1 Access Control

2 Objects and Subjects A multi-user distributed computer system offers access to objects such as resources (memory, printers), data (files) and applications. The system offers this access to subjects such as users, processes and other applications

3 Subjects and objects represent respectively the active and passive parties in a request for access. In defining access controls, you can either specify what a subject is allowed to do or what may be done with an object

4 Operations and Modes Operations that the system may offer include read write (including read) append execute Access modes include observe (look at contents) alter (change contents)

5 The relation between the operations and access modes Operations are defined by the security model Modes are basic notions of what can be done to an object

6 Permissions Permissions for files may include read write execute append delete change permission change ownership

7 Ownership policy - who decides what the access rights are? Discretionary - the owner of the resource, for example web pages mandatory - the security system manager according to the security policy of the organisation

8 Access control structures Control structures permit or deny subjects access to (operate on) objects using a reference monitor subject access reference object request monitor

9 Access Control Tables An access control table is a matrix (table) whose rows are indexed by subject and columns are indexed by objects. Thus every entry in the matrix is indexed by a subject and an object The entry of the table is the set of access rights for that subject over that object

10 S={Jones,Smith} O={timetable.doc, install.exe,format.com} A={read,write,execute}

11 Access Control Lists A security system is more likely to list the access rights according to the subjects or the objects: Jonestimetable.doc:read; install,exe:execute; format.com:execute,read; Smith timetable.doc:read,write; format.com:execute;

12 Groups Representation of access control can be easier if subjects with the same access are grouped together. A subject may belong to more than one group. The system may not be hierarchical. Group membership and access rights may be expressed using graphs.

13 Protection Rings Used if access control is hierarchical A subject is given a security level and can access all objects at that level or any level below. A security level may involve operations too. For example read and write permission may be at a higher level than read only.

14 Graphs We can use directed graphs to represent security levels and their structure. Each vertex represents a security level An edge (line) from one security level to another shows that the second is at a higher level than the first. A protection ring is a linear graph.

15 More complicated graphs: Suppose we have the following security system: There is a director of finance and two deputy directors, one responsible for pay and the other for capital. Each of the deputies has access to data that the other does not. The director has access to both sets of data. This information can be represented by a graph.

16 Domination If there is a path from a subject s to an object o then the subject has access rights to that object. Note that the path from s to o does not have to be a direct path. Subject s is said to dominate object o. Domination is anti-symmetric and transitive.

17 Lattice Graphs Security systems based on lattice graphs are very common. They have two particular properties: 1. Given 2 vertices a and b, there is a unique vertex c which dominates both a and b. If vertex d also dominates a and b then d also dominates c. 2. Given 2 vertices a and b there is a unique vertex e which is dominated by both a and b and if f is also dominated by a and b then f is dominated by e.

18 These properties ensure that no portion of the graph looks like a butterfly. The advantage of this is that for any two security levels, there is a unique minimum security level above both. Such a system avoids conflicts.

19 Example In a system there are two sets of files and three levels of security for each {nothing, read, write and read}. There are 9 levels of security, each represented by a pair (x,y) where x and y are one of n,r,w and show the security level for each set of files respectively. Thus a subject with a security level of (r,n) would be allowed to read the first set of files but neither read not write with the second set. We can use a lattice graph to represent this system.

20 Summary an access control system offers subjects rights to perform operations on objects and the operations available will depend on the security model and the application access control tables represent access control for every subject and object lists may be used instead of matrices groups can be used if different subjects have the same access rights directed graphs can be used to represent security levels and show domination lattices are used by many security models to represent access control