Bracket Capability For Distributed Systems Security - Presentation Transcript
Talal A. Alsubaie presenting Evered's paper (2001), "Bracket Capabilities for Distributed Systems Security"
Overview
Protection in Operating System
Distributed System Security
Access Control
Access control lists
Capabilities
Case Study
Bracket Capabilities
Bracket Capabilities Implementation
Protection in Operating System
Protection features are provided by O.S.
There are several approaches to controlling access to objects:
Access Control Matrix, ACL, Capabilities
Most security concerns are about controlling access.
Protection in Operating System
Entities that can perform actions in the system are called subjects, e.g. Ahmed's account.
Entities representing resources to which access may need to be controlled are called objects, e.g. the file xyz.
(Diagram: Subject -> Access -> Object)
Protected Objects
Typical Objects We Desire to Protect:
Memory
Disk and tape drives
Printers
Programs
Networks
Data
…
Distributed System Security
Components of a distributed system can be viewed as objects according to the object-oriented paradigm.
One advantage of an object-oriented approach is that the security can be based on the interface methods of an object.
In this presentation, we'll talk about access control in object-oriented programming.
Access Control
Access control is the ability to permit or deny the use of a particular resource by a particular entity.
Access control mechanisms can be used in managing
Physical resources
Accessing the University.
Logical resources
Banking Account.
Digital resources
Text document.
We'll use a banking system as the running example.
Access Control (Diagram: Request for Operation -> Authorize Request)
Imagine a server with a number of entities (which we will call objects) under its control.
Requests come in, but are allowed only if the sender has sufficient access rights.
Access control is how those rights are verified.
Access Control List (ACL)
Access Control List (ACL)
A list of permissions attached to an object.
The list specifies who is allowed to access the object and what operations are allowed to be performed on the object.
Each entry in the list specifies a subject and an operation.
Example, on the XYZ file:
(Ahmed, Write)
(Saleh, Read)
(Mohammed, Read/Write)
General Schema
One list for each object.
Shows all users who have access.
Shows what access each user has.
Can have default entries for any users.
Specific users have explicit rights and all other users have default rights.
Objects can be shared by all possible users.
Example ACL: Ahmed R; Mohammed R/W; Talal W; Omar Deny
How does an ACL work? Subject (s) creates request (r); the pair (r, s) is sent to the object, which consults its ACL:
if (s appears in ACL)
    if (r appears in ACL[s])
        grant access;
Capabilities
Capabilities
A capability is a token (or ticket or key) which:
Gives the possessor certain rights to an object.
Must be unforgeable.
May grant transfer (or propagation) rights
Something like delegation of authority.
A right to pass copies of capabilities to others.
It should also be possible to revoke a capability.
User holds a "ticket" for each resource.
Example: (XYZ, delete), held by Ahmed
How do capabilities work? The subject creates request (r) for object (o) and passes capability (C) along with it; the object checks the capability rather than a list:
if (r appears in C)
    grant access;
Case Study
E-Banking System using Java
Java Interface
An interface is a contract between a class and the outside world.
When a class implements an interface, it promises to provide the behavior published by that interface.
interface Bicycle {
    void changeGear(int newValue);
    void speedUp(int increment);
    void applyBrakes(int decrement);
}
class MyBicycle implements Bicycle {
    // remainder of this class
}
Banking System (Diagram: a Bank Account object)
What access to an Accounts object should be given to the owner of an individual account?
We must ensure that only the right account is being accessed.
This means that the Key parameter of balance and getName, and the fromKey parameter of transfer, must be restricted to a particular value (the owner's account number).
Extending Role-based Security
We would like the account owner to view the object as if it had the type:
interface MyAccount {
    Currency balance();
    String getName();
    void transfer(Key toKey, Currency amount);
}
The MyAccount object can be seen as a virtual object.
Bracket Capabilities
Bracket Capabilities
To gain access to an object, the object is “opened” using a capability.
For example:
Accounts acc = c.open();
where c is a variable of type Capability.
Bracket Capabilities
Each persistent object, as well as implementing an interface such as Accounts, also implements the standard interface Persistent, which includes methods such as deleteObject, deleteCapability and refine.
The refine method is called when the possessor of a capability wishes to grant a more restricted view of the object to other users in the system.
The refine method is called as:
x = c.open();
Capability cref = x.refine(interface, class);
(Diagram: capability c opens the object directly; x.refine(interface, class) yields capability cref, whose calls pass through a bracketing object that implements the restricted interface.)
Bracket Capabilities
It can be seen that calls using the capability cref are directed through a kind of proxy or bracketing object.
(Diagram: capability cref -> bracketing object (restricted interface) -> object opened by capability c)
Bracket Capabilities Implementation (Diagram: capability objc opens the object; capability AtmCap gives the ATMAccount view through a bracketing object; a further refine operation yields capability cref2 with Interface2.)
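As an added illustration (not Evered's or the presenter's code), the open/refine mechanism above in plain Java: a Capability is the only handle to the Accounts object, and refine returns a capability whose referent is a bracketing object implementing the MyAccount view with every Key parameter bound to one owner's account. Assumptions: Key is an int account number, Currency a long, refine takes the owner key rather than the slide's (interface, class) pair, and Bank, BracketDemo and the sample accounts are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;

// Full interface of the persistent object. Key is modelled as an int account number, Currency as a long.
interface Accounts {
    long balance(int key);
    String getName(int key);
    void transfer(int fromKey, int toKey, long amount);
}
// The owner's restricted view (the MyAccount interface from the slides).
interface MyAccount {
    long balance();
    String getName();
    void transfer(int toKey, long amount);
}
// A capability is the only handle through which an object is opened; the holder reaches nothing else.
final class Capability<T> {
    private final T target;
    Capability(T target) { this.target = target; }
    T open() { return target; }
}
final class Bank implements Accounts {
    private final Map<Integer, Long> balances = new HashMap<>();
    private final Map<Integer, String> names = new HashMap<>();
    void addAccount(int key, String name, long amount) { names.put(key, name); balances.put(key, amount); }
    public long balance(int key) { return balances.get(key); }
    public String getName(int key) { return names.get(key); }
    public void transfer(int fromKey, int toKey, long amount) {
        if (balances.get(fromKey) < amount) throw new IllegalStateException("insufficient funds");
        balances.merge(fromKey, -amount, Long::sum);
        balances.merge(toKey, amount, Long::sum);
    }
    // refine: wrap a bracketing object that binds every Key parameter to ownerKey in a new capability
    // (assumed signature, simplified from the slide's refine(interface, class)).
    Capability<MyAccount> refine(int ownerKey) {
        return new Capability<>(new MyAccount() {
            public long balance() { return Bank.this.balance(ownerKey); }
            public String getName() { return Bank.this.getName(ownerKey); }
            public void transfer(int toKey, long amount) { Bank.this.transfer(ownerKey, toKey, amount); }
        });
    }
}
public class BracketDemo {
    public static void main(String[] args) {
        Bank bank = new Bank();
        bank.addAccount(1001, "Ahmed", 500);   // constructed sample accounts
        bank.addAccount(1002, "Saleh", 100);
        MyAccount acc = bank.refine(1001).open(); // capability handed only to Ahmed
        acc.transfer(1002, 200);                   // fromKey is bound to 1001 inside the bracket
        System.out.println(acc.getName() + " now holds " + acc.balance());
    }
}
```

Because MyAccount exposes no method that takes a fromKey, the holder of the refined capability cannot debit any account but the owner's, which is exactly the restriction the slides ask for.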
Talal A. Alsubaie. Email: [email_address]. Website: www.talals.net