Security Engineering. Ross Anderson

Читать онлайн.
Название Security Engineering
Автор произведения Ross Anderson
Жанр Зарубежная компьютерная литература
Серия
Издательство Зарубежная компьютерная литература
Год выпуска 0
isbn 9781119642817



Скачать книгу

Alice rx x – – Accounts program rx rx rw w Bob rx r r r

      Another way of expressing a policy of this type would be with access triples of (user, program, file). In the general case, our concern isn't with a program so much as a protection domain which is a set of processes or threads that share access to the same resources.

      Access control matrices (whether in two or three dimensions) can be used to implement protection mechanisms as well as just model them. But they don't scale well: a bank with 50,000 staff and 300 applications would have a matrix of 15,000,000 entries, which might not only impose a performance overhead but also be vulnerable to administrators' mistakes. We will need a better way of storing and managing this information, and the two main options are to compress the users and to compress the rights. With the first, we can use groups or roles to manage large sets of users simultaneously, while with the second we may store the access control matrix either by columns (access control lists) or rows (capabilities, also known as ‘tickets’ to protocol engineers and ‘permissions’ on mobile phones) [1642, 2024].

      6.2.1 Groups and roles

      When we look at large organisations, we usually find that most staff fit into one of a small number of categories. A bank might have 40 or 50: teller, call centre operator, loan officer and so on. Only a few dozen people (security manager, chief foreign exchange dealer, …) will need personally customised access rights.

      Groups and roles can be combined. The officers of the watch of all ships currently at sea is a group of roles. In banking, the manager of the Cambridge branch might have their privileges expressed by membership of the group manager and assumption of the role acting manager of Cambridge branch. The group manager might express a rank in the organisation (and perhaps even a salary band) while the role acting manager might include an assistant accountant standing in while the manager, deputy manager, and branch accountant are all off sick.

      Whether we need to be careful about this distinction is a matter for the application. In a warship, even an ordinary seaman may stand watch if everyone more senior has been killed. In a bank, we might have a policy that “transfers over $10m must be approved by two staff, one with rank at least manager and one with rank at least assistant accountant”. If the branch manager is sick, then the assistant accountant acting as manager might have to get the regional head office to provide the second signature on a large transfer.

      6.2.2 Access control lists

User Accounting
Data
Sam rw
Alice rw
Bob r

      Finally, distributing the access rules into ACLs makes it tedious to find all the files to which a user has access. Verifying that no files have been left world-readable or even world-writable could involve checking ACLs on millions of user files; this is a real issue for large complex firms. Although you can write a script to check whether any file on a server has ACLs that breach a security policy, you can be tripped up by technology changes; the move to containers has led to many corporate data exposures as admins forgot to check the containers' ACLs too. (The containers themselves are often dreadful as it's a new technology being sold by dozens of clueless startups.) And revoking the access of an employee who has just been fired will usually have to be done by cancelling their password or authentication token.

      Let's look at an important example of ACLs – their implementation in Unix (plus its derivatives Android, MacOS and iOS).

      6.2.3 Unix operating system security

      In traditional Unix systems, files are not allowed to have arbitrary access control lists, but simply rwx attributes that allow the file to be read, written and executed. The access control list as normally displayed has a flag to show whether the file is a directory, then flags r, w and x for owner, group and world respectively; it then has the owner's name and the group name. A directory with all flags set would have the ACL:

       drwxrwxrwx Alice Accounts

      In our first example in Figure 6.1, the ACL of file 3 would be:

       -rw-r----- Alice Accounts

      The program that gets control when the machine is booted (the operating system kernel)