Computer Security: Principles and Practice: Access Control

Computer Security Lecture 4

Uploaded by Zane Tech

Computer Security: Principles and Practice

Chapter 4: Access Control


Access Control
• “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner”
• Central element of computer security
• Assume the system has users and groups, which
– authenticate to the system
– are assigned access rights to certain resources on the system

Access Control Principles (figure slide)

Access control policies
• Discretionary access control (DAC): based on the identity of the requestor and access rules
• Mandatory access control (MAC): based on comparing security labels with security clearances (mandatory: an entity with access to a resource cannot pass that access on to others)
• Role-based access control (RBAC): based on user roles
• Attribute-based access control (ABAC): based on the attributes of the user, the resource and the current environment

Access Control Requirements
• Reliable input: a mechanism to authenticate the requestor
• Fine and coarse specifications: regulate access at varying levels (e.g., a single attribute or an entire DB)
• Least privilege: the minimum authorization needed to do its work
• Separation of duty: divide the steps of a task among different individuals
• Open and closed policies: only accesses specifically authorized, or all accesses except those prohibited
• Administrative policies: who can add, delete, modify rules

Access Control Elements
• Subject: entity that can access objects
– a process representing a user/application
– often three classes: owner, group, world
• Object: access-controlled resource
– e.g. files, directories, records, programs, etc.
– number/type depend on the environment
• Access right: the way in which a subject accesses an object
– e.g. read, write, execute, delete, create, search

Discretionary Access Control
• Often provided using an access matrix
– lists subjects in one dimension (rows)
– lists objects in the other dimension (columns)
– each entry specifies the access rights of the specified subject to that object
• Access matrix is often sparse
• Can decompose by either row or column

Access Control Structures
• Access control lists (decomposed by column: one list per object)
• Capability tickets (decomposed by row: one list per subject)
• See page 119
• Also see the alternative table representation on page 120 (tabular but not sparse)

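To make the two decompositions concrete, here is an added example (not from the slides or the textbook) that stores a sparse access matrix, derives the per-object ACLs and per-subject capability lists from it, and shows that both views give the same decision for every cell. Subject, object and right names are constructed sample data.

```python
from collections import defaultdict

# Constructed sparse access matrix: only (subject, object) pairs that carry
# some right are stored. Names are sample data, not from the slides.
ACCESS_MATRIX = {
    ("alice", "file1"): {"read", "write"},
    ("alice", "file2"): {"read"},
    ("bob", "file2"): {"read", "write"},
    ("carol", "prog1"): {"execute"},
}

def to_acls(matrix):
    """Decompose by column: for every object, the subjects and their rights
    (an access control list stored with the object)."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)

def to_capabilities(matrix):
    """Decompose by row: for every subject, the objects and rights it holds
    (capability tickets carried by the subject)."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)

def check_via_acl(acls, subject, obj, right):
    """Object-side check: consult the object's ACL for the subject's entry.
    Closed policy: an absent entry means the access is denied."""
    return right in acls.get(obj, {}).get(subject, set())

def check_via_capability(caps, subject, obj, right):
    """Subject-side check: the subject presents its ticket for the object."""
    return right in caps.get(subject, {}).get(obj, set())

def same_decisions(matrix, rights=("read", "write", "execute")):
    """Both decompositions are views of one matrix, so every decision agrees."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    return all(check_via_acl(acls, s, o, r) == check_via_capability(caps, s, o, r)
               for s in subjects for o in objects for r in rights)

if __name__ == "__main__":
    acls, caps = to_acls(ACCESS_MATRIX), to_capabilities(ACCESS_MATRIX)
    print(acls["file2"])                                       # ACL of file2
    print(caps["alice"])                                       # alice's tickets
    print(check_via_acl(acls, "alice", "file1", "write"))      # True
    print(check_via_capability(caps, "bob", "file1", "read"))  # False
```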
An Access Control Model
• Extend the universe of objects to include processes, devices, memory locations, subjects

Access Control Function (figure slide)

Protection Domains: More Useful
• Set of objects together with access rights to those objects
• More flexibility when associating capabilities with protection domains
• In terms of the access matrix, a row defines a protection domain
• A user can spawn processes with a subset of the access rights of the user
• Association between a process and a domain can be static or dynamic
• In user mode certain areas of memory are protected from use and certain instructions may not be executed
• In kernel mode privileged instructions may be executed and protected areas of memory may be accessed

UNIX File Concepts
• UNIX files are administered using inodes (index nodes)
• An inode:
– control structure with key info on a file (attributes, permissions, …)
– on disk: an inode table holds the inodes of all files
– when a file is opened, its inode is brought into RAM
• Directories form a hierarchical tree
– may contain files or other directories
– a directory is itself a file containing names and inode numbers

UNIX File Access Control
• Unique user identification number (user ID)
• Member of a primary group identified by a group ID
• 12 protection bits
– 9 specify read, write, and execute permission for the owner of the file, members of the group and all other users
– 2 specify SetUID, SetGID
– 1 is the sticky bit (only the owner can remove, delete, …, in a directory)
• The owner ID, group ID, and protection bits are part of the file’s inode

UNIX File Access Control
• “set user ID” (SetUID) or “set group ID” (SetGID)
– the system temporarily uses the rights of the file owner/group in addition to the real user’s rights when making access control decisions
– enables privileged programs to access files/resources not generally accessible
• Sticky bit
– on a directory, limits rename/move/delete to the owner
• Superuser
– is exempt from the usual access control restrictions

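The 12 protection bits and the owner/group/other decision on the two slides above, worked through as an added example (not the slides' or any kernel's code). It decodes a mode value, applies the rule that exactly one class (owner, group or other) is consulted for a caller, and shows how SetUID/SetGID change a process's effective ids. The Inode class, the uids/gids and the modes are constructed sample data.

```python
import stat

# Added example, not from the slides: decode the 12 UNIX protection bits and
# apply the owner/group/other check for a requesting process.

class Inode:
    """Constructed stand-in for the inode fields named on the slides."""
    def __init__(self, owner_uid, group_gid, mode):
        self.owner_uid, self.group_gid, self.mode = owner_uid, group_gid, mode

def decode_mode(mode):
    """Split the 12 bits into the 3 special bits and the 3 rwx triples."""
    def rwx(bits):
        return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    return {
        "setuid": bool(mode & stat.S_ISUID),   # 0o4000
        "setgid": bool(mode & stat.S_ISGID),   # 0o2000
        "sticky": bool(mode & stat.S_ISVTX),   # 0o1000
        "owner": rwx((mode >> 6) & 0o7),
        "group": rwx((mode >> 3) & 0o7),
        "other": rwx(mode & 0o7),
    }

def check_access(inode, uid, gids, want, is_superuser=False):
    """want is 'r', 'w' or 'x'. Exactly one class applies to the caller: owner
    if the uid matches, else group if the file's gid is among the caller's
    groups, else other; a denied owner does not fall through to the group or
    other bits. The superuser bypasses the rwx bits (simplified: real kernels
    still require some x bit before executing a file)."""
    if is_superuser:
        return True
    perms = decode_mode(inode.mode)
    if uid == inode.owner_uid:
        cls = "owner"
    elif inode.group_gid in gids:
        cls = "group"
    else:
        cls = "other"
    return want in perms[cls]

def effective_ids(inode, real_uid, real_gid):
    """Running a SetUID/SetGID executable gives the process the file owner's
    uid / group's gid as effective ids; the real ids are unchanged."""
    perms = decode_mode(inode.mode)
    euid = inode.owner_uid if perms["setuid"] else real_uid
    egid = inode.group_gid if perms["setgid"] else real_gid
    return euid, egid

# Constructed samples: a SetUID-root executable and a group-writable file.
SETUID_BIN = Inode(owner_uid=0, group_gid=0, mode=0o4755)
TEAM_FILE = Inode(owner_uid=1000, group_gid=2000, mode=0o0660)
```

Note the no-fall-through rule: a file with mode 0o0070 is unreadable by its own owner even if the owner belongs to the file's group.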
UNIX Access Control Lists
• Modern UNIX systems support ACLs
• Can specify any number of additional users/groups and associated rwx permissions
• When access is required
– select the most appropriate ACL entry (owner, named users, owning/named groups, others)
– check whether it has sufficient permissions for the access

UNIX extended access control list (figure slide)

Role-Based Access Control
• Access based on ‘role’, not identity
• Many-to-many relationship between users and roles
• Roles often static

General RBAC, Variations
• A family of RBAC with four models
1. RBAC0: minimum functionality
2. RBAC1: RBAC0 plus role (permission) inheritance
3. RBAC2: RBAC0 plus constraints (restrictions)
4. RBAC3: RBAC0 plus all of the above
• RBAC0 entities
– User: an individual (with a UID) with access to the system
– Role: a named job function (indicates the authority level)
– Permission: equivalent to access rights
– Session: a mapping between a user and a set of roles to which that user is assigned

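An added example (not from the slides) of the RBAC0 entities in code: users, roles, permissions and a session that activates a subset of a user's assigned roles, with the RBAC1 role-inheritance variation switched on by a flag. The user, role and object names are constructed sample data.

```python
# Added example, not from the slides: a minimal RBAC0 model (users, roles,
# permissions, sessions) plus RBAC1 role inheritance. All names are constructed.

USER_ROLES = {"alice": {"clerk", "auditor"}, "bob": {"clerk"}}
ROLE_PERMS = {
    "clerk": {("ledger", "read"), ("ledger", "write")},
    "auditor": {("audit_log", "read")},
}
ROLE_PARENTS = {"auditor": {"clerk"}}  # RBAC1: auditor inherits clerk's permissions

def inherited_roles(role):
    """RBAC1: the role plus every role it (transitively) inherits from."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return seen

class Session:
    """RBAC0 session: one user with an activated subset of the roles assigned
    to that user; activating a role the user is not assigned is rejected."""
    def __init__(self, user, active_roles):
        unassigned = set(active_roles) - USER_ROLES.get(user, set())
        if unassigned:
            raise PermissionError(f"{user} is not assigned {sorted(unassigned)}")
        self.user, self.active_roles = user, set(active_roles)

    def permissions(self, inherit=False):
        """Union of the permissions of the active roles (RBAC0), or of the
        active roles and everything they inherit from (RBAC1)."""
        roles = set()
        for r in self.active_roles:
            roles |= inherited_roles(r) if inherit else {r}
        perms = set()
        for r in roles:
            perms |= ROLE_PERMS.get(r, set())
        return perms

    def allowed(self, obj, right, inherit=False):
        return (obj, right) in self.permissions(inherit)

if __name__ == "__main__":
    s = Session("alice", {"auditor"})                   # only one role activated
    print(s.allowed("audit_log", "read"))               # True
    print(s.allowed("ledger", "write"))                 # False under RBAC0
    print(s.allowed("ledger", "write", inherit=True))   # True under RBAC1
```

Activating only the roles a task needs is how a session applies least privilege even when the user holds more roles.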
Attribute-based access control
• Fairly recent
• Define authorizations that express conditions on properties of both the resource and the subject
– Each resource has an attribute (e.g., the subject that created it)
– A single rule states ownership privileges for the creators
• Strength: its flexibility and expressive power
• Considerable interest in applying the model to cloud services

Types of attributes
• Subject attributes
• Object attributes
• Environment attributes

Subject attributes
• A subject is an active entity that causes information to flow among objects or changes the system state
• Attributes define the identity and characteristics of the subject
– Name
– Organization
– Job title

Object attributes
• An object (or resource) is a passive information-system-related entity containing or receiving information
• Objects have attributes that can be leveraged to make access control decisions
– Title
– Author
– Date

Environment attributes
• Describe the operational, technical, and even situational environment or context in which the information access occurs
– Current date
– Current virus/hacker activities
– Network security level
– Not associated with a resource or subject
• These attributes have so far been largely ignored in most access control policies

Sample ABAC scenario
1. A subject requests access to an object
2. Access control is governed by a set of rules (2a): it assesses the attributes of the subject (2b), the object (2c) and the environment (2d)
3. Access control grants the subject access to the object if authorized

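The scenario above as an added example (not from the slides): a rule set (2a) whose rules are predicates over subject (2b), object (2c) and environment (2d) attributes, including the single ownership rule and an environment-dependent rule. Attribute names, values and rules are constructed sample data.

```python
# Added example, not from the slides: rule-based ABAC evaluation following the
# scenario's steps (2a rules, 2b subject, 2c object, 2d environment attributes).
# All attribute names, values and rules are constructed sample data.

SUBJECT = {"name": "alice", "organization": "acme", "job_title": "analyst"}
OBJECT = {"title": "q3-report", "author": "alice", "date": "2024-09-30",
          "organization": "acme"}
ENV = {"current_date": "2024-10-02", "threat_level": "low",
       "network_security_level": "internal"}

def owner_rule(s, o, e, action):
    """A single ownership rule: the creator of a resource may read and write it."""
    return s["name"] == o["author"] and action in {"read", "write"}

def org_read_rule(s, o, e, action):
    """Same-organization subjects may read, but only from the internal network
    and not while the environment reports an elevated threat level."""
    return (action == "read"
            and s["organization"] == o["organization"]
            and e["network_security_level"] == "internal"
            and e["threat_level"] != "high")

RULES = [("owner-full-access", owner_rule), ("org-read-internal", org_read_rule)]

def evaluate(subject, obj, env, action, rules=RULES):
    """Step 3: grant if some rule authorizes the request (closed policy, so no
    matching rule means deny). Returns (decision, name of the deciding rule)."""
    for name, rule in rules:
        if rule(subject, obj, env, action):
            return True, name
    return False, None

if __name__ == "__main__":
    bob = {"name": "bob", "organization": "acme", "job_title": "analyst"}
    print(evaluate(SUBJECT, OBJECT, ENV, "write"))  # (True, 'owner-full-access')
    print(evaluate(bob, OBJECT, ENV, "read"))        # (True, 'org-read-internal')
    print(evaluate(bob, OBJECT, dict(ENV, threat_level="high"), "read"))  # (False, None)
```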
