operating-systems security

Definition

Access Control

Access control is the enforcement of a security policy that determines which subjects (users, processes) may perform which operations on which objects (files, devices, resources).

Formally, an access control system consists of:

  • A set of subjects
  • A set of objects
  • A set of operations (rights)
  • An access policy that grants or denies requests

Protection Domain

Protection Domain

A protection domain defines the set of objects a subject may access and the operations permitted on each.

A subject operates within exactly one domain at any time. The domain determines the boundaries of what the subject can do.

Domain Switching

A process may switch domains during execution. This occurs when privileges need to change, for example to access restricted resources.

Unix Domain Switching via SETUID

In Unix, a protection domain is defined by the User ID (UID) and Group ID (GID). A process switches domains by executing a file with the SETUID bit set: for the duration of that execution its effective UID becomes that of the file's owner, so the process acquires the owner's rights.

Access Matrix

Access Matrix

The access matrix is a formal model where rows represent domains and columns represent objects . Each cell contains the set of access rights domain holds for object .

The matrix is typically sparse. Practical systems decompose it along one dimension.

Access Control Lists

Access Control List

An Access Control List (ACL) is a column-wise decomposition of the access matrix. Each object stores a list of pairs.

For object , the ACL is:

Unix File ACL

A Unix file stores permissions as an ACL:

  • Owner: read, write, execute
  • Group: read, execute
  • Others: read

Changing permissions for an object is efficient: modify only that object’s ACL.
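The following is an added example (not code from the original notes) that models the Unix file ACL above and the SETUID domain switch from the previous section. It encodes the three-class rule the kernel actually applies: exactly one class (owner, group, or others) is selected for a subject, and only that class's bits are consulted. The uids, gids and modes are constructed sample values; the superuser bypass is deliberately left out of the check.

```python
import stat

# Right bits within one permission class (the rwx triple of a Unix mode).
READ, WRITE, EXEC = 4, 2, 1


def permission_class(file_uid: int, file_gid: int, euid: int, groups: set) -> str:
    """Pick the single class of the mode that applies to the subject.
    Unix tests the classes in order and uses the first match, so a subject
    that is the owner is never judged by the group or others bits."""
    if euid == file_uid:
        return "owner"
    if file_gid in groups:
        return "group"
    return "others"


def class_bits(mode: int, cls: str) -> int:
    """Extract the rwx triple of one class from the numeric mode."""
    shift = {"owner": 6, "group": 3, "others": 0}[cls]
    return (mode >> shift) & 0o7


def describe_acl(mode: int) -> dict:
    """Render the three ACL entries of a mode as rwx strings."""
    out = {}
    for cls in ("owner", "group", "others"):
        bits = class_bits(mode, cls)
        out[cls] = ("r" if bits & READ else "-") + \
                   ("w" if bits & WRITE else "-") + \
                   ("x" if bits & EXEC else "-")
    return out


def unix_access(mode: int, file_uid: int, file_gid: int,
                euid: int, groups: set, requested: int) -> bool:
    """Grant iff every requested bit is present in the applicable class.
    Simplification: the superuser bypass (euid 0) is not modelled."""
    cls = permission_class(file_uid, file_gid, euid, groups)
    return class_bits(mode, cls) & requested == requested


def exec_domain(mode: int, file_uid: int, euid: int) -> int:
    """Effective UID a process runs with after executing a file with `mode`:
    a SETUID file switches the domain to the file owner's UID."""
    return file_uid if mode & stat.S_ISUID else euid


if __name__ == "__main__":
    # Constructed sample: file owned by uid 1000 / gid 100, mode 0754.
    print(describe_acl(0o754))
    # uid 1001 in group 100 gets the group class: read+execute, no write.
    print(unix_access(0o754, 1000, 100, 1001, {100}, READ | EXEC))
    # Mode 0604: a group member is judged by the (empty) group class and is
    # denied read even though "others" may read.
    print(unix_access(0o604, 1000, 100, 1001, {100}, READ))
    # A setuid-root binary (mode 04755) moves an unprivileged process into uid 0.
    print(exec_domain(0o4755, 0, 1000))
```

The 0604 case is the point worth remembering: the class is chosen by identity, not by which class would grant the most, so an entry that denies a group can be stricter than the entry for everyone else.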

Capability Lists

Capability List

A capability list is a row-wise decomposition of the access matrix. Each domain stores a list of pairs.

For domain , the capability list is:
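As an added example covering the access matrix and both decompositions (ACLs above and capability lists here), the block below stores a small constructed matrix sparsely, derives the column-wise and row-wise views from it, and checks the same request through each. It also makes the revocation asymmetry concrete: removing every right on an object is a single entry in the ACL view but a scan of every domain in the capability view. The domains, objects and rights are invented sample values, not from the notes.

```python
from collections import defaultdict

# Constructed sparse access matrix: only non-empty cells are stored as
# (domain, object) -> set of rights.
MATRIX = {
    ("D1", "F1"): {"read"},
    ("D1", "F2"): {"read", "write"},
    ("D2", "F2"): {"read"},
    ("D2", "printer"): {"print"},
    ("D3", "F1"): {"read", "write", "execute"},
}


def to_acls(matrix: dict) -> dict:
    """Column-wise decomposition: object -> {domain: rights}."""
    acls = defaultdict(dict)
    for (domain, obj), rights in matrix.items():
        acls[obj][domain] = set(rights)
    return dict(acls)


def to_capability_lists(matrix: dict) -> dict:
    """Row-wise decomposition: domain -> {object: rights}."""
    caps = defaultdict(dict)
    for (domain, obj), rights in matrix.items():
        caps[domain][obj] = set(rights)
    return dict(caps)


def acl_check(acls: dict, domain: str, obj: str, right: str) -> bool:
    """The object is consulted: look up the requesting domain in its list."""
    return right in acls.get(obj, {}).get(domain, set())


def cap_check(caps: dict, domain: str, obj: str, right: str) -> bool:
    """The domain is consulted: does it hold a capability for the object?"""
    return right in caps.get(domain, {}).get(obj, set())


def revoke_all_on_object_acl(acls: dict, obj: str) -> None:
    """ACL view: one entry removed, cost independent of the number of domains."""
    acls.pop(obj, None)


def revoke_all_on_object_caps(caps: dict, obj: str) -> int:
    """Capability view: every domain's list must be scanned.
    Returns the number of domains visited to make the cost visible."""
    visited = 0
    for domain_caps in caps.values():
        visited += 1
        domain_caps.pop(obj, None)
    return visited


def consistent(matrix: dict) -> bool:
    """Both decompositions must answer every cell of the matrix identically."""
    acls, caps = to_acls(matrix), to_capability_lists(matrix)
    for (domain, obj), rights in matrix.items():
        for r in rights:
            if not (acl_check(acls, domain, obj, r) and cap_check(caps, domain, obj, r)):
                return False
    return True


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capability_lists(MATRIX)
    print("ACL of F2:", acls["F2"])
    print("capabilities of D2:", caps["D2"])
    print("domains scanned to revoke F2:", revoke_all_on_object_caps(caps, "F2"))
```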

File Descriptor as Capability

In Unix, a file descriptor acts as a capability. The kernel validates the descriptor on each operation; user processes cannot forge valid descriptors.

Capabilities are typically implemented as protected tokens (tickets) that cannot be forged, for example via encryption or kernel-managed references. Checking access is fast: the domain presents its capability, and the system verifies its authenticity.
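The following added example (not from the notes) exercises the file-descriptor-as-capability point on a real POSIX system. It creates a constructed file in a temporary directory, opens it to obtain a descriptor, then removes all permission bits from the file: the already-held descriptor still reads, because the kernel checked the ACL at open time and the descriptor now carries the authority. Presenting an arbitrary integer as a descriptor fails, which is the unforgeability property. Whether a fresh open by path is refused depends on the invoking user (a superuser bypasses file mode bits), so that result is reported rather than assumed.

```python
import os
import tempfile


def capability_demo() -> dict:
    """Show that a file descriptor keeps its authority after the ACL changes,
    and that an unopened descriptor number carries no authority at all."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")   # constructed sample file
        with open(path, "w") as f:
            f.write("top secret\n")

        fd = os.open(path, os.O_RDONLY)          # capability acquired: ACL checked here
        os.chmod(path, 0)                        # ACL now denies everyone (bar root)
        try:
            read_via_fd = os.read(fd, 64) == b"top secret\n"
        finally:
            os.close(fd)

        # A new request must go through the ACL again.
        try:
            os.close(os.open(path, os.O_RDONLY))
            open_via_path = True                 # expected only for a superuser
        except PermissionError:
            open_via_path = False

        # A descriptor number that was never handed out is rejected (EBADF);
        # user code cannot mint a capability by guessing its number.
        try:
            os.fstat(123456)
            forged_fd_valid = True
        except OSError:
            forged_fd_valid = False

        os.chmod(path, 0o600)                    # restore so cleanup is tidy
        return {
            "read_via_fd": read_via_fd,
            "open_via_path": open_via_path,
            "forged_fd_valid": forged_fd_valid,
        }


if __name__ == "__main__":
    print(capability_demo())
```

The practical consequence for defenders: revoking access by changing an object's permissions does not affect processes that already hold an open descriptor; the capability must be revoked at the holder (closing the descriptor, or terminating the process).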

Lock-Key System

Lock-Key System

In a lock-key system, each object has a set of locks (unique bit patterns), and each domain holds a set of keys . Access is granted if .

The lock-key mechanism provides a middle ground between ACLs and capabilities. Like capabilities, possession of a key grants authority. Like ACLs, the object maintains information (locks) about who may access it.
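As an added example for the lock-key model (not code from the notes), the block below keeps locks on objects and keys in domains as random 128-bit patterns and grants access when a domain's key set intersects the object's lock set. The same key pattern can be handed to several domains, and the two revocation styles the text contrasts both appear: removing a lock from the object cuts off every holder at once (ACL-like), while dropping a domain's keys removes everything that domain could reach (capability-like). Object and domain names are constructed sample values.

```python
import secrets


class LockKeySystem:
    """Objects carry locks (unforgeable random bit patterns), domains carry keys.
    A domain may access an object iff one of its keys equals one of the locks."""

    def __init__(self, width_bytes: int = 16):
        self.width = width_bytes
        self.locks = {}   # object -> set of lock patterns
        self.keys = {}    # domain -> set of key patterns

    def new_lock(self, obj: str) -> bytes:
        """Attach a freshly generated lock to an object; return the matching key.
        The pattern comes from the OS CSPRNG, so it cannot be guessed in practice."""
        pattern = secrets.token_bytes(self.width)
        self.locks.setdefault(obj, set()).add(pattern)
        return pattern

    def give_key(self, domain: str, key: bytes) -> None:
        """Grant: the domain now holds a key (possession is authority)."""
        self.keys.setdefault(domain, set()).add(key)

    def access(self, domain: str, obj: str) -> bool:
        """Fast check: any key of the domain matching any lock of the object."""
        return bool(self.keys.get(domain, set()) & self.locks.get(obj, set()))

    def revoke_lock(self, obj: str, key: bytes) -> None:
        """ACL-like revocation: removing the lock invalidates every copy of the key."""
        self.locks.get(obj, set()).discard(key)

    def drop_keys(self, domain: str) -> None:
        """Capability-like revocation: the domain loses all of its authority."""
        self.keys.pop(domain, None)


def scenario() -> dict:
    """Constructed walk-through returning each observed decision."""
    s = LockKeySystem()
    k_f1 = s.new_lock("F1")
    s.give_key("D1", k_f1)
    s.give_key("D2", k_f1)           # one lock shared by two domains
    k_f2 = s.new_lock("F2")
    s.give_key("D1", k_f2)

    out = {"d1_f1": s.access("D1", "F1"), "d2_f1": s.access("D2", "F1"),
           "d3_f1": s.access("D3", "F1")}

    # A made-up key of the right size does not open anything.
    s.give_key("D3", secrets.token_bytes(16))
    out["forged"] = s.access("D3", "F1")

    # Remove the lock on F1: both D1 and D2 lose it, D1 keeps F2.
    s.revoke_lock("F1", k_f1)
    out["after_lock_revoke"] = (s.access("D1", "F1"), s.access("D2", "F1"), s.access("D1", "F2"))

    # Drop D1's keys: D1 loses F2 as well.
    s.drop_keys("D1")
    out["after_key_drop"] = s.access("D1", "F2")
    return out


if __name__ == "__main__":
    print(scenario())
```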