8.2 Discretionary Access Control Models - PowerPoint PPT Presentation

Provided by: adi79
Learn more at: http://www.cs.gsu.edu
1
8.2 Discretionary Access Control Models
  • Weiling Li

2
Outline
  • I. Introduction
  • Access Control Matrix (ACM)
  • Implementations of ACM
  • Comparison of Access Control List (ACL) &
    Capability List (CL)
  • II. Research
  • A Privacy-Enhanced Access Control Model
  • III. Future expectations

3
8.2.1 Access Control Matrix
  • A fundamental and widely used discretionary
    access control model for enforcing security
    policies.
  • An access control is a function that, given a
    subject/object pair (s, o) and a requested
    operation r from s to o, returns true
    if the request is permitted and false
    otherwise.
  • r ∈ P(s, o) (matrix form)
  • P: access matrix
  • R: set of allowable operations (r is a
    particular operation belonging to set R).
  • s: subject
  • o: object

4
Access Control Matrix
  • In a resource ACM, subjects are users and objects
    are the files to be accessed.
  • Access rights may include read, write,
    execute and append.
  • Special privileges may be the owner and copy
    privileges [1].

5
Access Control Matrix
  • In a process ACM, the subjects and objects are both
    processes.
  • Operations are basically related to communication
    and synchronization [1].

6
Access Control Matrix
  • In a domain ACM, a domain is defined as a set of
    objects with the same access rights [1].

7
Reducing the Size of ACM
  • Subject rows in the ACM that have identical
    entries, i.e. subjects that have the same access
    rights on common objects, could be merged into
    groups.
  • If a user belongs to more than one group, its
    access rights are the union of the access rights
    of all the groups it belongs to.
  • Similarly, object columns with the same entries could
    be merged into categories.
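The matrix of slide 3 and the group reduction of slide 7, as an added example that is not part of the slides or of the cited textbook. `AccessControlMatrix` is the access control function r ∈ P(s, o) over an explicit matrix; `mergeable_subjects` finds subject rows with identical entries, and `GroupedMatrix` stores the reduced policy with rights granted to groups and computes a user's rights as the union over its groups. All subject, object, group and operation names are constructed sample data; the class and method names are this example's own.

```python
from typing import Dict, List, Set, Tuple

# Added example: access control matrix and its group-based reduction.
# Names below are constructed sample data, not from the slides.

Rights = Set[str]


class AccessControlMatrix:
    """P(s, o) = set of operations subject s may perform on object o."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], Rights] = {}

    def grant(self, subject: str, obj: str, *operations: str) -> None:
        self.entries.setdefault((subject, obj), set()).update(operations)

    def rights(self, subject: str, obj: str) -> Rights:
        # A missing cell is an empty set: nothing is permitted by default.
        return self.entries.get((subject, obj), set())

    def check(self, subject: str, obj: str, operation: str) -> bool:
        """The access control function: true iff r is in P(s, o)."""
        return operation in self.rights(subject, obj)

    def subjects(self) -> List[str]:
        return sorted({s for s, _ in self.entries})

    def objects(self) -> List[str]:
        return sorted({o for _, o in self.entries})

    def mergeable_subjects(self) -> List[List[str]]:
        """Subjects whose whole rows are identical: candidates for one group."""
        by_row: Dict[tuple, List[str]] = {}
        for s in self.subjects():
            row = tuple((o, tuple(sorted(self.rights(s, o)))) for o in self.objects())
            by_row.setdefault(row, []).append(s)
        return [sorted(group) for group in by_row.values() if len(group) > 1]


class GroupedMatrix:
    """Reduced matrix: rights are granted to groups; a user gets the union."""

    def __init__(self) -> None:
        self.membership: Dict[str, Set[str]] = {}              # user -> groups
        self.group_rights: Dict[Tuple[str, str], Rights] = {}  # (group, object) -> rights

    def add_member(self, user: str, group: str) -> None:
        self.membership.setdefault(user, set()).add(group)

    def grant(self, group: str, obj: str, *operations: str) -> None:
        self.group_rights.setdefault((group, obj), set()).update(operations)

    def effective_rights(self, user: str, obj: str) -> Rights:
        """Union of the rights of every group the user belongs to."""
        rights: Rights = set()
        for group in self.membership.get(user, set()):
            rights |= self.group_rights.get((group, obj), set())
        return rights

    def check(self, user: str, obj: str, operation: str) -> bool:
        return operation in self.effective_rights(user, obj)


def build_sample_matrix() -> AccessControlMatrix:
    """Constructed sample: alice and bob have identical rows, carol does not."""
    acm = AccessControlMatrix()
    acm.grant("alice", "payroll.db", "read", "write")
    acm.grant("bob", "payroll.db", "read", "write")
    acm.grant("alice", "report.txt", "read")
    acm.grant("bob", "report.txt", "read")
    acm.grant("carol", "report.txt", "read", "append")
    return acm


def build_sample_groups() -> GroupedMatrix:
    """Constructed sample: the same policy expressed with groups."""
    gm = GroupedMatrix()
    gm.grant("finance", "payroll.db", "read", "write")
    gm.grant("staff", "report.txt", "read")
    gm.grant("authors", "report.txt", "append")
    for user in ("alice", "bob"):
        gm.add_member(user, "finance")
        gm.add_member(user, "staff")
    gm.add_member("carol", "staff")
    gm.add_member("carol", "authors")
    return gm


if __name__ == "__main__":
    acm = build_sample_matrix()
    print("rows that can be merged into a group:", acm.mergeable_subjects())
    gm = build_sample_groups()
    print("carol on report.txt:", sorted(gm.effective_rights("carol", "report.txt")))
```

The final loop in the usage below is the check a practitioner would actually want after reducing a matrix: for every (subject, object) cell, the rights derived from group membership must equal the rights in the original matrix, otherwise the reduction has silently widened or narrowed the policy.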

8
Distributed Compartments
  • A distributed compartment is a logical group
    composed of objects from physically distributed
    nodes.

9
Advantages of Distributed Compartment Model
  • The grouping of subjects and objects is logical
    and application specific.
  • The accesses are more transparent since they do
    not depend on the operating systems and
    administrative units.
  • Since the application manages the distributed
    handles, it allows different security policies to
    be implemented.

10
8.2.2 Implementations of ACM
  • For efficiency and organizational purposes,
    access control matrices need to be partitioned
    and implemented independently.
  • The linked-list structure that contains all
    entries in a column for a particular object is
    called an Access Control List (ACL) for the
    object.
  • Likewise, all entries in a row for a subject are
    called a Capability List (CL) for the subject.

11
ACL & CL
  • ACL: a subject client s presents an access
    request (s, r) to an object server; the object
    server validates the request against its ACL.
  • CL: the object server compares the access request
    (o, r) against the CL presented by the subject.

12
Lock-Key implementation
  • Provides capabilities with some safety.
  • A combination of CL and ACL.

13
8.2.3 Comparison of ACL & CL
  • Comparisons in terms of managing functions:
  • Authentication
  • Reviewing of Access Rights
  • Propagation of Access Rights
  • Revocation of Access Rights
  • Conversion between ACL and CL

14
Authentication
  • ACL: authenticates subjects, which is performed by
    the system.
  • In CL, authentication is performed on the
    capabilities of objects, by the object server.
  • Objects have knowledge of the capabilities, but
    do not know the users or processes. This is one
    of the reasons why many distributed
    implementations favor the CL approach.

15
Review of Access Rights
  • To know which subjects are authorized to use a
    certain object.
  • It is easier to review an ACL, because the ACL contains
    exactly this information.
  • It is difficult to review a CL unless some
    type of activity log is kept for all subjects
    that are given the capability.

16
Propagation of Access Rights
  • Propagation is the duplication of some or all of the
    privileges from one subject to others. It is
    not a transfer of rights, only a duplication.
  • In ACL, propagation of rights is explicitly
    initiated by a request to the object server,
    which modifies or adds an entry to its ACL.
    Propagation of rights must adhere to the
    principle of least privilege.
  • In CL, it is theoretically possible to propagate rights
    between subjects without the intervention of the object
    server. This could result in an uncontrollable
    system and hence is avoided.

17
Revocation of Access Rights
  • Revocation is trivial in ACL because it is easy
    to delete subject entries from the ACL.
  • It is difficult for CL to revoke access
    selectively.

18
Conversion Between ACL & CL
  • Interactions among processes involving different
    access control models would require gateways for
    conversions.
  • Conversion to ACL is straightforward.
  • The gateway authenticates the process identifier and
    then verifies the operation in the capability
    list.
  • The request is then converted to ACL form and is
    presented to the remote host.
  • Converting an ACL request to CL is slightly more
    complex.
  • The gateway validates the ACL request and obtains
    the resource capability from the database server.
  • The capability is then presented to the capability-based
    object server.
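The column and row partitions of slide 10, the two request validations of slide 11, and the review, revocation and CL-to-ACL gateway steps of slides 15 to 18, as one added example that is not part of the slides or of the cited textbook. It builds an ACL and a CL from the same small matrix and shows concretely why review and selective revocation cost one dictionary operation under ACL but a scan of every subject's list under CL. `SAMPLE_MATRIX`, the `authenticated` set standing in for the gateway's process-identifier check, and all function names are this example's own assumptions.

```python
from typing import Dict, Set, Tuple

# Added example: the same matrix partitioned by column (ACL, held by the
# object server) and by row (CL, held by the subject). Sample data is constructed.

Matrix = Dict[Tuple[str, str], Set[str]]
Acl = Dict[str, Dict[str, Set[str]]]   # object  -> {subject -> rights}
Cl = Dict[str, Dict[str, Set[str]]]    # subject -> {object  -> rights}

SAMPLE_MATRIX: Matrix = {
    ("alice", "file1"): {"read", "write"},
    ("bob", "file1"): {"read"},
    ("alice", "file2"): {"read"},
}


def build_acl(matrix: Matrix) -> Acl:
    """Column partition: one list per object (copies the right sets)."""
    acl: Acl = {}
    for (s, o), rights in matrix.items():
        acl.setdefault(o, {})[s] = set(rights)
    return acl


def build_cl(matrix: Matrix) -> Cl:
    """Row partition: one list per subject (copies the right sets)."""
    cl: Cl = {}
    for (s, o), rights in matrix.items():
        cl.setdefault(s, {})[o] = set(rights)
    return cl


def acl_request(acl: Acl, obj: str, subject: str, right: str) -> bool:
    """Object server validates the request (s, r) against the object's ACL."""
    return right in acl.get(obj, {}).get(subject, set())


def cl_request(capabilities: Dict[str, Set[str]], obj: str, right: str) -> bool:
    """Object server compares (o, r) against the CL the subject presents."""
    return right in capabilities.get(obj, set())


def review_acl(acl: Acl, obj: str) -> Set[str]:
    """Who may use obj? The ACL holds exactly this information."""
    return {s for s, rights in acl.get(obj, {}).items() if rights}


def review_cl(cl: Cl, obj: str) -> Set[str]:
    """Same question under CL: every subject's list has to be scanned."""
    return {s for s, caps in cl.items() if caps.get(obj)}


def revoke_acl(acl: Acl, obj: str, subject: str) -> bool:
    """Delete one entry from one list; returns whether an entry existed."""
    return acl.get(obj, {}).pop(subject, None) is not None


def revoke_cl(cl: Cl, obj: str, subject: str) -> int:
    """Selective revocation must locate and edit the subject's own list;
    returns how many subject lists were inspected on the way."""
    inspected = 0
    for s, caps in cl.items():
        inspected += 1
        if s == subject:
            caps.pop(obj, None)
    return inspected


def gateway_cl_to_acl(acl: Acl, cl: Cl, subject: str, obj: str, right: str,
                      authenticated: Set[str]) -> bool:
    """Gateway from a CL domain to an ACL domain: authenticate the process
    identifier (modelled by the 'authenticated' set), verify the operation in
    its capability list, then present (s, r) to the remote ACL object server."""
    if subject not in authenticated:
        return False
    if not cl_request(cl.get(subject, {}), obj, right):
        return False
    return acl_request(acl, obj, subject, right)


if __name__ == "__main__":
    acl, cl = build_acl(SAMPLE_MATRIX), build_cl(SAMPLE_MATRIX)
    print("file1 readers via ACL:", review_acl(acl, "file1"))
    print("file1 readers via CL: ", review_cl(cl, "file1"))
    print("CL lists inspected to revoke bob:", revoke_cl(cl, "file1", "bob"))
```

`revoke_cl` returns the number of lists it had to walk rather than a boolean, which is the quantity that grows with the number of subjects and is the practical reason slide 17 calls selective revocation difficult under CL.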

19
II. Research
  • A three-dimensional access control model enhanced
    with privacy, compared with the traditional
    two-dimensional AC model [5].

20
Privacy-enhanced access control model
  • A. Basic Model Elements
  • Definition 1. The set of entities that can be
    accessed and consequently need to be protected in
    a system are called objects O. The set of
    entities that can issue requests to access
    objects are called subjects S. Subjects are
    active entities while objects are passive ones.
    Access rights are the different ways in which a
    subject is permitted to execute on an object in
    any access.
  • Definition 2. Privacy-concerning subjects S′ is a
    subset of the subjects S whose privacy needs to
    be protected when any of the objects O is
    accessed. Privacy-concerning subjects with
    respect to an object is a subset of the
    privacy-concerning subjects S′ whose privacy
    could be violated when any access to the object
    is executed.

21
Privacy-enhanced access control model
  • B. Privacy Access Rights
  • Definition 3. Privacy access rights are a set of
    two-tuples <right, condition> in which right
    represents a specific type of access that a
    subject can execute on an object (e.g., read,
    write, execute) and condition is a Boolean
    expression stating the condition under which the
    preceding access right can be authorized. When
    the Boolean expression is true, the preceding
    access right can be authorized by the system.

22
Privacy-enhanced access control model
  • Definition 4. A three-dimensional access control
    matrix is an enhancement of the traditional
    two-dimensional access control matrix with the
    third dimension representing the set of
    privacy-concerning subjects S′. Any privacy
    access right <right, condition> in an entry (s,
    o, s′) in the matrix indicates the access right
    that subject s has on object o subject to privacy
    control by privacy-concerning subject s′. In the
    matrix, the absence of a particular access right
    in an entry (s, o, s′) would indicate that subject
    s′ is not a privacy-concerning subject with
    respect to object o for this particular access
    right, while the presence of <right, no> in only
    one of the entries (s, o, S′) would indicate that
    the access right is not permitted at all.

23
Three-dimensional access control model
Figure 1 illustrates the three-dimensional access
control matrix with the subjects S, the objects O
and the privacy-concerning subjects S′ each
representing one dimension of the matrix.
Each entry in the matrix could be
empty or could include one or more privacy access
rights that the corresponding subject s has on
the corresponding object o subject to privacy
control by the corresponding privacy-concerning
subject s′. Each privacy access right is
expressed in the form <right, condition>,
indicating a particular access right along with a
condition that determines whether the access
right can be authorized.
Figure 1. Three-dimensional access control model
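Definitions 3 and 4 and the matrix of Figure 1, as an added example that is not code from the slides or from the cited paper [5]. Entries are indexed by (s, o, s′) and hold <right, condition> tuples, with condition either a predicate over the request context or the literal "no". The decision rule in `decide` is this example's own reading of Definition 4: a request (s, o, right) is granted only if at least one entry in the (s, o, ·) column carries the right, no entry carries <right, no>, and every condition attached to that right holds. The clinical names and the `purpose`/`hour` context keys are constructed sample data.

```python
from typing import Callable, Dict, List, Tuple, Union

# Added example: three-dimensional privacy-enhanced access control matrix.
# The aggregation rule in decide() and all names are this example's assumptions.

Context = Dict[str, object]
Condition = Union[Callable[[Context], bool], str]  # a predicate, or the literal "no"
NO = "no"


class PrivacyACM:
    def __init__(self) -> None:
        # (subject, object, privacy-concerning subject) -> [(right, condition), ...]
        self.entries: Dict[Tuple[str, str, str], List[Tuple[str, Condition]]] = {}

    def add(self, s: str, o: str, s_prime: str, right: str,
            condition: Condition = lambda ctx: True) -> None:
        """Record <right, condition> in entry (s, o, s'); default is unconditional."""
        self.entries.setdefault((s, o, s_prime), []).append((right, condition))

    def decide(self, s: str, o: str, right: str, context: Context) -> bool:
        """Grant iff some entry (s, o, .) carries the right, no entry carries
        <right, no>, and every condition attached to the right is true."""
        granted = False
        for (ss, oo, _s_prime), rights in self.entries.items():
            if ss != s or oo != o:
                continue
            for r, cond in rights:
                if r != right:
                    continue
                if isinstance(cond, str):   # <right, no>: not permitted at all
                    return False
                if not cond(context):       # privacy condition fails for this request
                    return False
                granted = True
        return granted


def build_sample() -> PrivacyACM:
    """Constructed sample: a clinician reading a patient record."""
    m = PrivacyACM()
    # The patient is a privacy-concerning subject: reads only for treatment.
    m.add("dr_lee", "record_42", "patient_42", "read",
          lambda ctx: ctx.get("purpose") == "treatment")
    # A second privacy-concerning subject adds a working-hours condition.
    m.add("dr_lee", "record_42", "clinic_A", "read",
          lambda ctx: 8 <= int(ctx.get("hour", 0)) < 20)
    # Write access by the billing clerk is forbidden outright on the patient's behalf.
    m.add("clerk_kim", "record_42", "patient_42", "write", NO)
    return m


if __name__ == "__main__":
    m = build_sample()
    ctx = {"purpose": "treatment", "hour": 10}
    print("dr_lee read (treatment, 10h):", m.decide("dr_lee", "record_42", "read", ctx))
    print("clerk_kim write:", m.decide("clerk_kim", "record_42", "write", ctx))
```

Because the conditions of several privacy-concerning subjects are combined by conjunction, a request must satisfy all of them; this is exactly the situation in which the inconsistent-condition problem named under Future Expectations arises, and the rule here resolves it in the most restrictive direction.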
24
III. Future Expectations
  • Tool support for analysis of access control and
    information flow is critical.
  • Integrating different models of access control
    requires work, especially regarding efficient
    implementations.
  • The development of global rules to resolve any
    possible inconsistencies among the conditions in
    the privacy access rights during the process of
    making access decisions.

25
References
  • [1] Randy Chow and Theodore Johnson,
    1997, Distributed Operating Systems &
    Algorithms (Addison-Wesley), pp. 271-278.
  • [2] http://en.wikipedia.org/wiki/Access_control
  • [3] Ninghui Li and Mahesh V. Tripunitara, IEEE
    Symposium on Security and Privacy, May 2005,
    "Safety in Discretionary Access Control".
  • [4] K. Gopinath, Communication System Software
    and Middleware, 2006, "Access Control in
    Communication Systems".
  • [5] Fei Xu, Jingsha He, Xu Wu and Jing Xu, Networks
    Security, Wireless Communications and Trusted
    Computing, 2009, "A Privacy-Enhanced Access
    Control Model". NSWCTC '09, International
    Conference on, Volume 2, 25-26 April 2009,
    pp. 703-706.

26
  • QUESTIONS ?