第四讲访问控制

1、Access Controln“The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner“ncentral element of computer securitynassume have users and groupsauthenticate to systemassigned access rights to certain resources on systemAccess Control Princi

2、plesAccess Control Policiesn自主访问控制（Discretionary Access ControlDAC） 由客体的属主对自己的客体进行管理，由属主自己决定是否将自己客体的访问权或部分访问权授予其他主体，这种控制方式是自主的.自主访问控制下，用户可以自主选择哪些用户可以共享他的文件。 Linux系统中有两种自主访问控制策略，一种是9位权限码（User-Group-Other），另一种是访问控制列表ACL（Access Control List）。n强制访问控制（Mandatory Access ControlMAC） 将系统中的信息分密级和类进行管理，以保证每个用户

3、只能访问到那些被标明可以由他访问的信息的一种访问约束机制。 在强制访问控制下，用户（或其他主体）与文件（或其他客体）都被标记了固定的安全属性（如安全级、访问权限等），在每次访问发生时，系统检测安全属性以便确定一个用户是否有权访问该文件。其中多级安全（MultiLevel Secure, MLS）就是一种强制访问控制策略.。Access Control Requirementsnreliable inputnfine and coarse specificationsnleast privilegenseparation of dutynopen and closed policiesnpoli

4、cy combinations, conflict resolutionnadministrative policies(规定谁能增加、删除或修改授权规则)Access Control Elementsnsubject - entity that can access objectsa process representing user/applicationoften have 3 classes: owner, group, worldnobject - access controlled resourcee.g. files, directories, records, programs

5、 etcnumber/type depend on environmentnaccess right - way in which subject accesses an objecte.g. read, write, execute, delete, create, searchDiscretionary Access Control noften provided using an access matrixlists subjects in one dimension (rows)lists objects in the other dimension (columns)each ent

6、ry specifies access rights of the specified subject to that objectnaccess matrix is often sparsencan decompose by either row or columnAccess control matrix LampsonFile 1File 2File 3File nUser 1readwrite-readUser 2writewritewrite-User 3-readreadUser mreadwritereadwritereadSubjectsObjects按主体排序或访问等价于能力

7、表按客体排序或访问等价于ACLAccess Control ModelAccess Control FunctionProtection Domainsnset of objects with associated access rightsnin access matrix view, each row defines a protection domain任何由该用户派生的进程拥有同一保护域的访问权限but not necessarily just a usermay be a limited subset of users rightsapplied to a more restrict

8、ed processnThe association between a process and a domain may be static or dynamic 例： 操作系统的用户模式（不能使用某些受保护的内存区域，且不能执行某些指令）和内核模式（能够执行特权指令，并能访问受保护的内存区域）UNIX File ConceptsnUNIX files administered using inodescontrol structure with key info on filenattributes, permissions of a single file几个文件名可以与一个inode关

9、联，但一个活动inode仅与一个文件关联磁盘上有一个 inode表，包含所有文件的inoden打开一个文件时，它的inode被读入主存，驻留在内存inode表中ndirectories form a hierarchical treemay contain files or other directories目录包含文件名和指向关联inode的指针列表。每个目录都与其自己的inode关联UNIX File Access Control与每个文件相关联，有12位保护位，9个保护位分别指定文件所有者、组用户、其他用户的读、写和执行许可，后三位分别是SetUID SetGID sticky位UNIX

10、 File Access Controln9个保护位分别指定文件所有者、组用户、其他用户的读、写和执行许可，后三位分别是SetUID SetGID sticky位n“set user ID”(SetUID) or “set group ID”(SetGID)system temporarily uses rights of the file owner / group in addition to the real users rights when making access control decisions (These are known as the “effective user

11、ID”and “effective group ID” and are used in addition to the “real user ID” and “real group ID” of the executing user )enables privileged programs to access files / resources not generally accessiblensticky bit 应用于目录，表示只有目录中任何文件的所有者才可以重命名、移动或删除该文件nsuperuser is exempt from usual access control restric

12、tions(Any program that is owned by, and SetUID to, the “superuser” potentially grants unrestricted access to the system to any user executing that program)进程标志Each process has three Ids (+ more under Linux)Real user ID (RUID) 用户标志 same as the user ID of parent (unless changed) used to determine whic

13、h user started the process 用来识别谁启动了程序Effective user ID (EUID) 有效用户标志 from set user ID bit on the file being executed, or sys call determines the permissions for process 识别程序的权限 Saved user ID (SUID) So previous EUID can be restored;exec( );RUID 25SetUIDprogram;i=getruid()setuid(i);RUID 25EUID 18RUID

14、25EUID 25-rw-r-r-file-rw-r-r-fileOwner 18Owner 25read/writeread/writeOwner 18UNIX Access Control Listsnmodern UNIX systems support ACLsncan specify any number of additional users / groups and associated rwx permissionsnACLs are optional extensions to std permsngroup perms also set max ACL permsnwhen

15、 access is requiredselect most appropriate ACLnowner, named users, owning / named groups, otherscheck if have sufficient permissions for access扩展的ACLFreeBSD允许管理员通过Setfacl命令为文件分配一个UNIX用户ID和组的列表，通过三个保护位（读写执行）与文件关联FreeBSD文件有一个附加位，用于指出文件是否有扩展ACL组类中的权限起到了掩码的作用Android process isolationnAndroid application

16、 sandboxIsolation: Each application runs with its own UID in own VMnProvides memory protectionnCommunication protected using Unix domain socketsnOnly ping, zygote (spawn another process) run as rootInteraction: reference monitor checks permissions on inter-component communication Least Privilege: Ap

17、plications announces permission nWhitelist model user grants accessQuestions asked at install time, to reduce user interruptionRole-Based Access ControlRBAC得到商用，活跃的研究领域。每个角色包含其需要访问权的最小集Role-Based Access ControlIndividualsRolesResourcesengineeringmarketinghuman resServer 1Server 3Server 2Advantage: u

18、sers change more frequently than rolesRole-Based Access ControlUser: An individuals that has access to this computer system, & associated user ID. Role: A named job function within the organization that controls this computer system. Typically, associated with each role is a description of the autho

19、rity（权限） and responsibility（职责） conferred on this role, and on any user who assumes this role. Permission: An approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization. Session: A mapping between a user and an activated subset of

20、the set of roles to which the user is assigned.基本模型RBAC0RBAC 参考模型n角色层次RBAC1下级工作岗位的访问权可能是上级岗位的一个子集，继承 使一个角色能够隐式包含其下级角色关联的访问权约束RBAC2n角色之间定义的关系或与角色相关的条件n互斥角色（mutually exclusive role）：一个用户只能被分配集合中的一个角色；任何许可只能被授予集合中的一个角色（增加不同能力、不同工作职责的个体联合破坏安全策略的难度）n基数(cardinality)：关于角色的最大数值。（分配给指定角色的最大用户数；强制约束一个用户可以分配的最

21、大角色数；一个用户一次会话中可被激活的角色数；授予某个特定许可的最大角色数）n先决条件(prerequisite)：用户已经被分配了特定角色，才能被分配某个角色。NIST RBAC Model（2001）主要创新是引进了主要创新是引进了RBAC系统与管理函数规约系统与管理函数规约Administrative functions（管理函数）: provide the capability to create, delete, and maintain RBAC elements and relations 包括添加、删除用户；添加、删除角色；创建、删除用户到角色分配的实例；创建、删除许可到角色分

22、配的实例。Supporting system functions（支持系统函数）（支持系统函数）: provide functions for session management and for making access control decisions 包括创建用户与默认的活动角色集的会话；为会话添加活动角色；在会话中删除角色；检查会话主体是否有权限执行对客体的请求操作。Review functions（评审函数）（评审函数）: provide the capability to perform query operations on RBAC elements and relatio

23、ns 查看模型所有元素及其关系被采纳为ANSI INCITS 359-2004NIST RBAC模型组件n核心RBAC： 包含目前RBAC系统具有的共同特征的最小模型n层次RBAC：包含RBAC1描述的继承概念 通用角色层次允许角色层次中存在任意偏序关系 受限角色层次施加限制，保证简单的树形结构 增加了4个新的管理函数，在两个已存在的角色之间添加、删除直接继承关系；创建新的角色并添加为已存在角色的直接子孙；评审函数能查看各角色直接或通过继承相关联的许可和用户n静态职责分离关系（SSD） 定义互斥角色集，（角色集，n）包括创建、删除角色集及添加、删除角色成员的管理函数，查看已存在的SSDn动态职

24、责分离关系（DSD）限制了用户可以使用的许可，（角色集，n）没有用户可以激活角色集中的n或者更多的角色职责分离 （Separation of duty）：由不同的人分别作不同的事 中国墙安全策略（Chinese Wall Policy） Lawyers L1, L2 in Firm F are experts in banking If bank B1 sues bank B2, L1 and L2 can each work for either B1 or B2 No lawyer can work for opposite sides in any case 没有律师在任何案例中可以为对

25、立双方工作RBAC For a Bank强制访问控制强制访问控制（Mandatory Access ControlMACn用于将系统中的信息分密级和类进行管理，以保证每个用户只能访问到那些被标明可以由他访问的信息的一种访问约束机制。n用户（或其他主体）与文件（或其他客体）都被标记了固定的安全属性（如安全级、访问权限等）n在每次访问发生时，系统检测安全属性以便确定一个用户是否有权访问该文件。Bell-La Padula 机密模型 nWhen is it OK to release information?nTwo PropertiesSimple security propertynA subj

26、ect S may read object O only if C(O) C(S)*-PropertynA subject S with read access to O may write object P only if C(O) C(P)nIn words,You may only read below your classification and only write above your classificationn简单安全特性：主体s要能读对象O, 主体的安全许可等级不得低于对象的安全等级。n仅当C(o) C(s) ,主体s才能对对象o有读访问权n * 特性：将一个敏感对象写入

27、另一个敏感对象时，要求被写入对象的敏感度至少不低于要写入的对象n 仅当C(o) C(p),对对象o有访问权的主体才可以对对象p有写访问权n适用于信息安全，用于识别那些可能导致信息被不适当修改的模型SPublicProprietaryRead below, write aboveSPublicProprietaryRead above, write belowBiba完整性模型Rules that preserve integrity of informationTwo Properties Simple integrity property A subject S may write object O only if C(S) C(O) (Only trust S to modify O if S has higher rank ) *-Property A subject S with read access to O may write object P only if C(O) C(P) (Only move info from O to P if O is more trusted than P)In words, You