245
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
1 |
\documentclass{article}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
2 |
\usepackage{../style}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
3 |
\usepackage{../langs}
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
4 |
|
245
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
5 |
\begin{document}
|
366
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
6 |
\fnote{\copyright{} Christian Urban, 2014}
|
245
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
7 |
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
8 |
\section*{Handout 4 (Access Control)}
|
245
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
9 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
10 |
Access control is essentially about deciding whether to grant
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
11 |
access to a resource or deny it. Sounds easy, no? Well it
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
12 |
turns out that things are not as simple as they seem at first
|
252
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
13 |
glance. Let us first look, as a case-study, at how access
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
14 |
control is organised in Unix-like systems (Windows systems
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
15 |
have similar access controls, although the details might be
|
261
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
16 |
quite different). Then we have a look at how secrecy and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
17 |
integrity can be ensured in a system, and finally have a look
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
18 |
at shared access control in multi-agent systems.
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
19 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
20 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
21 |
\subsubsection*{Unix-Style Access Control}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
22 |
|
245
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
23 |
Following the Unix-philosophy that everything is considered as
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
24 |
a file, even memory, ports and so on, access control in Unix
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
25 |
is organised around 11 Bits that specify how a file can be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
26 |
accessed. These Bits are sometimes called the \emph{permission
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
27 |
attributes} of a file. There are typically three modes for
|
251
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
28 |
access: \underline{\textbf{r}}ead, \underline{\textbf{w}}rite
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
29 |
and e\underline{\textbf{x}}ecute. Moreover there are three
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
30 |
user groups to which the modes apply: the owner of the file,
|
365
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
31 |
the group the file is associated with and everybody else.
|
366
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
32 |
A typical permission of a file owned by \texttt{bob}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
33 |
being in the group \texttt{staff} might look as
|
365
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
34 |
follows:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
35 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
36 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
37 |
${\underbrace{\LARGE\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
38 |
\;{\underbrace{\LARGE\texttt{r{}-{}-}}_{\text{user}}}\,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
39 |
{\underbrace{\LARGE\texttt{r{}w{}-}}_{\text{group}}}\,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
40 |
{\underbrace{\LARGE\texttt{r{}w{}x}}_{\text{other}}}\;\;\;
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
41 |
\LARGE\texttt{bob}\;\;\;\texttt{staff}$
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
42 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
43 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
44 |
\noindent For the moment let us ignore the directory bit. The
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
45 |
Unix access rules imply that Bob will only have read access to
|
366
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
46 |
this file, even if he is in the group \texttt{staff} and this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
47 |
group's access permissions allow read and write. Similarly every
|
365
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
48 |
member in the \texttt{staff} group who is not \texttt{bob},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
49 |
will only have read-write access permissions, not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
50 |
read-write-execute.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
51 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
52 |
This
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
53 |
relatively fine granularity of owner, group, everybody else
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
54 |
seems to cover many useful scenarios of access control. A
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
55 |
typical example of some files with permission attributes is as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
56 |
follows:
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
57 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
58 |
{\small\lstinputlisting[language={}]{../slides/lst}}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
59 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
60 |
\noindent The leading \pcode{d} in Lines 2 and 6 indicate that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
61 |
the file is a directory, whereby in the Unix-tradition the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
62 |
\pcode{.} points to the directory itself. The \pcode{..}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
63 |
points at the directory ``above'', or parent directory. The
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
64 |
second to fourth letter specify how the owner of the file can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
65 |
access the file. For example Line 3 states that \pcode{ping}
|
251
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
66 |
can read and write \pcode{manual.txt}, but cannot execute it.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
67 |
The next three letters specify how the group members of the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
68 |
file can access the file. In Line 4, for example, all students
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
69 |
can read and write the file \pcode{report.txt}. Finally the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
70 |
last three letters specify how everybody else can access a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
71 |
file. This should all be relatively familiar and
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
72 |
straightforward. No?
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
73 |
|
249
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
74 |
There are already some special rules for directories and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
75 |
links. If the execute attribute of a directory is \emph{not}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
76 |
set, then one cannot change into the directory and one cannot
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
77 |
access any file inside it. If the write attribute is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
78 |
\emph{not} set, then one can change existing files (provide
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
79 |
they are changeable), but one cannot create new files. If the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
80 |
read attribute is \emph{not} set, one cannot search inside the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
81 |
directory (\pcode{ls -la} does not work) but one can access an
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
82 |
existing file, provided one knows its name. Links to files
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
83 |
never depend on the permission of the link, but the file they
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
84 |
are pointing to. Otherwise one could easily change access
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
85 |
rights to files.
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
86 |
|
249
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
87 |
While the above might sound already moderately complicated,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
88 |
the real complications with Unix-style file permissions
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
89 |
involve the setuid and setgid attributes. For example the file
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
90 |
\pcode{microedit} in Line 5 has the setuid attribute set
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
91 |
(indicated by the \pcode{s} in place of the usual \pcode{x}).
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
92 |
The purpose of setuid and setgid is to solve the following
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
93 |
puzzle: The program \pcode{passwd} allows users to change
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
94 |
their passwords. Therefore \pcode{passwd} needs to have write
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
95 |
access to the file \pcode{/etc/passwd}. But this file cannot
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
96 |
be writable for every user, otherwise anyone can set anyone
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
97 |
else's password. So changing securely passwords cannot be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
98 |
achieved with the simple Unix access rights discussed so far.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
99 |
While this situation might look like an anomaly, it is in fact
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
100 |
an often occurring problem. For example looking at current
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
101 |
active processes with \pcode{/bin/ps} requires access to
|
251
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
102 |
internal data structures of the operating system, which only
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
103 |
root should be allowed to. In fact any of the following
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
104 |
actions cannot be configured for single users, but need
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
105 |
privileged root access
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
106 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
107 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
108 |
\item changing system databases (users, groups, routing tables
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
109 |
and so on)
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
110 |
\item opening a network port below 1024
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
111 |
\item interacting with peripheral hardware, such as printers,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
112 |
harddisk etc
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
113 |
\item overwriting operating system facilities, like
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
114 |
process scheduling and memory management
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
115 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
116 |
|
249
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
117 |
\noindent This will typically involve quite a lot of programs
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
118 |
on a Unix system. I counted 90 programs with the setuid
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
119 |
attribute set on my bog-standard Mac OSX system (including the
|
251
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
120 |
program \pcode{/usr/bin/login} for example). The problem is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
121 |
that if there is a security problem with only one of them, be
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
122 |
it a buffer overflow for example, then malicious users can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
123 |
gain root access (and for outside attackers it is much easier
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
124 |
to take over a system). Unfortunately it is rather easy to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
125 |
cause a security problem since the handling of elevating and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
126 |
dropping access rights in such programs rests entirely with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
127 |
the programmer.
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
128 |
|
251
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
129 |
The fundamental idea behind the setuid attribute is that a
|
252
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
130 |
file will be able to run not with the callers access rights,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
131 |
but with the rights of the owner of the file. So
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
132 |
\pcode{/usr/bin/login} will always be running with root access
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
133 |
rights, no matter who invokes this program. The problem is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
134 |
that this entails a rather complicated semantics of what the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
135 |
identity of a process (that runs the program) is. One would
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
136 |
hope there is only one such ID, but in fact Unix distinguishes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
137 |
three(!):
|
249
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
138 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
139 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
140 |
\item \emph{real identity}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
141 |
This is the ID of the user who creates
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
142 |
the process; can only be changed to something else by root.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
143 |
\item \emph{effective identity}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
144 |
This is the ID that is used to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
145 |
grant or deny access to a resource; can be changed to either
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
146 |
the real identity or saved identity by users, can be changed
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
147 |
to anything by root.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
148 |
\item \emph{saved identity}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
149 |
If the setuid bit set in a file then the process is started
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
150 |
with the real identity of the user who started the program,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
151 |
and the identity of the owner of the program as effective and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
152 |
saved identity. If the setuid bit is not set, then the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
153 |
saved identity will be the real identity.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
154 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
155 |
|
251
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
156 |
\noindent As an example consider again the \pcode{passwd}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
157 |
program. When started by, say the user \pcode{foo}, it has at
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
158 |
the beginning the identities:
|
249
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
159 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
160 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
161 |
\item \emph{real identity}: \pcode{foo}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
162 |
\emph{effective identity}: \pcode{foo}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
163 |
\emph{saved identity}: \pcode{root}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
164 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
165 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
166 |
\noindent It is then allowed to change the effective
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
167 |
identity to the saved identity to have
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
168 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
169 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
170 |
\item \emph{real identity}: \pcode{foo}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
171 |
\emph{effective identity}: \pcode{root}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
172 |
\emph{saved identity}: \pcode{root}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
173 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
174 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
175 |
\noindent It can now read and write the file
|
251
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
176 |
\pcode{/etc/passwd}. After finishing the job it is supposed to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
177 |
drop the effective identity back to \pcode{foo}. This is the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
178 |
responsibility of the programmers who wrote \pcode{passwd}.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
179 |
Notice that the effective identity is not automatically
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
180 |
elevated to \pcode{root}, but the program itself must make
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
181 |
this change. After it has done the work, the effective
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
182 |
identity should go back to the real identity.
|
249
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
183 |
|
365
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
184 |
If you want to play more with access rights in Unix, you can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
185 |
use the program in Figure~\ref{test}. It explicitly checks for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
186 |
readability and writability of files. The \pcode{main}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
187 |
function is organised into two parts: the first checks
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
188 |
readability and writability with the permissions according to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
189 |
a potential setuid bit, and the second (starting in Line 34)
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
190 |
when the permissions are lowered to the caller. Note that this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
191 |
program has one problem as well: it only gives a reliable
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
192 |
answer in cases a file is {\bf not} readable or {\bf not}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
193 |
writable when it returns an error code 13 (permission denied).
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
194 |
It sometimes claims a file is not writable, say, but with an
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
195 |
error code 26 (text file busy). This is unrelated to the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
196 |
permissions of the file.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
197 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
198 |
\begin{figure}[p]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
199 |
\small
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
200 |
\lstinputlisting[language=C]{../progs/read.c}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
201 |
\caption{A read/write test program in C. It returns errno = 13
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
202 |
in cases when permission is denied.\label{test}}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
203 |
\end{figure}
|
249
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
204 |
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
205 |
Despite this complicated semantics, Unix-style access control
|
251
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
206 |
is of no use in a number of situations. For example it cannot
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
207 |
be used to exclude some subset of people, but otherwise have
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
208 |
files readable by everybody else (say you want to restrict
|
365
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
209 |
access to a file such that your office mates cannot access a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
210 |
file). You could try setting the group of the file to this
|
251
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
211 |
subset and then restrict access accordingly. But this does not
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
212 |
help, because users can drop membership in groups. If one
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
213 |
needs such fine-grained control over who can access a file,
|
365
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
214 |
one needs more powerful \emph{mandatory access controls} as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
215 |
described next.
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
216 |
|
248
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
217 |
|
247
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
218 |
\subsubsection*{Secrecy and Integrity}
|
245
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
219 |
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
220 |
Often you need to keep information secret within a system or
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
221 |
organisation, or secret from the ``outside world''. An example
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
222 |
would be to keep insiders from leaking information to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
223 |
competitors. An instance of such an access control system is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
224 |
the secrecy levels used in the military. There you distinguish
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
225 |
usually four secrecy levels:
|
245
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
226 |
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
227 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
228 |
\item top secret
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
229 |
\item secret
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
230 |
\item confidential
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
231 |
\item unclassified
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
232 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
233 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
234 |
The idea is that the secrets classified as top-secret are most
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
235 |
closely guarded and only accessible to people who have a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
236 |
special clearance. The unclassified category is the lowest
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
237 |
level not needing any clearance. While the idea behind these
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
238 |
security levels is quite straightforward, there are some
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
239 |
interesting phenomenons that you need to think about when
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
240 |
realising such a system. First this kind of access control
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
241 |
needs to be \emph{mandatory} as opposed to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
242 |
\emph{discretionary}. With discretionary access control, the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
243 |
users can decide how to restrict or grant access to resources.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
244 |
With mandatory access control, the access to resources is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
245 |
enforced ``system-wide'' and cannot be controlled by the user.
|
261
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
246 |
There would be no point to let users set the secrecy level,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
247 |
because if they want to leak information they would set it to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
248 |
the lowest. Even if there is no malicious intent, it could
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
249 |
happen that somebody by accident sets the secrecy level too
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
250 |
low for a document. Note also that the secrecy levels are in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
251 |
tension with the Unix-style access controls. There root is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
252 |
allowed to do everything, but in a system enforcing secrecy,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
253 |
you might not like to give root such powers.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
254 |
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
255 |
There are also some interesting rules for reading and writing
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
256 |
a resource that need to be enforced:
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
257 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
258 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
259 |
\begin{itemize}
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
260 |
\item {\bf Read Rule}: a principal $P$ can read a resource $O$
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
261 |
provided $P$'s security level is at least as high as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
262 |
$O$'s
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
263 |
\item {\bf Write Rule}: a principal $P$ can write a resource
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
264 |
$O$ provided $O$'s security level is at least as high as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
265 |
$P$'s
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
266 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
267 |
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
268 |
\noindent The first rule implies that a principal with secret
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
269 |
clearance can read secret documents or lower, but not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
270 |
documents classified top-secret. The second rule for writing
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
271 |
needs to be the other way around: someone with secret
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
272 |
clearance can write secret or top-secret documents---no
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
273 |
information is leaked in these cases. In contrast the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
274 |
principal cannot write confidential documents, because then
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
275 |
information can be leaked to lower levels. These rules about
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
276 |
enforcing secrecy with multi-level clearances are often called
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
277 |
\emph{Bell/LaPadula} model, named after two people who studied
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
278 |
such systems.
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
279 |
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
280 |
A problem with this kind of access control system is when two
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
281 |
people want to talk to each other but are assigned different
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
282 |
security clearances, say secret and confidential. In these
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
283 |
situations, the people with the higher clearance have to lower
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
284 |
their security level and are not allowed to take any document
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
285 |
from the higher level with them to the lower level (otherwise
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
286 |
information could be leaked). In actual systems, this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
287 |
might mean that people need to log out and log into the system
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
288 |
again---this time with credentials for the lower level.
|
257
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
289 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
290 |
While secrecy is one property you often want to enforce,
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
291 |
integrity is another. This property ensures that nobody
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
292 |
without adequate clearance can change, or tamper with,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
293 |
systems. An example for this property is a \emph{fire-wall},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
294 |
which isolates a local system from threads from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
295 |
Internet, for example. The rule for such a system is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
296 |
that somebody from inside the fire-wall can write resources
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
297 |
outside the firewall, but you cannot write a resource inside
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
298 |
the fire-wall from outside. Otherwise an outside can just
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
299 |
tamper with a system in order to break in. In contrast
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
300 |
we can read resources from inside the fire-wall, for example
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
301 |
web-pages. But we cannot read anything from outside the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
302 |
fire-wall. Lest we might introduce a virus into the system
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
303 |
(behind the fire-wall). In effect in order to ensure
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
304 |
integrity the read and write rules are reversed from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
305 |
case of secrecy:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
306 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
307 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
308 |
\item {\bf Read Rule}: a principal $P$ can read a resource $O$
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
309 |
provided $P$'s security level is lower or equal than
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
310 |
$O$'s
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
311 |
\item {\bf Write Rule}: a principal $P$ can write a resource
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
312 |
$O$ provided $O$'s security level is lower or equal than
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
313 |
$P$'s
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
314 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
315 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
316 |
\noindent This kind of access control system is called
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
317 |
\emph{Biba} model, named after Kenneth Biba. Its purpose is to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
318 |
prevent data modification by unauthorised principals.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
319 |
|
261
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
320 |
The somewhat paradoxical result of the different reading and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
321 |
writing rules in the \emph{\mbox{Bell}/LaPadula} and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
322 |
\emph{Biba} models is that we cannot have secrecy and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
323 |
integrity at the same time in a system, or they need to be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
324 |
enforced by different means.
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
325 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
326 |
\subsubsection*{Multi-Agent Access Control}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
327 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
328 |
In military or banking, for example, very critical decisions
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
329 |
need to be made using a \emph{two-people rule}. This means such
|
261
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
330 |
decisions need to be taken by two people together, so that no
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
331 |
single person can defraud a bank or start a nuclear war (you
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
332 |
will know what I mean if you have seen the classic movie ``Dr
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
333 |
Strangelove or: How I Learned to Stop Worrying and Love the
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
334 |
Bomb''\footnote{\url{http://en.wikipedia.org/wiki/Dr._Strangelove}}).
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
335 |
Translating the two-people rule into a software system seems not
|
261
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
336 |
as straightforward as one might think.
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
337 |
|
261
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
338 |
Let us assume we want to implement a system where CEOs can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
339 |
make decisions on their own, for example whether or not to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
340 |
sell assets, but two managing directors (MDs) need to come
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
341 |
together to make the same decision. If ``lowly'' directors
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
342 |
(Ds) want to take this decision, three need to come together.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
343 |
Remember cryptographic keys are just sequences of bits. A
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
344 |
naive solution to the problem above is to split the necessary
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
345 |
key into $n$ parts according to the ``level'' where the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
346 |
decision is taken. For example one complete key for a CEO,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
347 |
halves of the key for the MDs and thirds for the Ds. The
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
348 |
problem with this kind of sharing a key is that there might be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
349 |
many hundreds MDs and Ds in your organisations. Simple-minded
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
350 |
halving or devision by three of the key just does not work.
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
351 |
|
261
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
352 |
A much more clever solution was proposed by Blakley and Shamir
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
353 |
in 1979. This solution is inspired by some simple geometric
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
354 |
laws. Suppose a three-dimentional axis system. We can, clearly,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
355 |
specify a point on the $z$-axis, say, by specifying its
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
356 |
coordinates. But we could equally specify this point by a line
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
357 |
that intersects the $z$-axis in this point. How can a line be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
358 |
specified? Well, by giving two points in space. But as you
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
359 |
might remember from school days, we can specify the point also
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
360 |
by a plane intersecting the $z$-axis and a plane can be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
361 |
specified by three points in space. This could be pictured as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
362 |
follows:
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
363 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
364 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
365 |
\includegraphics[scale=0.45]{../pics/pointsplane.jpg}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
366 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
367 |
|
261
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
368 |
\noindent The idea is to use the points as keys for each level
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
369 |
of shared access. The CEO gets the point directly. The MDs get
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
370 |
keys lying on a line and the Ds get keys lying on the plane.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
371 |
Clever, no? Scaling this idea to more dimensions allows for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
372 |
even more levels of access control and more interesting access
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
373 |
rules, like one MD and 2 Ds can take a decision together.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
374 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
375 |
Is such a shared access control used in practice? Well
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
376 |
military command-chains are obviously organised like this.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
377 |
But in software systems often need to rely on data that might
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
378 |
not be entirely accurate. So the CEO-level would correspond
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
379 |
to the in-house data-source that you can trust completely.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
380 |
The MD-level would correspond to simple errors where you need
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
381 |
three inputs and you decide on what to do next according to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
382 |
what at least two data-sources agree (the third source
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
383 |
is then disregarded, because it is assumed it contains an
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
384 |
error). If your data contains not just simple errors, you
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
385 |
need levels corresponding to Ds.
|
260
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
386 |
|
245
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
387 |
|
248
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
388 |
\subsubsection*{Further Information}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
389 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
390 |
If you want to know more about the intricacies of the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
391 |
``simple'' Unix access control system you might find the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
392 |
relatively readable paper about ``Setuid Demystified''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
393 |
useful.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
394 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
395 |
\begin{center}\small
|
249
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
396 |
\url{http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf}
|
248
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
397 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
398 |
|
261
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
399 |
\noindent About secrecy and integrity, and shared access
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
400 |
control I recommend to read the chapters on ``Nuclear Command
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
401 |
and Control'' and ``Multi-Level Security'' in Ross Anderson's
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
402 |
Security Engineering book (whose first edition is free).
|
248
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
403 |
|
245
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
404 |
\end{document}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
405 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
406 |
%%% Local Variables:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
407 |
%%% mode: latex
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
408 |
%%% TeX-master: t
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
409 |
%%% End:
|