Embedded System Laboratory, Suzhou Institute for Advanced Study of USTC
❖ A policy flexible system must be capable of supporting a wide variety of security policies.
❖ Security policies may be classified by
➢ The need to revoke previously granted access
➢ The type of input required to make access decisions
➢ The sensitivity of policy decisions to external factors like history or environment
➢ Transitivity of access decisions
❖ Revocation is the most difficult characteristic to support
❖ Security policy must deal with policy changes interleaved with execution of controlled operations
❖ Interleaving must be atomic so any controlled operation has a consistent policy
❖ Atomicity is difficult to achieve because access permissions tend to migrate throughout the system
➢ Example: Unix write permissions on a file are only checked when the file is opened. The granted permission is cached in the file descriptor. Changing permissions only affects future open operations.
➢ Migrated permissions are common in capabilities, access rights in page tables, open IPC connections, and other operations in progress
❖ Must make sure the entire system knows if a permission is revoked when policy changes
➢ Complicated and potentially expensive
➢ Must identify relevant in-progress operations
❖ Three ways to handle revocation for an in-progress operation
➢ Abort and return error
➢ Restart operation and check permission
➢ Wait for operation to complete
❖ Waiting is not safe because it does not enforce policy and can take an unbounded amount of time
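The following is an added example, not code from the slides or from the Flask project, that simulates the two preceding slides: a Unix-style file whose write permission is checked only at open() and cached in the descriptor, beside a revocation-aware variant that notices a policy change mid-operation and applies either the abort or the restart strategy. The Policy, Descriptor and file classes, the subject name "alice" and the chunked write are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


class PermissionRevoked(Exception):
    """Raised when a permission cached at open time is found revoked mid-operation."""


@dataclass
class Policy:
    """Constructed sample policy: subject -> permissions on a single file."""
    perms: Dict[str, Set[str]] = field(default_factory=dict)
    version: int = 0  # bumped on every change so descriptors can detect staleness

    def allows(self, subject: str, perm: str) -> bool:
        return perm in self.perms.get(subject, set())

    def revoke(self, subject: str, perm: str) -> None:
        self.perms.get(subject, set()).discard(perm)
        self.version += 1


@dataclass
class Descriptor:
    """A file descriptor: the granted permission migrates into it at open time."""
    subject: str
    perm: str
    policy_version: int  # policy version the permission was granted under


class UnixStyleFile:
    """Unix semantics: permission is checked once at open() and cached in the
    descriptor; later writes never consult the policy again."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.data: List[str] = []

    def open(self, subject: str, perm: str) -> Descriptor:
        if not self.policy.allows(subject, perm):
            raise PermissionError(f"{subject} lacks {perm}")
        return Descriptor(subject, perm, self.policy.version)

    def write(self, fd: Descriptor, chunk: str) -> None:
        self.data.append(chunk)  # the migrated permission is trusted as-is


class RevocableFile(UnixStyleFile):
    """Re-validates the cached permission whenever the policy has changed since
    the descriptor was issued, so a revocation reaches the in-progress operation."""

    def write(self, fd: Descriptor, chunk: str) -> None:
        if fd.policy_version != self.policy.version:
            if not self.policy.allows(fd.subject, fd.perm):
                raise PermissionRevoked(f"{fd.perm} revoked from {fd.subject}")
            fd.policy_version = self.policy.version  # still granted: refresh cache
        self.data.append(chunk)


def run_write(file: UnixStyleFile, subject: str, chunks: List[str],
              revoke_after: int, strategy: str) -> List[str]:
    """Simulate a multi-step write with a policy change interleaved after
    `revoke_after` chunks. On revocation:
      'abort'   -> stop and leave whatever was already written
      'restart' -> discard the partial write and redo the whole operation,
                   which re-checks the permission at the new open()
    Returns the file contents after the operation."""

    def attempt() -> None:
        fd = file.open(subject, "write")
        for i, chunk in enumerate(chunks):
            if i == revoke_after:
                file.policy.revoke(subject, "write")  # policy change interleaved
            file.write(fd, chunk)

    start = len(file.data)
    try:
        attempt()
    except PermissionRevoked:
        if strategy == "abort":
            pass  # error returned to caller; partial data remains
        elif strategy == "restart":
            del file.data[start:]  # undo the partial operation
            try:
                attempt()  # permission re-checked at open(); now denied
            except PermissionError:
                pass
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return list(file.data)


def scenario(kind: str, strategy: str) -> List[str]:
    """Run one constructed scenario: alice writes four chunks, write is revoked
    after the second chunk."""
    policy = Policy({"alice": {"write"}})
    file = (UnixStyleFile if kind == "unix" else RevocableFile)(policy)
    return run_write(file, "alice", ["a", "b", "c", "d"], 2, strategy)


if __name__ == "__main__":
    print("unix, revocation never noticed:", scenario("unix", "abort"))
    print("revocable, abort:", scenario("revocable", "abort"))
    print("revocable, restart:", scenario("revocable", "restart"))
```

The Unix-style file writes all four chunks even though write was revoked halfway, which is the migrated-permission problem the slide describes. The abort strategy stops at the revocation but leaves a partially completed operation behind; the restart strategy rolls the partial write back and re-checks at open(), so a consistent policy governs the whole operation, at the cost of redoing work. Simply waiting for the original loop to finish would behave exactly like the Unix-style case.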
Outline
❖ Introduction
❖ Policy Flexibility
❖ Insufficiency of Popular Mechanisms
❖ Related Work
❖ Flask Design and Implementation
❖ Results
❖ Summary
❖ Other Flask object managers
❖ Current Status
Insufficiency of Popular Mechanisms
❖ We will take a look at:
➢ Capability-Based Systems
➢ Intercepting Requests