Access Control Matrix and Confused Deputy

Access Control Matrix Arun Anoop M AP-CSE MESCE 03/25/22 1 ARUN ANOOP M,AP,CSE,MESCE

Notes for students

Transcript of Access Control Matrix and Confused Deputy

  • Access Control Matrix. Arun Anoop M, AP-CSE, MESCE

  • Topics: Introduction; Access Control Matrix; Access Control List (ACL); Capability List (C-List); The confused deputy; Comparison between ACL and C-List; Summary

  • Introduction. The access control matrix is a model for protecting system resources. It was first proposed by Butler W. Lampson, an American computer scientist, in 1971. An access control system is like a set of locked doors: a door can be opened by anyone who holds the right key. Another example is ticket checking at a cinema: only viewers with valid tickets are allowed through the door to watch the film. In practice the matrix itself is rarely stored as a whole; its derivative forms, the access control list (ACL) and the capability list (C-list), are what systems actually implement.

  • Access Control Matrix. An access control matrix consists of three parts: subjects, objects, and access operations. A subject is an active entity in a computer system, such as a user or a running program. An object is a passive entity or system resource, such as a file. In the matrix, subjects and objects are laid out in a table: each row represents a subject and each column represents an object. Each cell holds the set of access operations (such as read, write, and execute) that the row's subject may perform on the column's object, so the cells define every permitted interaction between subjects and objects.

  • A schematic view. A user (subject) requests an access operation on an object or resource. The reference monitor checks the validity of the request against the matrix and returns either grant or deny: Access Request -> Reference Monitor -> Grant/Deny.

  • Access Control Matrix. Table 1: Access Control Matrix [3]. Legend: r = read, w = write, x = execute, - = not allowed.

    Corresponding to Table 1, the subjects, one per row, are three users (Bob, Alice, and Sam) and one program (the accounting program). The objects, one per column, are the OS, the accounting program, the accounting data, the insurance data, and the payroll data. The accounting program appears both as a subject (a row) and as an object (a column). This arrangement protects the accounting data from corruption or modification by other programs: if any other subject attempts to modify the accounting data, the reference monitor rejects the attempt. Alice and Bob can still read and execute the accounting program, but since they cannot write to it they cannot corrupt it, and so cannot corrupt the accounting data through it either.

  • Access Control Matrix (ACM). Key points: split the matrix, and store each row or column together with its corresponding subject or object.

    ACLs and C-lists: Whenever an object is accessed, its column of the ACM is consulted to see whether the operation is allowed; the columns, stored with their objects, are called access control lists (ACLs). Whenever a subject tries to perform an operation, its row of the ACM is consulted to see whether the operation is allowed; the rows, stored with their subjects, are called capability lists (C-lists).

  • Access Control List (ACL). According to Table 1 and Table 2, if we look up the insurance data we can write out its ACL: the column for that object, with one entry per subject, each entry pairing the subject with the operations it may perform on the insurance data. Slide captions: Table 2: Access Control Matrix [3]; Table 1: The composition of an ACL entry [3].

  • Access Control Lists (ACLs) cont. Figure 1: Access Control Lists (ACLs). In Figure 1 there are three subjects (Alice, Bob, and Fred) and three objects (file 1, file 2, and file 3).

    Each file (object) has its own ACL. The ACL of file 1 links to two subjects, Alice and Fred, and grants both of them read permission. The ACL of file 2 grants Alice write permission and Bob read permission.

  • Capability List (C-List). The second derivative of the access control matrix is the capability list, or C-list. Here the matrix is split into rows, and each row represents one subject. Each entry in the list is a capability: a pair of an object and a set of access operations. A subject's C-list therefore lists the permissions that subject holds on each object.

  • Capability List (C-List) cont. From the access control matrix in Table 1, Alice's C-list is her row: for each object, the set of operations she may perform on it. Table 1: Access Control Matrix [3].
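The following Python is an added illustration, not code from the slides. It builds a matrix shaped like Table 1, runs the reference monitor check from the schematic view directly on the matrix, then derives an ACL (the column for the insurance data) and a C-list (Alice's row) from it and confirms that all three views give the same grant/deny answers. The cell values are an assumption consistent with what the slides say about Table 1 (only the accounting program writes the accounting data; Alice and Bob can read and execute the accounting program but not modify it), not a transcription of the table itself.

```python
"""Access control matrix, reference monitor, and the ACL / C-list split.

Added example. The cell values in ACM are assumed, chosen to agree with the
slides' description of Table 1; they are not the table's actual contents.
"""

SUBJECTS = ["Bob", "Alice", "Sam", "Acct. program"]
OBJECTS = ["OS", "Acct. program", "Acct. data", "Insurance data", "Payroll data"]

# Row = subject, column = object, cell = allowed operations ("" = not allowed).
ACM = {
    "Bob":           {"OS": "rx",  "Acct. program": "rx",  "Acct. data": "r",  "Insurance data": "",   "Payroll data": ""},
    "Alice":         {"OS": "rx",  "Acct. program": "rx",  "Acct. data": "r",  "Insurance data": "rw", "Payroll data": "rw"},
    "Sam":           {"OS": "rwx", "Acct. program": "rwx", "Acct. data": "r",  "Insurance data": "rw", "Payroll data": "rw"},
    "Acct. program": {"OS": "rx",  "Acct. program": "rx",  "Acct. data": "rw", "Insurance data": "rw", "Payroll data": "r"},
}


def reference_monitor(subject, obj, op):
    """Grant (True) or deny (False) by consulting the matrix cell directly.
    Unknown subjects or objects are denied, never granted by accident."""
    return op in ACM.get(subject, {}).get(obj, "")


def acl(obj):
    """Column of the ACM, stored with the object: {subject: ops}.
    Empty cells are dropped, as an ACL only lists subjects with some access."""
    return {s: ACM[s][obj] for s in SUBJECTS if ACM[s][obj]}


def clist(subject):
    """Row of the ACM, stored with the subject: {object: ops} (capabilities)."""
    return {o: ops for o, ops in ACM[subject].items() if ops}


def allowed_by_acl(subject, obj, op):
    """The check an ACL-based system makes when obj is accessed."""
    return op in acl(obj).get(subject, "")


def allowed_by_clist(subject, obj, op):
    """The check a capability-based system makes when subject acts."""
    return op in clist(subject).get(obj, "")


def consistent():
    """Both derived forms must answer exactly as the matrix does, for every
    subject, object and operation; otherwise the split lost information."""
    return all(
        reference_monitor(s, o, op) == allowed_by_acl(s, o, op) == allowed_by_clist(s, o, op)
        for s in SUBJECTS for o in OBJECTS for op in "rwx"
    )


if __name__ == "__main__":
    print("ACL for Insurance data:", acl("Insurance data"))
    print("C-list for Alice:", clist("Alice"))
    print("Bob writes Acct. data:", reference_monitor("Bob", "Acct. data", "w"))
    print("Acct. program writes Acct. data:", reference_monitor("Acct. program", "Acct. data", "w"))
    print("ACL and C-list views agree with the matrix:", consistent())
```

The `consistent()` check is the point to take away: an ACL and a C-list carry the same information as the matrix, only indexed differently (by object or by subject), which is why the choice between them matters for how a request is checked rather than for what is ultimately permitted.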

  • Capability (C-List) cont. Figure 2: Capability (C-List). In Figure 2 there are the same three subjects (Alice, Bob, and Fred) and three objects (file 1, file 2, and file 3), but now each subject carries its own list of permissions on the objects. For example, Alice's C-list gives her write permission on file 2 and read and write permission on file 3.

  • Confused Deputy. A deputy is a program that acts on behalf of users or other subjects. A well-known example of a deputy is a compiler: a program that transforms source code into binary form and must do so for many different users. Here the compiler acts as a deputy for Alice. Because the deputy carries its own permissions while acting on someone else's request, it can be tricked into using those permissions for the requester; this classic security problem is called the confused deputy. A confused deputy is a deputy that has been manipulated into misusing its authority. The problem is common in computer systems.

  • Confused Deputy cont. The compiler is granted permission to write to a file named Bill, which holds critical information, and Alice has no permission to write to Bill. Alice can invoke the compiler and give it a file name into which it should write debugging output. If Alice names Bill as the debugging file, the compiler becomes confused: it checks only that it, the compiler, may write to Bill, which it may, and so it overwrites Bill with debugging information even though Alice herself is not allowed to write to that file. Table 3: Access Control Matrix for the confused deputy [3]. Legend: r = read, w = write, x = execute, - = not allowed.

  • The confused deputy cont.

    Figure 3: The confused deputy [3]. Capabilities prevent the confused deputy, whereas ACLs have difficulty avoiding it. In a capability system Alice cannot simply pass the compiler a file name: she must hand over a capability, an entry from her C-list, for the file the compiler should write, and the compiler writes the debugging output only through the capability it received. Since Alice holds no capability for Bill, she has nothing to hand over; the compiler can see that Alice lacks permission to overwrite Bill, and the write is refused. With ACLs, by contrast, the compiler writes under its own identity, so the ACL of Bill is consulted for the compiler rather than for Alice, and there is no comparable mechanism to avoid the confusion.
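The scenario from the last two slides, as an added Python example (not the slides' own code): the same compiler deputy run once under ACL-style checking, where it writes under its own identity, and once under capability-style checking, where it may write only through a capability handed to it by the caller. The matrix is an assumption matching the slides' description of Table 3 (the compiler may read and write Bill, Alice may only execute the compiler); the extra object `alice.dbg`, a debug file Alice legitimately owns, and the function names are additions for the illustration.

```python
"""Confused deputy: the compiler under ACLs versus under capabilities.

Added example. ACM is assumed to match the slides' Table 3; "alice.dbg" is
an added object so the legitimate use of the compiler can be shown too.
"""

# Rows are subjects, columns objects, cells the allowed operations.
ACM = {
    "Alice":    {"compiler": "x",  "Bill": "",   "alice.dbg": "rw"},
    "compiler": {"compiler": "rx", "Bill": "rw", "alice.dbg": "rw"},
}


# --- ACL world: the deputy acts under its own identity -----------------------

def acl_allows(subject, obj, op):
    """ACL check: look up the object's column for the acting subject."""
    return op in ACM.get(subject, {}).get(obj, "")


def compile_with_acls(files, invoker, debug_file, debug_text):
    """The compiler verifies that the invoker may run it, but the write to the
    debug file is checked against the compiler's own rights, not the invoker's.
    Any file the compiler may write is therefore a valid target, Bill included."""
    if not acl_allows(invoker, "compiler", "x"):
        return "denied: invoker may not run the compiler"
    if not acl_allows("compiler", debug_file, "w"):
        return "denied: compiler may not write " + debug_file
    files[debug_file] = debug_text      # overwrites Bill when Alice names it
    return "ok"


# --- Capability world: the deputy writes only through what it was handed -----

class Capability:
    """A handle naming one object and the operations allowed on it. In a real
    capability system the kernel makes these unforgeable; here they can only be
    obtained from a subject's C-list, which is the property the example needs."""
    def __init__(self, obj, ops):
        self.obj, self.ops = obj, ops


def clist(subject):
    """The subject's row of the matrix, as the capabilities it holds."""
    return {o: Capability(o, ops) for o, ops in ACM[subject].items() if ops}


def compile_with_capabilities(files, debug_cap, debug_text):
    """No ambient authority: the compiler has no rights of its own to fall back
    on, so the debug output can go only where the received capability points."""
    if debug_cap is None or "w" not in debug_cap.ops:
        return "denied: no write capability for debug output"
    files[debug_cap.obj] = debug_text
    return "ok"


def run_scenario(system):
    """Alice asks the compiler to put its debugging output into 'Bill'.
    Returns (compiler result, final contents of Bill)."""
    files = {"Bill": "ORIGINAL BILLING DATA", "alice.dbg": ""}   # constructed
    if system == "acl":
        result = compile_with_acls(files, "Alice", "Bill", "debug junk")
    else:
        # Alice can only hand over capabilities she actually holds; her
        # C-list has no entry for Bill, so she has nothing to pass.
        cap = clist("Alice").get("Bill")
        result = compile_with_capabilities(files, cap, "debug junk")
    return result, files["Bill"]


if __name__ == "__main__":
    print("ACL:        ", run_scenario("acl"))
    print("Capability: ", run_scenario("cap"))
```

Under ACLs the request succeeds and Bill is overwritten; under capabilities the compiler never even learns the name Bill as something it could write, because Alice has no capability to pass, while compiling with `clist("Alice")["alice.dbg"]` as the debug capability still works normally.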

  • Comparison between ACL and C-List. Figure 4: Comparison between access control list and capability [3].

  • Comparison between ACL and C-List cont. Access control lists and capability lists look similar, but they differ in important ways. The obvious difference is the direction of the arrows in Figure 4: for ACLs the arrows run from the resources (objects) to the users (subjects), because the permissions are stored with each object and answer the question "who may access this object?"; for C-lists the arrows run from the users to the resources, because the permissions are stored with each subject and answer "what may this subject access?". This is the same split of the matrix into columns (ACLs) and rows (C-lists) described earlier, and it is why the two behave differently in the confused deputy case.

  • Thank you