Chapter 3

Access Control
Discretionary Access Control


Agenda

1.
2.

Access Control
Discretionary Access Control


Access Control
“Access control” is where security engineering meets computer science.
Its function is to control which (active) subject have access to a which (passive) object with some
specific access operation.

subject

Access

Reference

request

monitor

object

Access Control
Determine whether a principal can perform a requested operation on a target object

–
–
–

Principal: user, process, etc.
Operation: read, write, etc.
Object: file, tuple, etc.

Lampson defined the familiar access matrix and its two interpretations ACLs and capabilities
[Lampson70]


Why are we still talking about access control?
An access control policy is a specification for an access decision function
The policy aims to achieve

–
–

Permit the principal’s intended function (availability)
Ensure security properties are met (integrity, confidentiality)

•
•


Limit to “Least Privilege,” Protect system integrity, Prevent unauthorized leakage, etc.
Also known as ‘constraints’

Enable administration of a changeable system (simplicity)


Example: Access Control
Prof Alice manages access to course objects
‣ Assign access to individual (principal: Bob)
‣ Assign access to aggregate (course-students)
‣ Associate access to relation (students(course))
‣ Assign students to project groups (student(course, project, group))
Prof Alice wants certain guarantees
‣ Students cannot modify objects written by Prof Alice
‣ Students cannot read/modify objects of other groups
Prof Alice must be able to maintain access policy
‣ Ensure that individual rights do not violate guarantees
‣ However, exceptions are possible – students may distribute their results from previous assignments for
an exam


Access Control is Hard Because
Access control requirements are domain-specific

–

Generic approaches over-generalize

Access control requirements can change


–

Anyone could be an administrator

The Safety Problem [HRU76]

–

Can only know what is leaked right now

Access is fail-safe, but Constraints are not

–

And constraints must restrict all future states


Safety Problem
Determine if an unauthorized permission is leaked given

–
–

An initial set of permissions and
An access control system, mainly administrative operations

For a traditional approach, the safety problem is undecidable

–
–

–

Access matrix model with multi-operational commands
Main culprit is create – create object/subject with own rights
Prove reduction of a Turing machine to the multi-operational access matrix system


Safety Problem
Result led to
Safe, but limited models: take-grant, schematic protection model, typed access matrix model
Further support for models in which the constraints are implicit in the model

–

e.g., lattice models

Check safety on each policy change – constraint approach of RBAC


Compare to Other CS Problems
Processor design

–

Hard, but can get some smart people together to construct one, fixed, testable design

Network protocol design

–


TCP: A small number of control parameters necessary to manage all reasonable options, within a layered

architecture

–

Constraints, such as DDoS, are ad hoc

Software design

–

Specific goals in mind to achieve function, constraints are ad hoc


Access Control Models
Discretionary Access Matrix

–

UNIX, ACL, various capability systems

Mandatory (Usually) Access Matrix

–

TE, RBAC, groups and attributes, parameterized

Plus Transitions


–

DTE, SELinux, Java

Lattice Access Control Models

–

Bell-LaPadula, Biba, Denning

Predicate Models

–

ASL, OASIS, domain-specific models, many others

Safety Models

–

Take-grant, Schematic Protection Model, Typed Access Matrix


Administration
Discretionary Access Control

–

Users (typically object owner) can decide permission assignments


Mandatory Access Control

–

System administrator decides on permission assignments

Flexible Administrative Management

–

Access control models can be used to express administrative privileges


Type Enforcement [BoebertKain84]


Group and Attributes


Access Control
Discretionary Access Control

– Access Matrix Model
– Implementation of the Access Matrix
– Vulnerabilities of the Discretionary Policies
– Additional features of DAC


Discretionary Access Control
•


Discretionary Access Control is an individual user can set an access control mechanism to allow
or deny access to an object.

•
•
•

Relies on the object owner to control access.
DAC is widely implemented in most operating systems, and we are quite familiar with it.
Strength of DAC: Flexibility: a key reason why it is widely known and implemented in
mainstream operating systems.


Discretionary Access Control


Access to data objects (files, directories, etc.) is permitted based on the identity of
users.



Explicit access rules that establish who can, or cannot, execute which actions on
which resources.



Discretionary: users can be given the ability of passing on their privileges to other
users, where granting and revocation of privileges is regulated by an administrative
policy.



Discretionary Access Control

 DAC is flexible in terms of policy specification
 This is the form of access control widely implemented in standard multi-user platforms
Unix, NT, Novell, etc.


Limitation of DAC
Global policy: DAC let users to decide the access control policies on their data, regardless of whether those
policies are consistent with the global policies. Therefore, if there is a global policy, DAC has trouble to ensure
consistency.
Information flow: information can be copied from one object to another, so access to a copy is possible even if
the owner of the original does not provide access to the riginal copy. This has been a major concern for military.
Malicious software: DAC policies can be easily changed by owner, so a malicious program (e.g.,a downloaded
untrustworthy program) running by the owner can change DAC policies on behalf of the owner.
Flawed software: Similarly to the previous item, flawed software can be “instructed” by attackers to change its
DAC policies.


Discretionary Access Control

Access control matrix

– Describes protection state precisely
– Matrix describing rights of subjects
– State transitions change elements of matrix
State of protection system


– Describes current settings, values of system relevant to protection


Access Control
Discretionary Access Control

– Access Control Matrix Model
– Implementation of the Access Matrix
– Vulnerabilities of the Discretionary Policies
– Additional features of DAC


Access Control Matrix Model
Access control matrix

–
–
–

Firstly identify the objects, subjects and actions.
Describes the protection state of a system.
State of the system is defined by a triple (S, O, A)

•
•
•

–

S is the set of subject,

O is the set of objects,
A is the access matrix

Elements indicate the access rights that subjects have on objects

•

Entry A[s, o] of access control matrix is the privilege of s on o


Description
objects (entities)
o1

subjects

s1
s2

…

sn

… om s1 … sn

Subjects S = { s1,…,sn }
Objects O = { o1,…,om }
Rights R = { r1,…,rk }
Entries A[si, oj] ⊆ R
A[si, oj] = { rx, …, ry } means subject si

has rights rx, …, ry over object oj


Boolean Expression Evaluation
ACM controls access to database fields

– Subjects have attributes
– Action/Operation/Verb define type of access
– Rules associated with objects, action pair
Subject attempts to access object

– Rule for object, action evaluated, grants or denies access


Example
Subject Annie

–

Attributes role (artist), groups (creative)

Verb paint

–

Default 0 (deny unless explicitly granted)

Object picture

–


Rule:
Annie paint picture if:
‘artist’ in subject.role and
‘creative’ in subject.groups and
time.hour ≥ 0 and time.hour < 5