1. Presented by Amlan B Dey

2.  Access control is the traditional center of gravity of computer security.  It is where security engineering meets computer science.  Function is to control which principals have access to which resources.

4. The access controls provided with an operating system typically authenticate principals using some mechanism such as passwords or Kerberos, then mediate their access to files, communications ports, and other system resources.

5.  we want a small number of predefined groups, or functional roles, to which staff can be assigned.  The more careful definition: A group is a list of principals, while a role is a fixed set of access permissions that one or more principals may assume for a period of time using some defined procedure.  Examples.

6.  Another way of simplifying access rights management: Stores the access control matrix a column at a time, along with the resource to which the column refers.  The operating system must either check the ACL at each file access or keep track of the active access rights in some other way.

7.  Where access control policy is set centrally, they are suited to environments where protection is dataoriented.  Less suited where the user population is large and constantly changing, or where users want to be able to delegate their authority to run a particular program to another user for some set period of time.  Distributing the access rules into ACLs can make it tedious to find all the files to which a user has access.

8.  Files are not allowed to have arbitrary access control lists, but simply rwx attributes for the resource owner.  Disadvantage: In Unix, the program that gets control when the machine is booted (the os Kernel) runs as the supervisor, and has unrestricted access to the whole machine.

9.  Rather than just read, write, and execute, there are separate attributes for take ownership, change permissions, and delete  which means that more flexible delegation can be supported.  These attributes apply to groups as well as users  A benefit of the richer syntax (AccessDenied, AccessAllowed, or SystemAudit).

10.  Another way to manage the access control matrix is to store it by rows.  Runtime security checking is more efficient.  we can do delegation without much difficulty.  On the other hand, changing a file’s status can suddenly become more tricky, as it can be difficult to find out which users have access

11.  A practical problem with all current flavors of access control system  Multiple administrators are expected to work simultaneously.  Another granularity problem is single sign- on.  Such solutions are hard to engineer properly.

12.  Users want to run some code that they have downloaded from the Web as an applet.  Their concern is that the applet might do something nasty, such as taking a list of all their files and mailing it off to a software marketing company.  The designers of Java tackle this problem by providing a “sandbox” for such code—a restricted environment in which it has no access to the local hard disk

13.  An object consists of code and data bundled together, accessible only through specified externally visible methods  gives the potential for much more powerful and flexible access control.  The idea is to base security functions on the object request broker, or ORB, a software component that mediates communications between objects

14.  operate at a number of levels in a system  Higher-level mechanisms can be more expressive  But also tend to be more vulnerable to attack  Most attacks involve the opportunistic exploitation of bugs.  Software that is very large, very widely used, or both (as with operating systems) is particularly likely to have security bugs found and publicized.

15.  http://research.microsoft.com/pubs/54665/ac cesscontrolwithdiversity.pdf http://research.microsoft.com/pubs/54665/ac cesscontrolwithdiversity.pdf  http://www.profsandhu.com/journals/commu n/i94ac(org).pdf http://www.profsandhu.com/journals/commu n/i94ac(org).pdf  http://csrc.nist.gov/rbac/ferraiolo-kuhn- 92.pdf http://csrc.nist.gov/rbac/ferraiolo-kuhn- 92.pdf  http://www.cidrdb.org/cidr2011/Papers/CIDR 11_Paper11.pdf http://www.cidrdb.org/cidr2011/Papers/CIDR 11_Paper11.pdf  http://www.cl.cam.ac.uk/~rja14/Papers/SE- 04.pdf http://www.cl.cam.ac.uk/~rja14/Papers/SE- 04.pdf