CS 556 – Computer Security, Spring 2018
Lecture notes: Discretionary Access Control (DAC) (cs556/lecture-notes/access-control-matrix.pdf), 42 slides

Page 1: Discretionary Access Control (DAC)

Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - © 2018 Colorado State University – 1 / 42

CS 556 – Computer Security

Spring 2018

Dr. Indrajit Ray

Email: [email protected]

Department of Computer Science

Colorado State University

Fort Collins, CO 80523, USA

Page 2: Outline

● ACCESS CONTROL

● DISCRETIONARY ACCESS CONTROL

● UNIX PERMISSIONS MODEL

● ACCESS MATRIX MODEL

● ACCESS CONTROL TRIPLES

● CAPABILITIES

● ACCESS CONTROL LISTS

● ACCESS CONTROL ADMINISTRATION

Page 3: Access Control

Figure: the questions that make up access control and the part of the subject that answers each.

● Authentication – who is trying to access a protected resource?

● Access Control Models – who should be allowed to access which protected resources? who should be allowed to change the access?

● Access Control Architectures (authorization enforcement) – how does the system enforce the specified authorization?

Page 4: Authorization

● One of the most important techniques for computer security

✦ Often neglected

● Process of expressing access policies in computer systems

● Expressed in terms of subjects (active entities) accessing

objects (passive as well as active entities)

Page 5: Access Control Models

● Discretionary Access Control

✦ Access Matrix Models

✦ HRU and TAM

✦ Recent Trends in DAC

● Mandatory Access Control

✦ Bell LaPadula Model

✦ Information Flow Model

● Access Control Models for Security in Commercial Sector

✦ Mandatory Access Control for Integrity - Biba Model

✦ Lipner’s Integrity Matrix Model

✦ Chinese Wall for Confidentiality

✦ Clark-Wilson Model

● Role-based Access Control

● Attribute Based Access Control

Page 6: DISCRETIONARY ACCESS CONTROL

Page 7: Discretionary Access Control (DAC)

● Definition [Bishop p.53] If an individual user can set an access

control mechanism to allow or deny access to an object, that

mechanism is a discretionary access control (DAC), also called

an identity-based access control (IBAC).

Page 8: DAC (cont’d)

● DAC policies govern the access of subjects to objects on the

basis of subjects’ identity, objects’ identity and permissions

● When an access request is submitted to the system, the access

control mechanism verifies whether there is a permission

authorizing the access

● Such mechanisms are discretionary in that they allow subjects to

grant other subjects authorization to access their objects at their

discretion

Page 9: UNIX PERMISSIONS MODEL

Page 10: Unix File Concepts

● All objects are considered files

● Unix files are administered using inodes

✦ Control structure holding the key information about a file: attributes, owner and group, permission bits, block pointers, etc.

✦ The inode table for all files on a disk is kept on that disk; once the disk is mounted, the inodes of the files that are in use are cached in memory

● A directory is a file containing a list of (name, inode number) pairs

✦ May contain files or other directories

Page 11: Unix File and Inode Structure

Figure: Unix file and inode structure (diagram).

Page 12: Unix File Access Control

● Associated with each file is a set of 12 protection bits

✦ Three sets of 3 bits, for owner, group and other, specify the read, write and execute privileges

✦ The remaining three bits define other file attributes, some of which define how the file can be accessed

■ setUID, setGID – when set on an executable, the process that executes it runs with the effective user ID (group ID) of the file’s owner (group) instead of that of the invoking user

■ Sticky bit – when set on a directory, a file in it can be deleted or renamed only by the file’s owner, the directory’s owner, or the superuser (this is how /tmp is protected)
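The permission check described above, written out as an added example (this is not code from the lecture notes). It decodes the 12 bits, applies the Unix rule that a process is matched to exactly one of owner/group/other and only that class’s bits are consulted (so a file with mode 077 locks out its own owner while everyone else can read it), models setUID/setGID on exec, and applies the sticky-bit rule for deleting inside a directory. All uids, gids, paths and function names are constructed for the example.

```python
"""Unix permission-bit check, as an added example (not code from the
lecture notes).  Decodes the 12 protection bits and applies the classic
Unix DAC rule: a process is matched to exactly one of owner / group /
other, in that order, and only that class's bits count.  Also models
setUID/setGID on exec and the sticky-bit rule for unlink/rename.
The uids, gids and file names are constructed sample values.
"""
import stat
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Inode:
    """Subset of inode fields the permission check needs."""
    name: str
    uid: int      # owner
    gid: int      # group
    mode: int     # permission bits, e.g. 0o4755 (file-type bits ignored)


@dataclass(frozen=True)
class Process:
    euid: int
    egid: int
    groups: frozenset = field(default_factory=frozenset)  # supplementary groups


def describe_mode(mode: int) -> str:
    """Render the 12 bits as `ls -l` does, e.g. 'rwsr-xr-x' or 'rwxrwxrwt'."""
    out = []
    for shift, special, mark in ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t")):
        r = "r" if mode & (stat.S_IROTH << shift) else "-"
        w = "w" if mode & (stat.S_IWOTH << shift) else "-"
        x = "x" if mode & (stat.S_IXOTH << shift) else "-"
        if mode & special:                       # s/t if x is set, S/T if it is not
            x = mark if x == "x" else mark.upper()
        out.append(r + w + x)
    return "".join(out)


def permission_class(inode: Inode, proc: Process) -> str:
    """Owner beats group beats other: the first matching class is the ONLY one consulted."""
    if proc.euid == inode.uid:
        return "owner"
    if proc.egid == inode.gid or inode.gid in proc.groups:
        return "group"
    return "other"


def may_access(inode: Inode, proc: Process, want: str) -> bool:
    """want is a subset of 'rwx'.  euid 0 bypasses r/w; x still needs some x bit set."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(inode, proc)]
    bits = {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH}
    any_x = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for op in want:
        if proc.euid == 0:
            if op == "x" and not inode.mode & any_x:
                return False
            continue
        if not inode.mode & (bits[op] << shift):
            return False
    return True


def ids_after_exec(binary: Inode, proc: Process) -> tuple:
    """setUID/setGID: the new image runs with the file owner's uid / group's gid."""
    euid = binary.uid if binary.mode & stat.S_ISUID else proc.euid
    egid = binary.gid if binary.mode & stat.S_ISGID else proc.egid
    return euid, egid


def may_unlink(directory: Inode, target: Inode, proc: Process) -> bool:
    """Delete/rename needs w+x on the directory; with the sticky bit set the
    caller must additionally own the file or the directory (or be root)."""
    if not may_access(directory, proc, "wx"):
        return False
    if directory.mode & stat.S_ISVTX and proc.euid not in (0, directory.uid, target.uid):
        return False
    return True


# Constructed sample objects (not real system state)
ALICE, BOB, STAFF = 1000, 1001, 50
PASSWD_BIN = Inode("/usr/bin/passwd", uid=0, gid=0, mode=0o4755)           # rwsr-xr-x
TMP_DIR = Inode("/tmp", uid=0, gid=0, mode=0o1777)                          # rwxrwxrwt
SHARED_DIR = Inode("/shared", uid=0, gid=0, mode=0o777)                     # no sticky bit
BOBS_FILE = Inode("/tmp/bob.txt", uid=BOB, gid=STAFF, mode=0o644)
ALICE_NOTES = Inode("/home/alice/notes", uid=ALICE, gid=STAFF, mode=0o077)  # owner class gets nothing
alice = Process(euid=ALICE, egid=STAFF)
bob = Process(euid=BOB, egid=STAFF)
root = Process(euid=0, egid=0)

if __name__ == "__main__":
    print(describe_mode(PASSWD_BIN.mode), ids_after_exec(PASSWD_BIN, alice))
    print("alice reads her 077 file:", may_access(ALICE_NOTES, alice, "r"))        # False
    print("bob reads alice's 077 file:", may_access(ALICE_NOTES, bob, "r"))        # True
    print("alice unlinks bob's /tmp file:", may_unlink(TMP_DIR, BOBS_FILE, alice))  # False
```

The 077 case is the one worth remembering when auditing: the check never falls through to a more permissive class, so "owner" bits that are more restrictive than "group" or "other" bits are honoured literally.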

Page 13: Unix File Access Control

Figure: Unix file access control (diagram).

Page 14: ACCESS MATRIX MODEL

Page 15: Access Matrix Model

● Simplest language for expressing authorizations

● Introduced by Lampson in 1971 and refined by Graham and Denning in 1972

● A matrix is used to express the access rights that a subject has

towards an object

✦ Each cell in the matrix contains an expression that

represents the rights

Page 16: Access Matrix Model (cont’d)

Access matrix A[s, o]: rows are subjects, columns are objects, each cell holds the rights the subject has on the object.

SUBJECTS \ OBJECTS   A          B       C            D            E
U                    r, w       r       r, w, own
V                    r, w
W                               r, w                              w, own
X                    r                  w            r, w, own    r

Page 17: Implementing Access Matrix

● Access Control Triples

✦ Most popular in database systems

● Capabilities

✦ Widely used in distributed systems

● Access Control Lists (ACLs)

✦ Widely used in centralized systems

Page 18: ACCESS CONTROL TRIPLES

Page 19: Access Control Triples

Authorization table for the matrix on page 16: one row per non-empty cell.

Subjects   Objects   A[s, o]
U          A         r, w
U          B         r
U          C         r, w, own
V          A         r, w
W          B         r, w
W          E         w, own
X          A         r
X          C         w
X          D         r, w, own
X          E         r

Page 20: Access Control Triples (cont’d)

● Advantages

✦ Useful in database management systems, which incorporate powerful secondary storage management tools as well as very good search capabilities

Page 21: Access Control Triples (cont’d)

● Disadvantages

✦ Grows large very quickly

■ The chosen level of granularity for subjects and objects drives this. For example, if a public file is world readable and writable, the table holds a triple for every subject in the system (two per subject, one for r and one for w, if each triple carries a single right)

✦ It may not be convenient to keep a whole authorization table

in main memory because there may be many inactive

subjects / objects

Page 22: CAPABILITIES

Page 23: Capabilities

● Store the access matrix by rows

● With each subject Si in the access matrix a list of pairs <Oj, A[Si, Oj]> is associated, one for each object Oj such that A[Si, Oj] is not null

✦ Each element of the list indicates an object and the

privileges held by the subject on that object

Page 24: Capabilities

Capability lists (the rows of the matrix on page 16):

U → (A: r, w) → (B: r) → (C: r, w, own)
V → (A: r, w)
W → (B: r, w) → (E: w, own)
X → (A: r) → (C: w) → (D: r, w, own) → (E: r)

Page 25: Capabilities

● Advantages

✦ Easy to maintain and query system on a per subject basis

■ For example, it is easy to find what are all the objects that

a particular subject has access to

■ When a new subject is introduced in the system, we need to add only one entry (its capability list) corresponding to that subject

Page 26: Capabilities

● Disadvantages

✦ It is difficult to compute the set of subjects that have access

right on a given object

✦ If an object is removed from the system, then the revocation

of rights is time consuming; similarly if a new object is

created, granting of rights is time consuming

Page 27: Capabilities

● Useful in distributed systems where objects are remotely located

● Can be efficiently implemented using message passing

techniques

Page 28: ACCESS CONTROL LISTS

Page 29: Access Control Lists

● Storing the access matrix by columns

● With each object Oj, a list of pairs <Si, A[Si, Oj]> is stored, one for each subject Si such that A[Si, Oj] is not null

✦ This is the Unix style: the owner/group/other permission bits are an abbreviated ACL with three fixed entries

Page 30: Access Control Lists

Access control lists (the columns of the matrix on page 16):

A → (U: r, w) → (V: r, w) → (X: r)
B → (U: r) → (W: r, w)
C → (U: r, w, own) → (X: w)
D → (X: r, w, own)
E → (W: w, own) → (X: r)

Page 31: Access Control Lists

● Advantages

✦ Easy to maintain and query the system on a per object basis

■ For example, all subjects granted access to a particular

object can be easily found

■ If an object is deleted, it suffices to delete only one entry (its ACL) in the system to reflect the change

Page 32: Access Control Lists

● Disadvantages

✦ It is difficult to compute the set of objects that a given

subject can access

✦ Granting and revocation of rights on a per subject basis is

difficult

Page 33: Access Control Lists

● Useful in centralized systems where all objects are co-located

● Useful if the number of subjects is fairly static
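The three representations of pages 17 to 33 (authorization table, capability lists, ACLs), built from the matrix on page 16, as an added example that is not code from the lecture notes. It makes the asymmetry the slides describe concrete: each store answers one query with a single probe and the mirror-image query only by scanning every list, and deleting an object costs one ACL entry but a walk over every capability list. The matrix cells are the slide’s; the function names are assumptions of the example.

```python
"""The access matrix of page 16 stored three ways, as an added example
that is not code from the lecture notes: an authorization table
(triples), capability lists (rows) and ACLs (columns).  The cell
contents are the slide's; the function names are ours.
"""
from collections import defaultdict

# Page 16 matrix as (subject, object, right) triples: one triple per right
TRIPLES = frozenset({
    ("U", "A", "r"), ("U", "A", "w"), ("U", "B", "r"),
    ("U", "C", "r"), ("U", "C", "w"), ("U", "C", "own"),
    ("V", "A", "r"), ("V", "A", "w"),
    ("W", "B", "r"), ("W", "B", "w"), ("W", "E", "w"), ("W", "E", "own"),
    ("X", "A", "r"), ("X", "C", "w"), ("X", "E", "r"),
    ("X", "D", "r"), ("X", "D", "w"), ("X", "D", "own"),
})


def capabilities(triples):
    """Row-wise storage: subject -> {object -> set of rights}."""
    caps = defaultdict(lambda: defaultdict(set))
    for s, o, r in triples:
        caps[s][o].add(r)
    return {s: dict(objs) for s, objs in caps.items()}


def acls(triples):
    """Column-wise storage: object -> {subject -> set of rights}."""
    lists = defaultdict(lambda: defaultdict(set))
    for s, o, r in triples:
        lists[o][s].add(r)
    return {o: dict(subs) for o, subs in lists.items()}


def check(store, key, inner, right):
    """Reference-monitor lookup, one probe in either store:
    check(caps, subject, object, r) or check(lists, object, subject, r)."""
    return right in store.get(key, {}).get(inner, set())


def objects_of(caps, subject):
    """Cheap with capabilities: read one row."""
    return {o: set(rs) for o, rs in caps.get(subject, {}).items()}


def subjects_of(lists, obj):
    """Cheap with ACLs: read one column."""
    return {s: set(rs) for s, rs in lists.get(obj, {}).items()}


def objects_of_via_acls(lists, subject):
    """The hard direction for ACLs: every list in the system must be scanned."""
    return {o: set(entries[subject]) for o, entries in lists.items() if subject in entries}


def subjects_of_via_caps(caps, obj):
    """The hard direction for capabilities: every subject's list must be scanned."""
    return {s: set(objs[obj]) for s, objs in caps.items() if obj in objs}


def delete_object(caps, lists, obj):
    """Removing an object: one ACL entry goes away, but every capability
    list has to be visited to revoke.  Returns how many lists were touched."""
    lists.pop(obj, None)
    touched = 0
    for objs in caps.values():
        if objs.pop(obj, None) is not None:
            touched += 1
    return touched


def public_file_triples(subjects, obj):
    """Page 21's point: a world-readable, world-writable file costs two
    triples per subject in an authorization table."""
    return {(s, obj, r) for s in subjects for r in ("r", "w")}


if __name__ == "__main__":
    caps, lists = capabilities(TRIPLES), acls(TRIPLES)
    print("X can reach:", objects_of(caps, "X"))
    print("who can touch A:", subjects_of(lists, "A"))
    print("capability lists touched when C is deleted:", delete_object(caps, lists, "C"))
```

Revocation is the operational reason the choice matters: with capabilities, revoking access to one object means finding and invalidating every outstanding capability, which is why capability systems in practice add indirection or expiry rather than walking every holder.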

Page 34: Limitation of Access Matrix Model

● The Access Matrix Model by itself is static: a snapshot of who may do what

✦ It says nothing about transferring an access right from one subject to another

✦ Nothing about changing access rights

✦ Nothing about creating or deleting subjects or objects

● Authorization system = authorization policies (the matrix) + the rules for how the matrix may change

✦ Safety: given those rules, can a right ever end up in a cell where the policy never intended it? (for general rule sets, HRU showed this question is undecidable)

Page 35: ACCESS CONTROL ADMINISTRATION

Page 36: Administration of Privileges

Unrestricted Discretion

Figure: the access matrix of page 16 after the propagation described on the next slide. Column C gains two cells, V: w, own and W: r, w (U, the owner of C, conferred ownership on V; V then conferred rights on C to W).

Page 37: Unrestricted Discretion

● If a subject U has ownership (own) right on an object C, then U

can confer any right on object C to any other subject, say V,

including ownership right.

● If V gets ownership right from U then V, in turn, can confer any

right on object C to itself and to any other subject, say W.

✦ W, in turn, can do the same. Thus the right on C is

propagated without restriction.

Page 38: Attenuation of Privilege

● The principle says you can’t give away rights you do not possess

✦ Restricts the addition of rights within a system

✦ Usually ignored for the owner

■ Why? Otherwise the owner would simply give herself the rights, give them to others, and then delete her own rights, so the restriction buys nothing against the owner

Page 39: Propagation of Access

Constrained Discretion - Copy Right

Figure: the access matrix of page 16 annotated with copy rights in column C: cells holding rc and rc, r (read-copy) and a cell holding only the r conferred under them, illustrating the one-hop propagation described on the next slide.

Page 40: Constrained Discretion - Copy Right

● Allows possessor to give rights to another

● If a subject U has a read-copy (rc) right on an object C, then U

can confer the read right on object C to any other subject, say V.

● However, V cannot propagate the read right to W. Thus V is

prevented from propagating the access right on object C, any

further.

● write-copy (wc) has similar semantics

Page 41: Propagation of Access

Constrained Discretion - Grant / Transfer Right

Figure: the access matrix of page 16 annotated with grant rights: a cell holding rc, rg (read-copy and read-grant) and the r, w conferred under it, illustrating the rules on the next slide.

Page 42: Constrained Discretion - Grant Right

● If a subject U has a grant (g) right on any object D, then U can

confer any other right on object D to another subject V, except

the ownership right and grant right.

● Depending on the right acquired by V, it can, in turn, propagate a

right further to other subjects.

● Transfer right has similar semantics except that U loses the

privilege and the possibility to grant it once a transfer has

occurred.
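The administration rules of pages 36 to 42, run over the matrix of page 16, as an added example that is not code from the lecture notes. One `confer()` method applies, in order, unrestricted discretion through own, the copy flags rc/wc, the ban on handing out own and g, attenuation of privilege, and the grant and transfer rights; the three scenario functions replay the slides’ U, V, W chains. The class and method names, the symbol t for the transfer right, and the reading of transfer as "confer, then lose the right" are assumptions of the example.

```python
"""Administration rules of pages 36-42 as an added example, not code
from the lecture notes: unrestricted discretion through `own`,
attenuation of privilege, copy flags (rc, wc), grant (g) and
transfer (t).  The starting cells are the matrix of page 16; the class
and method names, the symbol `t`, and the reading of transfer as
"confer, then lose the right" are ours.
"""


class NotPermitted(Exception):
    """Raised when a confer() request violates the administration rules."""


BASE = {"r", "w"}                      # access rights that copy flags can apply to


def copy_flag(right):
    """Page 40's notation: rc = read-copy, wc = write-copy."""
    return right + "c"


class Matrix:
    def __init__(self, cells):
        self.A = {k: set(v) for k, v in cells.items()}   # (subject, object) -> rights

    def rights(self, s, o):
        return self.A.get((s, o), set())

    def add(self, s, o, right):
        self.A.setdefault((s, o), set()).add(right)

    def confer(self, granter, grantee, obj, right):
        """granter gives `right` on obj to grantee, applying in order:
        1. own   -> unrestricted discretion: any right, even own (attenuation ignored)
        2. rc/wc -> may confer the base right only; the flag itself is not passed on
        3. own and g are otherwise never conferrable
        4. attenuation of privilege: the granter must hold the right
        5. t     -> confer, then the granter loses the right
        6. g     -> confer, granter keeps the right
        """
        held = self.rights(granter, obj)
        if "own" in held:                                           # 1
            self.add(grantee, obj, right)
            return
        if right in BASE and copy_flag(right) in held:              # 2
            self.add(grantee, obj, right)
            return
        if right in ("own", "g"):                                   # 3
            raise NotPermitted(f"{granter} may not confer {right} on {obj} without own")
        if right not in held:                                       # 4
            raise NotPermitted(f"{granter} does not hold {right} on {obj}")
        if "t" in held:                                             # 5
            self.add(grantee, obj, right)
            held.discard(right)
            return
        if "g" in held:                                             # 6
            self.add(grantee, obj, right)
            return
        raise NotPermitted(f"{granter} holds {right} on {obj} but cannot propagate it")


def slide16_matrix():
    return Matrix({
        ("U", "A"): {"r", "w"}, ("U", "B"): {"r"}, ("U", "C"): {"r", "w", "own"},
        ("V", "A"): {"r", "w"},
        ("W", "B"): {"r", "w"}, ("W", "E"): {"w", "own"},
        ("X", "A"): {"r"}, ("X", "C"): {"w"}, ("X", "D"): {"r", "w", "own"}, ("X", "E"): {"r"},
    })


def attempt(m, *args):
    """True if confer() succeeded, False if the rules refused it."""
    try:
        m.confer(*args)
        return True
    except NotPermitted:
        return False


def unrestricted_discretion():
    """Pages 36-37: U owns C, hands own to V, V hands rights (and own) to W, and so on."""
    m = slide16_matrix()
    steps = [attempt(m, "U", "V", "C", "own"), attempt(m, "U", "V", "C", "w"),
             attempt(m, "V", "W", "C", "r"), attempt(m, "V", "W", "C", "w"),
             attempt(m, "V", "W", "C", "own"), attempt(m, "W", "X", "C", "r")]
    return m, steps


def copy_right():
    """Pages 39-40: U holds rc on C and confers r to V; V cannot pass r on to W."""
    m = slide16_matrix()
    m.A[("U", "C")] = {"rc", "r"}                 # scenario: U has read-copy instead of own
    return m, [attempt(m, "U", "V", "C", "r"), attempt(m, "V", "W", "C", "r"),
               attempt(m, "U", "V", "C", "rc")]   # the flag itself does not propagate


def grant_and_transfer():
    """Pages 41-42: g confers anything held except own/g and keeps it; t gives it up."""
    m = slide16_matrix()
    m.A[("U", "D")] = {"r", "w", "g"}            # X still owns D
    m.A[("U", "E")] = {"r", "t"}
    return m, [attempt(m, "U", "V", "D", "w"), attempt(m, "U", "V", "D", "own"),
               attempt(m, "U", "V", "D", "g"), attempt(m, "U", "V", "E", "r"),
               attempt(m, "U", "W", "E", "r")]   # second transfer fails: U no longer holds r


if __name__ == "__main__":
    for scenario in (unrestricted_discretion, copy_right, grant_and_transfer):
        m, steps = scenario()
        print(scenario.__name__, steps)
```

The ordering of the checks is the whole point: the owner branch comes first because attenuation is waived for owners, and the copy-flag branch comes before the attenuation check because rc conveys r without the grantee ever receiving rc, which is exactly what stops the chain after one hop.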