Table of Contents:
Goals
Access Control Lists
Unix ACL model
Role Based Access
Capabilities
Trusted Software
Privacy - Data does not leak out.
Integrity - Data does not leak in.
Trust - Can you trust the program to do what you think it does?
Sharing - Users must still be able to share data and get work done.
The most secure computer in the world is essentially useless, since nobody can get anything done.
Common Techniques for Access Control
Access Control Lists:
Go through the entire file system and write down the correct access bits for each user. The downside is that
this is horribly inefficient. It is also very hard to maintain. (What happens when a new file is added? A
new user?)
There are two main kinds of mistake that occur with this type of access control.
1) Access is denied to files that should be accessible. These errors get fixed quickly, since angry users will notice.
2) Access is granted to files that should not be accessible. These errors are not fixed quickly, since nobody except malicious individuals will notice.
Unix Access Controls
-rw-r--r--  1 akhil akhil   408 Jun  5 13:33 access.xml
-rwxr-xr-x  1 akhil akhil 14176 Jun  5 01:56 acl
drwxr-xr-x 10 akhil akhil   340 Jun  5 03:54 hithere
In this model, access is represented by a string like
"rw-r--r--"
Access abilities are expressed in groups of three. The first bit is known as the read bit and it grants read
access. The second bit is the write bit, and the third bit is the execute bit. The first group represents the
permissions for the user (the file's owner), the second group represents permissions for the group, and the
third group represents permissions for everyone else.
This model was extended with three extra bits: the setuid bit, the setgid bit, and the sticky bit.
The setuid bit allows users to run an executable with the permissions of the executable's owner.
The setgid bit does the same thing as setuid, except that it grants the permissions of the executable's group.
The sticky bit tells the operating system to keep the file in RAM or swap space.
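As an added example (not part of the original notes), the following Python code parses ls-style strings like the ones listed above into numeric modes, including the s/S/t/T letters that ls folds into the execute positions for the setuid, setgid and sticky bits, and then resolves which of the three classes applies to a given caller. The uid/gid values in the tests are made up.

```python
import stat

# Bit values for each permission class, in the order ls prints them:
# user (owner), group, other.
READ_BITS = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
WRITE_BITS = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
EXEC_BITS = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
# The three extra bits; ls shows each one in its class's execute position.
SPECIAL_BITS = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)  # setuid, setgid, sticky


def parse_mode(mode_str):
    """Convert an ls-style string such as "-rwsr-xr-x" into a numeric mode.
    Accepts the nine permission characters with or without the leading
    file-type character (-, d, l, ...)."""
    perms = mode_str[1:] if len(mode_str) == 10 else mode_str
    if len(perms) != 9:
        raise ValueError(f"bad mode string: {mode_str!r}")
    mode = 0
    for cls in range(3):
        r, w, x = perms[3 * cls: 3 * cls + 3]
        if r == "r":
            mode |= READ_BITS[cls]
        if w == "w":
            mode |= WRITE_BITS[cls]
        # Execute slot: x = execute only; s/t = execute plus the special bit;
        # S/T = special bit set but no execute permission; - = neither.
        if x in "xst":
            mode |= EXEC_BITS[cls]
        if x in "sStT":
            mode |= SPECIAL_BITS[cls]
    return mode


def access_for(mode, uid, gid, file_uid, file_gid, groups=()):
    """Return the (read, write, execute) triple that applies to a caller.
    Exactly one class is consulted: user if the uid matches the owner, else
    group if the gid or a supplementary group matches, else other. Classes are
    not merged, so an owner can have less access than everyone else.
    Superuser bypass is deliberately not modelled here."""
    if uid == file_uid:
        cls = 0
    elif gid == file_gid or file_gid in groups:
        cls = 1
    else:
        cls = 2
    return tuple(bool(mode & bits[cls]) for bits in (READ_BITS, WRITE_BITS, EXEC_BITS))


if __name__ == "__main__":
    for s in ("-rw-r--r--", "-rwxr-xr-x", "drwxr-xr-x", "-rwsr-xr-x"):
        print(s, oct(parse_mode(s)))
```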
In Windows/Solaris, access is associated with each object: each object carries a list of users and their
access.
Role Based Control
In this system, access is not assigned to individual users ("principals"). Instead, access is given to "roles".
A role corresponds to a certain, well-defined set of operations. This system is mainly used in Oracle systems, as
well as Microsoft's Active Directory system.
Capabilities
In this system, permission is assigned on a per-process basis. A capability is defined as the
ability of a single process to access a single file. The capability given to a process must
be unforgeable, so capabilities are usually managed by the kernel. The closest approximation of capabilities
in Unix is the file descriptor: when you hold a file descriptor, you have access to the file.
Setting up Capabilities
One method is to have the OS maintain a table for each process; processes must use a system call to modify the table.
This method is highly secure, but it is inflexible. Another method is to use encryption. The operating system
generates encrypted IDs based on the file and the permissions granted, then hands this string
to the process for the user to use. These strings can be traded. However, this approach is vulnerable to brute-force cracking.
Trusted Software
Some programs need special rights to run. An example is the login program. It runs right after system boot
and prints the login prompt. When you log in, it becomes you and runs the shell. This is achieved by a system
call, setuid(uid). This call is privileged, so only root can use it. The programs "su" and "sudo" use the
same mechanism to change the owner of the executable. Developing trusted software is expensive, since you need
experienced developers and auditors to ensure the security of your system.
Checking whether software is trustworthy comes down to reading the source code. Even then, this may not help.
See this link about how even source code might not be trustworthy. The moral is that you need to trust
something at some point. This base set of trusted code is known as the trusted computing base. In Unix
systems, this comprises the kernel, the su program and the setuid call.