Access Control Matrix

Presented by
Napasakorn Sukjay 51-7038-002-5
Poom Samaharn 51-7038-006-6
Topics
Introduction
Access Control Matrix
Access Control List (ACL)
Capability List (C-List)
The confused deputy
Comparison between ACL and C-List
Summary
Introduction
The access control matrix is a model for protecting system resources. It was first proposed by Butler W. Lampson [1], an American computer scientist, in 1971. Protection schemes built on this model do not allow unauthorized users or subjects to use system resources: a given subject holds access rights only to some specific objects, and usually only for a limited set of operations on each.
An access control system is like a set of locked doors: a door can be opened by anyone who holds the right key. Another example is ticket checking at a cinema: viewers holding valid tickets are allowed through the door to watch the film.
Because systems have grown more complex, the full matrix is rarely stored directly; derived forms such as the access control list (ACL) and the capability list (C-list) are used instead. Each derivative has advantages and disadvantages.
Access Control Matrix
An access control matrix has three parts: subjects, objects, and access operations. A subject is an active entity in a computer system, such as a user, program, process, or thread. An object is a passive entity or system resource, such as a file, directory, database record, or printer. In the matrix, subjects and objects are arranged in a table: each row represents a subject and each column represents an object. Each cell holds the set of access operations (such as read, write, and execute) that the row's subject may perform on the column's object. The access operations are the only permitted interactions between subjects and objects.
A schematic view
A user (subject) requests an access operation on an object or resource. The reference monitor checks whether the request is valid and returns either a grant or a denial.
[Figure: the access request flows from the subject to the reference monitor, which answers grant or deny.]
The principle of access control is as follows:
1. Assign the subjects on the system.
2. Assign the objects, which are recognized by their associated programs.
3. Assign the access operations that subjects can use.
4. Assign the subjects that interact with objects through processes; every such interaction is checked against the assigned operations.
Access Control Matrix
Table 1: Access Control Matrix [3]
Legend: r = read, w = write, x = execute, - = not allowed
Corresponding to Table 1, there are three users (Bob, Alice, and Sam) and one program (the accounting program) as subjects, arranged in row order. The columns hold five objects: the OS, the accounting program, the accounting data, the insurance data, and the payroll data.
Notice that the accounting program appears as both a subject and an object. Making it an object protects the accounting data from corruption or modification by other programs: the accounting program, not the users, is the subject that writes the accounting data, so if another subject attempts to modify the accounting data directly, the attempt is rejected. However, this protection can be deliberately bypassed. The system administrator, Sam, could replace the accounting program with a fraudulent version, which would defeat the protection the original program provided. Alice and Bob, who can only read and execute the accounting program (original or fraudulent), cannot corrupt it under any circumstances.
Access Control List (ACL)
In practice, a system should not store a large access control matrix holding huge numbers of subjects and objects. With so many matrix entries, most of them empty (the matrix is sparse) [2], a large access control matrix would waste far too much memory (e.g. 10,000 subjects x 1,000,000 objects = 10,000,000,000 matrix entries). It also takes a long time to locate the entry for a given subject and object.
For better performance of the authorization operation, the access control matrix is split into one of two practical derivatives. The first is the access control list and the second is the capability list. In the first, the matrix is split into columns, one per object. These columns are called "access control lists" (ACLs). An ACL stands for one column of the access control matrix: it is attached to an object and lists the subjects that may access it, together with their rights.
Access Control List (ACL)
The composition of an ACL entry
Table 1: The composition of an ACL entry [3]
Table 2: Access Control Matrix [3]
According to Tables 1 and 2, the ACL for the insurance data is read off as that object's column of the matrix: the subjects appearing in the column and, for each of them, the operations in its cell.
Access Control Lists (ACLs) cont.
Figure 1 shows three subjects (Alice, Bob and Fred) and three objects (file 1, file 2, and file 3). Each object carries the permissions of particular subjects, that is, each file has its own ACL. The ACL of file 1 lists two subjects, Alice and Fred, and gives read permission to both. The ACL of file 2 gives write permission to Alice and read permission to Bob.
Figure 1: Access Control Lists (ACLs)
Capability List (C-List)
The second derivative of the access control matrix is the "capability list" or C-list. In this case the matrix is split into rows, each row representing one subject. A capability list is attached to a subject and specifies the objects it may access. Each entry in the list is a capability: a pair of an object and a set of access operations. The permissions each subject holds on objects are listed in its C-list.
Capability List (C-List) cont.
Table 1: Access Control Matrix [3]
From the access control matrix, Alice's C-list is read off as her row: for each object, the set of operations in that cell.
Capability (C-List) cont.
Figure 2 shows three subjects (Alice, Bob and Fred) and three objects (file 1, file 2, and file 3). Each subject is assigned permissions to operate on objects. For example, Alice has permission to write file 2 and to read and write file 3.
Figure 2: Capability (C-List)
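As an added example (not code from the presentation or from Stamp's book), the following Python builds both derivatives from one matrix and runs a reference monitor against each, covering the ACL and C-list sections above. The matrix is constructed to match the subjects and files named for Figures 1 and 2; its cell contents, the file names and all function names are assumptions of this example, not Table 1.

```python
from typing import Dict, List, Set, Tuple

Rights = Set[str]
Matrix = Dict[str, Dict[str, Rights]]  # matrix[subject][object] -> set of operations

# Constructed sample matrix (it is NOT Table 1 of the slides). Rows are subjects,
# columns are objects; an empty set is the "-" (not allowed) cell.
MATRIX: Matrix = {
    "Alice": {"file1": {"r"}, "file2": {"w"},   "file3": {"r", "w"}},
    "Bob":   {"file1": set(), "file2": {"r"},   "file3": set()},
    "Fred":  {"file1": {"r"}, "file2": set(),   "file3": set()},
}


def objects_of(matrix: Matrix) -> List[str]:
    """The column headers: every object named in any row, in sorted order."""
    return sorted({obj for row in matrix.values() for obj in row})


def to_acls(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Split the matrix by column: one ACL per object.
    Returns acls[object][subject] -> rights; "-" cells are simply not stored."""
    acls: Dict[str, Dict[str, Rights]] = {obj: {} for obj in objects_of(matrix)}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls[obj][subject] = set(rights)
    return acls


def to_clists(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Split the matrix by row: one C-list per subject.
    Each entry is a capability, i.e. a pair (object, rights)."""
    return {subject: {obj: set(rights) for obj, rights in row.items() if rights}
            for subject, row in matrix.items()}


def sparsity(matrix: Matrix) -> Tuple[int, int]:
    """(cells in the full matrix, cells that are non-empty): the memory argument in the text."""
    total = len(matrix) * len(objects_of(matrix))
    stored = sum(1 for row in matrix.values() for rights in row.values() if rights)
    return total, stored


def monitor_acl(acls: Dict[str, Dict[str, Rights]], subject: str, obj: str, op: str) -> bool:
    """Reference monitor, ACL style: go to the object's list and look the subject up.
    The system must already know who the subject is (it authenticated the requester)."""
    return op in acls.get(obj, {}).get(subject, set())


def monitor_clist(clists: Dict[str, Dict[str, Rights]], subject: str, obj: str, op: str) -> bool:
    """Reference monitor, capability style: the subject presents its list and the
    monitor looks the object up in it. Unknown subjects or objects are denied by default."""
    return op in clists.get(subject, {}).get(obj, set())


def derivatives_agree(matrix: Matrix) -> bool:
    """Both splittings must grant exactly the cells of the matrix and nothing else."""
    acls, clists = to_acls(matrix), to_clists(matrix)
    for subject, row in matrix.items():
        for obj in objects_of(matrix):
            for op in ("r", "w", "x"):
                expected = op in row.get(obj, set())
                if monitor_acl(acls, subject, obj, op) != expected:
                    return False
                if monitor_clist(clists, subject, obj, op) != expected:
                    return False
    return True


if __name__ == "__main__":
    print("ACL for file2:", to_acls(MATRIX)["file2"])
    print("Alice's C-list:", to_clists(MATRIX)["Alice"])
    print("cells in full matrix / cells actually stored:", sparsity(MATRIX))
```

The two monitors answer the same question by walking the data in opposite directions: the ACL monitor starts from the object and must be told who the subject is, the capability monitor starts from what the subject presents. That asymmetry is what the confused deputy discussion below turns on.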
Confused Deputy
A deputy is a program that acts on behalf of users or subjects. One well-known deputy is a compiler. A compiler, which transforms source code into binary form, must act as a deputy for many users. This gives rise to a classic security problem called the "confused deputy": a deputy that is manipulated into using its own authority for a purpose it was not meant to serve. The confused deputy problem is common in computer systems.
Confused Deputy cont.
Table 3: Access Control Matrix for the confused deputy [3]
Legend: r = read, w = write, x = execute, - = not allowed
In Table 3, the compiler is granted permission to write to a file named "Bill", which contains critical information about resources. There is a user named Alice. Alice can invoke the compiler and give it a file name to receive debugging output. If Alice invokes the compiler and provides "Bill" as the name of the debugging file, the compiler becomes confused: although Alice herself has no permission to write to the file "Bill", the compiler, acting as her deputy with its own permissions, overwrites "Bill" with debugging information.
The confused deputy cont.
Figure 3: The confused deputy [3]
C-lists can prevent the confused deputy problem, whereas ACLs have difficulty avoiding it. With C-lists, Alice must hand her C-list to the compiler when she invokes it, shortly before the debugging output is produced. Having received the C-list, the compiler checks the permissions it contains for the target file and finds that Alice has no permission to overwrite "Bill", so the write is refused. An ACL system has no comparable mechanism: the ACL check on "Bill" sees only the compiler's own identity and its write permission, not the user on whose behalf it is acting.
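The scenario of Table 3 and Figure 3, as an added example written for this page (not code from the presentation or from Stamp's book): first an ACL-style compiler that writes debug output with its own ambient authority, then a capability-style compiler that writes only through a capability the caller hands it. The file contents, the "alice.dbg" file name and all class and function names are assumptions of this example.

```python
from typing import Dict, Set

BILL_ORIGINAL = "charges: 100 units"  # constructed contents of the file "Bill"


class Denied(Exception):
    """Raised by the reference monitor when an operation is not permitted."""


class AclFileSystem:
    """In-memory store with one ACL per file: acl[name][subject] -> rights.
    A file that does not exist yet may be created by anyone; the creator gets 'rw'."""

    def __init__(self) -> None:
        self.contents: Dict[str, str] = {"Bill": BILL_ORIGINAL}
        # As in Table 3: only the compiler may write "Bill"; Alice has no entry.
        self.acl: Dict[str, Dict[str, Set[str]]] = {"Bill": {"compiler": {"w"}}}

    def write(self, subject: str, name: str, data: str) -> None:
        if name not in self.acl:
            self.acl[name] = {subject: {"r", "w"}}
        if "w" not in self.acl[name].get(subject, set()):
            raise Denied(f"{subject} may not write {name}")
        self.contents[name] = data


def compile_ambient(fs: AclFileSystem, user: str, debug_file: str) -> None:
    """The deputy. The write is performed as 'compiler', so the ACL check sees the
    compiler's own right to "Bill" and never asks whether the user (Alice) has one."""
    fs.write("compiler", debug_file, f"debug output for {user}")


def alice_direct_write_denied() -> bool:
    """Alice writing "Bill" herself is correctly refused by the ACL."""
    fs = AclFileSystem()
    try:
        fs.write("Alice", "Bill", "tampered")
    except Denied:
        return fs.contents["Bill"] == BILL_ORIGINAL
    return False


def ambient_attack() -> bool:
    """Alice names "Bill" as her debug file. Returns True if "Bill" was clobbered."""
    fs = AclFileSystem()
    compile_ambient(fs, "Alice", "Bill")
    return fs.contents["Bill"] != BILL_ORIGINAL


class Capability:
    """One C-list entry: a (file, rights) pair. Holding it is the permission."""

    def __init__(self, store: Dict[str, str], name: str, rights: Set[str]) -> None:
        self.store, self.name, self.rights = store, name, set(rights)

    def write(self, data: str) -> None:
        if "w" not in self.rights:
            raise Denied(f"capability for {self.name} lacks 'w'")
        self.store[self.name] = data


def compile_with_clist(caller_clist: Dict[str, Capability], debug_file: str) -> None:
    """The caller hands over its C-list; debug output is written only through a
    capability found there. The compiler's own authority over "Bill" is not consulted."""
    cap = caller_clist.get(debug_file)
    if cap is None:
        raise Denied(f"caller holds no capability for {debug_file}")
    cap.write("debug output")


def capability_attack() -> bool:
    """Same attempt against the capability-style compiler. Returns True if "Bill" was clobbered."""
    store = {"Bill": BILL_ORIGINAL}
    compiler_clist = {"Bill": Capability(store, "Bill", {"w"})}  # compiler still has it for billing
    alice_clist = {"alice.dbg": Capability(store, "alice.dbg", {"r", "w"})}
    try:
        compile_with_clist(alice_clist, "Bill")
    except Denied:
        pass
    assert "Bill" in compiler_clist  # the compiler's authority exists but was never used here
    return store["Bill"] != BILL_ORIGINAL


def capability_legit() -> bool:
    """Alice asks for debug output in a file she does hold a capability for."""
    store = {"Bill": BILL_ORIGINAL}
    alice_clist = {"alice.dbg": Capability(store, "alice.dbg", {"r", "w"})}
    compile_with_clist(alice_clist, "alice.dbg")
    return store.get("alice.dbg") == "debug output"


if __name__ == "__main__":
    print("ACL compiler overwrote Bill:", ambient_attack())
    print("capability compiler overwrote Bill:", capability_attack())
    print("capability compiler served the legitimate request:", capability_legit())
```

The defence is not that the compiler lost its write right to "Bill" (it still holds that capability for its own billing work) but that the request to write debug output is served only with authority the caller supplied, so the caller cannot borrow the deputy's.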
Comparison between ACL and C-List
Figure 4: Comparison between Access control list and capability [3]
Comparison between ACL and C-List cont.
Access control lists and capability lists look similar, but there are many differences. The most obvious and significant is the direction of the arrows in the two approaches.
In Figure 4, the arrows for ACLs point from the resources (objects) to the users (subjects), whereas the arrows for C-lists point from the users to the resources. A capability thus carries the pairing between a user and a resource in itself, and the system can change a user's permission on a file simply by changing the capabilities that user holds. With the ACL approach, the system instead needs a separate method to pair users with files: it must first establish which user is making the request and then look that user up in the object's list. This is the first advantage of capabilities over ACLs. Table 4 lists the other advantages and disadvantages of each.
ACL vs. C-List
Table 4: ACL vs. C-List [3]
Summary
The access control matrix is a model for protecting system resources. It consists of subjects, objects, and access operations. Subjects occupy the rows of the matrix and objects the columns. The table is useful for managing and protecting system resources; for example, one user can read a file but cannot overwrite it. In practice, the access control matrix is split into one of two derived forms. The first is the ACL, which corresponds to the columns; the second is the C-list, which corresponds to the rows. ACLs are organized around objects, C-lists around subjects.
The two differ, and each difference gives one form an advantage or disadvantage over the other. One common problem, the confused deputy, can be prevented with C-lists. However, ACLs are more widely used commercially because they have lower overhead and are easier to implement.
References
[1] "Access Control Matrix", Wikipedia, http://en.wikipedia.org/wiki/Access_Control_Matrix, accessed February 2009.
[2] J. Crampton, "Access Control", lecture slides, http://faculty.ksu.edu.sa/mazyad/CEN448/Access Control.ppt, accessed February 2009.
[3] M. Stamp, Information Security: Principles and Practice, John Wiley & Sons, Hoboken, NJ, 2006.
Thank you