Definition
Access Control
Access control is the implementation of a security policy that determines which subjects (users, processes) are allowed to perform which operations on which objects (files, hardware).
Protection Domains
A protection domain defines a set of objects and the operations allowed on them.
- Unix: A domain is defined by the User ID (UID) and Group ID (GID).
- Domain Switching: A process can change its domain (e.g., in Unix via exec of a file with the SETUID bit set, which makes the file owner's UID the process's effective UID for the duration of that program).
Access Matrix
The Access Matrix is a formal model where rows represent Domains and columns represent Objects. Each cell contains the set of access rights.
Implementations of the Matrix
Access Control Lists
The matrix is decomposed by columns. Each object has a list of domains and their corresponding rights.
- Pros: Easy to change or revoke permissions on a specific file, since all of its entries sit in one list.
- Cons: Finding everything a given domain may access means scanning every object's list.
Capability Lists
The matrix is decomposed by rows. Each domain (or process) has a list of objects it can access and the permitted operations.
- Security: Capabilities are “tickets” that must be unforgeable. Either the OS keeps the list in kernel memory and hands the process only an index into it (Unix file descriptors work this way), or, where a capability has to leave the kernel, its integrity is protected cryptographically (a MAC or signature; encryption alone does not stop tampering).
- Cons: Revocation is harder than with ACLs, because the rights are scattered across every domain's list instead of gathered at the object.
Lock-Key System
Each object has a set of unique bit patterns (locks), and each domain has a set of bit patterns (keys). Access is granted if the domain holds a key that matches one of the object's locks. Both sets must be managed by the OS on the domain's behalf: if user code could read or alter its keys, a key would be a forgeable capability.
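The following is an added example, not part of the original notes: one constructed access matrix is decomposed into the three implementations above, and each decomposition is queried the same way so the difference shows up only in storage and in the cost of revocation. Domain names (D1..D3), object names (F1, F2, printer) and the rights are constructed; the lock-key part assumes one lock pattern per (object, operation) pair, which is a choice of this example rather than something the notes specify.

```python
"""Added example: one access matrix viewed as ACLs, capability lists and
lock-key pairs. Domain, object and right names are constructed."""
import secrets
from typing import Dict, FrozenSet, Set, Tuple

Rights = FrozenSet[str]
Matrix = Dict[str, Dict[str, Rights]]

# Constructed access matrix: rows are domains, columns are objects.
# A missing cell means no rights.
MATRIX: Matrix = {
    "D1": {"F1": frozenset({"read"}), "F2": frozenset({"read", "write"})},
    "D2": {"F1": frozenset({"read", "write", "owner"}), "printer": frozenset({"print"})},
    "D3": {"F2": frozenset({"read"}), "printer": frozenset({"print"})},
}
OPS = ("read", "write", "owner", "print")


def acl_view(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Column decomposition: object -> {domain: rights}. Stored with the object."""
    acls: Dict[str, Dict[str, Rights]] = {}
    for domain, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[domain] = rights
    return acls


def capability_view(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Row decomposition: domain -> {object: rights}. Stored with the domain."""
    return {domain: dict(row) for domain, row in matrix.items()}


def acl_permitted(acls, domain: str, obj: str, op: str) -> bool:
    # Lookup starts at the object, then finds the requesting domain.
    return op in acls.get(obj, {}).get(domain, frozenset())


def cap_permitted(caps, domain: str, obj: str, op: str) -> bool:
    # Lookup starts at the domain's C-list, then finds the object.
    return op in caps.get(domain, {}).get(obj, frozenset())


def revoke_object_acl(acls, obj: str) -> int:
    """Drop every right on obj. With ACLs that is one list; returns lists touched."""
    acls.pop(obj, None)
    return 1


def revoke_object_caps(caps, obj: str) -> int:
    """Same revocation on C-lists: every domain's list has to be visited."""
    for clist in caps.values():
        clist.pop(obj, None)
    return len(caps)


def build_lock_key(matrix: Matrix) -> Tuple[Dict[str, Dict[str, int]], Dict[str, Set[int]]]:
    """Lock-key (assumption: one lock pattern per operation on each object).
    A domain's key ring holds the patterns for the operations it is allowed."""
    locks: Dict[str, Dict[str, int]] = {}  # obj -> {op: lock pattern}
    keys: Dict[str, Set[int]] = {}         # domain -> key ring, kept by the OS
    for domain, row in matrix.items():
        ring = keys.setdefault(domain, set())
        for obj, rights in row.items():
            per_obj = locks.setdefault(obj, {})
            for op in rights:
                if op not in per_obj:
                    per_obj[op] = secrets.randbits(64)  # not guessable by user code
                ring.add(per_obj[op])
    return locks, keys


def lock_key_permitted(locks, keys, domain: str, obj: str, op: str) -> bool:
    """Granted if the object has a lock for op and that pattern is on the domain's ring."""
    pattern = locks.get(obj, {}).get(op)
    return pattern is not None and pattern in keys.get(domain, set())


def views_agree(matrix: Matrix) -> bool:
    """All three decompositions must answer every (domain, object, op) query
    exactly as the matrix does; they differ only in storage and lookup cost."""
    acls, caps = acl_view(matrix), capability_view(matrix)
    locks, keys = build_lock_key(matrix)
    objects = {obj for row in matrix.values() for obj in row}
    for domain in matrix:
        for obj in objects:
            for op in OPS:
                expected = op in matrix[domain].get(obj, frozenset())
                if not (acl_permitted(acls, domain, obj, op) == expected
                        == cap_permitted(caps, domain, obj, op)
                        == lock_key_permitted(locks, keys, domain, obj, op)):
                    return False
    return True


if __name__ == "__main__":
    acls, caps = acl_view(MATRIX), capability_view(MATRIX)
    print("D1 may write F2 (ACL):", acl_permitted(acls, "D1", "F2", "write"))
    print("lists touched revoking 'printer': ACL", revoke_object_acl(acls, "printer"),
          "vs C-lists", revoke_object_caps(caps, "printer"))
    print("views agree:", views_agree(MATRIX))
```

The two revocation functions make the trade-off concrete: removing an object under ACLs touches one list, while under capability lists every domain's list must be visited, which is why capability systems need an indirection table or expiry to revoke cheaply.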
Bell-LaPadula Model
A formal model for information flow based on security classifications (e.g., Top Secret, Secret, Public).
- Simple Security Property: A subject may read an object only if the subject's clearance is at least the object's classification (No Read Up).
- The *-Property (Star Property): A subject may write to an object only if the object's classification is at least the subject's clearance (No Write Down). Writing upward is permitted, even to an object the subject cannot read.
- Goal: To prevent information from flowing from a high-security level to a lower one.
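The following is an added example and not part of the original notes: a small reference monitor that enforces the two properties above. It goes slightly beyond the notes by giving each label a set of compartments in addition to its level, so "higher" becomes the standard dominance relation (higher-or-equal level and a superset of compartments) and two labels can be incomparable. Subject names, object names and the compartment names CRYPTO and NUCLEAR are constructed.

```python
"""Added example: Bell-LaPadula reference monitor (no read up, no write down),
generalized to labels with compartments. All names are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Total order on classifications, as in the notes.
RANK = {"Public": 0, "Secret": 1, "Top Secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self is at least other: higher-or-equal level AND a superset of
        compartments. Neither may dominate (e.g. TS/{CRYPTO} vs TS/{NUCLEAR})."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    def __init__(self, clearances: Dict[str, Label], classifications: Dict[str, Label]):
        self.clearances = clearances            # subject -> clearance
        self.classifications = classifications  # object -> classification
        self.audit: List[Tuple[str, str, str, bool]] = []

    def _decide(self, subject: str, op: str, obj: str, allowed: bool) -> bool:
        self.audit.append((subject, op, obj, allowed))  # every decision is logged
        return allowed

    def read(self, subject: str, obj: str) -> bool:
        """Simple security property: clearance must dominate the object (no read up)."""
        ok = self.clearances[subject].dominates(self.classifications[obj])
        return self._decide(subject, "read", obj, ok)

    def write(self, subject: str, obj: str) -> bool:
        """*-property: the object must dominate the subject (no write down).
        Writing up is allowed, so a Secret subject may append to a TS file it cannot read."""
        ok = self.classifications[obj].dominates(self.clearances[subject])
        return self._decide(subject, "write", obj, ok)


def build_monitor() -> ReferenceMonitor:
    """Constructed subjects and objects for the demonstration."""
    clearances = {
        "analyst": Label("Top Secret", frozenset({"CRYPTO"})),
        "clerk": Label("Secret"),
        "public_user": Label("Public"),
    }
    classifications = {
        "ts_crypto_report": Label("Top Secret", frozenset({"CRYPTO"})),
        "ts_nuclear_report": Label("Top Secret", frozenset({"NUCLEAR"})),
        "secret_memo": Label("Secret"),
        "public_board": Label("Public"),
    }
    return ReferenceMonitor(clearances, classifications)


def attempted_leak(monitor: ReferenceMonitor) -> Tuple[bool, bool]:
    """The flow the model exists to stop: a cleared subject reads Top Secret
    data, then tries to write where Public readers can see it. Returns
    (read_allowed, write_allowed); the *-property forces the second to False."""
    return (monitor.read("analyst", "ts_crypto_report"),
            monitor.write("analyst", "public_board"))


if __name__ == "__main__":
    m = build_monitor()
    print("read TS, then write Public:", attempted_leak(m))
    print("clerk reads TS:", m.read("clerk", "ts_crypto_report"))
    print("clerk writes TS:", m.write("clerk", "ts_crypto_report"))
    for entry in m.audit:
        print(entry)
```

Note that the model says nothing about integrity: the clerk's blind write into the Top Secret report is permitted, which is why Bell-LaPadula is normally paired with an integrity model or with a trusted-subject exception for downgrading.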