Week 10 - Access Control Flashcards
(29 cards)
just read
so essentially the OS is in charge of which users can access certain resources
i.e. we may have a resource that must be available across users (e.g. mail), and those may have certain restrictions
- Alice can access Alice’s mail
- Bob can't access Alice's mail
what do access control policies do
set of rules to determine which users can access which resources and operations a user is allowed to perform
what do we mean by "system defines mechanisms, users define policies"
OS needs to be able to provide mechanisms to support a wide range of access control policies
The user then selects the policy they want to implement
e.g. Alice might create a file that:
Anyone can read but only Alice can write
amongst many other policies (she could have done e.g. both Bob and Alice can read or write but nobody else can access …)
Why is checking permission bits on open, and after that just knowing the file handle, advantageous
so essentially the design means:
cost of checking amortised - time penalty of the permission check on open is spread out across all future read/write operations
revocation is hard - changing permissions does not alter open fds - i.e. if Bob has an open fd and Alice changes the permissions on the file so only she can access it, Bob can still access it if he originally had read and write permissions
delegation possible - can hand over open fds to other processes
advantages of capabilities instead of using ACLs
attaching a list of pairs (which object, permissions) to a SUBJECT
💥 Summary of the idea:
Instead of attaching a list of pairs to each object (like in ACLs),
we attach a list of pairs → (which object, what permissions) → to each subject.
⚙️ And yes → the subject can be:
a user (coarse-grained), or
a process (fine-grained).
✅ By making the subject = process:
You can give different permissions to different processes,
even if they are all running under the same user account.
Example:
Process A (Alice) → can read and write file X.
Process B (Alice) → can only read file X.
Process C (Alice) → has no access to file X.
Advantages of ACL
Easy to revoke permissions of ACL
Easy to understand
Disadvantages of ACL
scale can become large -> consume lots of memory
if permission checks are frequent, we have to look up a large ACL, which slows performance
Authority is ambient - all of a user's processes will have that user's permissions
i.e. if Alice has read and write permissions, all her processes will have read and write
can't restrict, aka make it more fine-grained and have one be read and one be write
like you could in a capability system (where we attach the list to the subject, not the object)
what does security mean
A mindset of constant suspicion (there's always an adversary out to get you)
Who am I forced to trust
are security and fault tolerance the same thing
NO
Fault tolerance - protecting processes or other resources from accidental behaviour (incompetence)
Security - protecting processes or other resources from malicious behaviour
adversary is out to get you
properties of security
security has many properties:
confidentiality - info not exposed to unintended parties
integrity - info cannot be modified by unintended parties, and modification includes adding fake and spurious data to sit alongside old data (not just changing data to something the hacker wants)
availability - malicious actors can't deprive others of services
These properties are held under the assumption of
attack model - We define what kinds of attackers we are defending against.
the attacker's resources -
We assume attackers have reasonable, realistic resources
Just read
with access control lists we have already covered the notion of confidentiality (as we know who has access to an object) and integrity (we know the permissions each person has)
but with availability:
to make sure processes aren't deprived:
we need a max (memory, no. of processes …) per user
limit rate of process creation per user
attack model is: we can't have > 1 account per user, as if that were the case we could just make hella accounts and deprive others that way
Swiss cheese defence
so the key takeaway is that we use independent layers of defence (Swiss cheese model) such that if one attack passes through a layer it's likely to get blocked by successive layers
that way the ways an attack can pass through are limited
EACH LAYER IS A DIFFERENT TECHNIQUE and so attackers have to face multiple kinds of barriers requiring:
more time
more skillsets
more resources
READ Very important
PROBLEM with splitting privileges using ACL
so the problem with our approach is that we keep adding to the ACL (which, as we mentioned before, slows things down even more). For each user we need to set their privileges (to least privilege), but this is tedious, and if we flop (set permissions wrong) it can cause our program to fail
SOME PROGRAMS NEED TO COMBINE MULTIPLE AUTHORITIES
student@5CCS20SC:$ submit 1 ~/my-project-1
Because ACLs are typically tied to users:
You can only give the program the permissions of the user running it.
But here, you need both the student’s and the instructor’s permissions at the same time.
Just read
-rwsrws--x
Here’s the breakdown:
rws → owner has read, write, and setuid (s) permissions.
rws → group has read, write, and setgid (s) permissions.
--x → others can execute.
✅ First s (setuid):
When anyone runs this program, the OS temporarily switches the process’s user ID to the owner’s user ID.
That means the program runs with the owner’s permissions, not just the caller’s.
✅ Second s (setgid):
Same idea, but switches to the owner’s group ID.
This gives the program the owner’s group privileges too.
✅ Final x:
Others (like you) are allowed to execute the program.
why is setuid root so dangerous
setuid root
has root's permissions: can run as root and do whatever
solution
use a handle-based approach
Create new processes with a handle that explicitly and narrowly defines:
→ what the process can do,
→ and what permissions it has.
Each process has only the minimum power it needs (least privilege).
Example:
If the process is meant only to write to log files,
→ it gets a logging handle —
and it cannot touch user files, create new processes, or modify configs.
If the process is meant only to manage user sessions,
→ it gets a session handle —
and it cannot write to logs or escalate privileges.
if that's correct, how would we use this approach to do the submit coursework command
Authenticity
How does the system know who the user is
why does authenticity go both ways
- does the user trust the system (e.g. are we sure we are accessing KCL and not a malicious KCL clone)
- does the system trust the user (verified through passwords…)
defence against password attacks
Brute force - try all strings
time delays after successive unsuccessful attempts
dictionary attacks - attacker gets a list of dictionary words (words with meaning that are common in passwords) and tries those
To combat dictionary attacks, don't use dictionary words
Why don't computers store passwords
what do they store instead and why
the system doesn't store the password, it stores a hash of the password
i.e. it stores some f(p), where p is the password and f is a function, and checks if f(p) == f(input)
storing the hash is better, as if there's an attack and the hacker retrieves the hash, it is very hard to reverse into the password
offline dictionary attack
passwords - specifically the hash of the password (f(p)) - have leaked
The hacker gets a list of dictionary words and for each dictionary word checks if the hash (f(input)) is equal to the leaked hash they have (f(p)) - if it is, they have guessed the password
Offline as they ARE WORKING ON THEIR COMPUTER, not yours, and so are not subject to rate limits, lockouts …
Timing channel attack
When we have the password stored on disk or in memory - the system compares input and password directly
Attacker can use a timer to measure the no. of microseconds for the system to reject the password
the longer it takes to say incorrect password - the closer you are to getting the password correct
turns the attack from exponential to linear - as you can go character by character now
solution to this problem - add a randomised delay or, better yet, don't store passwords
untrappable key
so we are saying a user can't always trust the system
i.e. I may be trying to log in but it's a fake login screen
solution:
untrappable keys (APPS CAN'T CAPTURE / REPLICATE BEHAVIOUR)
e.g. Control-Alt-Delete
if I press this and get the expected output (takes me to Task Manager) then it's real
if nothing happens then it's fake
What is cryptography
cryptography - techniques (involving codes) for secure communication
If something is physically secure (CHANNEL NOT EXPOSED TO ATTACKERS) cryptography is not needed