1 Access Control. 2 Objects and Subjects A multi-user distributed computer system offers access to objects such as resources (memory, printers), data.
Presentation transcript:

1 Access Control

2 Objects and Subjects
A multi-user distributed computer system offers access to objects such as resources (memory, printers), data (files) and applications. The system offers this access to subjects such as users, processes and other applications.

3 Subjects and objects represent respectively the active and passive parties in a request for access. In defining access controls, you can either specify what a subject is allowed to do or what may be done with an object.

4 Operations and Modes
Operations that the system may offer include:
- read
- write (including read)
- append
- execute
Access modes include:
- observe (look at contents)
- alter (change contents)

5 The relation between the operations and access modes
Operations are defined by the security model. Modes are basic notions of what can be done to an object.

6 Permissions
Permissions for files may include:
- read
- write
- execute
- append
- delete
- change permission
- change ownership

7 Ownership policy - who decides what the access rights are?
- Discretionary: the owner of the resource, for example web pages.
- Mandatory: the security system manager, according to the security policy of the organisation.

8 Access control structures
Control structures permit or deny subjects access to (operate on) objects using a reference monitor.
(Diagram: subject -> access request -> reference monitor -> object.)

9 Access Control Tables
An access control table is a matrix (table) whose rows are indexed by subjects and whose columns are indexed by objects. Thus every entry in the matrix is indexed by a subject and an object. The entry of the table is the set of access rights for that subject over that object.

10 S = {Jones, Smith}
O = {timetable.doc, install.exe, format.com}
A = {read, write, execute}

11 Access Control Lists
A security system is more likely to list the access rights according to the subjects or the objects:
Jones: timetable.doc: read; install.exe: execute; format.com: execute, read
Smith: timetable.doc: read, write; format.com: execute
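The matrix of slides 9-11 as working code, added here as an example (it is not from the slides): the matrix entries are the rights listed on slide 11, the "list by subject" and "list by object" views are derived from the matrix, and a reference-monitor check uses slide 4's rule that write includes read. Unknown subjects, objects or operations are denied.

```python
# Added example (not from the slides): the access control matrix of slides 9-11,
# its two list views, and a reference-monitor decision over it.

SUBJECTS = {"Jones", "Smith"}
OBJECTS = {"timetable.doc", "install.exe", "format.com"}
RIGHTS = {"read", "write", "execute"}

# Access control matrix: rows indexed by subject, columns by object,
# entry = set of rights. A missing entry means no rights at all.
MATRIX = {
    ("Jones", "timetable.doc"): {"read"},
    ("Jones", "install.exe"): {"execute"},
    ("Jones", "format.com"): {"execute", "read"},
    ("Smith", "timetable.doc"): {"read", "write"},
    ("Smith", "format.com"): {"execute"},
}


def rights(subject, obj):
    """The matrix entry for (subject, obj); empty set if there is none."""
    return MATRIX.get((subject, obj), set())


def capability_list(subject):
    """The matrix row: rights listed by subject, as on slide 11."""
    return {o: rights(subject, o) for o in OBJECTS if rights(subject, o)}


def access_control_list(obj):
    """The matrix column: rights listed by object (the ACL proper)."""
    return {s: rights(s, obj) for s in SUBJECTS if rights(s, obj)}


def reference_monitor(subject, obj, operation):
    """Permit or deny one access request (slide 8). Anything not known to the
    matrix is denied, so the monitor fails closed. Because 'write' includes
    'read' (slide 4), a subject holding write on an object may also read it."""
    if subject not in SUBJECTS or obj not in OBJECTS or operation not in RIGHTS:
        return False
    granted = set(rights(subject, obj))
    if "write" in granted:
        granted.add("read")
    return operation in granted
```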

12 Groups
Representation of access control can be easier if subjects with the same access are grouped together. A subject may belong to more than one group. The system may not be hierarchical. Group membership and access rights may be expressed using graphs.

13 Protection Rings
Used if access control is hierarchical. A subject is given a security level and can access all objects at that level or any level below. A security level may involve operations too. For example, read and write permission may be at a higher level than read only.

14 Graphs
We can use directed graphs to represent security levels and their structure. Each vertex represents a security level. An edge (line) from one security level to another shows that the second is at a higher level than the first. A protection ring is a linear graph.

15 More complicated graphs
Suppose we have the following security system: there is a director of finance and two deputy directors, one responsible for pay and the other for capital. Each of the deputies has access to data that the other does not. The director has access to both sets of data. This information can be represented by a graph.

16 Domination
If there is a path from a subject s to an object o, then the subject has access rights to that object. Note that the path from s to o does not have to be a direct path. Subject s is said to dominate object o. Domination is anti-symmetric and transitive.

17 Lattice Graphs
Security systems based on lattice graphs are very common. They have two particular properties:
1. Given 2 vertices a and b, there is a unique vertex c which dominates both a and b. If vertex d also dominates a and b, then d also dominates c.
2. Given 2 vertices a and b, there is a unique vertex e which is dominated by both a and b, and if f is also dominated by a and b, then f is dominated by e.

18 These properties ensure that no portion of the graph looks like a butterfly. The advantage of this is that for any two security levels, there is a unique minimum security level above both. Such a system avoids conflicts.

19 Example
In a system there are two sets of files and three levels of security for each: {nothing, read, write-and-read}. There are 9 levels of security, each represented by a pair (x,y) where x and y are one of n, r, w and show the security level for each set of files respectively. Thus a subject with a security level of (r,n) would be allowed to read the first set of files but neither read nor write the second set. We can use a lattice graph to represent this system.
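The 9-level system of slide 19 worked through in code, as an added example that is not part of the slides: domination between levels follows slide 16, the two lattice properties of slide 17 are checked for every pair of levels, join gives the unique minimum level above two levels (slide 18), and a constructed "butterfly" graph is shown to fail the same check. The encoding of a level as a two-character string such as "rn" is an assumption of this example.

```python
# Added example (not from the slides): the 9-level lattice of slide 19 under the
# domination order of slide 16, with slide 17's two lattice properties checked,
# and slide 18's "butterfly" shown to fail the check.

RANK = {"n": 0, "r": 1, "w": 2}   # nothing < read < write (write includes read, slide 4)
# A level (x, y) is written as a 2-char string: "rn" = read set 1, nothing on set 2.
LEVELS = [x + y for x in "nrw" for y in "nrw"]


def dominates(a, b):
    """a dominates b when a is at least as high as b on both file sets.
    This relation is reflexive, anti-symmetric and transitive (slide 16)."""
    return RANK[a[0]] >= RANK[b[0]] and RANK[a[1]] >= RANK[b[1]]


def bounds(a, b, levels, dom):
    """Return (least upper bounds, greatest lower bounds) of a and b as lists.
    In a lattice each list has exactly one element (slide 17, properties 1 and 2)."""
    ups = [c for c in levels if dom(c, a) and dom(c, b)]
    downs = [c for c in levels if dom(a, c) and dom(b, c)]
    lub = [c for c in ups if all(dom(d, c) for d in ups)]
    glb = [c for c in downs if all(dom(c, d) for d in downs)]
    return lub, glb


def is_lattice(levels, dom):
    """True if every pair of levels has a unique LUB and a unique GLB."""
    return all(len(lub) == 1 and len(glb) == 1
               for a in levels for b in levels
               for lub, glb in [bounds(a, b, levels, dom)])


def join(a, b):
    """The unique minimum level above both (slide 18): the clearance a subject
    needs to hold in order to work with both a and b."""
    return bounds(a, b, LEVELS, dominates)[0][0]


def meet(a, b):
    """The unique maximum level below both: what a and b may both see."""
    return bounds(a, b, LEVELS, dominates)[1][0]


def may(subject_level, file_set, operation):
    """Reference-monitor check: reading file set i (0 or 1) needs at least 'r'
    in position i of the subject's level; writing needs 'w'."""
    needed = {"read": "r", "write": "w"}[operation]
    return RANK[subject_level[file_set]] >= RANK[needed]


# Constructed butterfly (slide 18): c and d both dominate a and b but are not
# comparable with each other, so (a, b) has no unique least upper bound.
BUTTERFLY = ["a", "b", "c", "d"]
BUTTERFLY_EDGES = {("c", "a"), ("c", "b"), ("d", "a"), ("d", "b")}


def butterfly_dominates(x, y):
    return x == y or (x, y) in BUTTERFLY_EDGES
```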

20 Summary
- An access control system offers subjects rights to perform operations on objects, and the operations available will depend on the security model and the application.
- Access control tables represent access control for every subject and object.
- Lists may be used instead of matrices.
- Groups can be used if different subjects have the same access rights.
- Directed graphs can be used to represent security levels and show domination.
- Lattices are used by many security models to represent access control.
