wang
Prof. Zdancewic Office Hours 9:30-10:30 R Levine511
TA Office Hours 12:00-1:00 MW TBA
Gold Standard (three concepts for setting security rules and enforcing security
- You often need to know the user, client, or principal before you implement the policy.
- This allows the system to know what principal to use.
- What is a principal? A principal is any entity that has a stake in the security of
- Different ways to identify a principal: user id, password...
logging the activity:
- eg: Audit software so you can later reconstruct same situation
- filter the packets in the network at the firewall.
determine what actions are permissible
Def: Give specific access rights to resources.
Access Control policy
- OS reinforce policy, ex: file system. in UNIX, the privilege type (rwx)
- java applet access restriction
Some Model of the System
ex: file system in unix, base on user (uid) and group (gid), policy is rwx
eg: in UNIX, actions of each process can be limited. OS will check again wether it's
give some model of the system so that we can do something in the system.
how we determine who should be applied to a policy.
what we can do to protect the system.
what we will do for one policy. Action can be performed on an object.
eg: a process can read or write a file. a java program can open the network...
Authority. Some action are permitted based on the policy.
mechanism should be general. Actually, it's a trade-off. The more complete, the
better.mechanism should be able to be applied to other situations
ex: Firewall decides which packet is allowed to pass through and which is dropped
depending on the policy defined in the filter rule.
| subject | | (?)look up the |
|(user, network, |-----------------+-> control policy --+---> deny
| process... )| request | to make decision |
\-----------------/ (action object) | | |
Reference monitor example:
All of these operate at different levels of abstraction.
- OS: file system
- OS: memory
eg: virtual memory; in UNIX, each virtual memory is treated as a file.
one process run on its own virtual memory space and cannot see other process' memory
- Firewall: monitor network access.
Access Control Matrix (design policy)
| | object (ex: files...) |
| subject | collection of right |
|(ex: user, | (privilege) |
| group)| |
Access Control Check
it's correct iff if (r belongs to A[S][O]) then granted,
The only problem is space.
It's too large to store the entire matrix.
How do you compress this table?
Trick: make each entry of this table into an object; Make objects/subjects into
groups. ex: in UNIX, subject are divided into owner, group, and world New Subject
New Object New Right -> grant right r to subject S with respect object
O. Also called delegation.
Want to minimize it as much as you can.
- Complete Mediation
- How big and complicated is it
how do you actually do the check.
some system calls can't be used to protect security mechanism. eg: Kerberos (actually,
it implements the access control matrix)
- link the program to an interface or library; wrap it and do the check.
ex: access control problem. a library that define which is safe and which is unsafe.
use the wrapper to check.
- User Mode
check for user privilege.
- Kernel Mode
in this mode, no rules can be changed in case that the hacker changes the whole
Matrix size depends on the number of user, the number of file, and the number of
- Type Checking
ex: C doesn't do memory checking.
run process in isolation. Simulate an environment to run.
- Software fault isolation
- user/kernel mode
only OS can run in kernel mode.
Since the matrix only stores non-empty entries, it is typically sparse.
Access Control Lists
gA -> v
gB -> x
if I belongs to gA and gB
can I access?
result: make a priority.
Make a priority access control list to handle this problem.
The most security way is to ask user id and password every time we need to check
It's a kind of a trade-off.
Another way to simplify this is to make groups like using a PennCard to access
eg: use a key to open different doors.
- A capability is an object/right pair
- should be unforgivable
- authentication takes place with the capabilities
- are granted
- harder to do revocation (must find all tickets)
- Easy to audit a subject. Hard to audit an object
- Identify the object of the system
name the object.
- unique identifiers
ex: uid, gid
ex: change name...
Unforgeability of Capabilities
- special hardware
- store the capabilities in protected address space
- use static scoping mechanism of safe programming language
- could use cryptographic techniques
secret key to let a file can't be copied.