Ch 2: Access Control Matrix
Week 2
�Protection State
The state of a system:
The collection of the current values of all memory
locations, all secondary storage, and all registers and
other components of the system.
The subset of this collection that deals with protection
is the protection state of the system.
�Protection State
Consider the set of possible protection states P. Some
subset Q of P consists of exactly those states in which
the system is authorized to reside.
So, whenever the system state is in Q, the system is
secure.
When the current state is in P Q , the system is not
secure.
We want to ensure that the system state is always an
element of Q.
�Security Policy, Security Mechanism,
Precision
Characterizing the states in Q is the function of a
security policy.
Preventing the system from entering a state in P Q is
the function of a security mechanism.
�Types of Security Mechanisms
Let P be the set of all possible states and Q be the set of
secure states (as specified by the security policy). Let the
security mechanisms restrict the system to some set of states
R (thus, R P).
A security mechanism is secure if R Q; it is precise if R = Q;
and it is broad if there are states r such that r R and r Q.
secure
precise
R: set of reachable states
broad
Q: set of secure states
�Access Control
An access control system regulates the operations
that can be executed on data and resources to be
protected
Its goal is to control operations executed by subjects
in order to prevent actions that could damage data
and resources
Access control is typically provided as part of the
operating system and of the database management
system (DBMS)
�Access Control Model
By B. Lampson. Protection. ACM Operating System
Reviews, 8, 1974.
The very nature of access control suggests that there
is an active subject requiring access to a passive object
to perform some specific access operation.
A reference monitor grants or denies access
Subject
Access
request
Reference
monitor
Object
�Access Control Mechanism
Typically a software system implements the access
control function
Usually part of other systems
The access control mechanism uses some access
control policies to decide whether to grant or deny a
subject access to a requested resource
We will refer to an access control system as system
comprising an access control mechanism and all
information required to take access control decisions
(for example, access permissions)
�Object
Objects are the set of all protected entities.
Anything that holds data: such as relations, directories,
interprocess messages, network packets, I/O devices, or
physical media
Note that not all resources managed by a system need
to be protected
�Subject
Subjects are the set of active objects
It is an abstraction of any active entity that performs
computation in the system
Subjects can be classified into:
users -- single individuals connecting to the system
groups -- sets of users
roles -- named collections of privileges / functional
entities within the organization
processes -- executing programs on behalf of users
Relations may exist among various types of subjects
�Access Operations (Modes)
Operations that a subject can exercise on the protected
objects in the system
Each type of operation corresponds to an access mode
Several different types:
Read: look at the contents of an object
Write: change the contents of an object
Execute, select, insert, update, delete, etc.
The same mode can correspond to different operations
when applied to different objects
�Access Modes Unix OS Example
Access modes defined for files
read:
write:
execute:
reading from a file
writing to a file
executing a (program) file
Access modes defined for directories
read:
write:
execute:
list a directory contents
create or rename a file in a directory
search a directory (including
subdirectiroes)
Access modes defined for processes
read:
write:
execute:
receive signals
send signals
execute a process as a subprocess
�Access Permissions
Access permissions, also called authorizations, are
expressed in terms of subjects, objects, and access modes
From a conceptual point of view an access permission is a
tuple <s, o, a> where
s is a subject
o is an object
a is an access mode
It states that subject s has the permission to execute
operation a on object o
We also say that s has access right a on object o
Example: the access permission <Bob, Read, F1> states
that Bob has the permission to read file F1
�Access Permission
Subjects, objects, and access modes can be organized
into hierarchies
The semantics of the hierarchy depends on the domain
The use of hierarchies has two important advantages:
It reduces the number of permissions that need to be entered
into the access control system, thus reducing administration
costs
Combined with negative authorizations, it supports the
specification of exceptions
�Object Hierarchy
PART-OF
directory
file
object
component object
�Role Hierarchy
technical manager
programmer
senior role
junior role
�Group Hierarchy
GROUP MEMBERSHIP
University
CS Dept
group
group member
Suppose that the group CS department has 200 members and the
University group 5000 members; suppose we have the policy that
the department calendar can be read to all members of the
University and written only by the members of CS; these policies
can be encoded into two access permissions of the form:
<University, calendar, Read> <CS Dept, calendar, Write>
�Access Mode Hierarchy
SUBSUMPTION
write
read
mode
implied mode
�Groups and Negative Permissions
Groups can be seen as an intermediate level between
users and objects
An example of an ideal world where all access
permissions are mediated by groups
s1
s2
s3
g1
o1
o2
s4
Users
s5
g2
o3
o4
Groups
o5
o6
Objects
�Groups and Negative Permissions
Often access control policies have special cases
where it proves convenient to give some user a
permission for an object directly or deny a user a
permission that it would normally derive from its
membership in some group
A negative permission specifies an operation that a
subject is not allowed to perform
Representing negative permissions requires
extending our simple tuple model with an additional
component sign:
<s, o, a, sign> where sign {+, -}
�Groups and Negative Permissions
An example in which not all access permissions are
mediated through groups
s1
s2
s3
Users
g1
o1
o2
Groups
o3
o4
o5
Objects
�Ownership and Administration
A key question when dealing with access control is
who specifies which subjects can access which
objects for which operations
In the case of permissions, this means specifying
which are the subjects that can enter permissions
22
�Ownership and Administration
Discretionary approach
the owner of a resource decrees who is allowed to
have access
But then: who is the owner of a resource?
Mandatory approach
a system-wide policy decrees who is allowed to
have access
�Basic Operations in Access Control
Grant permissions
Inserting values in the access control mechanisms
entries
Revoke permissions
Remove values from the access control mechanisms
entries
Check permissions
Verifying whether the entry related to a subject s and
an object o contains a given access mode
�Access Control Matrix (ACM)
Recall that protection state of system
Describes current settings, values of system relevant to
protection
An access control matrix is one tool that can describe
the current protection state.
Access control matrix
Describes protection state precisely
Matrix describing rights of subjects
State transitions change elements of matrix
�Access Control Matrix (ACM)
objects (entities)
subjects
o1 om s1 sn
s1
s2
sn
Subjects S = { s1,,sn }
Objects O = { o1,,om }
Rights R = { r1,,rk }
Entries A[si, oj] R
A[si, oj] = { rx, , ry }
means subject si has
rights rx, , ry over
object oj
�Example 1 Protection State of a System
Processes p, q
Files f, g
Rights r: read, w: write, x: execute, a: append, o: own
subjects
objects (entities)
f
rwo
g
r
p
rwxo
q
w
ro
rwxo
Process 1 can read or write file 1 and can read file 2; process 2 can append
to file 1 and read file 2. Process 1 can communicate with process 2 by
writing to it, and process 2 can read from process 1. The processes
themselves are treated as both subjects (rows) and objects (columns).
�Example 2
Procedures inc_ctr, dec_ctr, manage
Variable counter
Rights +, , call
subjects
objects (entities)
inc_ctr
dec_ctr
manage
counter inc_ctr
+
call
dec_ctr manage
call
call
At the micro level, access control matrices can model programming language
accesses: Objects are the variables and subjects are the procedures.
�Protection State Transitions
Change the protection state of system
| represents transition
Xi | Xi+1: command moves system from state Xi to Xi+1
Xi | * Y : a sequence of commands moves system from
state Xi to Y
Commands often called transformation procedures
�6 Primitive Operations
create subject s; create object o
Creates new row, column in ACM; creates new column in
ACM
destroy subject s; destroy object o
Deletes row, column from ACM; deletes column from ACM
enter r into A[s, o]
Adds r rights for subject s over object o
delete r from A[s, o]
Removes r rights from subject s over object o
�Creating File
In the UNIX system, if process p created a file f with
owner read (r) and write (w) permission, the
command capturing the resulting changes in the
access control matrix would be:
command createfile(p, f)
create object f;
enter own into A[p, f];
enter r into A[p, f];
enter w into A[p, f];
end
�Mono-Operational Commands
Make process p the owner of file g
command makeowner(p, g)
enter own into A[p, g];
end
Mono-operational command
Single primitive operation in this command
�Conditional Commands
Let process p give process q r (read) right over file f,
if p owns f:
command grantreadfile1(p, f, q)
if own in A[p, f]
then
enter r into A[q, f];
end
Mono-conditional command
Single condition in this command
�Multiple Conditions
Let p give q r and w rights over f, if p owns f and p has
a distinguished c right over q:
command grantreadfile2(p, f, q)
if own in A[p, f] and c in A[p, q]
then
enter r into A[q, f];
enter w into A[q, f];
end
Bi-conditional command
Two conditions in this command connected with an AND
�Key Points
Access control matrix is the simplest abstraction
mechanism for representing protection state
Transitions alter protection state
6 primitive operations alter matrix
Transitions can be expressed as commands composed
of these operations and, possibly, conditions
�Discussion
Directly implementing access control matrices is quite
inefficient, because in most cases these matrices are
sparse
Therefore two main implementations have been
developed
Access Control Lists (ACL)
Store columns with objects of the access control matrix.
Used in DBMS and Operating Systems
Capabilities
Store rows with subjects of the access control matrix.
Used in Operating Systems (such as Linux capabilities at
/usr/src/linux/include/linux/capability.h)
36
�Access Control Lists (ACLs)
Given the ACM below:
file1
file2
John
R, W, X
Jane
The set of objects is file 1 and file 2. The corresponding ACL
for each object will be:
acl(file 1) = { (John, { read}), (John, {write}), (John,
{execute}), (Jane, {own}) }
acl(file 2) = { (John, { read }), (Jane, {execute}) }
37
�Capabilities
Conceptually, a capability is the row of an access
control matrix. Each subject has associated with it a set
of pairs, with each pair containing an object and a set
of rights. The subject associated with this list can access
the named object in any of the ways indicated by the
named rights.
Each subject has an associated Capability-List.
�Capabilities - Example
Given the ACM below:
The set of subjects is process 1 and process 2. The
corresponding capability lists for each subject are:
cap(process 1) = { (file 1, { read, write, own }), (file 2,
{ read }), (process 1, {read, write, execute, own}),
(process 2, { write }) }
cap(process 2) = { (file 1, { append }), (file 2, { read,
own }), (process 1, { read }), (process 2, {read, write,
39
execute, own}) }
�UNIX Access Control Manipulation
chmod: Change mode command
chmod u=rx file
(Give the owner rx permissions)
chmod go-rwx file
(Deny rwx permission for group and
others)
chmod g+w file
(Give write permission to the group)
chmod a+x fileA fileB (Give execute permission to all)
chmod g+rx, o+x file (Give rx write to the group, and x right
to the others)
chmod 751 file1
(Give rwx rights to the user, rx rights
to the group, x right to the others)
40
�UNIX Access Control Manipulation
chown: Change owner command.
41
