
Lecture 3-4 – Access Control

Dr. Cong Wang


CS Department
City University of Hong Kong

Slides credits in part from D. Boneh, J. Mitchell, M. Goodrich, and W. Stallings

CS4293 Topics on Cybersecurity 1


Access control
• Assumptions
– System knows who the user is
• Authentication via name and password, other credential
– Access requests pass through gatekeeper (reference monitor)
• System must not allow monitor to be bypassed

[Diagram: a user process sends an access request to the reference monitor, which consults the policy and decides whether the request reaches the resource]
Relationship Among Access Control and Other Security Functions


Functions related to Access Control
• Authentication: Verification that the credentials of a user or other system entity are valid.
• Authorization: The granting of a right or permission to a system entity to access a system resource.
– This function determines who is trusted for a given purpose.
• Audit: An independent review and examination of system records and activities.
– in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures.


Access control matrix



Access Control Matrix
• Scenario: an entity may enable another entity to
access some resource
• often provided using an access matrix
• one dimension consists of identified subjects that may
attempt data access to the resources
• the other dimension lists the objects that may be
accessed
• each entry in the matrix indicates the access rights of
a particular subject for a particular object



Access control matrix [Lampson]

Subjects \ Objects   File 1   File 2   File 3   …        File n
User 1               read     write    -        -        read
User 2               write    write    write    -        -
User 3               -        -        -        read     read
User m               read     write    read     write    read


Enriched Entry in Access Matrix
Full example



Another Example AC Matrix for Unix



Two implementation concepts
• Access control list (ACL)
– Store column of matrix with the resource
• Capability
– User holds a “ticket” for each resource
– Two variations
• store row of matrix with user, under OS control
• unforgeable ticket in user space

         File 1   File 2   …
User 1   read     write    -
User 2   write    write    -
User 3   -        -        read
User m   read     write    write

Access control lists are widely used, often with groups
Some aspects of capability concept are used in many systems
Access Control List Examples
• It defines, for each object, o, a list, L, called o’s access control list, which enumerates all the subjects that have access rights for o and, for each such subject, s, gives the access rights that s has for object o.

/etc/passwd:  root: r,w;   mike: r;   roberto: r;   backup: r
/usr/bin/:    root: r,w,x; mike: r,x; roberto: r,x; backup: r,x
/u/roberto/:  root: r,w,x; roberto: r,w,x; backup: r,x
/admin/:      root: r,w,x; backup: r,x


Capability Examples
• Takes a subject-centered approach to access control. It defines, for each subject s, the list of the objects for which s has nonempty access control rights, together with the specific rights for each such object.

root:     /etc/passwd: r,w,x; /usr/bin: r,w,x; /u/roberto: r,w,x; /admin/: r,w,x
mike:     /usr/passwd: r; /usr/bin: r,x
roberto:  /usr/passwd: r; /usr/bin: r; /u/roberto: r,w,x
backup:   /etc/passwd: r,x; /usr/bin: r,x; /u/roberto: r,x; /admin/: r,x
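Added example (mine, not from the slides): the ACL example loaded as an access control matrix in Python, showing that an ACL is a column of the matrix and a capability list a row, plus the two reference-monitor checks the slides contrast. The ACL check needs the authenticated subject's name; the capability monitor only verifies an unguessable ticket and never learns who presents it. The token format and the CapabilityMonitor class are my constructs.

```python
import secrets

# Access control matrix built from the ACL example in the slides:
# subject -> object -> set of rights.
MATRIX = {
    "root":    {"/etc/passwd": {"r", "w"}, "/usr/bin/": {"r", "w", "x"},
                "/u/roberto/": {"r", "w", "x"}, "/admin/": {"r", "w", "x"}},
    "mike":    {"/etc/passwd": {"r"}, "/usr/bin/": {"r", "x"}},
    "roberto": {"/etc/passwd": {"r"}, "/usr/bin/": {"r", "x"},
                "/u/roberto/": {"r", "w", "x"}},
    "backup":  {"/etc/passwd": {"r"}, "/usr/bin/": {"r", "x"},
                "/u/roberto/": {"r", "x"}, "/admin/": {"r", "x"}},
}

def acl_for(obj):
    """Column of the matrix: the list stored with the object (ACL view)."""
    return {s: rights[obj] for s, rights in MATRIX.items() if obj in rights}

def capabilities_for(subject):
    """Row of the matrix: the tickets held by or for the subject (capability view)."""
    return dict(MATRIX.get(subject, {}))

def acl_check(subject, obj, right):
    """Reference monitor over ACLs: relies on authentication of the subject."""
    return right in acl_for(obj).get(subject, set())

class CapabilityMonitor:
    """Reference monitor over tickets: the ticket alone decides the request."""
    def __init__(self):
        self._tickets = {}   # random token -> (object, rights); constructed store

    def issue(self, subject, obj):
        """Hand out a ticket only for rights the matrix actually grants."""
        rights = capabilities_for(subject).get(obj)
        if not rights:
            return None
        token = secrets.token_hex(16)   # unguessable, so unforgeable in user space
        self._tickets[token] = (obj, frozenset(rights))
        return token

    def check(self, token, obj, right):
        """No identity needed: a known token bound to obj with the right suffices."""
        entry = self._tickets.get(token)
        return entry is not None and entry[0] == obj and right in entry[1]
```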


Example of Access Control Structures (Figures 4.3b and c)
• For each object, an ACL lists users and their permitted access rights. Elements of the list may include individual users as well as groups of users.
• A capability ticket specifies authorized objects and operations for a particular user. OS may hold all tickets on behalf of users and make them inaccessible to users. Integrity of tickets must be protected/guaranteed.
ACL vs Capabilities
• Access control list
– Associate list with each object
– Check user/group against list
– Relies on authentication: need to know user
• Capabilities
– Capability is unforgeable ticket
• Random bit sequence, or managed by OS
• Can be passed from one process to another
– Reference monitor checks ticket
• Does not need to know identity of user/process


Role based Access Control



Roles (also called Groups)
• Role = set of users
– Administrator, PowerUser, User, Guest
– Assign permissions to roles; each user gets the permissions of its roles
• Role hierarchy
– Partial order of roles
– Each role gets permissions of roles below
– List only new permissions given to each role

Role hierarchy shown on the slide (highest to lowest):
Administrator
    |
PowerUser
    |
User
    |
Guest


Role-Based Access Control

Individuals  →  Roles  →  Resources
(individual users are assigned to the roles engineering, marketing and human resources; the roles are linked to Server 1, Server 2 and Server 3)

Advantage: users change more frequently than roles

Access Control Matrix for Roles instead of Users
The upper matrix relates individual users to roles.


Efficiency of RBAC
• RBAC has the potential to offer greater administrative
efficiency for:
– giving permissions to new users;
– reviewing and removing old privileges;
– changes in a user’s job assignment;
– removal of privileges for leaving employees.
• There is usually a direct relationship between the cost of
administration and the number of associations that must
be managed.
• The larger the number of associations, the costlier and more error-prone access control administration becomes.
• In most organisations RBAC reduces the number of associations that must be managed.
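Added example (not part of the lecture) for the role hierarchy and the efficiency argument above: the Administrator > PowerUser > User > Guest hierarchy as a partial order in Python, where each role lists only the permissions it adds and inherits the rest from the roles below. It generalises the slide's chain to roles with several junior roles; the permission names and the user-to-role assignment are constructed, and association_counts() compares direct user-to-permission grants with user-to-role plus role-to-permission associations.

```python
# JUNIORS maps a role to the roles directly below it, so a role may inherit
# from several juniors (a partial order, not only the chain on the slide).
JUNIORS = {"Administrator": {"PowerUser"}, "PowerUser": {"User"},
           "User": {"Guest"}, "Guest": set()}

# Each role lists only the permissions it adds (permission names are constructed).
NEW_PERMS = {
    "Guest": {"read_public"},
    "User": {"read_home", "write_home"},
    "PowerUser": {"install_software"},
    "Administrator": {"manage_users"},
}

# Constructed user-to-role assignment; a user may hold several roles.
USER_ROLES = {"alice": {"Administrator"}, "bob": {"User"},
              "carol": {"User"}, "dave": {"Guest"}}

def effective_perms(role, seen=None):
    """Permissions of a role plus everything inherited from the roles below it."""
    seen = set() if seen is None else seen
    if role in seen:                      # guard against a cyclic (invalid) hierarchy
        return set()
    seen.add(role)
    perms = set(NEW_PERMS.get(role, set()))
    for junior in JUNIORS.get(role, set()):
        perms |= effective_perms(junior, seen)
    return perms

def rbac_check(user, perm):
    """Reference monitor decision: the user holds perm through any of its roles."""
    return any(perm in effective_perms(r) for r in USER_ROLES.get(user, set()))

def association_counts():
    """Associations an administrator must manage for the current users:
    direct user->permission grants versus user->role plus role->permission."""
    direct = sum(len(effective_perms(r)) for roles in USER_ROLES.values() for r in roles)
    rbac = (sum(len(roles) for roles in USER_ROLES.values())
            + sum(len(p) for p in NEW_PERMS.values()))
    return direct, rbac

def change_job(user, new_role):
    """A job change is a single association update, not a re-grant of every permission."""
    USER_ROLES[user] = {new_role}
```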


Access Control in current OS



UNIX File Access Control
UNIX files are administered using inodes (index nodes)
• control structures with key information needed for a particular file
• several file names may be associated with a single inode
• an active inode is associated with exactly one file
• file attributes, permissions and control information are stored in the inode
• on the disk there is an inode table, or inode list, that contains the inodes of all the files in the file system
• when a file is opened its inode is brought into main memory and stored in a memory resident inode table

directories are structured in a hierarchical tree
• may contain files and/or other directories
• contains file names plus pointers to associated inodes
UNIX Nature of File Access Control
• each user has a unique user identification number (user ID)
• each user is a member of a primary group identified by a group ID
• each file belongs to a specific group
• 12 protection bits
– specify read, write, and execute permission for the owner of the file, members of the group and all other users
• the owner ID, group ID, and protection bits are part of the file’s inode
Unix file access control list (Cont’d)
• Each file has owner and group
• Permissions set by owner
– Read, write, execute
– Owner, group, other
– Represented by vector of four octal values (12 bits)
• Only owner, root can change permissions
– This privilege cannot be delegated or shared
• 3 Setid bits

Layout of the 12 bits:
  setid   rwx    rwx    rwx
          ownr   grp    othr
ACL example
• ls command lists the contents of the current working directory including:
– file permissions
• d indicates that the file is a directory
• first three permissions indicate those granted to the owner
• next three permissions indicate those granted to members of the owner group
• final three permissions indicate those granted to other authenticated users
– file name, owner and group owner

Permissions   Owner   Group   …   Name
drwxr-xr-x    alice   CS      …   Research
-rw-r-----    alice   CS      …   test.txt
-rwxr-xr--    bob     EE      …   a.out


Setid bits on executable Unix file
• “set user ID” (SetUID)
• “set group ID” (SetGID)
– system temporarily uses rights of the file owner / group in addition to the real user’s rights when making access control decisions
– enables privileged programs to access files / resources not generally accessible
• sticky bit
– when applied to a directory it specifies that only the owner of any file in the directory can rename, move, or delete that file
• superuser (one particular user ID)
– is exempt from usual access control restrictions
– has system-wide access
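Added example (mine, not the lecture's) for the 12 protection bits and the setid bits above: decoding a mode into the ls-style string, the classic owner/group/other decision with the superuser exemption, and the uid/gid a setuid/setgid executable runs with. It uses only the standard stat module constants; uids, gids and modes in the comments are constructed.

```python
import stat

def mode_string(mode):
    """Render the 12 protection bits the way ls does, e.g. 0o4755 -> "rwsr-xr-x".
    The three setid bits overlay the x positions: s/S for setuid and setgid,
    t/T for the sticky bit (upper case when the underlying x bit is clear)."""
    out = []
    for shift, special, flag in ((6, stat.S_ISUID, "s"),
                                 (3, stat.S_ISGID, "s"),
                                 (0, stat.S_ISVTX, "t")):
        r = "r" if mode & (4 << shift) else "-"
        w = "w" if mode & (2 << shift) else "-"
        x = bool(mode & (1 << shift))
        if mode & special:
            xch = flag if x else flag.upper()
        else:
            xch = "x" if x else "-"
        out.append(r + w + xch)
    return "".join(out)

def classic_access(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic owner/group/other decision. The superuser is exempt; otherwise
    exactly one class of bits applies (owner if uid matches, else group if any
    of the process's gids matches, else other), even when another class
    would have been more permissive."""
    if uid == 0:
        return True
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    bit = {"r": 4, "w": 2, "x": 1}[want]
    return bool(mode & (bit << shift))

def effective_ids(mode, owner_uid, owner_gid, real_uid, real_gid):
    """Executing a setuid/setgid file: the process gains the file owner's uid
    and/or gid in addition to the real ones, which is how privileged programs
    reach files the real user cannot."""
    euid = owner_uid if mode & stat.S_ISUID else real_uid
    egid = owner_gid if mode & stat.S_ISGID else real_gid
    return euid, egid
```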
Access Control Lists (ACLs) in Modern UNIX
• modern UNIX systems support ACLs
– FreeBSD, OpenBSD, Linux, Solaris
• FreeBSD
– setfacl command assigns a list of UNIX user IDs and groups
– any number of users and groups can be associated with a file
– read, write, execute protection bits
– a file does not need to have an ACL
– includes an additional protection bit that indicates whether the file has an extended ACL
• when a process requests access to a file system object two steps are performed:
– step 1 selects the most appropriate ACL
• owner, named users, owning / named groups, others
– step 2 checks if the matching entry contains sufficient permissions
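Added example (not from the slides): the two-step extended-ACL evaluation in Python over a constructed ACL. It goes beyond the slide by including the mask entry that POSIX.1e ACLs carry, which caps what named users and all group entries can grant; the Acl class and its field names are my own, not any system's API.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    """Constructed extended ACL in the spirit of getfacl output."""
    owner_uid: int
    owner_gid: int
    user_obj: str                                  # u::   owner entry
    group_obj: str                                 # g::   owning-group entry
    other: str                                     # o::   everyone else
    users: dict = field(default_factory=dict)      # u:<uid>:rwx named users
    groups: dict = field(default_factory=dict)     # g:<gid>:rwx named groups
    mask: str = "rwx"                              # m::   cap for named users and groups

def _has(entry, want, mask=None):
    """Step 2: does the selected entry (after masking) contain every requested right?"""
    granted = set(entry) - {"-"}
    if mask is not None:
        granted &= set(mask) - {"-"}
    return set(want) <= granted

def acl_access(acl, uid, gids, want):
    """Step 1 selects the entry class in the order owner, named user,
    owning/named groups, other; step 2 checks the rights in it."""
    if uid == acl.owner_uid:
        return _has(acl.user_obj, want)
    if uid in acl.users:
        return _has(acl.users[uid], want, acl.mask)
    candidates = []
    if acl.owner_gid in gids:
        candidates.append(acl.group_obj)
    candidates += [p for g, p in acl.groups.items() if g in gids]
    if candidates:
        # Any matching group entry that grants the rights suffices; if a group
        # entry matched but none grants them, the other entry is NOT consulted.
        return any(_has(p, want, acl.mask) for p in candidates)
    return _has(acl.other, want)
```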
