L8: Access controls

Not posted yet

Materials

See raw slides (pdf).

Topics

  • Introduced the notion of setuid and how it is used to solve certain permission problems in Unix: a setuid program runs with the privileges of the file's owner rather than the caller's, so an unprivileged user can perform a narrowly scoped privileged operation (the classic case is passwd updating /etc/shadow).

  • Discussed the security problems with setuid and specifically the confused deputy problem.

  • Introduced an alternative method for access control based on capabilities. Because a capability both names an object and carries the authority to use it, a deputy cannot be tricked into applying its own authority to a caller-chosen object; this offers a natural defense against confused deputies.

  • All of these mechanisms are discretionary: the owner of a resource decides who may access it, so a careless owner, or a compromised program running as that owner, can hand data to anyone. To defend against this, systems often employ mandatory access control policies.

  • Mandatory Access Control (MAC) is a security model where access rights are regulated by a central authority.

    • Centralized control: System administrators define the policies, not data owners.
    • Sensitivity labels: System resources and users are assigned classifications and clearances respectively.
    • Need-to-know principle: Access is granted only if a user has both the appropriate clearance level and a need to access the resource.
    • Strict enforcement: The system rigidly enforces these policies; users cannot change access rights.
    • Hierarchical structure or lattice: Labels are typically organized hierarchically (e.g., Top Secret, Secret, Confidential, Unclassified), or as a security lattice that adds compartments (need-to-know categories) to the clearance levels, in which case two labels may be incomparable.
    • Information flow control: For confidentiality, the Bell-LaPadula model enforces “no read up, no write down”; for integrity, the Biba model enforces “no read down, no write up.”
    • Common implementations include SELinux and AppArmor.
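The confused deputy and the capability fix from the first three topics, as an added worked example (not from the lecture slides): a toy in-memory "OS" with a write ACL stands in for the kernel, `compiler` plays the setuid deputy that must update a private billing log, and `alice` is an unprivileged user. The file names, identities and ACL are constructed for illustration. With ambient authority the deputy opens whatever path the caller names using its own identity; with capabilities the caller has to open the output file herself, so she can only hand the deputy authority she already holds.

```python
"""Toy model of the confused deputy: a setuid-style deputy that opens
files under its own identity versus one that only accepts capabilities.
The in-memory 'OS', the ACL and the file names are constructed for
illustration."""
from dataclasses import dataclass


@dataclass
class WriteCap:
    """An unforgeable handle to one file, like an open file descriptor.
    Holding it *is* the permission; no name and no identity check is needed."""
    os_: "ToyOS"
    path: str

    def write(self, data: str) -> None:
        self.os_.files[self.path] = data


class ToyOS:
    """Minimal kernel: files, a write ACL, and an open() that checks the
    caller's identity once and returns a capability on success."""

    def __init__(self, files: dict, acl: dict):
        self.files = dict(files)
        self.acl = acl  # path -> set of uids allowed to write it

    def open_for_write(self, uid: str, path: str) -> WriteCap:
        if uid not in self.acl.get(path, set()):
            raise PermissionError(f"{uid} may not write {path}")
        return WriteCap(self, path)


def compile_ambient(os_: ToyOS, user_output: str, result: str) -> None:
    """Setuid-style deputy. It runs as 'compiler' (so it can update its
    private billing file) and opens *whatever path the user names* with
    that same identity: ambient authority, hence a confusable deputy."""
    os_.open_for_write("compiler", "/var/billing.log").write("charges: 43")
    os_.open_for_write("compiler", user_output).write(result)


def compile_capability(os_: ToyOS, user_output: WriteCap, result: str) -> None:
    """Capability-style deputy. The billing capability is the deputy's own;
    the output capability must be supplied by the caller, who can only
    obtain it for files the caller is allowed to write."""
    os_.open_for_write("compiler", "/var/billing.log").write("charges: 43")
    user_output.write(result)


def fresh_os() -> ToyOS:
    """Constructed filesystem: the deputy owns the billing log, alice owns a.out."""
    return ToyOS(
        files={"/var/billing.log": "charges: 42", "/home/alice/a.out": ""},
        acl={"/var/billing.log": {"compiler"}, "/home/alice/a.out": {"alice"}},
    )


def run_scenarios() -> dict:
    """alice tries to make the deputy clobber the billing log both ways."""
    results = {}

    # 1. Ambient authority: the deputy cannot tell alice's file from its own.
    os1 = fresh_os()
    compile_ambient(os1, "/var/billing.log", "garbage")
    results["ambient_billing"] = os1.files["/var/billing.log"]  # 'garbage'

    # 2. Capabilities: alice must open the output herself, as alice.
    os2 = fresh_os()
    try:
        cap = os2.open_for_write("alice", "/var/billing.log")
        compile_capability(os2, cap, "garbage")
        results["capability_attack"] = "succeeded"
    except PermissionError:
        results["capability_attack"] = "denied"
    results["capability_billing"] = os2.files["/var/billing.log"]  # unchanged

    # 3. The legitimate request still works with capabilities.
    cap = os2.open_for_write("alice", "/home/alice/a.out")
    compile_capability(os2, cap, "ELF...")
    results["capability_output"] = os2.files["/home/alice/a.out"]
    results["capability_billing_after"] = os2.files["/var/billing.log"]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point of the model is where the permission check happens: in the ambient version it happens inside the deputy, against the deputy's identity, so the deputy has to guess whether the caller was entitled to name that path; in the capability version it happens when the caller opens the file, against the caller's identity, and the deputy never sees a path at all.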
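The lattice, need-to-know and information-flow bullets above, as an added worked example (not from the lecture slides): labels carry a level plus a set of compartments, dominance is "higher-or-equal level and a superset of compartments", and the four Bell-LaPadula and Biba rules are each one line over that relation. The level names, compartments and object labels are constructed for illustration; the same functions also apply to any other lattice you plug into `LEVELS`.

```python
"""Security lattice with levels and compartments, with the Bell-LaPadula
(confidentiality) and Biba (integrity) rules evaluated over it. Levels,
compartments and the sample objects are constructed for illustration."""
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset
        of compartments. Two labels can be incomparable (neither dominates)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def L(level: str, *comps: str) -> Label:
    return Label(level, frozenset(comps))


# Bell-LaPadula: labels are confidentiality clearances/classifications.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (writing to a dominating label is allowed)."""
    return obj.dominates(subject)


# Biba: labels are integrity levels; the rules are the mirror image.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: no read down."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property: no write up."""
    return subject.dominates(obj)


BLP = (blp_can_read, blp_can_write)
BIBA = (biba_can_read, biba_can_write)

# Constructed objects: two Top Secret files in different compartments.
OBJECTS = {
    "weather.txt": L("Unclassified"),
    "budget.xlsx": L("Secret"),
    "warhead.doc": L("Top Secret", "NUC"),
    "keys.bin":    L("Top Secret", "CRYPTO"),
}


def accessible(rules, subject: Label, objects=OBJECTS):
    """Return (readable, writable) object names for `subject` under the
    given (read rule, write rule) pair, acting as a reference monitor."""
    can_read, can_write = rules
    readable = sorted(n for n, lab in objects.items() if can_read(subject, lab))
    writable = sorted(n for n, lab in objects.items() if can_write(subject, lab))
    return readable, writable


if __name__ == "__main__":
    analyst = L("Top Secret", "NUC")
    print("BLP  ", accessible(BLP, analyst))
    print("Biba ", accessible(BIBA, analyst))
    # Incomparable labels: neither NUC nor CRYPTO may read the other.
    print(blp_can_read(OBJECTS["warhead.doc"], OBJECTS["keys.bin"]),
          blp_can_read(OBJECTS["keys.bin"], OBJECTS["warhead.doc"]))
```

Running it for a Top Secret/NUC subject shows the two models mirroring each other: under Bell-LaPadula the subject can read everything except the CRYPTO compartment but can write only at its own label, while under Biba (reading the same labels as integrity levels) it can write everything at or below itself but read only from its own label. The `keys.bin` case is the need-to-know principle in action: Top Secret clearance alone is not enough without the compartment.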