Ch 2: Access Control Matrix

Week 2

Protection State
The state of a system:
The collection of the current values of all memory
locations, all secondary storage, and all registers and
other components of the system.

The subset of this collection that deals with protection

is the protection state of the system.

Protection State
Consider the set of possible protection states P. Some
subset Q of P consists of exactly those states in which
the system is authorized to reside.
So, whenever the system state is in Q, the system is
secure.
When the current state is in P Q , the system is not
secure.

We want to ensure that the system state is always an

element of Q.

Security Policy, Security Mechanism,

Precision
Characterizing the states in Q is the function of a
security policy.
Preventing the system from entering a state in P Q is
the function of a security mechanism.

Types of Security Mechanisms

Let P be the set of all possible states and Q be the set of
secure states (as specified by the security policy). Let the
security mechanisms restrict the system to some set of states
R (thus, R P).
A security mechanism is secure if R Q; it is precise if R = Q;
and it is broad if there are states r such that r R and r Q.

secure

precise

R: set of reachable states

broad

Q: set of secure states

Access Control
An access control system regulates the operations
that can be executed on data and resources to be
protected
Its goal is to control operations executed by subjects
in order to prevent actions that could damage data
and resources
Access control is typically provided as part of the
operating system and of the database management
system (DBMS)

Access Control Model

By B. Lampson. Protection. ACM Operating System
Reviews, 8, 1974.
The very nature of access control suggests that there
is an active subject requiring access to a passive object
to perform some specific access operation.
A reference monitor grants or denies access

Subject

Access
request

Reference
monitor

Object

Access Control Mechanism

Typically a software system implements the access
control function
Usually part of other systems
The access control mechanism uses some access
control policies to decide whether to grant or deny a
subject access to a requested resource
We will refer to an access control system as system
comprising an access control mechanism and all
information required to take access control decisions
(for example, access permissions)

Object
Objects are the set of all protected entities.
Anything that holds data: such as relations, directories,
interprocess messages, network packets, I/O devices, or
physical media
Note that not all resources managed by a system need
to be protected

Subject
Subjects are the set of active objects
It is an abstraction of any active entity that performs
computation in the system
Subjects can be classified into:
users -- single individuals connecting to the system
groups -- sets of users
roles -- named collections of privileges / functional
entities within the organization
processes -- executing programs on behalf of users

Relations may exist among various types of subjects

Access Operations (Modes)

Operations that a subject can exercise on the protected
objects in the system
Each type of operation corresponds to an access mode
Several different types:
Read: look at the contents of an object
Write: change the contents of an object
Execute, select, insert, update, delete, etc.
The same mode can correspond to different operations
when applied to different objects

Access Modes Unix OS Example

Access modes defined for files
read:
write:
execute:

reading from a file

writing to a file
executing a (program) file

Access modes defined for directories

read:
write:
execute:

list a directory contents

create or rename a file in a directory
search a directory (including
subdirectiroes)

Access modes defined for processes

read:
write:
execute:

receive signals
send signals
execute a process as a subprocess

Access Permissions
Access permissions, also called authorizations, are
expressed in terms of subjects, objects, and access modes
From a conceptual point of view an access permission is a
tuple <s, o, a> where
s is a subject
o is an object
a is an access mode

It states that subject s has the permission to execute

operation a on object o
We also say that s has access right a on object o
Example: the access permission <Bob, Read, F1> states
that Bob has the permission to read file F1

Access Permission
Subjects, objects, and access modes can be organized
into hierarchies
The semantics of the hierarchy depends on the domain

The use of hierarchies has two important advantages:

It reduces the number of permissions that need to be entered
into the access control system, thus reducing administration
costs
Combined with negative authorizations, it supports the
specification of exceptions

Object Hierarchy

PART-OF

directory
file

object
component object

Role Hierarchy

technical manager
programmer

senior role
junior role

Group Hierarchy
GROUP MEMBERSHIP
University
CS Dept

group
group member

Suppose that the group CS department has 200 members and the
University group 5000 members; suppose we have the policy that
the department calendar can be read to all members of the
University and written only by the members of CS; these policies
can be encoded into two access permissions of the form:
<University, calendar, Read> <CS Dept, calendar, Write>

Access Mode Hierarchy

SUBSUMPTION
write

read

mode

implied mode

Groups and Negative Permissions

Groups can be seen as an intermediate level between
users and objects
An example of an ideal world where all access
permissions are mediated by groups
s1

s2

s3

g1

o1

o2

s4

Users

s5

g2

o3

o4

Groups

o5

o6

Objects

Groups and Negative Permissions

Often access control policies have special cases
where it proves convenient to give some user a
permission for an object directly or deny a user a
permission that it would normally derive from its
membership in some group
A negative permission specifies an operation that a
subject is not allowed to perform
Representing negative permissions requires
extending our simple tuple model with an additional
component sign:
<s, o, a, sign> where sign {+, -}

Groups and Negative Permissions

An example in which not all access permissions are
mediated through groups
s1

s2

s3

Users

g1

o1

o2

Groups

o3

o4

o5

Objects

Ownership and Administration

A key question when dealing with access control is
who specifies which subjects can access which
objects for which operations
In the case of permissions, this means specifying
which are the subjects that can enter permissions

22

Ownership and Administration

Discretionary approach
the owner of a resource decrees who is allowed to
have access
But then: who is the owner of a resource?

Mandatory approach
a system-wide policy decrees who is allowed to
have access

Basic Operations in Access Control

Grant permissions
Inserting values in the access control mechanisms
entries

Revoke permissions
Remove values from the access control mechanisms
entries

Check permissions
Verifying whether the entry related to a subject s and
an object o contains a given access mode

Access Control Matrix (ACM)

Recall that protection state of system
Describes current settings, values of system relevant to
protection
An access control matrix is one tool that can describe
the current protection state.

Access control matrix

Describes protection state precisely
Matrix describing rights of subjects
State transitions change elements of matrix

Access Control Matrix (ACM)

objects (entities)

subjects

o1 om s1 sn
s1
s2

sn

Subjects S = { s1,,sn }
Objects O = { o1,,om }
Rights R = { r1,,rk }
Entries A[si, oj] R
A[si, oj] = { rx, , ry }
means subject si has
rights rx, , ry over
object oj

Example 1 Protection State of a System

Processes p, q
Files f, g
Rights r: read, w: write, x: execute, a: append, o: own

subjects

objects (entities)

f
rwo

g
r

p
rwxo

q
w

ro

rwxo

Process 1 can read or write file 1 and can read file 2; process 2 can append
to file 1 and read file 2. Process 1 can communicate with process 2 by
writing to it, and process 2 can read from process 1. The processes
themselves are treated as both subjects (rows) and objects (columns).

Example 2
Procedures inc_ctr, dec_ctr, manage
Variable counter
Rights +, , call

subjects

objects (entities)

inc_ctr
dec_ctr
manage

counter inc_ctr
+

call

dec_ctr manage

call

call

At the micro level, access control matrices can model programming language
accesses: Objects are the variables and subjects are the procedures.

Protection State Transitions

Change the protection state of system
| represents transition
Xi | Xi+1: command moves system from state Xi to Xi+1
Xi | * Y : a sequence of commands moves system from
state Xi to Y

Commands often called transformation procedures

6 Primitive Operations
create subject s; create object o
Creates new row, column in ACM; creates new column in
ACM

destroy subject s; destroy object o

Deletes row, column from ACM; deletes column from ACM

enter r into A[s, o]

Adds r rights for subject s over object o

delete r from A[s, o]

Removes r rights from subject s over object o

Creating File
In the UNIX system, if process p created a file f with
owner read (r) and write (w) permission, the
command capturing the resulting changes in the
access control matrix would be:

command createfile(p, f)
create object f;
enter own into A[p, f];
enter r into A[p, f];
enter w into A[p, f];
end

Mono-Operational Commands
Make process p the owner of file g
command makeowner(p, g)
enter own into A[p, g];
end
Mono-operational command
Single primitive operation in this command

Conditional Commands
Let process p give process q r (read) right over file f,
if p owns f:
command grantreadfile1(p, f, q)
if own in A[p, f]
then
enter r into A[q, f];
end
Mono-conditional command
Single condition in this command

Multiple Conditions
Let p give q r and w rights over f, if p owns f and p has
a distinguished c right over q:
command grantreadfile2(p, f, q)
if own in A[p, f] and c in A[p, q]
then
enter r into A[q, f];
enter w into A[q, f];
end
Bi-conditional command
Two conditions in this command connected with an AND

Key Points
Access control matrix is the simplest abstraction
mechanism for representing protection state
Transitions alter protection state
6 primitive operations alter matrix
Transitions can be expressed as commands composed
of these operations and, possibly, conditions

Discussion
Directly implementing access control matrices is quite
inefficient, because in most cases these matrices are
sparse
Therefore two main implementations have been
developed
Access Control Lists (ACL)
Store columns with objects of the access control matrix.
Used in DBMS and Operating Systems

Capabilities
Store rows with subjects of the access control matrix.
Used in Operating Systems (such as Linux capabilities at
/usr/src/linux/include/linux/capability.h)
36

Access Control Lists (ACLs)

Given the ACM below:
file1

file2

John

R, W, X

Jane

The set of objects is file 1 and file 2. The corresponding ACL

for each object will be:
acl(file 1) = { (John, { read}), (John, {write}), (John,
{execute}), (Jane, {own}) }
acl(file 2) = { (John, { read }), (Jane, {execute}) }
37

Capabilities
Conceptually, a capability is the row of an access
control matrix. Each subject has associated with it a set
of pairs, with each pair containing an object and a set
of rights. The subject associated with this list can access
the named object in any of the ways indicated by the
named rights.
Each subject has an associated Capability-List.

Capabilities - Example
Given the ACM below:

The set of subjects is process 1 and process 2. The

corresponding capability lists for each subject are:
cap(process 1) = { (file 1, { read, write, own }), (file 2,
{ read }), (process 1, {read, write, execute, own}),
(process 2, { write }) }
cap(process 2) = { (file 1, { append }), (file 2, { read,
own }), (process 1, { read }), (process 2, {read, write,
39
execute, own}) }

UNIX Access Control Manipulation

chmod: Change mode command
chmod u=rx file
(Give the owner rx permissions)
chmod go-rwx file
(Deny rwx permission for group and
others)
chmod g+w file
(Give write permission to the group)
chmod a+x fileA fileB (Give execute permission to all)
chmod g+rx, o+x file (Give rx write to the group, and x right
to the others)
chmod 751 file1
(Give rwx rights to the user, rx rights
to the group, x right to the others)
40

UNIX Access Control Manipulation

chown: Change owner command.

41