
Access Control Matrix

Arun Anoop M
AP-CSE
MESCE

02/16/15

ARUN ANOOP M,AP,CSE,MESCE

Topic
Introduction
Access Control Matrix
Access Control List (ACL)
Capability List (C-List)
The confused deputy
Comparison between ACL and C-List
Summary

Introduction
The access control matrix is a model for protecting system resources.
It was first proposed by Butler W. Lampson, an American computer scientist, in 1971.
An access control system is like using locked doors: the doors can be opened by anyone who owns the right keys. Another example is checking movie tickets at a theatre: viewers with valid tickets are allowed to pass the door and watch the movie.
The derived forms of the access control matrix, the access control list (ACL) and the capability list (C-list), are better suited to practical use.


Access Control Matrix


An access control matrix consists of three parts: subject, object, and access operation.
A subject is an active entity in a computer system, such as a user.
An object is a passive entity or system resource, such as a file.
In the access control matrix's schema, the subjects and objects are placed in a table.
Each row represents a subject and each column represents an object.
Each cell of the table holds a set of access operations such as read, write, and execute. The access operations govern the interactions between subjects and objects.

A schematic view
A user requests access operations on objects/resources.
The reference monitor checks the validity of the request and either grants or denies access.

[Figure: Access Request -> Reference Monitor -> Grant/Deny]

Access Control Matrix

Table 1: Access Control Matrix [3]

r = read
w = write
x = execute
- = not allowed

In Table 1 there are three users (Bob, Alice, and Sam) and one program (Acct. program) as subjects. They are arranged in rows.
In the columns there are five objects: OS, accounting program, accounting data, insurance data, and payroll data.
The accounting program acts as both subject and object. This approach protects the accounting data from being corrupted or changed by other programs. If other subjects attempt to modify the accounting data, that attempt will be rejected.
Alice and Bob are still able to read and execute the accounting program (original or fallacious) without corrupting it in any circumstances.

Access Control Matrix (ACM)


Key Points:
---------------
1) Split the matrix.
2) Store each row/column with its corresponding subject/object.

ACL & C-lists:
-----------------
1) What happens whenever an object is accessed?
Its column of the ACM is consulted to see if the operation is allowed. The columns are called ACLs.
2) What happens whenever a subject tries to perform an operation?
Its row of the ACM is consulted to see if the operation is allowed. This approach is called C-lists.

Access Control List (ACL)

Table 1: The composition of an ACL entry [3]

Table 2: Access Control Matrix [3]

According to Table 1 and Table 2, the ACL for insurance data can be written as:


Access Control Lists (ACLs) cont.


In Figure 1 there are three subjects (Alice, Bob and Fred) and three objects (file 1, file 2, and file 3).
According to Figure 1, each file or object has its own ACL.
File 1 links to two subjects, Alice and Fred.
File 1 grants read permission to both subjects.
The ACL of file 2 grants Alice permission to write file 2 and Bob permission to read file 2.

Figure 1: Access Control Lists (ACLs)

Capability List (C-List)


The second derived form of the access control matrix is the capability list, or C-list.
The access control matrix is split into rows, and each row represents one subject.
Each entry in the list is a capability, which is a pair of an object and a set of access operations.
Each C-list lists the permissions its subject has to access objects.


Capability List (C-List) cont.

Table 1: Access Control Matrix [3]

From the access control matrix, Alice's C-list can be written as:


Capability (C-List) cont.


In Figure 2 there are three subjects (Alice, Bob and Fred) and three objects (file 1, file 2, and file 3).
Each subject is assigned permissions to operate on each object.
For example, Alice has permission to write file 2, and to read and write file 3.

Figure 2: Capability (C-List)
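The column split (ACLs) and row split (C-lists) described in the slides above, as an added example that is not part of the original slides. The matrix is assembled from the rights the slides mention for Figures 1 and 2; cells the slides do not mention are assumed empty, and all function names are hypothetical.

```python
# Access control matrix: rows are subjects, columns are objects.
# Entries are the rights the slides mention for Figures 1 and 2; cells the
# slides do not mention are left empty (an assumption of this example).
MATRIX = {
    "Alice": {"file1": {"r"}, "file2": {"w"}, "file3": {"r", "w"}},
    "Bob":   {"file2": {"r"}},
    "Fred":  {"file1": {"r"}},
}
OBJECTS = ("file1", "file2", "file3")

def to_acls(matrix):
    """Split by column: one ACL per object, stored with that object."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def to_clists(matrix):
    """Split by row: one C-list per subject, stored with that subject."""
    return {s: [(obj, frozenset(r)) for obj, r in row.items()]
            for s, row in matrix.items()}

def acl_allows(acls, subject, obj, op):
    """Object side: consult the object's column for the requesting subject."""
    return op in acls.get(obj, {}).get(subject, set())

def clist_allows(clists, subject, obj, op):
    """Subject side: consult the subject's row for a capability on obj."""
    return any(o == obj and op in rights
               for o, rights in clists.get(subject, []))

def decisions_agree(matrix):
    """Both splits must give the reference monitor the same answer."""
    acls, clists = to_acls(matrix), to_clists(matrix)
    return all(
        acl_allows(acls, s, o, op)
        == clist_allows(clists, s, o, op)
        == (op in matrix[s].get(o, set()))
        for s in matrix for o in OBJECTS for op in "rwx"
    )

if __name__ == "__main__":
    print("ACL of file2:", to_acls(MATRIX)["file2"])
    print("C-list of Alice:", to_clists(MATRIX)["Alice"])
    print("decisions agree:", decisions_agree(MATRIX))
```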


Confused Deputy
A deputy is a program that acts on behalf of users or subjects.
Here the compiler is a program that acts on behalf of Alice.
The compiler is one well-known deputy. A compiler, a program that transforms source code into binary form, must act as a deputy for many users.
Acting as a deputy gives rise to a classical security problem called the confused deputy.
A confused deputy is a deputy that is inappropriately manipulated.
The confused deputy problem is commonly found in computer systems.

Confused Deputy cont.

Table 3: Access Control Matrix for Confused Deputy [3]

* r = read, w = write, x = execute, - = not allowed

The compiler is granted permission to write anything into a file named Bill. The file Bill contains critical information for resources.
There is a user named Alice. Alice can invoke the compiler and give it a file name to receive debugging output.
If Alice invokes the compiler and provides Bill as the name of the debugging file, the compiler will get confused.
Although Alice does not have permission to write anything to the file Bill, the compiler, which is Alice's deputy, will overwrite the file Bill with debugging information.

The confused deputy cont.

Figure 3: The confused deputy [3]


When the confused deputy problem occurs, a C-list can prevent it, but ACLs have difficulty avoiding it.
Alice must give her C-list to the compiler if she wants to invoke the compiler.
Once it receives the C-list, the compiler checks all permissions related to the target file.
The compiler will then know that Alice does not have permission to overwrite the file Bill. ACLs, on the other hand, have no similar protection mechanism to avoid the confusion.
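The Alice/compiler/Bill scenario above, as an added example that is not part of the original slides: it contrasts a compiler that writes under its own authority with one that writes under the caller's C-list. The matrix is reconstructed from the slide text (Table 3 is not reproduced on the page), and `alice.dbg`, the file contents and all function names are constructed for illustration.

```python
# Rights from the slide text: the compiler may write Bill, Alice may only run
# the compiler. The file "alice.dbg" and its entries are constructed so that
# a legitimate debug request also exists.
ACM = {
    "Alice":    {"compiler": {"x"}, "alice.dbg": {"w"}},
    "compiler": {"Bill": {"w"}, "alice.dbg": {"w"}},
}

class Denied(Exception):
    """Raised by the reference monitor when a request is refused."""

def check(rights, obj, op, who):
    if op not in rights.get(obj, set()):
        raise Denied(f"{who} lacks '{op}' on {obj}")

def compile_acl(caller, debug_file, files):
    """ACL model: the file's ACL is checked against the process that opens
    it (the compiler), so the caller's lack of rights is never consulted."""
    check(ACM[caller], "compiler", "x", caller)
    check(ACM["compiler"], debug_file, "w", "compiler")  # deputy's authority
    files[debug_file] = f"debug output for {caller}"

def compile_clist(caller, clist, debug_file, files):
    """C-list model: the caller hands over its capabilities and the compiler
    writes the debug file under those, not under its own authority."""
    check(clist, "compiler", "x", caller)
    check(clist, debug_file, "w", caller)                # caller's authority
    files[debug_file] = f"debug output for {caller}"

def run(model, debug_file):
    """Return (outcome, resulting contents of Bill) for one invocation."""
    files = {"Bill": "billing records", "alice.dbg": ""}
    try:
        if model == "acl":
            compile_acl("Alice", debug_file, files)
        else:
            compile_clist("Alice", ACM["Alice"], debug_file, files)
        outcome = "written"
    except Denied as exc:
        outcome = f"denied: {exc}"
    return outcome, files["Bill"]

if __name__ == "__main__":
    for model in ("acl", "clist"):
        for target in ("alice.dbg", "Bill"):
            print(model, target, run(model, target))
```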

Comparison between ACL and C-List

Figure 4: Comparison between Access control list and capability [3]


Comparison between ACL and C-List cont.


The access control list and the capability list look similar, but there are many differences. The obvious and significant difference is the direction of the arrows in the two approaches.
According to Figure 4, the arrows for ACLs point from the resources (objects) to the users (subjects), but the arrows for C-lists point from the users to the resources.


Thank you
