Computer Security CSE 543
These class notes for CSE 543 (Computer Security) at Pennsylvania State University, Department of Computer Science and Engineering, taught by Staff in Fall, were uploaded by Libby Kuhlman on Sunday, November 1, 2015.
CSE 543 Computer Security, Lecture 13: Capability Systems. October 9, 2007.
CSE543 Computer and Network Security, Fall 2007, Professor Jaeger. URL: http://www.cse.psu.edu/~tjaeger/cse543-f07

Process-specific Permissions
Design the permissions of a process specific to its use.
How do we change the permissions of a process in an ACL system?

Confused Deputy Problem
Imagine a multi-client server. Each client has a different set of objects that it can access.
In an ACL system the server always has access to all of the objects.
What happens if a client tricks the server into accessing another client's objects?
Shouldn't the server only have access to that client's objects while serving that client's requests?

Capabilities
A capability is the tuple (object, rights).
A capability system implements access control by checking whether the process holds an appropriate capability.
Simple, right? This is a little like a ticket in the Kerberos system.
Q: Does this eliminate the need for authentication?

Capabilities (continued)
A: Well, yes and no. Capabilities remove the overhead of managing per-object rights, but add the overhead of managing capabilities.
Moreover, to get any real security they have to be unforgeable:
Hardware tags to protect capabilities.
Protected address space or registers.
Language-based techniques: enforce access restrictions on capabilities.
Cryptography: make them unforgeable.

Real OS Capabilities: Process Table
The OS kernel manages capabilities in the process table, out of reach of the process.
Capabilities are added by user requests that comply with policy.

User-space Capability
Well, what are the requirements? Authenticity/integrity: we do not want a malicious process to forge capabilities.
Start with the data itself: (object, rights). The object is typically encoded with an identifier or by some other tag (capabilities are sometimes known as tags). Rights are often fixed (read, modify, write, execute, etc.).
Now do what you would do with any other data.
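The confused-deputy slide and the process-table slide above can be made concrete with a small simulation. This is an added example written for this page, not code from the lecture or from any real system: two clients, alice and bob, each own a file, and a server process writes output on their behalf. Under an ACL model the server is listed on every client's object and acts on its own authority; under the capability model the kernel keeps a per-process capability table and the server only receives what the client delegates. The class and file names (ACLStore, CapKernel, alice.txt, bob.txt) are illustrative.

```python
"""Added example (not from the lecture slides): the confused deputy under an
ACL model versus a capability model. Two clients, alice and bob, each own a
file; a server process writes output on their behalf. All names here
(ACLStore, CapKernel, the file names) are illustrative, not a real API."""

from dataclasses import dataclass

# Constructed sample objects: each client owns exactly one file.
FILES = {"alice.txt": "alice data", "bob.txt": "bob data"}


class ACLStore:
    """ACL model: each object lists the subjects allowed to act on it. The
    server runs as its own subject and, to serve everyone, is listed with
    write on every client's object."""

    def __init__(self):
        self.files = dict(FILES)
        self.acl = {
            "alice.txt": {"alice": {"read", "write"}, "server": {"read", "write"}},
            "bob.txt": {"bob": {"read", "write"}, "server": {"read", "write"}},
        }

    def write(self, subject, obj, data):
        if "write" not in self.acl.get(obj, {}).get(subject, set()):
            raise PermissionError(f"{subject} may not write {obj}")
        self.files[obj] = data


def acl_server_handle(store, client, target, data):
    """The deputy: it writes where the client asked, using its OWN authority.
    Nothing ties `target` to `client`, so the ACL check succeeds because of
    the server's entry, not the client's. This is the confused deputy."""
    store.write("server", target, data)


@dataclass(frozen=True)
class Capability:
    obj: str
    rights: frozenset


class CapKernel:
    """Capability model: the kernel keeps a per-process capability table out
    of reach of the process. A process names objects only by index into its
    own table, and gains new entries only by delegation from a holder."""

    def __init__(self):
        self.files = dict(FILES)
        self.table = {
            "alice": [Capability("alice.txt", frozenset({"read", "write"}))],
            "bob": [Capability("bob.txt", frozenset({"read", "write"}))],
            "server": [],          # the server starts with no authority at all
        }

    def delegate(self, src, dst, obj):
        """Copy src's capability for obj into dst's table (as the shell hands
        ls its directory capabilities). Fails if src holds no such capability."""
        for cap in self.table[src]:
            if cap.obj == obj:
                self.table[dst].append(cap)
                return len(self.table[dst]) - 1
        raise PermissionError(f"{src} holds no capability for {obj}")

    def write(self, pid, index, data):
        cap = self.table[pid][index]
        if "write" not in cap.rights:
            raise PermissionError(f"{pid}: capability {index} lacks write")
        self.files[cap.obj] = data


def cap_server_handle(kernel, client, obj, data):
    """The deputy only exercises authority the client delegated along with
    the request, so it can reach exactly that client's objects."""
    index = kernel.delegate(client, "server", obj)
    kernel.write("server", index, data)


def run_acl_attack():
    """alice asks the server to 'save her output' into bob's file."""
    store = ACLStore()
    acl_server_handle(store, client="alice", target="bob.txt", data="overwritten")
    return store.files["bob.txt"]


def run_cap_attack():
    """Same request against the capability kernel: alice cannot delegate what
    she does not hold, so the server never gains write on bob.txt."""
    kernel = CapKernel()
    cap_server_handle(kernel, "alice", "alice.txt", "alice output")  # legitimate use
    try:
        cap_server_handle(kernel, "alice", "bob.txt", "overwritten")
        blocked = False
    except PermissionError:
        blocked = True
    return blocked, kernel.files["alice.txt"], kernel.files["bob.txt"]


if __name__ == "__main__":
    print("ACL model, bob.txt after alice's request:", run_acl_attack())
    print("Capability model (blocked, alice.txt, bob.txt):", run_cap_attack())
```

The ACL server could of course be patched to check that `target` belongs to `client`, but that check is exactly the bookkeeping the deputy forgot; in the capability model there is nothing to forget, because the only authority the server can exercise is the capability that arrived with the request.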
For instance, assume the kernel has a secret key k and hands the process E_k(O, r1, r2, ..., rn).
What's wrong with this construction? I got it from the website of one of the experts in the area.

The Right Construction
Encryption does not provide authenticity/integrity; it provides confidentiality.
(O, r1, r2, ..., rn) || HMAC_k(O, r1, r2, ..., rn)
So how would you attack the preceding construction? (With a malleable cipher such as a stream cipher or CTR mode, flipping a bit of the ciphertext flips the corresponding bit of the decrypted rights, so a process can upgrade its own capability without ever learning k.)

A Fictional Capability Example
We use the ls -l command to view the contents of our home directory in an OS implementing capabilities.
Initially our shell process has RWX capabilities for our home directory and RX capabilities for all the directories up to the root.
The ls -l command is exec'ed and the shell delegates the directory permissions by giving ls the capabilities. Note that the capabilities are not tied to any subject.
The ls -l process exercises the rights to read the directory structure all the way down to the local directory.
Of course, the ls -l process now needs read rights on the files to get their specific meta-information, and obtains them by appealing to the security manager in the kernel; the request satisfies the policy, so they are added and exercised.
ls -l uses the access rights given to the terminal to write its output.
Note that there are many ways that the policy can be implemented, rights handed off, etc. We will talk about a couple in the following discussions.

Procedure-Level Protection Domains: HYDRA
Each procedure defines a new protection domain.
Procedure: code, data, and capabilities to other objects, either caller-independent or caller-dependent (templates).
Local Name Space (LNS): capabilities are bound here; it is the record of a procedure invocation (a procedure instance).
Process: a stack of LNSs.
How HYDRA works: call the callee with capabilities; create the callee's LNS.
Q: Which object defines the protection domain?

Implications of Fine-Grained Protection
Programmer: must define templates for each procedure and connect the procedure rights together.
Performance impact.
Q: Do we need to manage rights at this level?
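The two user-space constructions on the slides above (E_k(O, rights) versus (O, rights) || HMAC_k(O, rights)) behave very differently against the attack the slide asks about. The following is an added example for this page, not code from the lecture: a kernel issues both kinds of token for object 7 with read-only rights, and a process that never learns k flips one ciphertext bit to add write. The cipher is a toy CTR-style stream cipher built from HMAC-SHA256 so the block needs only the Python standard library; it stands in for a real stream or CTR-mode cipher (an assumption for this example) and has the same malleability. The rights bitmask and the 4-byte object id are also assumed encodings.

```python
"""Added example (not from the lecture slides): why E_k(O, rights) is a weak
user-space capability while (O, rights) || HMAC_k(O, rights) is not. The
"cipher" is a toy CTR-style stream cipher built from HMAC-SHA256 so the block
needs only the standard library; it stands in for a real stream or CTR-mode
cipher (an assumption for this example) and shares their malleability."""

import hashlib
import hmac
import os
import struct

READ, WRITE, EXEC = 1, 2, 4    # assumed rights encoding: one bit per right
KEY = os.urandom(32)           # the kernel's secret key k; never leaves the kernel
NONCE_LEN = 16
BODY_LEN = 5                   # 4-byte object id + 1-byte rights mask


def pack_cap(obj_id, rights):
    return struct.pack(">IB", obj_id, rights)


def _keystream(nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(KEY, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor_stream(data, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))


# Construction 1 (the one on the slide): token = nonce || E_k(O, rights).
def issue_encrypted(obj_id, rights):
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor_stream(pack_cap(obj_id, rights), nonce)


def check_encrypted(token, obj_id, right):
    """Kernel side: decrypt and trust whatever comes out."""
    nonce, body = token[:NONCE_LEN], token[NONCE_LEN:]
    got_obj, got_rights = struct.unpack(">IB", _xor_stream(body, nonce))
    return got_obj == obj_id and bool(got_rights & right)


def flip_rights(token, extra_right):
    """Attacker, without k: XOR the ciphertext byte covering the rights mask.
    Stream-cipher malleability carries the XOR straight into the plaintext."""
    t = bytearray(token)
    t[-1] ^= extra_right
    return bytes(t)


# Construction 2 (the right one): token = (O, rights) || HMAC_k(O, rights).
def issue_mac(obj_id, rights):
    body = pack_cap(obj_id, rights)
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


def check_mac(token, obj_id, right):
    """Kernel side: verify the tag in constant time before reading the body."""
    body, tag = token[:BODY_LEN], token[BODY_LEN:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        return False
    got_obj, got_rights = struct.unpack(">IB", body)
    return got_obj == obj_id and bool(got_rights & right)


def tamper_mac(token, extra_right):
    """Same bit flip against the MAC'd token: the body is plaintext, so the
    change is trivial to make, but the tag no longer matches and nothing is
    granted; computing a fresh tag requires k."""
    t = bytearray(token)
    t[BODY_LEN - 1] ^= extra_right
    return bytes(t)


if __name__ == "__main__":
    enc = issue_encrypted(7, READ)
    print("encrypted token, forged write accepted:",
          check_encrypted(flip_rights(enc, WRITE), 7, WRITE))
    mac = issue_mac(7, READ)
    print("MAC'd token, forged write accepted:",
          check_mac(tamper_mac(mac, WRITE), 7, WRITE))
```

The MAC'd token exposes O and the rights in the clear, which is fine here: the process already knows what it was granted, and the requirement on the slide is integrity, not confidentiality. Block modes are not a fix for the first construction either (CBC bit-flipping and ECB block cut-and-paste give the attacker similar control); only an authenticator keyed by k lets the kernel detect that a token it never issued is being presented.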
Linden's Capability View
Achieve flexible, effective security by small protection domains and an extensible set of types; this implies a capability system.
Small protection domains with least-privilege permissions.
Extensible types enable reliable composition of systems.
Capabilities can be passed among protection domains and into new subsystems.
Protected procedures: like HYDRA, change domain with each procedure invocation; each new procedure is a new instance. Protection-domain switch time is key (it is high in modern processors).

Correctness Claim
"It is far more difficult to build a 50,000-line program than 1,000 programs that are each 50 lines long."
What is your opinion of this? Is it just the procedure development that is important?
Two problems: decomposition results in inefficiencies, and interactions between procedures are not captured.

Flexibility vs. Security
Small protection domains are desirable because they enable solving finer-grained problems, give less rigid protection, allow independent accounting, provide reliable and redundant security controls, and individual controls are easier to understand.
Flexibility: top-down vs. bottom-up; fine- vs. coarse-grained.

Secure Capability Systems
SCAP: Karger's extension of the Cambridge CAP system.
EROS: Shapiro's reimplementation of the KeyKOS system.

Capabilities and the *-Property: Capabilities and Lattice Models Don't Mix
Suppose A is higher secrecy than B. A can read B's capabilities.
Q: Can a Trojan horse running as A write to Obj? (A has read B's write capability for the lower-secrecy object Obj, so exercising it would be a write-down.)

SCAP Security
Mediate requests to load capabilities: a capability must be loaded into a capability cache before use.
Enforce MLS requirements on capability load: if the subject's label dominates the capability's object label, then change the capability to read-only.
It is expensive to test for MLS on every load.
For general confinement, test against the confinement property on every load (uses ACLs).

EROS Security
Define weak capabilities: if a weak capability is used to fetch a
capability transitively, then the fetched capability becomes read-only and weak.
Assign weak capabilities to higher-secrecy subjects for accessing lower-secrecy objects: a fetched write capability becomes read-only and weak.
No need to test against a policy at runtime, so faster performance is possible.
For general confinement, use confined processes or authorized capability sets.
It is not clear that these really worked for general confinement.

Capability Management
How'd you get those capabilities? Stored with the program or the user. Compare with getting permissions by a process label.
How do I get them back? Once granted, nearly impossible to revoke.

EROS Revocation
Defined by Redell. Use a layer of indirection: revoker capabilities.
If you may want to revoke, create a revoker, then grant capabilities to the revoker. When you delete the revoker, all descendants become invalid.

SCAP Revocation
Chain the capabilities: revocation by chaining. All capabilities to an object are stored in a ring. You can then revoke one and motivate reassessment of all the others.
How do I know that I am revoking a particular capability?
Compare with using revoker capabilities: the memory and performance cost, and the flexibility of revocation.

Result
Generally, the security problems with capability systems can be solved. So why aren't capability systems more broadly used?
Capability management is difficult: how do I know what rights to give out in the first place?
Defining and testing confinement is expensive or limiting: testing every grant is expensive (there are supposed to be lots of them); predefining a safe domain is limiting and counterintuitive.
Setup per process is key. For ACLs it is setup per object, which may have less volatility.
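The EROS slides above describe two mechanisms in a sentence each: weak capabilities (anything fetched through a weak capability comes back read-only and weak) and Redell's revoker capabilities (grant through an indirection node; delete the node and every descendant dies). The following is an added in-memory model written for this page, not EROS's or KeyKOS's own code, covering both the EROS Security slide and the EROS Revocation slide. The Node, Revoker and Capability classes, the rights sets and the way rights are intersected along a revoker chain are simplifications assumed here for illustration.

```python
"""Added example (not from the lecture slides): an in-memory model of two
EROS mechanisms described above, Redell-style revoker capabilities and weak
capabilities. The Node/Revoker/Capability classes and the attenuation rules
are a simplification written for this page, not EROS's own code."""

from dataclasses import dataclass, field

RO = frozenset({"read"})
RW = frozenset({"read", "write"})


@dataclass
class Node:
    """An object holding data and, like a KeyKOS/EROS node, stored capabilities."""
    name: str
    data: str = ""
    caps: dict = field(default_factory=dict)      # slot name -> Capability


@dataclass
class Revoker:
    """Layer of indirection: a capability naming a Revoker reaches the object
    only while the revoker is alive."""
    target: "Capability"
    alive: bool = True


@dataclass(frozen=True)
class Capability:
    target: object            # a Node or a Revoker
    rights: frozenset
    weak: bool = False


def resolve(cap):
    """Follow revoker indirections to the underlying Node, intersecting rights
    and propagating weakness along the chain. A deleted revoker anywhere on
    the chain invalidates every descendant capability."""
    rights, weak, t = cap.rights, cap.weak, cap.target
    while isinstance(t, Revoker):
        if not t.alive:
            raise PermissionError("capability revoked")
        rights &= t.target.rights
        weak = weak or t.target.weak
        t = t.target.target
    return t, rights, weak


def make_revocable(cap):
    """Owner wants to hand out `cap` but keep the ability to take it back:
    create a revoker and grant a capability to the revoker instead."""
    revoker = Revoker(cap)
    return revoker, Capability(revoker, cap.rights, cap.weak)


def delegate(cap, rights):
    """Copy a capability onward with (possibly) fewer rights; the copy keeps
    the same target, so it dies with the same revoker."""
    return Capability(cap.target, cap.rights & rights, cap.weak)


def read(cap):
    node, rights, _ = resolve(cap)
    if "read" not in rights:
        raise PermissionError("no read right")
    return node.data


def write(cap, value):
    node, rights, _ = resolve(cap)
    if "write" not in rights:
        raise PermissionError("no write right")
    node.data = value


def fetch(cap, slot):
    """Fetch a capability stored in a node. EROS rule: fetched through a weak
    capability, the result is attenuated to read-only and is itself weak, so
    the attenuation is transitive however deep the fetch chain goes."""
    node, rights, weak = resolve(cap)
    if "read" not in rights:
        raise PermissionError("no read right")
    inner = node.caps[slot]
    if weak:
        return Capability(inner.target, inner.rights & RO, True)
    return inner


def demo_revocation():
    obj = Node("report", data="v1")
    owner = Capability(obj, RW)
    revoker, shared = make_revocable(owner)      # `shared` is given to a colleague
    onward = delegate(shared, RO)                # who passes a read-only copy further
    before = (read(shared), read(onward))
    write(shared, "v2")
    revoker.alive = False                        # delete the revoker
    after = []
    for c in (shared, onward):
        try:
            read(c)
            after.append("ok")
        except PermissionError:
            after.append("revoked")
    return before, obj.data, after


def demo_weak():
    """A high-secrecy subject holds only a weak capability to a low-secrecy
    directory that contains a read-write capability; what it fetches cannot
    be used to write down."""
    low = Node("low-file", data="public")
    low_dir = Node("low-dir", caps={"f": Capability(low, RW)})
    high_cap = Capability(low_dir, RW, weak=True)
    fetched = fetch(high_cap, "f")
    try:
        write(fetched, "write-down")
        wrote = True
    except PermissionError:
        wrote = False
    return fetched.rights == RO, fetched.weak, wrote, low.data
```

Two things the model makes visible that the slides only state. First, revocation needs no search: nothing walks the set of outstanding capabilities, and the holder of `onward` never learns it was revoked until the next use fails, which is the memory and performance trade-off the SCAP Revocation slide contrasts with ring-chaining. Second, the weak rule needs no policy lookup at fetch time; the read-only attenuation is a property of the capability being used, which is why the EROS slide can claim no runtime test against the MLS lattice.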