Notes for February 4, 1998 1. Greetings and felicitations! a. Reading: Pfleeger, pp. 247Į249, 277Į280, 304Į305 2. Puzzle a. Point is that sometimes non-technical solutions are the most effective 3. MULTICS ring mechanism a. MULTICS rings: used for both data and procedures; rights are REWA b. (b1, b2) access bracket - can access freely; (b3, b4) call bracket - can call segment through gate; so if ašs access bracket is (32,35) and its call bracket is (36,39), then assuming per- mission mode (REWA) allows access, a procedure in: rings 0-31: can access a, but ring-crossing fault occurs rings 32-35: can access a, no ring-crossing fault rings 36-39: can access a, provided a valid gate is used as an entry point rings 40-63: cannot access a c. If the procedure is accessing a data segment d, no call bracket allowed; given the above, assuming permission mode (REWA) allows access, a procedure in: rings 0-32: can access d rings 33-35: can access d, but cannot write to it (W or A) rings 36-63: cannot access d 4. Capabilities a. Capability-based addressing: show picture of accessing object b. Show process limiting access by not inheriting all parentšs capabilities c. Revocation: use of a global descriptor table [ ended here ] 5. Lock and Key a. Associate with each object a lock; associate with each process that has access to object a key (itšs a cross between ACLs and C-Lists) b. Example: use crypto (Gifford). X object enciphered with key K. Associate an opener R with X. Then: OR-Access: K can be recovered with any Di in a list of n deciphering transformations, so R = (E1(K), E2(K), ..., En(K)) and any process with access to any of the Dišs can access the file AND-Access: need all n deciphering functions to get K: R = E1(E2(...En(K)...)) 6. Mandatory vs. Discretionary; a. security levels b. categories 7. Bell-LaPadula Model a. Simple Security Property: no reads up b. Star Property: no writes down c. Discretionary Security Property: if mandatory controls say itšs okay, check discretionary controls. d. Basic Security Theorem: A system is secure if its initial state is secure and no action vio- lates the above rules. 8. ORCON (Originator Controlled; Graubert) a. Document/information can be passed on with approval of originator; real world justifica- tion is that originator of document trusts recipients not to release documents which they should not. b. Untrusted subject x marks object O ORCON on behalf of organization X and indicates it is releasable to subjects acting on behalf of organization Y. not releasable to subjects acting on behalf of other organizations without Xšs permission any copies made have the same restriction c. DAC: canšt do this as the restriction would not copy over (y reads O into C, puts its own ACL on C) d. MAC: separate category withO, x, y. y wants to read O, copy to C; MAC means C has same category as O, x, y, so canšt give z access to C. Say a new organization w wants to provide data in B to y but not to be shared with x or z. Canšt use Ošs category. Hence you get explosion of categories. Real world parallel: individuals are Ņbriefedæ into a category and those represent a formal Ņneed to knowæ policy that is standard across the entity; ORCON has no central clearing- house to categorize data; originator makes rules. 9. Solution? a. owner of object canšt change ACLšs relationship with object (MAC characteristic) b. on copy, ACL is copied as well (MAC characteristic) c. access control restrictions can be tailored on a subject/object basis (DAC characteristic)