03d - Access Control and Authorization

This document discusses access control and authorization. It defines key concepts like subjects, objects, rights, and reference monitors. It also summarizes common access control methods like access control lists, capabilities, and role-based access control. Reference monitors are described as mechanisms that mediate all access requests according to security policies. Placement of reference monitors can occur at different system levels like the hardware, operating system kernel, or applications.

CSC662

COMPUTER SECURITY

03d - ACCESS CONTROL


AND AUTHORIZATION

These slides are prepared from Prof. Pavel Laskov's lecture slides
Version 2.0

RESOURCE ACCESS – RECAPITULATED
ACCESS CONTROL EXAMPLE
Unix
Every file is associated with a "mode": Read, Write and eXecute rights for owner, group and world, e.g., dr--r-xrwx
(a directory whose owner may only read it, whose group may read and traverse it, and which everyone else may read, write and traverse; exactly one class applies to a given process, owner first, then group, then world, so here the owner has fewer rights than everybody else)
getacl/setacl (getfacl/setfacl on Linux) support additional ACL entries for named users and groups
Windows
NTFS allows specifying which users and groups can do what to a file, folder, registry key and other system objects
A few groups are pre-defined, e.g., Administrators, Power Users, Users
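The Unix mode example above is worth seeing as code, because the rule that trips people up is that the kernel picks exactly one class (owner, else group, else world) and never unions them. The following is an added example written for this page, not code from the slides or from any Unix implementation; the Inode values are constructed, and setuid/setgid/sticky bits and root's bypass of the mode bits are deliberately left out.

```python
# Added example, not from the slides: a Unix mode-bit check.
# Decides whether a process with (uid, gid, supplementary gids) may perform
# an operation on a file whose symbolic mode is e.g. "dr--r-xrwx".
# Assumed simplification: setuid/setgid/sticky bits and root's bypass of the
# mode bits are not modelled; the Inode values used below are constructed.
from __future__ import annotations
from dataclasses import dataclass

CLASSES = ("owner", "group", "other")


@dataclass(frozen=True)
class Inode:
    owner_uid: int
    owner_gid: int
    mode: str  # 10-character symbolic mode as printed by ls -l


def parse_mode(mode: str) -> tuple[str, dict[str, set[str]]]:
    """Split "dr--r-xrwx" into (type character, {class: set of r/w/x})."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character symbolic mode")
    rights = {}
    for i, cls in enumerate(CLASSES):
        triple = mode[1 + 3 * i: 4 + 3 * i]
        rights[cls] = {c for c in triple if c in "rwx"}
    return mode[0], rights


def applicable_class(inode: Inode, uid: int, gid: int,
                     groups: frozenset[int] = frozenset()) -> str:
    """The kernel uses exactly one class, chosen in this order;
    the classes are never unioned."""
    if uid == inode.owner_uid:
        return "owner"
    if gid == inode.owner_gid or inode.owner_gid in groups:
        return "group"
    return "other"


def effective_rights(inode: Inode, uid: int, gid: int,
                     groups: frozenset[int] = frozenset()) -> set[str]:
    _, rights = parse_mode(inode.mode)
    return rights[applicable_class(inode, uid, gid, groups)]


def may_access(inode: Inode, uid: int, gid: int, op: str,
               groups: frozenset[int] = frozenset()) -> bool:
    """op is 'r', 'w' or 'x'; on a directory 'x' means traverse and
    'w' means create or delete entries."""
    if len(op) != 1 or op not in "rwx":
        raise ValueError("op must be one of r, w, x")
    return op in effective_rights(inode, uid, gid, groups)


if __name__ == "__main__":
    # The slide's own mode: the owner may only read this directory, the owning
    # group may read and traverse it, everyone else has full rights.
    d = Inode(owner_uid=1000, owner_gid=1000, mode="dr--r-xrwx")
    print(may_access(d, 1000, 1000, "w"))   # False: owner class applies, r-- only
    print(may_access(d, 2000, 2000, "w"))   # True: other class applies
    print(may_access(d, 3000, 1000, "x"))   # True: group class via primary gid
```

The practical consequence: a permissive "world" triple never helps the owner, and a restrictive owner triple is a real lock-out for the owner until they chmod it (which they can, because DAC lets the owner change the mode).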

ACCESS CONTROL OVERVIEW
Given a subject, which objects can it access and how?
Given an object, which subjects can access it and how?

MAIN CONCEPTS
Subject is an entity that initiates an access
request.
Object is an entity to which access is requested.
Rights represent different types of access.
Reference monitor makes authorization decisions.
Goals of access control:
Granting access
Limiting access
Preventing access
Revoking access

SUBJECTS

Subjects are any active entities in a system.
Subjects operate on behalf of principals.
Each subject must be bound to a unique
principal; a principal may be bound to
several subjects.
Examples:
Principal: user ID.
Subject: process ID.

OBJECTS

Objects represent passive resources of a system: memory, files, directories, nodes on a network, etc.
The distinction of objects and
subjects is made purely in terms of
access requests.
Depending on circumstances, a
resource may be an object or a
subject.

REFERENCE MONITOR AND ACCESS POLICIES
Reference monitor is an abstract notion of a mechanism for controlling access requests.
Access rights represent the various access operations supported by a system, e.g.:
read
write
append
execute
delete
search
change owner
change permissions
Access policies map principals, objects and access rights.

ACCESS CONTROL STRUCTURES
Access control structures are mechanisms for
implementing access policies:
access control matrix
capabilities
access control lists
intermediate controls (groups, negative
permissions, roles, protection rings etc.)
Requirements for access control structures:
an ability to express control policies
verifiability of correctness
scalability and manageability

ACCESS CONTROL MATRIX
Access control matrix is a basic control structure.
Advantages:
clarity of definition
easy to verify
Disadvantages:
poor scalability
poor handling of changes

CAPABILITIES
Capability is a subject-centered description of
access rights:
Alice:{edit.exe: execute}, {fun.com: execute, read}
Bob: {bill.doc: read, write}, {edit.exe: execute},
{fun.com: execute, read, write}

Advantages:
easy ownership transfer
easy inheritance of access rights
Disadvantages:
poor overview of access rights per object
difficulty of revocation
need for extra integrity protection

ACCESS CONTROL LIST (ACL)
ACL is an object-centered description of access rights:
bill.doc: {Bob: read, write}
edit.exe: {Alice: execute}, {Bob: execute}
fun.com: {Alice: execute, read}, {Bob: execute, read, write}
Advantages:
easy access to object access rights
relative easiness of management using abstractions
Disadvantages:
poor overview of access rights per subject
difficulty of revocation
difficulty of sharing
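The matrix, capability and ACL slides above describe one body of information viewed by row or by column; the advantages and disadvantages listed are really statements about which queries and updates each view makes cheap. The following added example (written for this page, not taken from the slides) takes the Alice/Bob matrix from the capability and ACL slides, derives both views from it, and runs the two overview questions and the two revocation directions against each, returning how many lists each revocation had to touch.

```python
# Added example, not from the slides: the Alice/Bob matrix from the slides
# rendered as capability lists (row view) and ACLs (column view), with the
# queries and revocations that each view handles well or badly.
from __future__ import annotations
from collections import defaultdict

# Access control matrix M[subject][object] = set of rights (from the slides).
MATRIX: dict[str, dict[str, set[str]]] = {
    "Alice": {"edit.exe": {"execute"}, "fun.com": {"execute", "read"}},
    "Bob": {"bill.doc": {"read", "write"}, "edit.exe": {"execute"},
            "fun.com": {"execute", "read", "write"}},
}


def capabilities(matrix):
    """Subject-centred view: one list per subject (the matrix rows)."""
    return {s: {o: set(r) for o, r in row.items() if r}
            for s, row in matrix.items()}


def acls(matrix):
    """Object-centred view: one list per object (the matrix columns)."""
    out: dict[str, dict[str, set[str]]] = defaultdict(dict)
    for s, row in matrix.items():
        for o, r in row.items():
            if r:
                out[o][s] = set(r)
    return dict(out)


# The two overview questions from the slides.
def what_can(caps, subject):
    """Given a subject, which objects can it access and how? Cheap with capabilities."""
    return caps.get(subject, {})


def who_can(acl, obj, right):
    """Given an object, which subjects hold this right on it? Cheap with ACLs."""
    return {s for s, rights in acl.get(obj, {}).items() if right in rights}


def check(caps, subject, obj, right):
    """The access decision itself, from the capability view."""
    return right in caps.get(subject, {}).get(obj, set())


# Revocation: each view has one cheap direction and one expensive one.
def revoke_subject_caps(caps, subject):
    """Dropping a subject is one operation on capability lists..."""
    return caps.pop(subject, None) is not None


def revoke_object_caps(caps, obj):
    """...but revoking everyone's access to an object means visiting every
    subject's list (the 'difficulty of revocation' disadvantage).
    Returns how many lists had to be edited."""
    return sum(1 for rights in caps.values() if rights.pop(obj, None) is not None)


def revoke_object_acl(acl, obj):
    """Dropping an object is one operation on ACLs..."""
    return acl.pop(obj, None) is not None


def revoke_subject_acl(acl, subject):
    """...but removing a subject means scanning every object's ACL
    (the 'poor overview per subject' disadvantage).
    Returns how many ACLs had to be edited."""
    return sum(1 for entries in acl.values() if entries.pop(subject, None) is not None)


def matrix_from_acls(acl):
    """Both views carry the same information: rebuild the matrix from the ACLs."""
    m = defaultdict(dict)
    for o, entries in acl.items():
        for s, r in entries.items():
            m[s][o] = set(r)
    return dict(m)
```

The "need for extra integrity protection" disadvantage of capabilities is not visible in this in-memory model: here the capability lists sit inside the monitor, but in a real capability system the capability is held by the subject, so it must be unforgeable (kernel-protected handles or cryptographically authenticated tokens) or the subject can simply mint its own.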

ACCESS CONTROL ABSTRACTION
Group: a collection of related subjects
easy sharing
easy addition and removal of users
Negative permission: explicit revocation of access rights
Privilege: a mapping of users to access rights
concise definition of access rights
{admin: read, write, execute}, /etc/passwd: {Alice, admin}
Protection ring: a hierarchy of access right levels
0 – operating system kernel
1 – operating system
2 – services
3 – user processes
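Groups and negative permissions interact, and the interaction is where ACL evaluation gets subtle: a user can match several entries at once, through their own name and through each group they belong to, and the evaluator has to say which entry wins. The following added example (written for this page, not from the slides) evaluates an ACL with user entries, group entries and negative entries under an assumed rule, a simplification of how Windows NTFS DACLs behave: collect every entry that applies to the user directly or via group membership, then let an explicit deny of a right override any allow of it. The users, groups and the payroll ACL are constructed.

```python
# Added example, not from the slides: evaluating an ACL whose entries name
# users or groups and may be negative. Assumed rule, a simplification of how
# Windows NTFS DACLs behave: gather every entry that applies to the user
# directly or through group membership, then let an explicit deny of a right
# override any allow of it. Users, groups and the ACL below are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which rights, allow or deny."""
    trustee: str                 # a user name or a group name
    rights: frozenset[str]
    allow: bool = True


GROUPS: dict[str, set[str]] = {
    "staff": {"alice", "bob"},
    "admins": {"alice"},
    "contractors": {"carol"},
}


def principals(user: str) -> set[str]:
    """The user plus every group they belong to (what an access token carries)."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_rights(acl: list[Ace], user: str) -> set[str]:
    ids = principals(user)
    allowed: set[str] = set()
    denied: set[str] = set()
    for ace in acl:
        if ace.trustee in ids:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied      # the negative permission wins


def is_permitted(acl: list[Ace], user: str, right: str) -> bool:
    return right in effective_rights(acl, user)


def add_to_group(group: str, user: str) -> None:
    """The group abstraction: changing membership changes access without
    editing a single ACL."""
    GROUPS.setdefault(group, set()).add(user)


# Constructed ACL for a file "payroll.xlsx".
PAYROLL_ACL = [
    Ace("staff", frozenset({"read"})),
    Ace("admins", frozenset({"read", "write", "change_permissions"})),
    Ace("bob", frozenset({"read"}), allow=False),   # one explicit exception
]
```

With this ACL alice (staff and admins) gets read, write and change_permissions, bob gets nothing because the negative entry on his own name cancels the read he would inherit from staff, and carol gets read the moment she is added to staff, with no change to the ACL itself. The deny-overrides rule is a design choice: a first-match evaluator that orders denies before allows gives the same answer for this ACL, but the two rules can differ once inherited entries are mixed in, which is why a real system has to fix the ordering precisely.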

DISCRETIONARY ACCESS CONTROL (DAC)
Access control is carried out by a resource owner.
By associating ownership with principals, access
rights are easily transferred to other subjects.
Deployed in a majority of common systems.

Advantages:
simple and efficient access rights management
scalability
Disadvantages:
intentional abuse of access rights
unintentional abuse of access rights
no control over information flow

MANDATORY ACCESS CONTROL (MAC)
Centralized access control by means of a system-wide policy.
Access control rights are fixed by an administrator, not by the resource owner.
A limited number of implementations, e.g. SELinux, Systrace.

Advantages:
strict control over information flow
strong exploit containment
Disadvantages:
major usability problems
cumbersome administration
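The contrast between "no control over information flow" on the DAC slide and "strict control over information flow" on the MAC slide is easiest to see with one scenario run under both models. The following is an added example written for this page, not code from the slides or from SELinux or Systrace: two toy stores. Under DAC the owner of a file decides who may read it, so a reader can copy the content into a file he owns and grant it to anyone. Under MAC every subject and object carries a sensitivity label fixed by the administrator, and the store enforces the classic multilevel "no read up, no write down" rule (my choice of a concrete MAC policy; the slides name none), so the copy cannot be labelled lower than its source. The two-level lattice, users and file names are constructed.

```python
# Added example, not from the slides: why DAC gives no control over
# information flow and a label-based MAC policy does. Both stores are toy
# models written for this example; the labels, users and files are constructed.
from __future__ import annotations


class DacStore:
    def __init__(self) -> None:
        self.files: dict[str, dict] = {}     # name -> owner, data, readers

    def create(self, owner: str, name: str, data: str) -> None:
        self.files[name] = {"owner": owner, "data": data, "readers": set()}

    def grant_read(self, requester: str, name: str, reader: str) -> None:
        # Discretionary: only the owner decides, and nothing records where
        # the data in the file came from.
        if self.files[name]["owner"] != requester:
            raise PermissionError("only the owner may grant access")
        self.files[name]["readers"].add(reader)

    def read(self, subject: str, name: str) -> str:
        f = self.files[name]
        if subject != f["owner"] and subject not in f["readers"]:
            raise PermissionError(f"{subject} may not read {name}")
        return f["data"]


def dac_leak() -> str:
    """Alice shares with Bob only; Bob re-shares a copy with Eve."""
    s = DacStore()
    s.create("alice", "secret.txt", "plans")
    s.grant_read("alice", "secret.txt", "bob")
    s.create("bob", "copy.txt", s.read("bob", "secret.txt"))   # Bob owns the copy
    s.grant_read("bob", "copy.txt", "eve")                      # so he may share it
    return s.read("eve", "copy.txt")                            # Alice never allowed this


LEVELS = {"public": 0, "secret": 1}      # constructed two-level lattice


class MacStore:
    def __init__(self, subject_labels: dict[str, str]) -> None:
        self.subject_label = subject_labels   # fixed by the administrator
        self.files: dict[str, dict] = {}

    def create(self, subject: str, name: str, data: str, label: str) -> None:
        # No write down: a subject may not create an object below its own level.
        if LEVELS[label] < LEVELS[self.subject_label[subject]]:
            raise PermissionError(f"{subject} may not write down to {label}")
        self.files[name] = {"label": label, "data": data}

    def read(self, subject: str, name: str) -> str:
        # No read up: a subject may not read an object above its own level.
        f = self.files[name]
        if LEVELS[f["label"]] > LEVELS[self.subject_label[subject]]:
            raise PermissionError(f"{subject} may not read up to {f['label']}")
        return f["data"]


def mac_contains() -> tuple[bool, bool, bool]:
    """Same scenario under MAC. Returns (bob_read, copy_created_public, eve_read)."""
    m = MacStore({"alice": "secret", "bob": "secret", "eve": "public"})
    m.create("alice", "secret.txt", "plans", "secret")
    data = m.read("bob", "secret.txt")                  # Bob is cleared: allowed
    outcomes = [data == "plans", False, False]
    try:
        m.create("bob", "copy.txt", data, "public")     # write down: refused
        outcomes[1] = True
    except PermissionError:
        pass
    try:
        m.read("eve", "secret.txt")                     # read up: refused
        outcomes[2] = True
    except PermissionError:
        pass
    return outcomes[0], outcomes[1], outcomes[2]
```

dac_leak() returns "plans": nothing in the DAC model was violated, each grant was made by the legitimate owner, and Alice's data still reached Eve. mac_contains() returns (True, False, False): Bob may read, but may not re-label the data downwards and Eve may not read upwards, so the leak is closed without trusting Bob's discretion. The "major usability problems" on the slide are visible in the same model: Bob, once labelled secret, cannot write anything public at all, not even unrelated notes.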

ROLE BASED ACCESS CONTROL (RBAC)
A "logical" layer that links users and allowed resources
A role specifies the need or circumstances in which a user needs a resource
User-Role and Role-Resource relations simplify User-Resource relations
[Figure: users (Telemarketers, Credit Manager, Admin) are linked through a Roles Layer to resources (Credit Screen, Credit Mgmt, Marketing HQ, Security Alert). Roles can be hierarchical (role 1 above roles 2 and 3) and may be derived from attributes such as: Employee, Org role(s), Geography, Member of committee, Reporting to, In charge of process, Weekend shift.]

ROLE BASED ACCESS CONTROL (RBAC)
RBAC attempts to handle the complexity of access control by extensive use of abstractions:
Data types are defined for all objects.
Procedures are high-level access control methods with more complex semantics than elementary access control rights.
Procedures can only be applied to certain data types.
Procedures are grouped into roles assigned to users. A user can have more than one role, and more than one user can have the same role.
Role hierarchies can be used to match natural relations between roles.
Example: A Lecturer can create a role Student and give it the privilege "read course material".

REFERENCE MONITOR
A reference monitor is an abstract device that mediates all accesses by subjects to objects.
Core requirements for a reference monitor implementation:
Tamper-resistance (the monitor and its policy cannot be modified by the subjects it controls)
Complete mediation (guaranteed invocation on every access; no path around it)
Ease of verification and testing (small and simple enough to be analysed)
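The RBAC slides and the reference monitor slide fit together: the monitor is the one place where the role hierarchy is consulted, and the three requirements are properties of that one place. The following added example (written for this page, not from the slides or from any RBAC product) is a small reference monitor enforcing an RBAC policy with a role hierarchy and per-data-type procedures. Every object access and every administrative change (creating roles, granting procedures, assigning users) goes through the same class, so there is no unmediated path; the policy is reachable only through it and changeable only by a role that has been granted the administrative procedures; and the decision function is a few lines. The Lecturer/Student roles follow the slide's example; the users, object names and the bootstrap "role_admin" role are constructed.

```python
# Added example, not from the slides: a reference monitor enforcing an RBAC
# policy with a role hierarchy. The Lecturer/Student roles follow the slide;
# users, object names and the "role_admin" bootstrap role are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    dtype: str       # data type; a procedure applies only to matching types
    content: str


class ReferenceMonitor:
    """Single choke point: every object access and every policy change passes
    through here, and the policy is reachable only through it."""

    def __init__(self, bootstrap_admin: str) -> None:
        self._objects: dict[str, Obj] = {}
        self._user_roles: dict[str, set[str]] = {bootstrap_admin: {"role_admin"}}
        # role -> set of (procedure, data type)
        self._role_perms: dict[str, set[tuple[str, str]]] = {
            "role_admin": {("create_role", "role"), ("grant", "role"),
                           ("assign", "role"), ("register", "object")},
        }
        self._junior: dict[str, set[str]] = {}   # senior role -> its junior roles

    def _roles_of(self, user: str) -> set[str]:
        """Transitive closure down the hierarchy: a senior role holds
        everything its junior roles hold."""
        seen: set[str] = set()
        stack = list(self._user_roles.get(user, ()))
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self._junior.get(r, ()))
        return seen

    def decide(self, user: str, procedure: str, dtype: str) -> bool:
        """The entire decision logic: short enough to verify by inspection."""
        return any((procedure, dtype) in self._role_perms.get(r, ())
                   for r in self._roles_of(user))

    def _require(self, user: str, procedure: str, dtype: str) -> None:
        if not self.decide(user, procedure, dtype):
            raise PermissionError(f"{user}: {procedure} on {dtype} denied")

    # Administrative operations are mediated exactly like object accesses.
    def create_role(self, admin: str, role: str, senior: str | None = None) -> None:
        self._require(admin, "create_role", "role")
        self._role_perms.setdefault(role, set())
        if senior is not None:                   # place the new role under a senior one
            self._junior.setdefault(senior, set()).add(role)

    def grant(self, admin: str, role: str, procedure: str, dtype: str) -> None:
        self._require(admin, "grant", "role")
        self._role_perms.setdefault(role, set()).add((procedure, dtype))

    def assign(self, admin: str, user: str, role: str) -> None:
        self._require(admin, "assign", "role")
        self._user_roles.setdefault(user, set()).add(role)

    def register(self, admin: str, obj: Obj) -> None:
        self._require(admin, "register", "object")
        self._objects[obj.name] = obj

    def access(self, user: str, procedure: str, name: str) -> str:
        """The only path to an object's content."""
        obj = self._objects[name]
        self._require(user, procedure, obj.dtype)
        return obj.content


def demo() -> dict[str, bool]:
    """The slide's scenario: a Lecturer creates a Student role and gives it
    'read course material'. Users and object names are constructed."""
    rm = ReferenceMonitor(bootstrap_admin="registrar")
    rm.create_role("registrar", "lecturer")
    for proc in ("create_role", "grant", "assign"):      # lecturers may administer roles
        rm.grant("registrar", "lecturer", proc, "role")
    rm.grant("registrar", "lecturer", "publish", "course_material")
    rm.assign("registrar", "dr_k", "lecturer")
    rm.create_role("dr_k", "student", senior="lecturer")  # Lecturer is senior to Student
    rm.grant("dr_k", "student", "read", "course_material")
    rm.assign("dr_k", "sam", "student")
    rm.register("registrar", Obj("week1.pdf", "course_material", "slides"))
    rm.register("registrar", Obj("sam.grade", "grade", "A"))

    def allowed(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except PermissionError:
            return False

    return {
        "student_reads_material": allowed(rm.access, "sam", "read", "week1.pdf"),
        "student_publishes": allowed(rm.access, "sam", "publish", "week1.pdf"),
        "lecturer_reads_via_hierarchy": allowed(rm.access, "dr_k", "read", "week1.pdf"),
        "student_reads_other_type": allowed(rm.access, "sam", "read", "sam.grade"),
        "student_creates_role": allowed(rm.create_role, "sam", "hacker"),
    }
```

demo() shows the four RBAC points from the slide in one run: the student may read course material, may not publish it, and may not apply "read" to an object of a different data type (the grade); the lecturer reads course material without being granted "read" directly, through the hierarchy; and the student cannot touch the policy. Tamper-resistance here is only as strong as the language's encapsulation, which is exactly why the next slide places real monitors in hardware or the kernel rather than in application code.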

REFERENCE MONITOR DESIGN CHOICES

REFERENCE MONITOR PLACEMENTS
Hardware: low-level objects, no "layer below", full system integrity
Operating system kernel: abstract low-level objects, hard to subvert, encapsulation
Operating system: conventional objects, not tamper-proof, most common
Services: databases, JVM, .NET, CORBA; high-level abstract objects, very common
Applications: application-specific objects and access rights

KEY POINTS
Access control methods implement policies that
control which subjects can access which objects in
which way.
Most common practical access control instruments
are ACLs, capabilities and various abstractions.
From the design point of view, access control systems can be classified into discretionary (DAC), mandatory (MAC) and role-based (RBAC).
Reference monitors are instruments for realization
of access control policies. They can be deployed at
all levels of system hierarchy.

Thank You
