CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 13 - Capability Systems
October 9, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Process-specific Permissions
• Design the permissions of a process specific to its use
• How do we change the permissions of a process in an ACL system?

Capabilities
• A: Well, yes and no …
• Capabilities remove the overhead of managing per-object rights, but add the overhead of managing capabilities
• Moreover, to get any real security, they have to be unforgeable
  – Hardware tags (to protect capabilities)
  – Protected address space/registers
  – Language-based techniques
    • Enforce access restrictions on caps.
  – Cryptography
    • Make them unforgeable

Real OS Capabilities
• The OS kernel manages capabilities in the process table, out of reach of the process
• Capabilities added by user requests (that comply with policy)
[Figure: a Process Table entry for Process Z points to its C-List, whose entries A, B, C, D carry rights such as RX and RW]

User space capability?
• Well, what are the requirements?
  – Authenticity/integrity - do not want a malicious process to forge capabilities
• Start with the data itself: [object, rights]
  – Object is typically encoded with an identifier, or by some other tag (capabilities are sometimes known as tags)
  – Rights are often fixed (read, modify, write, execute, etc.)
• Now, do what you do with any other data (assume the kernel has a secret key k):
  E(k, [Oi, r1, r2, … rn])
• What’s wrong with this construction (I got it from the website of one of the experts in the area)?
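The slide above names authenticity/integrity as the requirement and then proposes E(k, [Oi, r1, …, rn]). The following is an added example, not code from the lecture: the kernel key, the 5-byte [object id, rights mask] encoding, and the toy HMAC-in-counter-mode stream cipher standing in for E are all constructed for this demonstration. It shows that a secrecy-only E does not by itself give integrity (a holder can flip one ciphertext bit and change the rights the kernel decodes), whereas appending an HMAC tag computed under the kernel's key makes any modification detectable without that key.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo key standing in for the kernel's secret k (assumption of this example).
KERNEL_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()

RIGHTS = {"read": 1, "write": 2, "execute": 4}   # fixed rights r1..rn encoded as a bit mask


def encode_cap(obj_id, rights):
    """Serialize [Oi, r1..rn]: a 4-byte object id followed by a 1-byte rights mask."""
    mask = 0
    for r in rights:
        mask |= RIGHTS[r]
    return struct.pack(">IB", obj_id, mask)


def decode_cap(data):
    obj_id, mask = struct.unpack(">IB", data)
    return obj_id, {name for name, bit in RIGHTS.items() if mask & bit}


def keystream(key, nonce, n):
    """Toy stream cipher: HMAC-SHA256 in counter mode; used only to show what secrecy alone gives."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_only(key, data):
    """E(k, data) with secrecy but no integrity: nonce || (data XOR keystream)."""
    nonce = os.urandom(8)
    return nonce + bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


def decrypt_only(key, token):
    nonce, ct = token[:8], token[8:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def demo_malleable():
    """A holder of E(k, [7, read]) flips one ciphertext bit; the kernel decodes read+write."""
    token = encrypt_only(KERNEL_KEY, encode_cap(7, {"read"}))
    tampered = bytearray(token)
    tampered[8 + 4] ^= RIGHTS["write"]      # rights byte follows the 8-byte nonce and 4-byte object id
    return decode_cap(decrypt_only(KERNEL_KEY, bytes(tampered)))


def mint_cap(key, obj_id, rights):
    """Authenticated capability: data || HMAC-SHA256(k, data). Producing a valid tag requires k."""
    data = encode_cap(obj_id, rights)
    return data + hmac.new(key, data, hashlib.sha256).digest()


def verify_cap(key, token):
    """Return (object, rights) if the tag checks, else None."""
    data, tag = token[:5], token[5:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if len(tag) != 32 or not hmac.compare_digest(tag, expected):
        return None
    return decode_cap(data)


def demo_authenticated():
    """Same bit flip on the rights byte of an authenticated token: the tag no longer verifies."""
    token = mint_cap(KERNEL_KEY, 7, {"read"})
    tampered = bytearray(token)
    tampered[4] ^= RIGHTS["write"]
    return verify_cap(KERNEL_KEY, token), verify_cap(KERNEL_KEY, bytes(tampered))


if __name__ == "__main__":
    print("encrypt-only token after one bit flip decodes as:", demo_malleable())
    genuine, forged = demo_authenticated()
    print("authenticated token: genuine ->", genuine, "| tampered ->", forged)
```

The kernel still has to keep k out of reach of user processes; the tag only guarantees that whatever it accepts was minted by the key holder and not altered since, which is the integrity requirement the slide lists.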
Procedure-Level Protection Domains
• HYDRA
  – Each procedure defines a new protection domain
• Procedure
  – Code
  – Data
  – Capabilities to other objects
    • Caller-independent
    • Caller-dependent templates
• Local Name Space
  – Capabilities are bound here
  – Record of a procedure invocation (procedure instance)
• Process
  – Stack of LNSs

How HYDRA works
• Q: Which object defines the protection domain?
[Figure: Caller LNS and Callee LNS, each holding a Proc (Capabilities, Data, Template) plus Caller-Dep Capabilities; the Kernel performs "Call Callee + Capabilities" and "Create Callee LNS"]

Implications of Fine-Grained Protection
• Programmer
  – Must define templates for procedure
  – Connect the procedure rights together
• Performance impact
• Q: Do we need to manage rights at this level?

Flexibility vs. Security
• Small protection domains are desirable because:
  – Enables solving finer-grained problems
  – Less rigid protection
  – Independent accounting
  – Reliable and redundant security controls
  – Individual controls are easier to understand
• Top-down vs. bottom-up; fine- vs. coarse-grained

Secure Capability Systems
• SCAP
  – Karger’s extension of the Cambridge CAP system
• EROS
  – Shapiro’s reimplementation of the KeyKOS system

Capabilities and the *-Property
• Capabilities and lattice models don’t mix
• Suppose A is higher secrecy than B
  – A can read B’s capabilities
• Q: Can a Trojan horse running as A write to Obj?
[Figure: B’s capabilities include Read-Write on Obj]

Capability Management
• How’d you get those capabilities?
  – Stored with program, user
  – Compare with getting permissions by a process label
• How do I get them back?
  – Once granted, nearly impossible to revoke

EROS Revocation
• Defined by Redell
  – Use a layer of indirection
• Revoker capabilities
  – If you may revoke, create a revoker
  – Then grant capabilities to the revoker
  – When you delete the revoker, all descendants become invalid
[Figure: a capability pointing directly at Object is Not Revocable; capabilities pointing at the Revoker, which in turn points at Object, are Revocable]

SCAP Revocation
• Chain the capabilities
  – “revocation by chaining”
• All capabilities to an object are stored in a ring
  – Can then revoke one
  – Motivate reassessment of all others
  – How do I know that I am revoking a particular capability?
• Compare with using revoker capabilities
  – the memory/performance cost
  – the flexibility of revocation
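The HYDRA slides above (a procedure with caller-independent capabilities and caller-dependent templates, a Local Name Space per invocation, a process as a stack of LNSs, and the kernel creating the callee LNS on each call) can be modelled directly. The following is an added example, not code from the lecture or from HYDRA itself: the class names Procedure, LNS, Process and Kernel.call, the constructed FILES objects, and the choice to attenuate a passed capability to exactly the rights its template asks for are assumptions of this model. It shows that the callee can use only what was bound into its LNS, that the caller's other capabilities are invisible to it, that the kernel refuses a call whose template the caller cannot satisfy, and that the callee's domain disappears when the call returns.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Capability:
    obj: str
    rights: FrozenSet[str]


@dataclass
class Procedure:
    name: str
    code: Callable                                   # body(process, kernel) -> result
    data: Dict[str, object] = field(default_factory=dict)
    caps: Dict[str, Capability] = field(default_factory=dict)           # caller-independent
    templates: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # caller-dependent: param -> rights required


@dataclass
class LNS:
    """Local Name Space: the record of one procedure invocation and the capabilities bound into it."""
    proc: Procedure
    caps: Dict[str, Capability]

    def access(self, name, right):
        """Every object reference goes through the LNS; the right must be on the named capability."""
        cap = self.caps.get(name)
        if cap is None or right not in cap.rights:
            raise PermissionError(f"{self.proc.name}: no '{right}' right on '{name}'")
        return cap.obj


class Process:
    def __init__(self):
        self.stack: List[LNS] = []                   # a process is a stack of LNSs

    @property
    def current(self):
        return self.stack[-1]


class Kernel:
    def call(self, process, callee, arguments):
        """Check the caller's capabilities against the callee's templates, create the callee LNS, run, pop."""
        caller = process.current
        bound = dict(callee.caps)                    # caller-independent capabilities, fixed at definition
        for param, needed in callee.templates.items():
            cap = caller.caps.get(arguments.get(param))
            if cap is None or not needed <= cap.rights:
                raise PermissionError(f"call to {callee.name}: '{param}' needs {sorted(needed)}")
            bound[param] = Capability(cap.obj, needed)   # assumption: attenuate to what the template asks for
        process.stack.append(LNS(callee, bound))
        try:
            return callee.code(process, self)
        finally:
            process.stack.pop()                      # the callee's protection domain ends with the call


FILES = {"report": "capability systems are fun", "secret": "do not share"}   # constructed objects


def word_count_body(process, kernel):
    lns = process.current
    text = FILES[lns.access("input", "read")]        # granted through the template
    denied = []
    for name, right in (("input", "write"), ("secret", "read")):
        try:
            lns.access(name, right)                  # not in this LNS: the caller's other rights are invisible
        except PermissionError:
            denied.append((name, right))
    return len(text.split()), denied


WORD_COUNT = Procedure("word_count", word_count_body, templates={"input": frozenset({"read"})})
MAIN = Procedure("main", lambda process, kernel: kernel.call(process, WORD_COUNT, {"input": "report"}),
                 caps={"report": Capability("report", frozenset({"read", "write"})),
                       "secret": Capability("secret", frozenset({"read"}))})


def run():
    kernel, process = Kernel(), Process()
    process.stack.append(LNS(MAIN, dict(MAIN.caps)))   # the initial LNS for main
    result = MAIN.code(process, kernel)
    return result, len(process.stack)                  # only main's LNS remains after the call


def run_denied():
    """A template demanding write cannot be satisfied from a read-only capability; the kernel refuses."""
    editor = Procedure("editor", lambda process, kernel: "ran", templates={"input": frozenset({"read", "write"})})
    kernel, process = Kernel(), Process()
    process.stack.append(LNS(MAIN, dict(MAIN.caps)))
    try:
        kernel.call(process, editor, {"input": "secret"})
        return False
    except PermissionError:
        return len(process.stack) == 1               # no callee LNS was ever pushed


if __name__ == "__main__":
    print(run())          # ((4, [('input', 'write'), ('secret', 'read')]), 1)
    print(run_denied())   # True
```

The cost the "Implications" slide points at is visible here too: every procedure needs its templates spelled out and every call pays for a kernel-mediated check and an LNS allocation.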
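The two revocation slides above describe Redell's revoker indirection (a capability that reaches the object only through a revoker dies, together with everything delegated onward from it, when the revoker is deleted) and SCAP's ring of all capabilities to an object (which lets you find and revoke one particular capability). The following is an added example covering both, not code from the lecture, EROS, KeyKOS or SCAP: the Kernel class, its object/revoker tables, the per-object ring and the constructed "payroll data" object are assumptions of this model.

```python
import itertools


class Revoked(Exception):
    """Raised when a capability can no longer reach its object."""


class Capability:
    def __init__(self, target, rights, holder):
        self.target = target        # ("obj", id) for a direct capability, ("rev", id) for a revocable one
        self.rights = set(rights)
        self.holder = holder
        self.revoked = False        # SCAP-style flag: this one capability has been revoked


class Kernel:
    def __init__(self):
        self.objects = {}           # object id -> contents
        self.revokers = {}          # revoker id -> the target it forwards to; deleting it breaks the chain
        self.rings = {}             # SCAP-style ring: object id -> every capability minted for it
        self._ids = itertools.count(1)

    def create_object(self, contents):
        oid = next(self._ids)
        self.objects[oid] = contents
        self.rings[oid] = []
        return oid

    def _object_of(self, target):
        """Follow revoker indirections down to the object id; None if any revoker on the path is gone."""
        kind, ident = target
        while kind == "rev":
            if ident not in self.revokers:
                return None
            kind, ident = self.revokers[ident]
        return ident

    def _register(self, cap):
        self.rings[self._object_of(cap.target)].append(cap)
        return cap

    def direct_cap(self, oid, rights, holder):
        """Points straight at the object: the 'not revocable' path in the figure."""
        return self._register(Capability(("obj", oid), rights, holder))

    def create_revoker(self, cap):
        """The holder of cap inserts a layer of indirection that it controls."""
        rid = next(self._ids)
        self.revokers[rid] = cap.target
        return rid

    def grant_via(self, rid, rights, holder):
        """Grant a capability that reaches the object only through the revoker."""
        return self._register(Capability(("rev", rid), rights, holder))

    def delete_revoker(self, rid):
        del self.revokers[rid]      # every capability routed through rid, and its descendants, becomes invalid

    def revoke_one(self, cap):
        cap.revoked = True          # SCAP: revoke exactly this capability, located through the object's ring

    def read(self, cap):
        oid = self._object_of(cap.target)
        if cap.revoked or oid is None:
            raise Revoked(f"{cap.holder}'s capability is no longer usable")
        if "read" not in cap.rights:
            raise PermissionError(f"{cap.holder} has no read right")
        return self.objects[oid]

    def usable(self, cap):
        try:
            self.read(cap)
            return True
        except Revoked:
            return False

    def holders(self, oid):
        """Walk the ring: who holds a capability to the object, and does it still work?"""
        return [(c.holder, self.usable(c)) for c in self.rings[oid]]


def demo_revoker():
    k = Kernel()
    doc = k.create_object("payroll data")                   # constructed object
    owner = k.direct_cap(doc, {"read", "write"}, "owner")
    rev = k.create_revoker(owner)                           # owner may revoke, so creates a revoker
    alice = k.grant_via(rev, {"read"}, "alice")
    alice_rev = k.create_revoker(alice)                     # alice delegates onward through her own revoker
    bob = k.grant_via(alice_rev, {"read"}, "bob")
    before = [k.usable(c) for c in (owner, alice, bob)]
    k.delete_revoker(rev)                                   # alice and her descendant bob lose access; owner keeps it
    after = [k.usable(c) for c in (owner, alice, bob)]
    return before, after


def demo_chaining():
    k = Kernel()
    doc = k.create_object("payroll data")
    k.direct_cap(doc, {"read", "write"}, "owner")
    k.direct_cap(doc, {"read"}, "alice")
    bob = k.direct_cap(doc, {"read"}, "bob")
    k.revoke_one(bob)                                       # the ring identifies bob's copy; the others are untouched
    return k.holders(doc)


if __name__ == "__main__":
    print(demo_revoker())    # ([True, True, True], [True, False, False])
    print(demo_chaining())   # [('owner', True), ('alice', True), ('bob', False)]
```

The trade-off the SCAP slide asks about is visible in the two models: the revoker costs an extra indirection on every use and can only revoke whole subtrees, while the ring costs memory proportional to the number of capabilities but lets the owner pick out a single one.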