CS 513 - System Security
Lecture 21

Lecturer: Professor Fred B. Schneider
Notes by: Vicky Weissman
Lecture Date: 4/13/00

Today's Topics

Domain Changes
Revocation and Review

Domain Changes:

Goal:
To change domains during procedure calls

Background:
There are 2 ways to pass an object to a method.

  1. Pass an instance of the object.
    The method does not need to retain information about the object between calls. This follows the Principle of Least Privilege, but requires the caller to provide all of the necessary information for each call.
  2. Pass a pointer to the object.
    This approach requires static memory.

Strategies:

  1. All method calls invoke the kernel. When the kernel is called, it changes the domain by changing the memory protection.
  2. Use encryption.
    • Define 2 operations, seal and unseal, that respectively encrypt and decrypt representations of objects.
    • Routines can be invoked using the sealed representation, but the unsealed version is needed to manipulate the object.
    • Only methods that are allowed to access the object can run the seal and unseal operations.

    Revocation and Review:

    Definitions:
    Revocation is the process of removing a subject's access right to an object. Revocation may be done to follow the Principle of Least Privilege, to allow temporary sharing, or to recover from misplaced trust.
    Review is the process of determining the rights of every subject at a particular time.
    Attenuation is the process of removing some or all of a subject's rights.
    Amplification is the process of granting a subject additional rights.

    Access Control Lists:
    If access control lists are used, then both review and revocation are simple operations. For review, each object prints its list. For revocation, the object removes a subject from its list.

    Capability Lists:
    If the capabilities are stored in user space, then review is very difficult, because the entire user space must be searched for bit sequences that correspond to capabilities. Without an easy way to do review, revocation is difficult, because it is hard to revoke a capability that cannot be found.

    Ways to Simplify Capability Review and Revocation:

    1. The kernel can manage the capabilities. To do this, the capabilities are stored in a reserved area of memory and the kernel is called whenever a capability is created or passed to another subject.

    2. The techniques used for certificate revocation can be used for capability revocation. Specifically, each capability can have an expiration date and each object can maintain a list of subjects that no longer have access to it.

    3. A layer of indirection can be used. For example, consider the case that subject SA wants to give subject SB access to Object O. SA can create an object called an alias that can be used to access O. SA then gives SB a capability to access the alias. During revocation, SA may not be able to find and delete the capability to the alias, but SA can revoke SB's access to O, by deleting the alias. This form of indirection can have interesting side effects, since SB could have used indirection to give another subject access to the alias that is then used to access O. Following these chains during review is difficult.