Access Control Models: Discretionary Access Control
47 Questions
Questions and Answers

    What are the three types of access permissions in Unix?

      • Read, Write, Execute (correct)
      • Delete, Read, Write
      • Open, Read, Write
      • Create, Read, Write

    Which bit in the ACL specifies whether it is for a file or a folder?

      • The third bit
      • The first bit (correct)
      • The last bit
      • The second bit

    Which user group has access to a file or folder represented by the last three bits in an ACL?

      • The system administrator
      • Anyone else (correct)
      • The owner
      • The group

    What does 'suid' stand for in the context of Unix permissions?

      Set User ID (C)

    What happens when a program is marked as 'suid'?

      The program runs with the permissions of the user who owns it (D)

    How is 'sgid' different from 'suid'?

      Sgid allows a program to run with the permissions of the group it belongs to (D)

    Which of these options can be accomplished by using 'suid' and 'sgid'?

      Allow a program to access restricted resources with the permissions of its owner or group (A)

    Why can 'suid' and 'sgid' pose security risks?

      They allow malicious users to bypass system security measures (C)

    Which of the following is NOT a drawback of Discretionary Access Control (DAC)?

      DAC policies distinguish between users and subjects. (C)

    What does DAC stand for?

      Discretionary Access Control (B)

    Which of these books is recommended in the "Readings" section for learning more about access control?

      CISSP Study Guide by E. Conrad, S. Misenar and J. Feldman (D)

    Based on the provided text, what is a common limitation of DAC policies?

      They lack the ability to regulate information flow after access is granted. (C)

    What does "Trojan Horses" refer to in the context of DAC shortcomings?

      Malware disguised as legitimate software, potentially exploiting user privileges. (B)

    What is a key difference between subjects and users in the context of DAC?

      Subjects are processes that execute on behalf of users, while users are individuals interacting with the system. (C)

    Which of the following is NOT a recommended reading material mentioned in the concluding remarks?

      Chapter 23 of Bertino's Handbook on Securing Cyber-Physical Critical Infrastructure (D)

    Which security measure specifically uses a 1-bit tag to indicate whether a capability can be changed or copied?

      Hardware tags (C)

    What type of security mechanism is suited to a subject basis, providing finer-grained control?

      Capabilities (C)

    Which of the following statements is true regarding Access Control Lists (ACLs)?

      ACLs are preferred in most systems over capabilities. (A)

    What is a key feature of Discretionary Access Control (DAC) models?

      Users can transfer their privileges to other users. (A)

    Which access control model is focused on the integrity and propagation control of subjects?

      Capabilities (C)

    In the Access Control Matrix (ACM) model, what does each cell in the matrix represent?

      The rights that a subject has over an object. (A)

    Which of the following is not specifically mentioned as a part of DAC models?

      Enforcement of security policies by a central authority. (C)

    What does the term 'least privilege control' refer to in the context of capabilities?

      Providing the minimum permissions necessary for subjects. (C)

    In which way does cryptography contribute to capabilities?

      By providing encryption for capabilities. (B)

    What does a state in the Access Control Matrix model signify?

      The current rights that subjects have over objects. (D)

    Which aspect of the take-grant model was proposed by Lipton and Snyder?

      Propagation of capabilities (B)

    Which of the following statements about subjects in DAC models is accurate?

      Subjects are considered objects as well. (C)

    What is one major limitation of DAC models?

      They allow users to modify their access rights without restrictions. (B)

    Which of the following is NOT a feature of protected address space?

      Making memories accessible to all programs (C)

    What role do transitions play in the access control matrix model?

      They represent how state changes occur when commands are executed. (C)

    Which statement best describes the structure of a state in the Access Control Matrix?

      It is a combination of subjects, objects, and a matrix of rights. (D)

    What is the relation depicted by (S, O, A) ⇒σ(α) when the test of σ(α) is not satisfied?

      (S', O', A') remains unchanged. (A)

    What must exist if the test of σ(α) is satisfied at (S, O, A)?

      A valid operation that leads to a new state. (C)

    In the transition relation, what does the notation (S, O, A) ⇒ (S', O', A') represent?

      A transition through multiple operations. (A)

    What rights does Alice have over file1 based on the provided scenario?

      Only read rights. (C)

    What command is used to confer read access from Alice to Bob in the transition example?

      CONFER READ (B)

    Which statement is true about Bob's rights over file2 in the example?

      Bob has only read rights. (A)

    What is implied if the relation (S, O, A) ⇒α (S', O', A') holds?

      There is a command that leads to a state change. (D)

    What condition must be met for (S, O, A) ⇒σ(α) (S', O', A') to hold true?

      There must be a σ that satisfies the transition condition. (D)

    What does it mean when we say that a command leaks a right 'r' from a state Q?

      The command allows access to the right after some operations. (A)

    In terms of safety, what is a key aspect of a protection system C over R?

      A state is unsafe if any commands leak rights from it. (C)

    Which statement accurately describes a protection system?

      It specifies the rules governing rights granting in a system. (C)

    When is a state Q considered safe for a right r?

      If no command in the system can leak r from a reachable state. (B)

    What does the notation $Q_0 = (S_0, O_0, A_0)$ represent in the context of leakage?

      The initial state of a protection system and its attributes. (D)

    Which of the following statements about leaks in a protection system is true?

      Any interesting protection system may have some commands that leak rights. (C)

    What is a necessary condition for a command α to leak a right r from state Q?

      There exists a valid substitution σ for the command's test. (C)

    What happens if Alice gets write rights to file2 in the given context?

      Bob will gain reading access to file1 indirectly through file2. (B)

    Study Notes

    Access Control

    • Discretionary Access Control (DAC) models enforce access control based on the identity of requesters.
    • DAC models are considered "discretionary" because users can grant privileges to other users.
    • DAC mechanisms typically include object ownership.
    • DAC models are state-transition systems where a state defines the rights subjects have on objects at a specific time. A transition shows how the state changes when commands concerning subjects, objects, or rights are executed.

    Outline

    • Introduction to DAC
    • Access control matrix model
    • Model description
    • Safety problem
    • Implementation of DAC
    • Other related DAC models
    • A major weakness of DAC models
    • Concluding remarks on DAC models

    The Access Control Matrix Model

    • The most common DAC model is the access control matrix (ACM) of Harrison et al. (1976), also known as the HRU model.

    Basic Features of the ACM

    • It is a state-transition system.
    • States are matrices where rows represent subjects, columns represent objects, and cells specify a subject's rights on an object.
    • Transitions between states are caused by commands.
    • Subjects can also be objects.

    States

    • A state is a triple (S, O, A), where:
      • S is a set of subjects.
      • O is a set of objects.
      • A is a matrix whose elements are subsets of a set of rights (R).

    Primitive Operations

    • Changing rights in the system is based on precisely defined rules.
    • These rules are formalized as commands composed of primitive operations.
    • Primitive operations alter the state. Types of primitive operations include creating/destroying subjects/objects, and granting/removing rights.

    Commands

    • A command is a construct of the form:
        command α(X₁, ..., Xₖ)
          if r₁ ∈ A[Xs₁, Xo₁] and ... and rₘ ∈ A[Xsₘ, Xoₘ]
          then op₁; ...; opₙ
        end
      where X₁, ..., Xₖ are subject- or object-type variables and op₁, ..., opₙ are primitive operations.
    • A command is evaluated according to its conditions (tests of the form r ∈ A[Xs, Xo]) and, when they hold, acts by executing its operations in sequence.
    • Conditions can only test for the presence of rights, never for their absence.

    Examples of Commands

    • Various examples of commands (CREATE, CONFER_READ, REMOVE_READ, TRANSFER_READ) illustrate how specific actions modify the related state.

    Substitution

    • To execute commands, formal parameters are replaced with actual values (substitution).
    • Subjects are substituted for subject-type variables and objects for object-type variables.
    • Substitutions are applied homomorphically to primitive operations and commands.

    Transition Relation

    • Given a command (α) and a substitution (σ), a binary relation (⇒σ(α)) on states describes how states change.
    • If the test of σ(α) isn't met, the state remains unchanged. If it is satisfied, the state transitions via intermediate states (Q₀, Q₁, ..., Qₙ), applying the operations (op₁, ..., opₙ) in the command body of α.

    Examples of Transitions

    • Examples illustrate how commands, like CONFER_READ, change permissions.

    Safety

    • A protection system (C) is a set of commands.
    • A state (Q) is "safe" for a right (r) if no command in C, when executed on Q with a specific substitution, changes the state in a way that leaks the right (r).

    Undecidability of Safety

    • The safety problem (deciding whether a given state is safe for a given right) is undecidable in general for the HRU model. Whether it becomes decidable depends on restrictions on the protection system, such as the kinds of commands and conditions allowed.

    Implementation

    • ACM implementations often suffer from scalability issues.
    • Compact storage and management solutions are necessary. Common approaches include authorization tables, access control lists (ACLs), and capability lists.

    Access Control Lists (ACLs)

    • ACLs are columns of the ACM, associated with objects, granting access permissions.
    • ACLs are useful in environments where users manage their own security and permissions.
    • ACL maintenance can be tedious in large and ever-changing user populations.

    Access Control Lists in Unix

    • Unix files and folders carry access permissions for the owner, group, and world (everyone else), encoded as permission bits.

    Access Control Lists in Windows

    • Windows ACLs allow permissions for users and groups to be assigned to many different object types.

    Capability Lists

    • Capability lists (C-lists) are rows in the ACM, associated with subjects.
    • C-lists are stored as pairs (o, r) of objects and associated rights, which allow controlled access from subjects to objects.
    • Problems exist in representing objects and preventing unauthorized modifications (unforgeability) in C-lists.

    ACLs vs. Capabilities

    • ACLs focus on subject authentication and object-based access reviews.
    • Capabilities focus on access integrity, subject-based access review, and short-lived, dynamically controlled subjects.

    The Take-Grant Model

    • Proposed by Lipton and Snyder (1977). Subjects are not considered objects, and states are directed graphs whose arcs are labeled with rights.

    The Schematic Model

    • Proposed by Sandhu (1988), it fills the expressiveness gap between the HRU model (intractable) and the take-grant model (simple) while still offering decidability of safety.

    Adding new features to the DAC model

    • Support for positive and negative permissions (used to express exceptions), weak and strong permissions, implicit permissions (derived in the system), context-based permissions, and content-dependent permissions.

    A Major Weakness of DAC Models

    • Security relies on users obeying access restrictions; the model itself has no inherent way of enforcing them.

    Concluding Remarks

    • DAC enforces access control based on requester identity.
    • DAC models ignore the distinction between users and subjects.
    • DAC doesn't protect against malicious programs exploiting privileges.
    • DAC doesn't control information flow after a process acquires it.
    • Further improvements are needed regarding separation of users and subjects, and controlling information flow.

    Description

    This quiz explores Discretionary Access Control (DAC) models, focusing on their principles, implementation, and security concerns. You'll learn about the access control matrix and the state-transition systems that define subjects' rights on objects. Dive into the strengths and weaknesses of DAC models to understand their practical applications.
