| author | Christian Urban <christian dot urban at kcl dot ac dot uk> |
| Thu, 08 Oct 2015 17:06:48 +0100 (2015-10-08) | |
| changeset 402 | fb0c844a26cf |
| parent 366 | 34a8f73b2c94 |
| child 404 | 4e3bc09748f7 |
| permissions | -rw-r--r-- |
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
1 |
\documentclass{article}
|
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
2 |
\usepackage{../style}
|
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
3 |
\usepackage{../langs}
|
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
4 |
|
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
5 |
\begin{document}
|
|
366
34a8f73b2c94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
365
diff
changeset
|
6 |
\fnote{\copyright{} Christian Urban, 2014}
|
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
7 |
|
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
8 |
\section*{Handout 4 (Access Control)}
|
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
9 |
|
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
10 |
Access control is essentially about deciding whether to grant |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
11 |
access to a resource or deny it. Sounds easy, no? Well it |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
12 |
turns out that things are not as simple as they seem at first |
|
252
fa151c0a3cf4
updated slides
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
251
diff
changeset
|
13 |
glance. Let us first look, as a case-study, at how access |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
14 |
control is organised in Unix-like systems (Windows systems |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
15 |
have similar access controls, although the details might be |
|
261
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
16 |
quite different). Then we have a look at how secrecy and |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
17 |
integrity can be ensured in a system, and finally have a look |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
18 |
at shared access control in multi-agent systems. |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
19 |
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
20 |
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
21 |
\subsubsection*{Unix-Style Access Control}
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
22 |
|
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
23 |
Following the Unix-philosophy that everything is considered as |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
24 |
a file, even memory, ports and so on, access control in Unix |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
25 |
is organised around 11 Bits that specify how a file can be |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
26 |
accessed. These Bits are sometimes called the \emph{permission
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
27 |
attributes} of a file. There are typically three modes for |
|
251
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
28 |
access: \underline{\textbf{r}}ead, \underline{\textbf{w}}rite
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
29 |
and e\underline{\textbf{x}}ecute. Moreover there are three
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
30 |
user groups to which the modes apply: the owner of the file, |
|
365
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
31 |
the group the file is associated with and everybody else. |
|
366
34a8f73b2c94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
365
diff
changeset
|
32 |
A typical permission of a file owned by \texttt{bob}
|
|
34a8f73b2c94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
365
diff
changeset
|
33 |
being in the group \texttt{staff} might look as
|
|
365
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
34 |
follows: |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
35 |
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
36 |
\begin{center}
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
37 |
${\underbrace{\LARGE\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
38 |
\;{\underbrace{\LARGE\texttt{r{}-{}-}}_{\text{user}}}\,
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
39 |
{\underbrace{\LARGE\texttt{r{}w{}-}}_{\text{group}}}\,
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
40 |
{\underbrace{\LARGE\texttt{r{}w{}x}}_{\text{other}}}\;\;\;
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
41 |
\LARGE\texttt{bob}\;\;\;\texttt{staff}$
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
42 |
\end{center}
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
43 |
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
44 |
\noindent For the moment let us ignore the directory bit. The |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
45 |
Unix access rules imply that Bob will only have read access to |
|
366
34a8f73b2c94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
365
diff
changeset
|
46 |
this file, even if he is in the group \texttt{staff} and this
|
|
34a8f73b2c94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
365
diff
changeset
|
47 |
group's access permissions allow read and write. Similarly every |
|
365
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
48 |
member in the \texttt{staff} group who is not \texttt{bob},
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
49 |
will only have read-write access permissions, not |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
50 |
read-write-execute. |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
51 |
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
52 |
This |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
53 |
relatively fine granularity of owner, group, everybody else |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
54 |
seems to cover many useful scenarios of access control. A |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
55 |
typical example of some files with permission attributes is as |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
56 |
follows: |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
57 |
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
58 |
{\small\lstinputlisting[language={}]{../slides/lst}}
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
59 |
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
60 |
\noindent The leading \pcode{d} in Lines 2 and 6 indicate that
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
61 |
the file is a directory, whereby in the Unix-tradition the |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
62 |
\pcode{.} points to the directory itself. The \pcode{..}
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
63 |
points at the directory ``above'', or parent directory. The |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
64 |
second to fourth letter specify how the owner of the file can |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
65 |
access the file. For example Line 3 states that \pcode{ping}
|
|
251
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
66 |
can read and write \pcode{manual.txt}, but cannot execute it.
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
67 |
The next three letters specify how the group members of the |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
68 |
file can access the file. In Line 4, for example, all students |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
69 |
can read and write the file \pcode{report.txt}. Finally the
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
70 |
last three letters specify how everybody else can access a |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
71 |
file. This should all be relatively familiar and |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
72 |
straightforward. No? |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
73 |
|
|
249
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
74 |
There are already some special rules for directories and |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
75 |
links. If the execute attribute of a directory is \emph{not}
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
76 |
set, then one cannot change into the directory and one cannot |
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
77 |
access any file inside it. If the write attribute is |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
78 |
\emph{not} set, then one can change existing files (provide
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
79 |
they are changeable), but one cannot create new files. If the |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
80 |
read attribute is \emph{not} set, one cannot search inside the
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
81 |
directory (\pcode{ls -la} does not work) but one can access an
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
82 |
existing file, provided one knows its name. Links to files |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
83 |
never depend on the permission of the link, but the file they |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
84 |
are pointing to. Otherwise one could easily change access |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
85 |
rights to files. |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
86 |
|
|
249
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
87 |
While the above might sound already moderately complicated, |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
88 |
the real complications with Unix-style file permissions |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
89 |
involve the setuid and setgid attributes. For example the file |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
90 |
\pcode{microedit} in Line 5 has the setuid attribute set
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
91 |
(indicated by the \pcode{s} in place of the usual \pcode{x}).
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
92 |
The purpose of setuid and setgid is to solve the following |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
93 |
puzzle: The program \pcode{passwd} allows users to change
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
94 |
their passwords. Therefore \pcode{passwd} needs to have write
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
95 |
access to the file \pcode{/etc/passwd}. But this file cannot
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
96 |
be writable for every user, otherwise anyone can set anyone |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
97 |
else's password. So changing securely passwords cannot be |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
98 |
achieved with the simple Unix access rights discussed so far. |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
99 |
While this situation might look like an anomaly, it is in fact |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
100 |
an often occurring problem. For example looking at current |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
101 |
active processes with \pcode{/bin/ps} requires access to
|
|
251
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
102 |
internal data structures of the operating system, which only |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
103 |
root should be allowed to. In fact any of the following |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
104 |
actions cannot be configured for single users, but need |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
105 |
privileged root access |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
106 |
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
107 |
\begin{itemize}
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
108 |
\item changing system databases (users, groups, routing tables |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
109 |
and so on) |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
110 |
\item opening a network port below 1024 |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
111 |
\item interacting with peripheral hardware, such as printers, |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
112 |
harddisk etc |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
113 |
\item overwriting operating system facilities, like |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
114 |
process scheduling and memory management |
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
115 |
\end{itemize}
|
|
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
116 |
|
|
249
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
117 |
\noindent This will typically involve quite a lot of programs |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
118 |
on a Unix system. I counted 90 programs with the setuid |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
119 |
attribute set on my bog-standard Mac OSX system (including the |
|
251
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
120 |
program \pcode{/usr/bin/login} for example). The problem is
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
121 |
that if there is a security problem with only one of them, be |
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
122 |
it a buffer overflow for example, then malicious users can |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
123 |
gain root access (and for outside attackers it is much easier |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
124 |
to take over a system). Unfortunately it is rather easy to |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
125 |
cause a security problem since the handling of elevating and |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
126 |
dropping access rights in such programs rests entirely with |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
127 |
the programmer. |
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
128 |
|
|
251
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
129 |
The fundamental idea behind the setuid attribute is that a |
|
252
fa151c0a3cf4
updated slides
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
251
diff
changeset
|
130 |
file will be able to run not with the callers access rights, |
|
fa151c0a3cf4
updated slides
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
251
diff
changeset
|
131 |
but with the rights of the owner of the file. So |
|
fa151c0a3cf4
updated slides
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
251
diff
changeset
|
132 |
\pcode{/usr/bin/login} will always be running with root access
|
|
fa151c0a3cf4
updated slides
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
251
diff
changeset
|
133 |
rights, no matter who invokes this program. The problem is |
|
fa151c0a3cf4
updated slides
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
251
diff
changeset
|
134 |
that this entails a rather complicated semantics of what the |
|
fa151c0a3cf4
updated slides
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
251
diff
changeset
|
135 |
identity of a process (that runs the program) is. One would |
|
fa151c0a3cf4
updated slides
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
251
diff
changeset
|
136 |
hope there is only one such ID, but in fact Unix distinguishes |
|
fa151c0a3cf4
updated slides
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
251
diff
changeset
|
137 |
three(!): |
|
249
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
138 |
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
139 |
\begin{itemize}
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
140 |
\item \emph{real identity}\\
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
141 |
This is the ID of the user who creates |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
142 |
the process; can only be changed to something else by root. |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
143 |
\item \emph{effective identity}\\
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
144 |
This is the ID that is used to |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
145 |
grant or deny access to a resource; can be changed to either |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
146 |
the real identity or saved identity by users, can be changed |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
147 |
to anything by root. |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
148 |
\item \emph{saved identity}\\
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
149 |
If the setuid bit set in a file then the process is started |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
150 |
with the real identity of the user who started the program, |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
151 |
and the identity of the owner of the program as effective and |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
152 |
saved identity. If the setuid bit is not set, then the |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
153 |
saved identity will be the real identity. |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
154 |
\end{itemize}
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
155 |
|
|
251
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
156 |
\noindent As an example consider again the \pcode{passwd}
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
157 |
program. When started by, say the user \pcode{foo}, it has at
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
158 |
the beginning the identities: |
|
249
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
159 |
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
160 |
\begin{itemize}
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
161 |
\item \emph{real identity}: \pcode{foo}\\
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
162 |
\emph{effective identity}: \pcode{foo}\\
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
163 |
\emph{saved identity}: \pcode{root}
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
164 |
\end{itemize}
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
165 |
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
166 |
\noindent It is then allowed to change the effective |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
167 |
identity to the saved identity to have |
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
168 |
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
169 |
\begin{itemize}
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
170 |
\item \emph{real identity}: \pcode{foo}\\
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
171 |
\emph{effective identity}: \pcode{root}\\
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
172 |
\emph{saved identity}: \pcode{root}
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
173 |
\end{itemize}
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
174 |
|
|
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
175 |
\noindent It can now read and write the file |
|
251
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
176 |
\pcode{/etc/passwd}. After finishing the job it is supposed to
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
177 |
drop the effective identity back to \pcode{foo}. This is the
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
178 |
responsibility of the programmers who wrote \pcode{passwd}.
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
179 |
Notice that the effective identity is not automatically |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
180 |
elevated to \pcode{root}, but the program itself must make
|
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
181 |
this change. After it has done the work, the effective |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
182 |
identity should go back to the real identity. |
|
249
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
183 |
|
|
365
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
184 |
If you want to play more with access rights in Unix, you can |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
185 |
use the program in Figure~\ref{test}. It explicitly checks for
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
186 |
readability and writability of files. The \pcode{main}
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
187 |
function is organised into two parts: the first checks |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
188 |
readability and writability with the permissions according to |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
189 |
a potential setuid bit, and the second (starting in Line 34) |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
190 |
when the permissions are lowered to the caller. Note that this |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
191 |
program has one problem as well: it only gives a reliable |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
192 |
answer in cases a file is {\bf not} readable or {\bf not}
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
193 |
writable when it returns an error code 13 (permission denied). |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
194 |
It sometimes claims a file is not writable, say, but with an |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
195 |
error code 26 (text file busy). This is unrelated to the |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
196 |
permissions of the file. |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
197 |
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
198 |
\begin{figure}[p]
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
199 |
\small |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
200 |
\lstinputlisting[language=C]{../progs/read.c}
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
201 |
\caption{A read/write test program in C. It returns errno = 13
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
202 |
in cases when permission is denied.\label{test}}
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
203 |
\end{figure}
|
|
249
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
204 |
|
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
205 |
Despite this complicated semantics, Unix-style access control |
|
251
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
206 |
is of no use in a number of situations. For example it cannot |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
207 |
be used to exclude some subset of people, but otherwise have |
|
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
208 |
files readable by everybody else (say you want to restrict |
|
365
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
209 |
access to a file such that your office mates cannot access a |
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
210 |
file). You could try setting the group of the file to this |
|
251
64e62d636737
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
249
diff
changeset
|
211 |
subset and then restrict access accordingly. But this does not |
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
212 |
help, because users can drop membership in groups. If one |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
213 |
needs such fine-grained control over who can access a file, |
|
365
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
214 |
one needs more powerful \emph{mandatory access controls} as
|
|
942205605c30
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
283
diff
changeset
|
215 |
described next. |
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
216 |
|
|
248
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
217 |
|
|
247
95e14b2dbc94
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
245
diff
changeset
|
218 |
\subsubsection*{Secrecy and Integrity}
|
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
219 |
|
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
220 |
Often you need to keep information secret within a system or |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
221 |
organisation, or secret from the ``outside world''. An example |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
222 |
would be to keep insiders from leaking information to |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
223 |
competitors. An instance of such an access control system is |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
224 |
the secrecy levels used in the military. There you distinguish |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
225 |
usually four secrecy levels: |
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
226 |
|
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
227 |
\begin{itemize}
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
228 |
\item top secret |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
229 |
\item secret |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
230 |
\item confidential |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
231 |
\item unclassified |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
232 |
\end{itemize}
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
233 |
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
234 |
The idea is that the secrets classified as top-secret are most |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
235 |
closely guarded and only accessible to people who have a |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
236 |
special clearance. The unclassified category is the lowest |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
237 |
level not needing any clearance. While the idea behind these |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
238 |
security levels is quite straightforward, there are some |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
239 |
interesting phenomenons that you need to think about when |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
240 |
realising such a system. First this kind of access control |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
241 |
needs to be \emph{mandatory} as opposed to
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
242 |
\emph{discretionary}. With discretionary access control, the
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
243 |
users can decide how to restrict or grant access to resources. |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
244 |
With mandatory access control, the access to resources is |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
245 |
enforced ``system-wide'' and cannot be controlled by the user. |
|
261
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
246 |
There would be no point to let users set the secrecy level, |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
247 |
because if they want to leak information they would set it to |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
248 |
the lowest. Even if there is no malicious intent, it could |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
249 |
happen that somebody by accident sets the secrecy level too |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
250 |
low for a document. Note also that the secrecy levels are in |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
251 |
tension with the Unix-style access controls. There root is |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
252 |
allowed to do everything, but in a system enforcing secrecy, |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
253 |
you might not like to give root such powers. |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
254 |
|
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
255 |
There are also some interesting rules for reading and writing |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
256 |
a resource that need to be enforced: |
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
257 |
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
258 |
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
259 |
\begin{itemize}
|
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
260 |
\item {\bf Read Rule}: a principal $P$ can read a resource $O$
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
261 |
provided $P$'s security level is at least as high as |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
262 |
$O$'s |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
263 |
\item {\bf Write Rule}: a principal $P$ can write a resource
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
264 |
$O$ provided $O$'s security level is at least as high as |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
265 |
$P$'s |
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
266 |
\end{itemize}
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
267 |
|
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
268 |
\noindent The first rule implies that a principal with secret |
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
269 |
clearance can read secret documents or lower, but not |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
270 |
documents classified top-secret. The second rule for writing |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
271 |
needs to be the other way around: someone with secret |
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
272 |
clearance can write secret or top-secret documents---no |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
273 |
information is leaked in these cases. In contrast the |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
274 |
principal cannot write confidential documents, because then |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
275 |
information can be leaked to lower levels. These rules about |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
276 |
enforcing secrecy with multi-level clearances are often called |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
277 |
\emph{Bell/LaPadula} model, named after two people who studied
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
278 |
such systems. |
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
279 |
|
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
280 |
A problem with this kind of access control system is when two |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
281 |
people want to talk to each other but are assigned different |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
282 |
security clearances, say secret and confidential. In these |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
283 |
situations, the people with the higher clearance have to lower |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
284 |
their security level and are not allowed to take any document |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
285 |
from the higher level with them to the lower level (otherwise |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
286 |
information could be leaked). In actual systems, this |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
287 |
might mean that people need to log out and log into the system |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
288 |
again---this time with credentials for the lower level. |
|
257
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
289 |
|
|
9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
290 |
While secrecy is one property you often want to enforce, |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
291 |
integrity is another. This property ensures that nobody |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
292 |
without adequate clearance can change, or tamper with, |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
293 |
systems. An example for this property is a \emph{fire-wall},
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
294 |
which isolates a local system from threads from the |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
295 |
Internet, for example. The rule for such a system is |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
296 |
that somebody from inside the fire-wall can write resources |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
297 |
outside the firewall, but you cannot write a resource inside |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
298 |
the fire-wall from outside. Otherwise an outside can just |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
299 |
tamper with a system in order to break in. In contrast |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
300 |
we can read resources from inside the fire-wall, for example |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
301 |
web-pages. But we cannot read anything from outside the |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
302 |
fire-wall. Lest we might introduce a virus into the system |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
303 |
(behind the fire-wall). In effect in order to ensure |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
304 |
integrity the read and write rules are reversed from the |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
305 |
case of secrecy: |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
306 |
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
307 |
\begin{itemize}
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
308 |
\item {\bf Read Rule}: a principal $P$ can read a resource $O$
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
309 |
provided $P$'s security level is lower or equal than |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
310 |
$O$'s |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
311 |
\item {\bf Write Rule}: a principal $P$ can write a resource
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
312 |
$O$ provided $O$'s security level is lower or equal than |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
313 |
$P$'s |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
314 |
\end{itemize}
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
315 |
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
316 |
\noindent This kind of access control system is called |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
317 |
\emph{Biba} model, named after Kenneth Biba. Its purpose is to
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
318 |
prevent data modification by unauthorised principals. |
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
319 |
|
|
261
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
320 |
The somewhat paradoxical result of the different reading and |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
321 |
writing rules in the \emph{\mbox{Bell}/LaPadula} and
|
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
322 |
\emph{Biba} models is that we cannot have secrecy and
|
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
323 |
integrity at the same time in a system, or they need to be |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
324 |
enforced by different means. |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
325 |
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
326 |
\subsubsection*{Multi-Agent Access Control}
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
327 |
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
328 |
In military or banking, for example, very critical decisions |
|
263
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
261
diff
changeset
|
329 |
need to be made using a \emph{two-people rule}. This means such
|
|
261
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
330 |
decisions need to be taken by two people together, so that no |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
331 |
single person can defraud a bank or start a nuclear war (you |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
332 |
will know what I mean if you have seen the classic movie ``Dr |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
333 |
Strangelove or: How I Learned to Stop Worrying and Love the |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
334 |
Bomb''\footnote{\url{http://en.wikipedia.org/wiki/Dr._Strangelove}}).
|
|
263
8a42736cce27
updated 5th handout
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
261
diff
changeset
|
335 |
Translating the two-people rule into a software system seems not |
|
261
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
336 |
as straightforward as one might think. |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
337 |
|
|
261
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
338 |
Let us assume we want to implement a system where CEOs can |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
339 |
make decisions on their own, for example whether or not to |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
340 |
sell assets, but two managing directors (MDs) need to come |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
341 |
together to make the same decision. If ``lowly'' directors |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
342 |
(Ds) want to take this decision, three need to come together. |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
343 |
Remember cryptographic keys are just sequences of bits. A |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
344 |
naive solution to the problem above is to split the necessary |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
345 |
key into $n$ parts according to the ``level'' where the |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
346 |
decision is taken. For example one complete key for a CEO, |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
347 |
halves of the key for the MDs and thirds for the Ds. The |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
348 |
problem with this kind of sharing a key is that there might be |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
349 |
many hundreds MDs and Ds in your organisations. Simple-minded |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
350 |
halving or devision by three of the key just does not work. |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
351 |
|
|
261
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
352 |
A much more clever solution was proposed by Blakley and Shamir |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
353 |
in 1979. This solution is inspired by some simple geometric |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
354 |
laws. Suppose a three-dimentional axis system. We can, clearly, |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
355 |
specify a point on the $z$-axis, say, by specifying its |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
356 |
coordinates. But we could equally specify this point by a line |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
357 |
that intersects the $z$-axis in this point. How can a line be |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
358 |
specified? Well, by giving two points in space. But as you |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
359 |
might remember from school days, we can specify the point also |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
360 |
by a plane intersecting the $z$-axis and a plane can be |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
361 |
specified by three points in space. This could be pictured as |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
362 |
follows: |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
363 |
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
364 |
\begin{center}
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
365 |
\includegraphics[scale=0.45]{../pics/pointsplane.jpg}
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
366 |
\end{center}
|
|
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
367 |
|
|
261
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
368 |
\noindent The idea is to use the points as keys for each level |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
369 |
of shared access. The CEO gets the point directly. The MDs get |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
370 |
keys lying on a line and the Ds get keys lying on the plane. |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
371 |
Clever, no? Scaling this idea to more dimensions allows for |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
372 |
even more levels of access control and more interesting access |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
373 |
rules, like one MD and 2 Ds can take a decision together. |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
374 |
|
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
375 |
Is such a shared access control used in practice? Well |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
376 |
military command-chains are obviously organised like this. |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
377 |
But in software systems often need to rely on data that might |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
378 |
not be entirely accurate. So the CEO-level would correspond |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
379 |
to the in-house data-source that you can trust completely. |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
380 |
The MD-level would correspond to simple errors where you need |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
381 |
three inputs and you decide on what to do next according to |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
382 |
what at least two data-sources agree (the third source |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
383 |
is then disregarded, because it is assumed it contains an |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
384 |
error). If your data contains not just simple errors, you |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
385 |
need levels corresponding to Ds. |
|
260
42bf66f0a903
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
257
diff
changeset
|
386 |
|
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
387 |
|
|
248
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
388 |
\subsubsection*{Further Information}
|
|
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
389 |
|
|
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
390 |
If you want to know more about the intricacies of the |
|
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
391 |
``simple'' Unix access control system you might find the |
|
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
392 |
relatively readable paper about ``Setuid Demystified'' |
|
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
393 |
useful. |
|
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
394 |
|
|
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
395 |
\begin{center}\small
|
|
249
31a749eba8c1
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
248
diff
changeset
|
396 |
\url{http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf}
|
|
248
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
397 |
\end{center}
|
|
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
398 |
|
|
261
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
399 |
\noindent About secrecy and integrity, and shared access |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
400 |
control I recommend to read the chapters on ``Nuclear Command |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
401 |
and Control'' and ``Multi-Level Security'' in Ross Anderson's |
|
e7a31a247e5a
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
260
diff
changeset
|
402 |
Security Engineering book (whose first edition is free). |
|
248
51fa0549fc8f
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
247
diff
changeset
|
403 |
|
|
245
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
404 |
\end{document}
|
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
405 |
|
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
406 |
%%% Local Variables: |
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
407 |
%%% mode: latex |
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
408 |
%%% TeX-master: t |
|
630a3dd1efda
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
409 |
%%% End: |