Mercurial Mercurial > hg > sen-material / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | gz | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
updated
authorChristian Urban <christian dot urban at kcl dot ac dot uk>
Mon, 27 Oct 2014 00:35:12 +0000
changeset 260 42bf66f0a903
parent 259 f96d3e48ed3d
child 261 e7a31a247e5a
updated
handouts/ho04.pdf file | annotate | diff | comparison | revisions
handouts/ho04.tex file | annotate | diff | comparison | revisions 
Binary file handouts/ho04.pdf has changed
--- a/handouts/ho04.tex	Thu Oct 23 11:30:21 2014 +0100
+++ b/handouts/ho04.tex	Mon Oct 27 00:35:12 2014 +0000
@@ -9,7 +9,7 @@
 \section*{Handout 4 (Access Control)}
 
 Access control is essentially about deciding whether to grant
-access to a resource or deny it. Sounds easy. No? Well it
+access to a resource or deny it. Sounds easy, no? Well it
 turns out that things are not as simple as they seem at first
 glance. Let us first look, as a case-study, at how access
 control is organised in Unix-like systems (Windows systems
@@ -175,11 +175,11 @@
 \subsubsection*{Secrecy and Integrity}
 
 Often you need to keep information secret within a system or
-organisation, or secret to the ``outside world''. An example
-would be to keep information secret such that insiders cannot
-leak information to competitors. A very good instance of such
-an access control system is the secrecy levels used in the
-military. There you distinguish four secrecy levels:
+organisation, or secret from the ``outside world''. An example
+would be to keep insiders from leaking information to
+competitors. An instance of such an access control system is
+the secrecy levels used in the military. There you distinguish
+usually four secrecy levels:
 
 \begin{itemize}
 \item top secret
@@ -193,48 +193,125 @@
 special clearance. The unclassified category is the lowest
 level not needing any clearance. While the idea behind these
 security levels is quite straightforward, there are some
-interesting implications for when you want to realise such a
-system. To begin the access control needs to be
-\emph{mandatory} as opposed to \emph{discretionary}. With
-discretionary access control, the users can decide how to
-restrict or grant access to resources. With mandatory access
-control, the access to resources is enforced ``system-wide''
-and cannot be controlled by the user. There are also some
-interesting rules for reading and writing an object that 
-need to be enforced: 
+interesting phenomenons that you need to think about when
+realising such a system. First this kind of access control
+needs to be \emph{mandatory} as opposed to
+\emph{discretionary}. With discretionary access control, the
+users can decide how to restrict or grant access to resources.
+With mandatory access control, the access to resources is
+enforced ``system-wide'' and cannot be controlled by the user.
+There are also some interesting rules for reading and writing
+a resource that need to be enforced: 
 
 
 \begin{itemize}
-\item {\bf Read Rule}: a principal $P$ can read an object $O$
-provided $P$'s security level is at least as high as $O$'s
-
-\item {\bf Write Rule}: a principal $P$ can write an object $O$
-provided $O$'s security level is at least as high as $P$'s 
+\item {\bf Read Rule}: a principal $P$ can read a resource $O$
+      provided $P$'s security level is at least as high as
+      $O$'s
+\item {\bf Write Rule}: a principal $P$ can write a resource
+      $O$ provided $O$'s security level is at least as high as
+      $P$'s 
 \end{itemize} 
 
-\noindent The first rule says that a principal with secret
+\noindent The first rule implies that a principal with secret
 clearance can read secret documents or lower, but not
 documents classified top-secret. The second rule for writing
 needs to be the other way around: someone with secret
 clearance can write secret or top-secret documents---no
-information is leaked. In contrast it cannot write
-confidential documents, because then information can be leaked
-to lower levels. These rules about enforcing secrecy with
-mult-level clearances is often called \emph{Bell/LaPudela}
-model, named after two people who studied such systems.
+information is leaked in these cases. In contrast the
+principal cannot write confidential documents, because then
+information can be leaked to lower levels. These rules about
+enforcing secrecy with multi-level clearances are often called
+\emph{Bell/LaPadula} model, named after two people who studied
+such systems.
 
-A problem with this access control system is when two people
-want to talk to each other but having different security
-clearances, say secret and confidential. In these situations,
-the people with the higher clearance have to lower their
-security level and are not allowed to take any document
-from the higher level with them (otherwise again information
-could be leaked). In actual systems this might mean that
-people need to log out and log into the system again---this
-time with credentials for the lower level.
+A problem with this kind of access control system is when two
+people want to talk to each other but are assigned different
+security clearances, say secret and confidential. In these
+situations, the people with the higher clearance have to lower
+their security level and are not allowed to take any document
+from the higher level with them to the lower level (otherwise
+information could be leaked). In actual systems, this
+might mean that people need to log out and log into the system
+again---this time with credentials for the lower level.
 
 While secrecy is one property you often want to enforce,
-integrity is another. This property ensures that no
+integrity is another. This property ensures that nobody
+without adequate clearance can change, or tamper with,
+systems. An example for this property is a \emph{fire-wall},
+which isolates a local system from threads from the 
+Internet, for example. The rule for such a system is
+that somebody from inside the fire-wall can write resources
+outside the firewall, but you cannot write a resource inside 
+the fire-wall from outside. Otherwise an outside can just
+tamper with a system in order to break in. In contrast
+we can read resources from inside the fire-wall, for example
+web-pages. But we cannot read anything from outside the 
+fire-wall. Lest we might introduce a virus into the system
+(behind the fire-wall). In effect in order to ensure
+integrity the read and write rules are reversed from the
+case of secrecy:
+
+\begin{itemize}
+\item {\bf Read Rule}: a principal $P$ can read a resource $O$
+      provided $P$'s security level is lower or equal than
+      $O$'s
+\item {\bf Write Rule}: a principal $P$ can write a resource
+      $O$ provided $O$'s security level is lower or equal than
+      $P$'s 
+\end{itemize} 
+
+\noindent This kind of access control system is called
+\emph{Biba} model, named after Kenneth Biba. Its purpose is to
+prevent data modification by unauthorised principals.
+
+The paradoxical result of the different reading and writing 
+rules in the \emph{Bell/LaPadula} and \emph{Biba} models is
+that we cannot have secrecy and integrity at the same time
+in a system, or they need to be enforced by different means.
+
+\subsubsection*{Multi-Agent Access Control}
+
+In military or banking, for example, very critical decisions
+need to be made using a \emph{two-man rule}. This means such
+decisions need to be taken by two people together, so that
+no single person can defraud a bank or start a nuclear war
+(you will know what I mean if you have seen the classic movie
+``Dr Strangelove or: How I Learned to Stop Worrying and Love
+the
+Bomb''\footnote{\url{http://en.wikipedia.org/wiki/Dr._Strangelove}}).
+
+Let us assume we want to implement a system where a CEOs can
+fell decisions on their own, but two managing directors (MDs)
+need to come together to fell the same decision. If ``lowly''
+directors (Ds) want to take the decision, three need to come
+together. An obvious solution to such a problem is to split
+the necessary key into $n$ parts according to the ``level''
+where the decision is taken. For example one key for a CEO,
+two halves for the MDs and three thirds for the Ds. The 
+problem with this kind of sharing a key is that there might 
+be many hundreds MDs and Ds in your organisations. Simple-minded
+halving or devision by three of the keey just does not work.
+
+A much more clever solution was Blakley and Shamir in 1979. 
+This solution is inspired by some simple geometric facts.
+Given a three-dimentional axis system, we can specify a
+point on the $z$-axis, say, by specifying its coordinates.
+But we could equally specify this point by a line that 
+intersects the $z$-axis in this point. How can a line be
+specified? Well, by giving two spaces in space. But as you
+might remember from school days, we can specify the point
+also by a plane and a plane can be specified by three points
+in space. This could be pictured as follows:
+
+\begin{center}
+\includegraphics[scale=0.45]{../pics/pointsplane.jpg}
+\end{center}
+
+\noindent 
+Scaling this idea to more dimensions allows for even more 
+levels of access control.
+
 
 \subsubsection*{Further Information}
sen-material