Outline for March 8, 2002

Reading: §13, §14, §15.1-15.4

  1. Greetings and Felicitations
  2. Puzzle of the day
  3. Identity
    1. Principal and identity
    2. Users, groups, roles
    3. Identity on the web
    4. Host identity: static and dynamic identifiers
    5. State and cookies
    6. Anonymous remailers: type 1 and type 2 (mixmaster)
  4. Principles of Secure Design
    1. Least Privilege
    2. Fail-Safe Defaults
    3. Economy of Mechanism
    4. Complete Mediation
    5. Open Design
    6. Separation of Privilege
    7. Least Common Mechanism
    8. Psychological Acceptability
  5. Privilege in Languages
    1. Nesting program units
    2. Temporary upgrading of privileges
  6. Access Control Lists
    1. UNIX method
    2. ACLs: describe, revocation issue
  7. MULTICS ring mechanism
    1. MULTICS rings: used for both data and procedures; rights are REWA
    2. (b1, b2) access bracket - can access freely; (b3, b4) call bracket - can call segment through gate; so if a's access bracket is (32,35) and its call bracket is (36,39), then assuming permission mode (REWA) allows access, a procedure in:
      rings 0-31: can access a, but ring-crossing fault occurs
      rings 32-35: can access a, no ring-crossing fault
      rings 36-39: can access a, provided a valid gate is used as an entry point
      rings 40-63: cannot access a
    3. If the procedure is accessing a data segment d, no call bracket allowed; given the above, assuming permission mode (REWA) allows access, a procedure in:
      rings 0-32: can access d
      rings 33-35: can access d, but cannot write to it (W or A)
      rings 36-63: cannot access d
  8. Capabilities
    1. Capability-based addressing: show picture of accessing object
    2. Show process limiting access by not inheriting all parent's capabilities
    3. Revocation: use of a global descriptor table

ECS 153, Introduction to Computer Security
Winter Quarter 2002
Email: cs153@cs.ucdavis.edu