Access Control Matrix
Week 2
Protection State
The state of a system:
The collection of the current values of all memory
locations, all secondary storage, and all registers and
other components of the system.
Protection State
Consider the set of possible protection states P. Some
subset Q of P consists of exactly those states in which
the system is authorized to reside.
So, whenever the system state is in Q, the system is
secure.
When the current state is in P \ Q (in P but not in Q), the system is not
secure.
Figure: set diagram of protection states, labelled secure, precise, broad.
Access Control
An access control system regulates the operations
that can be executed on data and resources to be
protected
Its goal is to control operations executed by subjects
in order to prevent actions that could damage data
and resources
Access control is typically provided as part of the
operating system and of the database management
system (DBMS)
Figure: a subject issues an access request, the reference monitor mediates
it, and only then is the object accessed.
Object
Objects are the set of all protected entities.
Anything that holds data, such as relations, directories,
interprocess messages, network packets, I/O devices, or
physical media
Note that not all resources managed by a system need
to be protected
Subject
Subjects are the set of active objects
A subject is an abstraction of any active entity that performs
computation in the system
Subjects can be classified into:
users -- single individuals connecting to the system
groups -- sets of users
roles -- named collections of privileges / functional
entities within the organization
processes -- executing programs on behalf of users
Figure: operations on processes: receive signals, send signals,
execute a process as a subprocess
Access Permissions
Access permissions, also called authorizations, are
expressed in terms of subjects, objects, and access modes
From a conceptual point of view an access permission is a
tuple <s, o, a> where
s is a subject
o is an object
a is an access mode
Access Permission
Subjects, objects, and access modes can be organized
into hierarchies
The semantics of the hierarchy depends on the domain
Object Hierarchy (PART-OF): a directory contains files; in general, an
object contains component objects
Role Hierarchy: technical manager above programmer; in general, a senior
role above a junior role
Group Hierarchy (GROUP MEMBERSHIP): University contains CS Dept; in
general, a group contains its group members
Suppose that the group CS department has 200 members and the
University group 5000 members; suppose we have the policy that
the department calendar can be read by all members of the
University and written only by the members of CS; these policies
can be encoded into two access permissions of the form:
<University, calendar, Read> <CS Dept, calendar, Write>
Figure: propagation of a read mode through the hierarchy of users
(s2 ... s5), groups (g1, g2) and objects (o1 ... o6); labels: read mode,
implied mode.
Mandatory approach
a system-wide policy decrees who is allowed to
have access
Revoke permissions
Remove values from the access control mechanism's
entries
Check permissions
Verifying whether the entry related to a subject s and
an object o contains a given access mode
Figure: the matrix A, with subjects s1, ..., sn as rows and objects
o1, ..., om as columns.
Subjects S = { s1, ..., sn }
Objects O = { o1, ..., om }
Rights R = { r1, ..., rk }
Entries A[si, oj] ⊆ R
A[si, oj] = { rx, ..., ry } means subject si has
rights rx, ..., ry over object oj
Access control matrix (rows: subjects, columns: objects / entities):

              f        g        p        q
    p        rwo       r       rwxo      w
    q         a        ro       r       rwxo

Rights: r = read, w = write, x = execute, a = append, o = own.
Process 1 (p) can read or write file 1 (f) and can read file 2 (g); process 2 (q)
can append to file 1 and read file 2. Process 1 can communicate with process 2 by
writing to it, and process 2 can read from process 1. The processes
themselves are treated as both subjects (rows) and objects (columns).
Example 2
Procedures inc_ctr, dec_ctr, manage
Variable counter
Rights +, -, call
Access control matrix (rows: subjects, columns: objects / entities):

              counter    inc_ctr    dec_ctr    manage
    inc_ctr      +
    dec_ctr      -
    manage                  call       call       call

At the micro level, access control matrices can model programming language
accesses: objects are the variables and subjects are the procedures.
6 Primitive Operations
create subject s -- creates a new row and a new column in the ACM
create object o -- creates a new column in the ACM
destroy subject s; destroy object o -- remove the corresponding row and
column, or column, from the ACM
enter r into A[s, o]; delete r from A[s, o] -- add a right to, or remove
a right from, a single entry
Creating File
In the UNIX system, if process p created a file f with
owner read (r) and write (w) permission, the
command capturing the resulting changes in the
access control matrix would be:
command createfile(p, f)
    create object f;
    enter own into A[p, f];
    enter r into A[p, f];
    enter w into A[p, f];
end
Mono-Operational Commands
Make process p the owner of file g
command makeowner(p, g)
    enter own into A[p, g];
end
Mono-operational command
Single primitive operation in this command
Conditional Commands
Let process p give process q r (read) right over file f,
if p owns f:
command grantreadfile1(p, f, q)
    if own in A[p, f]
    then
        enter r into A[q, f];
end
Mono-conditional command
Single condition in this command
Multiple Conditions
Let p give q r and w rights over f, if p owns f and p has
a distinguished c right over q:
command grantreadfile2(p, f, q)
    if own in A[p, f] and c in A[p, q]
    then
        enter r into A[q, f];
        enter w into A[q, f];
end
Bi-conditional command
Two conditions in this command connected with an AND
Key Points
Access control matrix is the simplest abstraction
mechanism for representing protection state
Transitions alter protection state
6 primitive operations alter matrix
Transitions can be expressed as commands composed
of these operations and, possibly, conditions
Discussion
Directly implementing access control matrices is quite
inefficient, because in most cases these matrices are
sparse
Therefore two main implementations have been
developed
Access Control Lists (ACL)
Store columns with objects of the access control matrix.
Used in DBMS and Operating Systems
Capabilities
Store rows with subjects of the access control matrix.
Used in Operating Systems (such as Linux capabilities at
/usr/src/linux/include/linux/capability.h)
Figure (ACL example): object file2 with an entry for John holding R, W, X
and an entry for Jane.
Capabilities
Conceptually, a capability is the row of an access
control matrix. Each subject has associated with it a set
of pairs, with each pair containing an object and a set
of rights. The subject associated with this list can access
the named object in any of the ways indicated by the
named rights.
Each subject has an associated Capability-List.
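The two storage choices from the Discussion section (ACLs by column, capabilities by row), as an added Python example that is not part of the slides. The matrix is the one from the process/file example above, written here as a dict of dicts with one letter per right; the function names are this example's own.

```python
# Matrix from the process/file example (constructed to match the slide):
# rows are subjects p and q, columns are files f, g and processes p, q.
ACM = {
    "p": {"f": "rwo", "g": "r", "p": "rwxo", "q": "w"},
    "q": {"f": "a", "g": "ro", "p": "r", "q": "rwxo"},
}

def capability_lists(acm):
    """Row-wise storage: each subject keeps its (object, rights) pairs."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in acm.items()}

def access_control_lists(acm):
    """Column-wise storage: each object keeps its (subject, rights) pairs."""
    acls = {}
    for s, row in acm.items():
        for o, r in row.items():
            acls.setdefault(o, {})[s] = set(r)
    return acls

def check(acm, s, o, mode):
    """Check permissions: is mode in the entry A[s, o]? Missing entries deny."""
    return mode in acm.get(s, {}).get(o, "")

def revoke_on_object(acls, o, mode):
    """Revoke a mode from every subject on one object: touches one ACL only."""
    for rights in acls.get(o, {}).values():
        rights.discard(mode)

def rights_of_subject(caps, s):
    """Everything one subject may do: one capability list, no scan of objects."""
    return {o: frozenset(r) for o, r in caps.get(s, {}).items()}
```

The same sparse matrix is reachable from either side; which side is cheap depends on the question asked, object-centric revocation for ACLs, subject-centric enumeration for capabilities.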
Capabilities - Example
Given the ACM below: