IDA PAPER P-1935 TRADITIONAL CAPABILITY-BASED SYSTEMS: AN ANALYSIS OF THEIR ABILITY TO MEET THE TRUSTED COMPUTER SECURITY EVALUATION CRITERIA

Transcription

1 IDA PAPER P-1935 TRADITIONAL CAPABILITY-BASED SYSTEMS: AN ANALYSIS OF THEIR ABILITY TO MEET THE TRUSTED COMPUTER SECURITY EVALUATION CRITERIA v. D. Oligor J. C. Huskamp S. R. Welke C. J. Linn W. T. Mayfield February 1987 INSTITUTE ~ IDA FOR DEFENSE ANALYSES Contract MDA C 0031 Task T

2 Preface This paper, thraugh the use.of a "traditianal" capability-based system madel, is intended ta clarify the role.of capabilities in supparting different security palicies. In articular,the ability.ofthese "traditianal" systems ta meet the Trusted Camputer Security tvaluatian Criteria [TCSEC83] is analyzed. The paper is further intended ta be used as a backgraund reference by the Natianal Camputer Security Center (NCSC) Product Evaluatian Teams when they are invalved in the evaluatian.of new capability-based products. The authars have assumed that the readers.ofthis paper are camputer prafessianals (e.g., NCSC Product Evaluatian Team members.or designers.of camputer.operating systems)wha are well versed in data structures,.operatingsystem principles, and.operating system architectures, and wha are alsa relatively familiar with security cancepts and models. Virgil Gligar from the University.of Maryland served as principal researcher. Many ather individuals alsa have.cantributed ta the productian.ofthis paper. We wish ta acknowledge the assistance.ofdan Nessett, Lawrence Livermare Labs; Richard Kain, University.ofMinnesata; Narman Hardy, Susan Rajunas, et. al.,.ofkeylagic, Inc.; and Roger Schell.of Gemini Camputers, Inc., far their tharough review and critique.of the initial drafts.ofthis paper. Their camments helped significantly in praviding better focus and presentatian.of the material. The authars, hawever, remain respansible far the accuracyand appropriateness.ofthe cantents of this [mal versian.

3 Glossary of Definitions These definitions are adapted from [Saltzer75]; words which appear in italics are defmed elsewhere in this Glossary: Access Accesscontrol list The ability to make use of information stored in a computer system. Used frequently as a verb, to the horror of grammarians. - A list of subjects that are authorized to have access to some object. In most implementations, this list consists of identifiers of users and groups of users. Access Privilge A particular form of allowed access (READ as contrasted with WRITE, etc.). Authenticate Authorize To verify the identity of a person (or other agent external to the protection system) making a request To grant a subject access to certain information. Capability From a protection point of view, an unforgeable ticket containing access privileges which, when presented, can be taken as incontestable proof that the presenter is authorized to have access to the object named in the ticket. From a naming viewpoint, a capability is a system-wide object name. Confinement Descriptor Allowing a borrowed program to have access to data, while ensuring that the program cannot release the information. A protected value which is (or leads to) the physical address of some protected object. Usually, it is a process-relative mapping between a segment number and a storage segment (Le., it is an entry of a per-process table) *-.>f,

4 Discretionary Domain Encryption Grant Hierarchical control Kernel List-oriented Password Privacy Process Propagation (In contrast with nondiscretionary.) Controls on access to an object that may be changed by the creator (owner) of the object or by other principals implicitly or explicitly authorized by the object creator (owner). See Hierarchical ControL The set of objects that currently may be accessed by a subject. The (usually) reversible scrambling of data according to a secret transformation key, so as to make it safe for transmission or storage in a physically unprotected environment. To authorize. Referring to ability to change authorization, a scheme in which the record of each authorization is controlled by another aut~orization, resulting in a hierarchical tree of authorizations. An encapsulation of the ~lementary functions of an operating system. A security kernel encapsulates the key securityrelated portions of an operating system that prevent unauthorized access to objects. Used to describe aprotection system in which each protected object has a list of authorized subjects. A secret character string used to authenticate the claimed identity of an individual. The ability of an individual (or organization) to decide whether, when, and to whom personal (or organizational) information is released. A program in execution on a processor which represents an accounting, concurrency, and recovery entity of a computer system. When a subject, having been authorized access to some object, in turn authorizes access to another subject. IV

5 ~~- Protected object Protected subsystem Protection A data structure whose existence is known, but whose internal organization is not accessible, except by invoking the protected subsystem that manages it. A collection of procedures and data objects that is encapsulated in a domain of its own so that the internal structure of a data object is accessible only to the procedures of the protected subsystem and the procedures may be called only at designated domain entry points. 1) Security. 2) Used more narrowly to denote mechanisms and techniques that control the access of executing programs to stored information. Revoke To take away previously authorized access subject. from some Security Subject Ticket-based User With respect to information processing systems, used to denote mechanisms and techniques that control who may use or modify the computer or the information stored in it. A process within a domain executing instructions on behalf of a user or group of users. Used to describe a protection system in which each subject maintains a list of unforgeable bit patterns, called tickets, one for each object the subject is authorized to have access as specified by the access privileges of the ticket Used imprecisely to refer to the individual who is accountable for some identifiable set of activities in a computer system. v

6 ,.-- Table of Contents Preface Glossary of DefInitions eo eo iii List of Figures Xl 1.0 Introduction eo eo.. eo eo Properties of Traditional Capability-Based Systems ~ Capability-BasedAddressing Operand Addressing ~ Addressing Mechanisms Capability Mapping Transfer of ControL Capability-BasedProtection Maintenanceof Capability Integrity """"""" Protection of Base Objects and Authorization of Access Protection of Domain Representations and Separation of Access Privileges.. """" Protection of Extended-Type Objects Capability-BasedSystem Support of Security and Integrity Policies SecurityPolicies ' IntegrityPolicies Summaryof CommonPropertiesandPoliciesof Traditional Capability Systems Common Naming Properties Common Protection Properties..... '.' Common System Support for Security and Integrity Policies NCSC Criteria Impact on Traditional Capability-Based Systems ; Security Policy eo. eo Discretionary Access Control TCSEC Requirements Impact of the Access Authorization Requirement on Traditional Capability-Based Systems......, Impact of the Access Review Requirement on Traditional Capability-Based Systems......,...., Impact of the Explicit Access Exclusion Requirement on Traditional Capability-Based Systems vn

7 Table of Contents (Continued) Impact of the Controlled Distribution of Access Privileges Requirement on Traditional Capability-Based Systems Object Reuse TCSEC Requirements Impact of Object Reuse on Traditional Capability-Based Systems """"""" Object Labeling TCSEC Requirements Impact of Object Labeling on Traditional Capability- Based Systems Mandatory Access Contro TCSEC Requirements Model for Mandatory Access ControL Impact of Mandatory Access Control on Traditional Capability-Based Systems """"""" Accountability User Identification and Authentication.. """'" TCSEC Requirements Impact of the Accountability Requirements on Traditional Capability-Based Systems Audit TCSECRequirements Impact of the Audit Requirements on Traditional Capability-Based Systems "'" Assurance Operational A'ssurance System Architecture. """"""""""""" TCSEC Requirements Impact of System Architecture on Traditional Capability-Based Systems """"""'"."., System Integrity, Impact of System Integrity on Traditional Capability- Based Systems Covert Channel Analysis., TCSEC Requirements, Impact of Covert Channels on Capability-Based Systems Trusted Facility Management TCSEC Requirements 57 Vlll

8 ~'-~' Ii' i ' Table of Contents (Continued) Impact of Trusted Facility Management on Traditional Capability-Based Systems Life Cycle Assurance TCSEC Requirements Impact of Life Cycle Assurance on Traditional Capability-Based Systems Modifications of Traditional Capability Systems Problems of Traditional Capability-Based Systems Potential Solutions of Problems of Traditional Capability-Based Systems " Extensions BasicModificationsto TraditionalCapability-BasedSystems Traditional Capability-Based Systems Versus Descriptor-Based Systems Fundamental and Technological Differences , Fundamental Differences.....,., Addressing., Domains of Protection TechnologicalDifferences... """ Impact of Capability and Descriptor-Based Systems on Security Policy Support ;, Differences in Support of Discretionary Policies , Differences in Support of Mandatory Policies , Mandatory Policy in Traditional Capability-Based Systems,69 4.2~2.2 Mandatory Policy Support in Descriptor-Based Systems.., Differences in Audit Policy Audit in Capability-Based Systems, Audit in Descriptor-Based Systems """""".70 5':0 Conclusions 71 References "" , APPENDIX Cap-I Capability Bibliography '.'.'.'.'.'.'.'. ~ '. '. " ~'.'. '. '.'. '. '. ~'....,,... Des-l DescriptorBibliography... Security., Sec-l IX

9 ; \. \ \ '. \ \ust of Figures,Figure Title Page,.< "C'. "):lb Address Mapping in Partitioned Memory with Processor Support Address Mapping in Tagged Memory with Processor Support Indirect Addressing [3 levels] in Tagged Memory with Processor Support , , ,.,,..,.., ,.., ,......,,...,, :~ A Traditional Approach to Capability Mapping,.., , Domain Representation , Type Manager and Object(s) Using an Implicit Approach,, 20 Type Manager and Object(s) Using an Explicit Approach Creat,ing, Sealing and Unsealing a Capability for an Extended-Type Object ',"" , a. Creating a TYPE capability based on type TOlD"..., , ,,23 b, Sealing of a capability ,,...23 c. Unsealingof a capability Direct and Indirect Access to Capability CW,...,., Transitive Closure of Objects Linked by R-Capability Chains 42 Ownershipat Level L2 Not Allowed by Mandatory Policy (informationflow L2 -> Ll would take place otherwise).,..".."." 44 Full Ownership at Level Ll Not Allowed by Reference Count" 45 RestrictedOwnership at Level Ll Not Allowed by Reference Count 46 FullJRestrictedOwnership of Objects XIUX at Level Ll Not Allowedby "Link" Mechanism ,...,.., ,..,., Creation of a Self-Referencing Chain of Capabilities xi