handouts/ho04.tex
changeset 257 9bc912fcedb6
parent 252 fa151c0a3cf4
child 260 42bf66f0a903
--- a/handouts/ho04.tex	Tue Oct 21 12:42:19 2014 +0100
+++ b/handouts/ho04.tex	Wed Oct 22 23:38:02 2014 +0100
@@ -51,14 +51,15 @@
 There are already some special rules for directories and
 links. If the execute attribute of a directory is \emph{not}
 set, then one cannot change into the directory and one cannot
-access any file inside it. If the write attribute is not set,
-then one can change existing files (provide they are
-changeable), but one cannot create new files. If the read
-attribute is not set, one cannot search inside the directory
-(\pcode{ls -la} does not work) but one can access an existing
-file, provided one knows its name. Links to files never depend
-on the permission of the link, but the file they are pointing
-to.
+access any file inside it. If the write attribute is
+\emph{not} set, then one can change existing files (provide
+they are changeable), but one cannot create new files. If the
+read attribute is \emph{not} set, one cannot search inside the
+directory (\pcode{ls -la} does not work) but one can access an
+existing file, provided one knows its name. Links to files
+never depend on the permission of the link, but the file they
+are pointing to. Otherwise one could easily change access
+rights to files.
 
 While the above might sound already moderately complicated,
 the real complications with Unix-style file permissions
@@ -95,12 +96,12 @@
 attribute set on my bog-standard Mac OSX system (including the
 program \pcode{/usr/bin/login} for example). The problem is
 that if there is a security problem with only one of them, be
-it a buffer overflow for example, then malicious users 
-can gain root access (and for outside attackers it is much
-easier to take over a system). Unfortunately it is rather easy 
-to make errors since the handling of elevating and dropping 
-access rights in such programs rests entirely with the 
-programmer.
+it a buffer overflow for example, then malicious users can
+gain root access (and for outside attackers it is much easier
+to take over a system). Unfortunately it is rather easy to
+cause a security problem since the handling of elevating and
+dropping access rights in such programs rests entirely with
+the programmer.
 
 The fundamental idea behind the setuid attribute is that a
 file will be able to run not with the callers access rights,
@@ -158,18 +159,82 @@
 identity should go back to the real identity.
 
 
-Despite these complicated semantics, Unix-style access control
+Despite this complicated semantics, Unix-style access control
 is of no use in a number of situations. For example it cannot
 be used to exclude some subset of people, but otherwise have
 files readable by everybody else (say you want to restrict
 access to a file such that your office mates cannot access 
 a file). You could try setting the group of the file to this
 subset and then restrict access accordingly. But this does not
-help, because users can drop membership in groups. 
+help, because users can drop membership in groups. If one
+needs such fine-grained control over who can access a file,
+one needs more powerful \emph{mandatory access controls}
+as described next.
+
 
 \subsubsection*{Secrecy and Integrity}
 
+Often you need to keep information secret within a system or
+organisation, or secret to the ``outside world''. An example
+would be to keep information secret such that insiders cannot
+leak information to competitors. A very good instance of such
+an access control system is the secrecy levels used in the
+military. There you distinguish four secrecy levels:
 
+\begin{itemize}
+\item top secret
+\item secret
+\item confidential
+\item unclassified
+\end{itemize}
+
+The idea is that the secrets classified as top-secret are most
+closely guarded and only accessible to people who have a
+special clearance. The unclassified category is the lowest
+level not needing any clearance. While the idea behind these
+security levels is quite straightforward, there are some
+interesting implications for when you want to realise such a
+system. To begin the access control needs to be
+\emph{mandatory} as opposed to \emph{discretionary}. With
+discretionary access control, the users can decide how to
+restrict or grant access to resources. With mandatory access
+control, the access to resources is enforced ``system-wide''
+and cannot be controlled by the user. There are also some
+interesting rules for reading and writing an object that 
+need to be enforced: 
+
+
+\begin{itemize}
+\item {\bf Read Rule}: a principal $P$ can read an object $O$
+provided $P$'s security level is at least as high as $O$'s
+
+\item {\bf Write Rule}: a principal $P$ can write an object $O$
+provided $O$'s security level is at least as high as $P$'s 
+\end{itemize} 
+
+\noindent The first rule says that a principal with secret
+clearance can read secret documents or lower, but not
+documents classified top-secret. The second rule for writing
+needs to be the other way around: someone with secret
+clearance can write secret or top-secret documents---no
+information is leaked. In contrast it cannot write
+confidential documents, because then information can be leaked
+to lower levels. These rules about enforcing secrecy with
+mult-level clearances is often called \emph{Bell/LaPudela}
+model, named after two people who studied such systems.
+
+A problem with this access control system is when two people
+want to talk to each other but having different security
+clearances, say secret and confidential. In these situations,
+the people with the higher clearance have to lower their
+security level and are not allowed to take any document
+from the higher level with them (otherwise again information
+could be leaked). In actual systems this might mean that
+people need to log out and log into the system again---this
+time with credentials for the lower level.
+
+While secrecy is one property you often want to enforce,
+integrity is another. This property ensures that no
 
 \subsubsection*{Further Information}