Access Control Matrix Present by Napasakorn Sukjay 51-7038-002-5 Poom Samaharn 51-7038-006-6
Topic Introduction Access Control Matrix Access Control List (ACL) Capability List (C-List) The confused deputy Comparison between ACL and C-List Summary
Introduction The access control matrix is a model for protecting system resources. It was first proposed by Butler W. Lampson [1], an American computer scientist, in 1971. Protection schemes in this model do not allow unauthorized users or subjects to use system resources; in other words, a given subject has access rights only to some specific objects, not to all of them. An access control system is like a locked door: the door can be opened by anyone who holds the right key. Another example is checking movie tickets at a theatre: viewers with valid tickets are allowed through the door to watch the movie. Because system complexity keeps increasing, derivative forms of the access control matrix such as the access control list (ACL) and the capability list (C-list) are better suited to practical use. Each derivative has its own advantages and disadvantages.
Access Control Matrix The access control matrix consists of three parts: subjects, objects, and access operations. A subject is an active entity in a computer system, such as a user, program, process, or thread. An object is a passive entity or system resource, such as a file, directory, database record, or printer. In the access control matrix schema, the subjects and objects are placed in a table: each row represents a subject and each column represents an object. The cells of the table hold sets of access operations such as read, write, and execute. The access operations define the permitted interactions between subjects and objects.
A schematic view A user requests access operations on objects/resources. The reference monitor checks the validity of the request and returns either a grant or a denial of access. [Figure: Access Request -> Reference Monitor -> Grant/Deny]
Principle of access control is as follows:
1. Assign subjects on the system.
2. Assign objects which are recognized by associated programs.
3. Assign access operations that subjects can use.
4. Assign subjects which interact with objects through processes.
Access Control Matrix Table 1: Access Control Matrix [3] • r = read, w = write, x = execute, - = not allowed. In table 1 there are three users (Bob, Alice, and Sam) and one program (the accounting program) as subjects; they are aligned in row order. In column order there are five objects: the OS, the accounting program, accounting data, insurance data, and payroll data. Notice that the accounting program appears as both a subject and an object. This arrangement protects the accounting data from corruption or modification by other programs: if any other subject attempts to modify the accounting data, the attempt is rejected. However, this protection can be deliberately bypassed. The system administrator, Sam, could substitute a fallacious version for the accounting program, which would defeat the protection that the original accounting program provided. Alice and Bob would still be able to read and execute the accounting program (original or fallacious) without being able to corrupt it under any circumstances.
Access Control List (ACL) In practice, the system should not hold a large number of subjects and objects in one large access control matrix. With a huge number of matrix entries and extremely sparse data [2], a large access control matrix wastes a great deal of memory (e.g. 10,000 subjects x 1,000,000 objects = 10,000,000,000 matrix entries). It also takes considerable time to look up the entry for any given subject and object. For better performance of authorization checks, the access control matrix is split into two practical derivatives. The first is the access control list and the latter is the capability. In the first approach the matrix is split into columns, each of which represents an object. These columns are called "access control lists" (ACLs). An ACL stands for one column of the access control matrix: it is attached to an object and specifies the subjects that may access it and their operations.
Access Control List (ACL) The composition of an ACL entry. Table 1: The composition of an ACL entry [3]. Table 2: Access Control Matrix [3]. According to table 1 and table 2, if we look for insurance data we can write:
Access Control Lists (ACLs) cont. In figure 1 there are three subjects (Alice, Bob, and Fred) and three objects (file 1, file 2, and file 3). Each object carries the permissions granted to particular subjects. Each file, or object, has its own ACL. File 1 is linked to two subjects, Alice and Fred, and its ACL grants read permission to both. The ACL of file 2 grants write permission on file 2 to Alice and read permission on file 2 to Bob. Figure 1: Access Control Lists (ACLs)
Capability List (C-List) The second derivative of the access control matrix is the "capability list" or "C-list". In this case the access control matrix is split into rows, each row representing one subject. A capability list is attached to a subject and specifies the objects that subject may access. Each entry in the list is a capability, which is a pair of an object and a set of access operations. The permissions a subject holds on objects are therefore listed in its C-list.
Capability List (C-List) cont. From the access control matrix, if we look for Alice's C-list we can write: Table 1: Access Control Matrix [3]
Capability (C-List) cont. In figure 2 there are three subjects (Alice, Bob, and Fred) and three objects (file 1, file 2, and file 3). Each subject is assigned the operations it may perform on each object. For example, Alice has permission to write to file 2 and to read and write file 3. Figure 2: Capability (C-List)
Confused Deputy A deputy is a program that acts on behalf of users or subjects. One well-known deputy is the compiler. A compiler, a program that transforms source code into binary form, must act as a deputy for many users. This role gives rise to a classic security problem called the "confused deputy". A confused deputy is a deputy that has been manipulated into misusing its own authority. The confused deputy problem is common in computer systems.
Confused Deputy cont. Table 3: Access Control Matrix for the confused deputy [3] * r = read, w = write, x = execute, - = not allowed. In table 3, the compiler is granted permission to write to a file named "Bill". The file "Bill" contains critical accounting information. There is also a user named "Alice". Alice can invoke the compiler and give it a file name to receive debugging output. If Alice invokes the compiler and provides "Bill" as the name of the debugging file, the compiler becomes confused: although Alice herself has no permission to write to file "Bill", the compiler, acting as Alice's deputy, overwrites file "Bill" with debugging information using its own write permission.
The confused deputy cont. Figure 3: The confused deputy [3] When the confused deputy problem arises, a C-list can prevent it, whereas ACLs have difficulty avoiding it. With C-lists, the confusion is prevented by handing the C-list to the compiler shortly before the debugging process starts: Alice must give her C-list to the compiler if she wants to invoke it. On receiving the C-list, the compiler checks the permissions relating to the target file and learns that Alice does not have permission to overwrite file "Bill". ACLs, on the other hand, have no comparable mechanism to avoid the confusion, because the ACL check only considers the identity of the compiler, which is allowed to write to "Bill".
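The following is an added example, not code from the slides or from Stamp's book: it builds a small access control matrix in the spirit of Table 3, derives the ACL (column) and C-list (row) views described in the earlier slides, and then runs the debugging-output request through an ACL-style check and a capability-style check to show why only the second one stops the confused deputy. The subjects and objects come from the slides; every cell beyond "the compiler may write Bill, Alice may execute the compiler, Alice has no rights on Bill" is a constructed assumption, as is the file name alice.c.

```python
from typing import Dict, Set

# Rows are subjects, columns are objects, cells are sets of operations.
# Constructed to match the slides: the compiler may write "Bill"; Alice may
# execute the compiler but holds no rights on "Bill". The file alice.c and its
# rights are assumptions added for illustration.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "Alice":    {"compiler": {"x"},  "Bill": set(),  "alice.c": {"r", "w"}},
    "compiler": {"compiler": set(),  "Bill": {"w"},  "alice.c": {"r"}},
}

def acl(matrix, obj):
    """One column of the matrix: subject -> operations allowed on `obj`."""
    return {s: row[obj] for s, row in matrix.items() if row.get(obj)}

def clist(matrix, subject):
    """One row of the matrix: object -> operations `subject` may perform."""
    return {o: ops for o, ops in matrix[subject].items() if ops}

def monitor_acl(matrix, caller, obj, op):
    """ACL-style reference monitor: only the caller's identity is consulted."""
    return op in acl(matrix, obj).get(caller, set())

def monitor_capability(caps, obj, op):
    """Capability-style reference monitor: the request must present a
    capability for the object; the deputy presents the invoker's C-list."""
    return op in caps.get(obj, set())

def compile_debug(invoker, debug_file, model):
    """The deputy: the compiler, invoked by `invoker`, is asked to write its
    debugging output to `debug_file`. Returns True if the write is granted."""
    if model == "acl":
        # The compiler runs under its own identity, so its own entry in the
        # ACL of "Bill" is what the monitor checks: the deputy is confused.
        return monitor_acl(MATRIX, "compiler", debug_file, "w")
    # Capability model: the compiler must use the C-list the invoker handed
    # it, which carries no capability for "Bill", so the write is refused.
    return monitor_capability(clist(MATRIX, invoker), debug_file, "w")

if __name__ == "__main__":
    print("ACL of Bill:", acl(MATRIX, "Bill"))
    print("Alice's C-list:", clist(MATRIX, "Alice"))
    print("ACL model, Alice asks the compiler to write Bill:",
          compile_debug("Alice", "Bill", "acl"))
    print("Capability model, same request:",
          compile_debug("Alice", "Bill", "capability"))
```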
Comparison between ACL and C-List Figure 4: Comparison between Access control list and capability [3]
Comparison between ACL and C-List cont. Access control lists and capability lists look similar, but there are many differences. The most obvious and significant difference is the direction of the arrows in the two approaches. In figure 4, the arrows for ACLs point from the resources (objects) to the users (subjects), whereas the arrows for C-lists point from the users to the resources. This means that the pairing of users with resources in the capability model is generated by the system itself, so the permissions of users to access files can be modified by the system directly. By contrast, a system using the ACL approach needs a special method for pairing users with files. This is the first advantage of capabilities over ACLs. Table 4 lists further advantages and disadvantages of the two approaches.
ACL vs. C-List Table 4: ACL vs. C-List [3]
Summary The access control matrix is a model for protecting system resources. It consists of subjects, objects, and access operations: subjects occupy the rows of the matrix and objects occupy the columns. The table is useful for managing and protecting system resources; for example, one user may read a file but may not overwrite it. In practice the access control matrix is split into two approaches. The first is the ACL, which corresponds to the columns; the second is the C-list, which corresponds to the rows. ACLs focus on objects while C-lists focus on subjects. The two differ, and the differences give each some advantages and disadvantages over the other. One common problem, the confused deputy, can be prevented by C-lists. However, ACLs are used more widely in commercial systems because they have lower overhead and are easier to implement.
References [1] "Access Control Matrix", available at: http://en.wikipedia.org/wiki/Access_Control_Matrix, accessed February 2009. [2] J. Crampton, "Access Control", available at: http://faculty.ksu.edu.sa/mazyad/CEN448/Access Control.ppt, accessed February 2009. [3] M. Stamp, "Information Security: Principles and Practice", John Wiley & Sons Inc., NJ, 2006.