Читать книгу Security Engineering - Ross Anderson - Страница 206
6.2 Operating system access controls
ОглавлениеThe access controls provided with an operating system typically authenticate principals using a mechanism such as passwords or fingerprints in the case of phones, or passwords or security protocols in the case of servers, then authorise access to files, communications ports and other system resources.
Access controls can often be modeled as a matrix of access permissions, with columns for files and rows for users. We'll write r for permission to read, w for permission to write, x for permission to execute a program, and - for no access at all, as shown in Figure 6.1.
In this simplified example, Sam is the system administrator and has universal access (except to the audit trail, which even he should only be able to read). Alice, the manager, needs to execute the operating system and application, but only through the approved interfaces – she mustn't have the ability to tamper with them. She also needs to read and write the data. Bob, the auditor, can read everything.
| Operating | Accounts | Accounting | Audit | |
| System | Program | Data | Trail | |
| Sam | rwx | rwx | rw | r |
| Alice | x | x | rw | – |
| Bob | rx | r | r | r |
Figure 6.1: Naive access control matrix
This is often enough, but in the specific case of a bookkeeping system it's not quite what we need. We want to ensure that transactions are well-formed – that each debit is balanced by credits somewhere else – so we don't want Alice to have uninhibited write access to the account file. We would also rather that Sam didn't have this access. So we would prefer that write access to the accounting data file be possible only via the accounting program. The access permissions might now look like in Figure 6.2:
| User | Operating | Accounts | Accounting | Audit |
| System | Program | Data | Trail | |
| Sam | rwx | rwx | r | r |
| Alice | rx | x | – | – |
| Accounts program | rx | rx | rw | w |
| Bob | rx | r | r | r |
Figure 6.2: Access control matrix for bookkeeping
Another way of expressing a policy of this type would be with access triples of (user, program, file). In the general case, our concern isn't with a program so much as a protection domain which is a set of processes or threads that share access to the same resources.
Access control matrices (whether in two or three dimensions) can be used to implement protection mechanisms as well as just model them. But they don't scale well: a bank with 50,000 staff and 300 applications would have a matrix of 15,000,000 entries, which might not only impose a performance overhead but also be vulnerable to administrators' mistakes. We will need a better way of storing and managing this information, and the two main options are to compress the users and to compress the rights. With the first, we can use groups or roles to manage large sets of users simultaneously, while with the second we may store the access control matrix either by columns (access control lists) or rows (capabilities, also known as ‘tickets’ to protocol engineers and ‘permissions’ on mobile phones) [1642, 2024].
