Example (figure): an access control list for one object, listing the subjects Smith, Jones and Lee together with their rights (e.g., read, write)
of execution
On the first access by a subject, copy its access rights from the access control list into a shadow register associated with that subject
The access rights in the shadow register act as a capability
Subsequent accesses by this subject use the shadow register (so a later change to the list is not seen until the shadow register is refreshed)
Potential drawback:
The list can be very large, containing the access rights of all subjects that can
access this object
Note: the aggregate storage requirement is about the same as for capabilities
Option: use protection groups
Self control: owner process (e.g., creator of the object) can modify list
Hierarchical control:
When object created, owner process specifies what other processes can modify access
control list
Processes organized in a hierarchy: a process can change the access control list of all
processes below it in the hierarchy
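The list-plus-shadow-register scheme and self control described above, as an added worked example (this is not code from the lecture; the class and function names, the owner's initial rights and the revocation helper are assumptions). It also shows the caveat the scheme carries: a right removed from the list is still honoured from the cached copy until that copy is flushed.

```python
# Added example (not from the lecture): an access control list per object,
# the "shadow register" copy-on-first-access scheme, and self control
# (only the object's owner may edit its list). All names are assumptions.

class ProtectedObject:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {owner: {"read", "write"}}   # owner starts with full rights (assumption)


class Subject:
    def __init__(self, name):
        self.name = name
        self.shadow = {}   # object name -> cached rights: the shadow register


def modify_acl(requester, obj, subject_name, rights):
    """Self control: only the owner process may change the list."""
    if requester.name != obj.owner:
        raise PermissionError(f"{requester.name} does not own {obj.name}")
    obj.acl[subject_name] = set(rights)


def access(subject, obj, right):
    """On the first access by `subject`, copy its ACL entry into the shadow
    register; every later access consults only the shadow register."""
    if obj.name not in subject.shadow:
        subject.shadow[obj.name] = set(obj.acl.get(subject.name, ()))
    return right in subject.shadow[obj.name]


def revoke(requester, obj, subject):
    """Revocation that also flushes the cached copy, so the change takes
    effect immediately instead of at the subject's next cache miss."""
    modify_acl(requester, obj, subject.name, set())
    subject.shadow.pop(obj.name, None)


def demo():
    smith, jones = Subject("Smith"), Subject("Jones")
    payroll = ProtectedObject("payroll", owner="Smith")
    modify_acl(smith, payroll, "Jones", {"read"})
    first = access(jones, payroll, "read")       # True: ACL consulted and cached
    modify_acl(smith, payroll, "Jones", set())   # owner removes the right ...
    stale = access(jones, payroll, "read")       # ... but the shadow register still says True
    revoke(smith, payroll, jones)
    after = access(jones, payroll, "read")       # False: cache flushed, ACL re-read
    return first, stale, after
```

The middle result is the point: once rights have been copied into the shadow register, editing the list alone is not enough; revocation must also invalidate every subject's cached copy.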
Multics
Unix
Access control list has three entries: owner, group, and other
Access rights: read, write, execute
Principles
Operation
Advantages:
Disadvantages:
Example
verification should be made that the process has the right to perform this operation
on the access matrix:
Command syntax:
command < command id > (<formal parameters>)
if < conditions >
then
< list of primitive operations >
end.
Command execution
All checks in the condition part are evaluated. The <conditions> part has checks
in the form r in P[s,o]
If all checks pass, primitive operations in <list of primitive operations> are
executed
reference monitor will reject an access not allowed by the access matrix
Each object has an owner
The owner of an object can give (confer) a right to the object to another
subject
Example: command to create a file and assign own and read rights to it
command create-read (process, file)
create object file
enter own into P [process, file]
enter read into P [process, file]
end.
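The command mechanism above (conditions of the form r in P[s,o], evaluated in full before any primitive operation runs), as an added worked example that is not from the lecture: the create-read command from the slide plus a second command, confer-read, that lets an owner confer the read right on another subject. The class, the confer-read command and the process/file names are assumptions for illustration.

```python
# Added example (not from the lecture): an access matrix P[s, o] and commands
#   command name(params) if <conditions> then <primitive operations> end
# The confer-read command and all names are assumptions.
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        self.P = defaultdict(set)   # (subject, object) -> set of rights
        self.objects = set()

    # primitive operations
    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"object {o} already exists")
        self.objects.add(o)

    def enter(self, r, s, o):
        self.P[(s, o)].add(r)

    def delete(self, r, s, o):
        self.P[(s, o)].discard(r)

    def has(self, r, s, o):
        return r in self.P[(s, o)]


def run_command(M, conditions, operations):
    """Reference monitor for a command: every condition `r in P[s,o]` is
    evaluated first; only if all hold are the primitive operations executed,
    in order. Returns True if the command ran, False if it was rejected."""
    if not all(M.has(r, s, o) for (r, s, o) in conditions):
        return False
    for op in operations:
        op()
    return True


def create_read(M, process, file):
    """command create-read(process, file): no conditions."""
    return run_command(M, conditions=[], operations=[
        lambda: M.create_object(file),
        lambda: M.enter("own", process, file),
        lambda: M.enter("read", process, file),
    ])


def confer_read(M, owner, file, subject):
    """command confer-read(owner, file, subject)
       if own in P[owner, file] then enter read into P[subject, file] end."""
    return run_command(M, conditions=[("own", owner, file)], operations=[
        lambda: M.enter("read", subject, file),
    ])


def demo():
    M = AccessMatrix()
    create_read(M, "p1", "f")                    # p1 now owns f and may read it
    ok = confer_read(M, "p1", "f", "p2")         # True: own in P[p1, f] holds
    rejected = confer_read(M, "p2", "f", "p3")   # False: p2 holds read, not own
    return M, ok, rejected
```

Because the condition part is checked completely before the operation list runs, a rejected command leaves the matrix untouched; that is exactly the property the reference monitor relies on.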
Principles:
Model:
Take: If node x has the take right to node y, and y has some access right r to a node z, then x can take that right: an edge labelled r from x to z is added
Grant: If node x has the grant right to node y, then x can grant to y any access right that x itself holds on another node z: an edge labelled with that right from y to z is added
[Figure: protection graph before the grant; node x has an edge labelled g to node y and an edge labelled r, w to node z]
Node x has grant access to node y and also has read and write access to node z
Node x can grant read access for z to node y (a directed edge labelled r from y to z is added to the graph)
[Figure: protection graph after the grant; the edges x --g--> y and x --r, w--> z remain and a new edge y --r--> z has been added]
CS-550 (M.Soneru): Protection and Security - 2 [SaS]
Take
Grant
Create: A new node is added to the graph
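The take, grant and create rules as an added worked example (not code from the lecture). It replays the figure above (x grants its read right on z to y) and then applies the take rule as well; the extra take edge from y to x, the node names and the class are assumptions added for illustration.

```python
# Added example (not from the lecture): a protection graph with the take,
# grant and create rules. Edge labels: t = take, g = grant, r = read, w = write.
# Subject/object node kinds are not tracked here (assumption).
from collections import defaultdict


class ProtectionGraph:
    def __init__(self):
        self.edges = defaultdict(set)   # (from, to) -> set of rights

    def add(self, frm, to, rights):
        self.edges[(frm, to)] |= set(rights)

    def rights(self, frm, to):
        return self.edges[(frm, to)]

    def take(self, x, y, z, r):
        """Take rule: x --t--> y and y --r--> z  ==>  add x --r--> z."""
        if "t" not in self.rights(x, y):
            raise PermissionError(f"{x} has no take right to {y}")
        if r not in self.rights(y, z):
            raise PermissionError(f"{y} has no {r} right to {z}")
        self.add(x, z, {r})

    def grant(self, x, y, z, r):
        """Grant rule: x --g--> y and x --r--> z  ==>  add y --r--> z."""
        if "g" not in self.rights(x, y):
            raise PermissionError(f"{x} has no grant right to {y}")
        if r not in self.rights(x, z):
            raise PermissionError(f"{x} has no {r} right to {z}")
        self.add(y, z, {r})

    def create(self, x, new, rights):
        """Create rule: a new node appears and x holds `rights` to it."""
        if any(new in edge for edge in self.edges):
            raise ValueError(f"node {new} already exists")
        self.add(x, new, rights)


def demo():
    G = ProtectionGraph()
    G.add("x", "y", {"g"})          # the figure's starting graph
    G.add("x", "z", {"r", "w"})
    G.grant("x", "y", "z", "r")     # adds y --r--> z, as in the figure
    G.add("y", "x", {"t"})          # assumption: y also holds take on x
    G.take("y", "x", "z", "w")      # y takes x's w on z: adds y --w--> z
    G.create("y", "q", {"t", "g", "r", "w"})
    return G
```

Each rule only ever adds an edge whose right already exists somewhere in the graph, which is why the rules can be analysed for what rights can possibly be transferred from the initial configuration.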
Bell-LaPadula Model
Used to control information flow
Model components
The subject that creates an object holds the control attribute for that object and is its controller
The controller can pass any of the four access rights to the controlled object to another subject
A subject cannot have read access to an object with classification higher than the
clearance level of the subject
A subject has append (i.e., write) access only to objects whose classification (i.e., security level) is higher than or equal to the subject's current security level
A subject has read access only to objects whose classification is lower than or equal to the subject's current security level
A subject has read-write access only to objects whose classification is equal to the subject's current security level
[Figure: security levels Level 1 ... Level i-1, Level i, Level i+1 ...; a subject at Level i can write to Level i and above and can read from Level i and below]
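The four access rules above as an added worked example (not code from the lecture). Levels are plain integers, higher meaning more sensitive (an assumption: the full model uses a lattice of level and category sets); execute is treated as neither observing nor altering the object, as in the original Bell-LaPadula definition, and so is not level-constrained here. The can_copy helper and all names are assumptions added for illustration.

```python
# Added example (not from the lecture): the Bell-LaPadula access rules with
# integer security levels. Class/function names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int   # maximum clearance
    current: int     # current security level, never above clearance


@dataclass(frozen=True)
class Obj:
    name: str
    classification: int


def blp_allows(s, o, mode):
    """Apply the four access rules. Levels are integers; higher is more sensitive."""
    if s.current > s.clearance:
        raise ValueError("current level exceeds clearance")
    if mode == "read":       # simple security property: no read up
        return o.classification <= s.current
    if mode == "append":     # *-property: no write down
        return o.classification >= s.current
    if mode == "write":      # read-write: both rules, so the levels must be equal
        return o.classification == s.current
    if mode == "execute":    # assumption: execute neither observes nor alters, so unconstrained
        return True
    raise ValueError(f"unknown access mode {mode}")


def can_copy(s, src, dst):
    """Information flows from src to dst through s only if s may read src and
    append to dst; together the two rules force dst.classification >= src.classification."""
    return blp_allows(s, src, "read") and blp_allows(s, dst, "append")


def demo():
    analyst = Subject("analyst", clearance=3, current=2)
    top, mid, low = Obj("top", 3), Obj("mid", 2), Obj("low", 1)
    return {
        "read top": blp_allows(analyst, top, "read"),       # False: no read up
        "read low": blp_allows(analyst, low, "read"),       # True
        "append low": blp_allows(analyst, low, "append"),   # False: no write down
        "append top": blp_allows(analyst, top, "append"),   # True: may append upward
        "write mid": blp_allows(analyst, mid, "write"),     # True: equal level only
        "write low": blp_allows(analyst, low, "write"),     # False
        "copy mid->low": can_copy(analyst, mid, low),       # False: downward flow blocked
        "copy low->mid": can_copy(analyst, low, mid),       # True
    }
```

The last two entries are the reason the model is described as controlling information flow: no single subject, whatever its clearance, can act as a channel that moves data from a higher classification to a lower one.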
Subjects:
Each file has a unique owner (user who created the file)
Each file has two access fields
Protection domain
Representation
Protection:
Access rights:
Kernel rights: kernel supports the basic access rights (read, write, copy)
Auxiliary rights: user defined object operations
Kernel uses a 24-bit mask to encode access rights: kernel rights have
fixed positions
Amoeba
Distributed OS (Tanenbaum)
Object-based, client-server model
Capability fields (figure): object number, rights, check
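The Amoeba capability fields above, as an added worked example (not code from the lecture or from Amoeba itself) of how the check field protects the rights field: the server keeps a random check value per object, the owner capability carries it directly, and a restricted capability carries the one-way function of the check value XORed with the reduced rights. Field widths follow the Amoeba capability format (object number 24 bits, rights 8 bits, check 48 bits); the server port field is omitted as on the slide. SHA-256 truncated to 48 bits stands in for the one-way function, and the class and method names are assumptions.

```python
# Added example (not from the lecture or Amoeba): Amoeba-style capabilities with
# a one-way-function check field. Names and the choice of hash are assumptions.
import hashlib
import os
from dataclasses import dataclass

ALL_RIGHTS = 0xFF   # 8-bit rights field; all bits set marks the owner capability


@dataclass(frozen=True)
class Capability:
    object_number: int   # 24 bits
    rights: int          # 8 bits
    check: int           # 48 bits


def one_way(x: int) -> int:
    """One-way function over the 48-bit (check XOR rights) value.
    SHA-256 truncated to 48 bits stands in for Amoeba's own function (assumption)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(6, "big")).digest()[:6], "big")


class ObjectServer:
    def __init__(self):
        self.secret_check = {}   # object number -> random check value C, known only to the server

    def create_object(self, number):
        C = int.from_bytes(os.urandom(6), "big")
        self.secret_check[number] = C
        return Capability(number, ALL_RIGHTS, C)   # owner capability carries C itself

    def verify(self, cap):
        """Owner capability: check must equal C.
        Restricted capability: check must equal f(C XOR rights)."""
        C = self.secret_check.get(cap.object_number)
        if C is None:
            return False
        if cap.rights == ALL_RIGHTS:
            return cap.check == C
        return cap.check == one_way(C ^ cap.rights)

    def restrict(self, cap, new_rights):
        """Derive a capability with a subset of the rights. Only the server can do
        this, because computing the new check field requires C."""
        if not self.verify(cap):
            raise PermissionError("invalid capability")
        if new_rights & ~cap.rights:
            raise PermissionError("cannot add rights when restricting")
        if new_rights == cap.rights:
            return cap
        C = self.secret_check[cap.object_number]
        return Capability(cap.object_number, new_rights, one_way(C ^ new_rights))


def demo():
    srv = ObjectServer()
    owner = srv.create_object(42)
    read_only = srv.restrict(owner, 0x01)
    forged = Capability(42, 0x03, read_only.check)   # holder flips a rights bit
    return {
        "owner ok": srv.verify(owner),        # True
        "read-only ok": srv.verify(read_only),  # True
        "forged ok": srv.verify(forged),      # False: check no longer matches f(C XOR rights)
    }
```

A holder of the restricted capability cannot widen its rights: changing the rights field changes the input to the one-way function, and recomputing a matching check field would require C, which never leaves the server.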