Access Control Matrix Present by Napasakorn Sukjay 51- 7038-002-5 Poom Samaharn 51- 7038-006-6

Upload: branden-fisher

Post on 22-Dec-2015


Page 1: Access Control Matrix Present by Napasakorn Sukjay 51-7038-002-5 Poom Samaharn 51-7038-006-6

Access Control Matrix

Present by

Napasakorn Sukjay 51-7038-002-5

Poom Samaharn 51-7038-006-6

Page 2

Topic

Introduction
Access Control Matrix
Access Control List (ACL)
Capability List (C-List)
The confused deputy
Comparison between ACL and C-List
Summary

Page 3

Introduction

The access control matrix is a model of system resource protection. It was first proposed by Butler W. Lampson [1], an American computer scientist, in 1971. The protection schemes in this model do not allow unauthorized users or subjects to use system resources. In other words, a particular subject has limited access rights to some specific objects, if not all of them.

An access control system is like a locked door: the door can be opened by anyone who holds the right key. Another example is checking movie tickets at a theatre: viewers with valid tickets are allowed to pass the door and watch the movie.

Because of increasing system complexity, derivative forms of the access control matrix such as the access control list (ACL) and the capability list (C-list) are better suited in practice. Those derivatives have their own advantages and disadvantages.

Page 4

Access Control Matrix

An access control matrix consists of three parts: subjects, objects, and access operations. A subject is an active entity in a computer system, such as a user, program, process, or thread. An object is a passive entity or system resource, such as a file, directory, database record, or printer. In the access control matrix schema, the subjects and objects are placed in a table: each row represents a subject and each column represents an object. The data inside the table are sets of access operations such as read, write, and execute. The access operations define the permitted interactions between subjects and objects.

Page 5

A schematic view

A user requests access operations on objects/resources. The reference monitor checks the validity of the request and returns either a grant or a denial of access.

Figure labels: Access Request, Reference Monitor, Grant/Deny

Page 6

The principle of access control is as follows:

1. Assign subjects on the system.
2. Assign objects, which are recognized by associated programs.
3. Assign access operations that subjects can use.
4. Assign subjects which interact with objects through processes.

Page 7

Access Control Matrix

Table 1: Access Control Matrix [3]. r = read, w = write, x = execute, - = not allowed

Corresponding to Table 1, there are three users (Bob, Alice, and Sam) and one program (the accounting program) as subjects; they are aligned in row order. In column order, there are five objects: the OS, the accounting program, accounting data, insurance data, and payroll data.

Noticeably, the accounting program acts as both a subject and an object. This approach protects the accounting data from corruption or modification by other programs: if any other subject attempts to modify the accounting data, that attempt will be rejected. However, this protection can be intentionally bypassed. The system administrator, Sam, could substitute a fallacious version for the accounting program, which would defeat the protection provided by the original accounting program. Alice and Bob, though, are still only able to read and execute the accounting program (original or fallacious); they cannot corrupt it under any circumstances.

Page 8

Access Control List (ACL)

In practice, a system should not hold huge numbers of subjects and objects in a single large access control matrix. With a large number of matrix entries and extremely sparse data [2], a large access control matrix would waste too much memory (e.g. 10,000 subjects x 1,000,000 objects = 1,000,000,000 matrix entries). It also takes a long time to look up the entry for a given subject and object. For better performance of authorization operations, the access control matrix is split into two practical derivatives: the first is the access control list and the second is the capability list. Splitting the matrix into columns, each of which represents an object, gives "access control lists" (ACLs). An ACL stands for one column of the access control matrix; it is attached to an object and specifies the subjects that may access it.

Page 9

Access Control List (ACL)

According to Table 1 and Table 2, if we look up the insurance data we can write its ACL as follows:

Table 1: Access Control Matrix [3]

Table 2: The composition of an ACL entry [3]

Page 10

Access Control Lists (ACLs) cont.

Figure 1: Access Control Lists (ACLs)

From Figure 1, there are three subjects (Alice, Bob and Fred) and three objects (file 1, file 2, and file 3). Each object records the permissions of particular subjects. According to Figure 1, each file (object) has its own ACL. File 1 is linked to two subjects, Alice and Fred, and grants read permission to both. The ACL of file 2 grants Alice permission to write file 2 and Bob permission to read file 2.

Page 11

Capability List (C-List)

The second derivative of the access control matrix is the "capability list" or C-list. In this case, the access control matrix is split into rows, each row representing one subject. A capability list is attached to a subject and specifies the objects it may access. Each entry in the list is a capability, which is a pair of an object and a set of access operations. The permissions each subject has on its objects are listed in that subject's C-list.

Page 12

Capability List (C-List) cont.

From the access control matrix, if we look up Alice's C-list we can write it as follows:

Table 1: Access Control Matrix [3]

Page 13

Capability (C-List) cont.

From Figure 2, there are three subjects (Alice, Bob and Fred) and three objects (file 1, file 2, and file 3). Each subject is assigned permissions to operate on each object. For example, Alice has permission to write file 2, and to read and write file 3.

Figure 2: Capability (C-List)
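The matrix of Table 1, the reference monitor of page 5, and the column/row derivations of pages 8 to 13 in working form. This is an added example, not code from the slides or from reference [3]; the subject and object names follow Table 1, but the permission values are constructed to match the prose (only the accounting program may write the accounting data, Sam may replace the program, Alice and Bob may only read and execute it).

```python
# Added example (not from the original slides): an access control matrix
# modelled on Table 1. Subjects: Bob, Alice, Sam, the accounting program.
# Objects: OS, accounting program, accounting data, insurance data, payroll
# data. The permission values below are constructed from the slides' prose,
# not copied from the book's table.
from typing import Dict, FrozenSet

Rights = FrozenSet[str]

def R(s: str) -> Rights:
    """Parse a cell such as 'rx' or '-' into a set of operations."""
    return frozenset(s) if s != "-" else frozenset()

OBJECTS = ["OS", "AcctProg", "AcctData", "InsData", "PayrollData"]

# Constructed matrix: rows are subjects, columns are OBJECTS in order.
MATRIX: Dict[str, Dict[str, Rights]] = {
    "Bob":      dict(zip(OBJECTS, map(R, ["rx",  "rx",  "r",  "-",  "-"]))),
    "Alice":    dict(zip(OBJECTS, map(R, ["rx",  "rx",  "r",  "rw", "rw"]))),
    "Sam":      dict(zip(OBJECTS, map(R, ["rwx", "rwx", "r",  "rw", "rw"]))),
    "AcctProg": dict(zip(OBJECTS, map(R, ["rx",  "rx",  "rw", "rw", "rw"]))),
}

def reference_monitor(subject: str, obj: str, op: str) -> bool:
    """Grant only if the (subject, object) cell lists the operation; an
    unknown subject or object is denied (fail closed)."""
    return op in MATRIX.get(subject, {}).get(obj, frozenset())

def acl(obj: str) -> Dict[str, Rights]:
    """One column of the matrix: the ACL attached to an object."""
    return {s: row[obj] for s, row in MATRIX.items() if row.get(obj)}

def clist(subject: str) -> Dict[str, Rights]:
    """One row of the matrix: the capability list attached to a subject."""
    return {o: r for o, r in MATRIX.get(subject, {}).items() if r}

if __name__ == "__main__":
    # Only the accounting program may write the accounting data:
    # Bob's attempt is rejected, the program's own write is allowed.
    print(reference_monitor("Bob", "AcctData", "w"))       # False
    print(reference_monitor("AcctProg", "AcctData", "w"))  # True
    # Sam, the administrator, can replace the accounting program (page 7).
    print(reference_monitor("Sam", "AcctProg", "w"))       # True
    print(acl("InsData"))   # column: who may touch the insurance data
    print(clist("Alice"))   # row: everything Alice may do
```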

Page 14

Confused Deputy

A deputy is a program that acts on behalf of users or subjects. One well-known deputy is the compiler. A compiler, a program that transforms source code into binary form, must act as a deputy for many users. This gives rise to a classic security problem called the "confused deputy". A confused deputy is a deputy that has been inappropriately manipulated. The confused deputy problem is commonly found in computer systems.

Page 15

Confused Deputy cont.

From Table 3, the compiler is granted permission to write to a file named "Bill". The file "Bill" contains critical resource information. There is a user named Alice. Alice can invoke the compiler and give it a file name to receive debugging output. If Alice invokes the compiler and provides "Bill" as the name of the debugging file, the compiler becomes confused: although Alice does not have permission to write to the file "Bill", the compiler, acting as Alice's deputy, will overwrite "Bill" with debugging information.

r = read, w = write, x = execute, - = not allowed

Table 3: Access Control Matrix for the confused deputy [3]

Page 16

The confused deputy cont.

Figure 3: The confused deputy [3]

When the confused deputy problem arises, C-lists can prevent it, whereas ACLs have difficulty avoiding it. With C-lists, the prevention works by handing the C-list to the compiler just before the debugging process starts: Alice must give her C-list to the compiler when she invokes it. Once it receives the C-list, the compiler checks all permissions related to the target file and learns that Alice does not have permission to overwrite the file "Bill". ACLs, on the other hand, have no comparable mechanism to avoid the confusion.
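The two behaviours described on pages 15 and 16 side by side: a deputy that consults only its own rights (the ACL-style confusion of Table 3) and a deputy that requires the caller's capability (the C-list prevention). This is an added example, not code from the slides or from reference [3]; the matrix values and the file "alice.dbg" are constructed to match the prose.

```python
# Added example (not from the original slides): the confused deputy of
# Table 3 / Figure 3. Constructed matrix: Alice may execute the compiler
# but not write "Bill"; the compiler may write "Bill". The scratch file
# "alice.dbg" is an assumption added so the legitimate path can be shown.
from typing import Dict, FrozenSet, List

MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "Alice":    {"Compiler": frozenset("x"), "Bill": frozenset(), "alice.dbg": frozenset("rw")},
    "Compiler": {"Compiler": frozenset("rx"), "Bill": frozenset("rw")},
}

FILES: Dict[str, str] = {"Bill": "billing records"}   # constructed "disk"

class AccessDenied(Exception):
    pass

def compile_with_ambient_authority(caller: str, debug_file: str) -> Dict[str, str]:
    """ACL-style deputy: the compiler checks only *its own* rights on the
    target, so any file it may write can be named by any caller."""
    disk = dict(FILES)
    if "w" not in MATRIX["Compiler"].get(debug_file, frozenset()):
        raise AccessDenied(f"Compiler cannot write {debug_file}")
    disk[debug_file] = f"debug output for {caller}"   # "Bill" is clobbered
    return disk

def compile_with_capability(caller: str, debug_file: str,
                            caller_clist: Dict[str, FrozenSet[str]]) -> Dict[str, str]:
    """C-list-style deputy: the caller hands over her capability list and
    the compiler writes only where *the caller* holds a write capability."""
    disk = dict(FILES)
    if "w" not in caller_clist.get(debug_file, frozenset()):
        raise AccessDenied(f"{caller} holds no write capability for {debug_file}")
    disk[debug_file] = f"debug output for {caller}"
    return disk

def demo() -> List[str]:
    """Run both deputies on Alice's request to use 'Bill' as the debug file."""
    results = []
    results.append("ambient: Bill now holds '" + compile_with_ambient_authority("Alice", "Bill")["Bill"] + "'")
    try:
        compile_with_capability("Alice", "Bill", MATRIX["Alice"])
        results.append("capability: wrote Bill")
    except AccessDenied as e:
        results.append("capability: denied (" + str(e) + ")")
    return results

if __name__ == "__main__":
    print("\n".join(demo()))
```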

Page 17

Comparison between ACL and C-List

Figure 4: Comparison between Access control list and capability [3]

Page 18

Comparison between ACL and C-List cont.

Access control lists and capability lists look similar, but there are many differences. The obvious and significant difference is the direction of the arrows in the two approaches. According to Figure 4, the arrows for ACLs point from the resources (objects) to the users (subjects), whereas the arrows for C-lists point from the users to the resources. This means that the capability pairing between users and resources is generated by the system, so users' permissions to access files can be modified by the system itself. Conversely, a system using the ACL approach needs a special method for pairing users to files. This is the first advantage of capabilities over ACLs. Table 4 displays the other advantages and disadvantages of each.

Page 19

ACL vs. C-List

Table 4: ACL vs. C-List [3]

Page 20

Summary

The access control matrix is a model of system resource protection. It consists of subjects, objects, and access operations. Subjects occupy the rows of the matrix and objects the columns. The table is useful for manipulating and protecting system resources; for example, one user can read a file but cannot overwrite it. In practice, the access control matrix is split into two approaches: the first is the ACL, which corresponds to the columns, and the second is the C-list, which corresponds to the rows. ACLs focus on objects while C-lists focus on subjects. The two differ, and the differences give each some advantages and disadvantages over the other. One common problem, the confused deputy, can be prevented by C-lists. However, ACLs are more widely used commercially because they do not have high overhead and are easy to implement.

Page 21

References

[1] "Access Control Matrix", available at: http://en.wikipedia.org/wiki/Access_Control_Matrix, accessed February 2009.
[2] J. Crampton, "Access Control", available at: http://faculty.ksu.edu.sa/mazyad/CEN448/AccessControl.ppt, accessed February 2009.
[3] M. Stamp, "Information Security: Principles and Practice", John Wiley & Sons Inc., NJ, 2006.

Page 22

Thank you