Computer Security: Capability Systems - Lecture 13, Study notes of Computer Science

A part of the lecture notes for the computer security course (cse543) taught by professor jaeger at penn state university in fall 2007. The notes cover the topic of capability systems, including process-specific permissions, the confused deputy problem, capabilities, real os capabilities, and user space capabilities. The document also discusses the advantages and disadvantages of capability systems and compares them to access control lists (acls).

Typology: Study notes

Pre 2010

Uploaded on 09/24/2009

koofers-user-m67
koofers-user-m67 🇺🇸

5

(1)

10 documents

1 / 23

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 13 - Capability Systems
October 9, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/
1
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17

Partial preview of the text

Download Computer Security: Capability Systems - Lecture 13 and more Study notes Computer Science in PDF only on Docsity!

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

CSE 543 - Computer Security

Lecture 13 - Capability Systems

October 9, 2007

URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1

Process-specific Permissions

  • Design the permissions of a process specific to its use
  • How do we change the permissions of a process in an ACL system?

Capabilities

  • A capability is the tuple (object, rights)
  • A capability system implements access control by checking if the process has an appropriate capability - Simple, right? - This is a little like a ticket in the Kerberos system
  • Q: Does this eliminate the need for authentication?

Capabilities

  • A: Well, yes and no …
  • Capabilities remove the overhead of managing per object rights, but add the overhead of managing capabilities
  • Moreover, to get any real security, they have to be unforgeable - Hardware tags (to protect capabilities) - Protected address space/registers - Language based techniques - Enforce access restrictions on caps. - Cryptography - Make them unforgeable

User space capability?

  • Well, what are the requirements?
    • Authenticity/integrity - do not want malicious process to forge capabilities
  • Start with the data itself: [object, rights]
    • Object is typically encoded with identifier, or by some other tag (capabilities are sometimes known as tags)
    • Rights are often fixed (read, modify, write, execute, etc.)
  • Now, do what you with any other data (assume the kernel has a secret key k) E(k, [O i , r 1 , r 2 , … r n

])

  • What’s wrong with this construction (I got it from the website of one of the experts in the area)?

The right construction

  • Encryption does not provide authenticity/integrity, it provides confidentiality [O i , r 1 , r 2 , … r n ],HMAC(k, [O i , r 1 , r 2 , … r n

])

  • So how would you attack the preceding construction?

Procedure-Level Protection Domains

  • HYDRA
    • Each procedure defines a new protection domain
  • Procedure
    • Code
    • Data
    • Capabilities to other objects
      • Caller-independent
      • Caller-dependent templates
  • Local Name Space
    • Capabilities are bound here
    • Record of a procedure invocation (procedure instance)
  • Process
    • Stack of LNSs

How HYDRA works

  • Q: Which object defines the protection domain? Caller LNS Callee LNS Kernel Call Callee
  • Capabilities Create Callee LNS Caller Proc Callee Proc Capabilities Capabilities Data Data Template Template Caller-Dep Capabilities Caller-Dep Capabilities

Linden’s Capability View

  • Achieve flexible, effective security by
    • Small protection domains
    • Extensible set of types
  • Implies a capability system
    • Small protection domains with least privilege permissions
    • Extensible types enable composition of systems reliably
    • Capabilities can be passed among protection domains and into new subsystems
  • Protected Procedures
    • Like HYDRA
    • Change domain with each procedure invocation
    • New procedure is a new instance
  • Protection Domain switch time is key (high in modern processors)

Correctness Claim

  • “It is far more difficult to build a 50,000 line program than 1,000 programs that are each 50 lines long.” - What is your opinion of this? - Is it just the procedure development that is important?
  • Two problems
    • Decomposition results in inefficiencies
    • Interactions between procedures are not captured

Secure Capability Systems

  • SCAP
    • Karger’s extension of the Cambridge CAP system
  • EROS
    • Shapiro’s reimplementation of the KeyKOS system

Capabilities and the *-Property

  • Capabilities and Lattice Models Don’t Mix
  • Suppose A is higher secrecy than B
    • A can read B’s capabilities
  • Q: Can a Trojan horse running as A write to Obj? B’s capabilities Read-Write Obj

EROS *-security

  • Define weak capabilities
    • If a weak capability is used to fetch a capability (transitively), then the fetched capability becomes read- only and weak
  • Assign weak capabilities to higher-secrecy subjects for accessing a lower-secrecy write capability - becomes read-only and weak
  • No need to test against a policy at runtime
    • Faster performance is possible
  • For general confinement use an confined processes or authorized capability sets - Not clear these really worked for general confinement

Capability Management

  • How’d you get those capabilities?
    • Stored with program, user
    • Compare with getting permissions by a process label
  • How do I get them back?
    • Once granted, nearly impossible to revoke