Source: https://www.researchgate.net/publication/282219117
Article · August 2015


INTERNATIONAL JOURNAL OF INTERDISCIPLINARITY IN THEORY AND PRACTICE
ITPB - NR.: 7, YEAR: 2015 – (ISSN 2344 - 2409)

SECURITY FUNDAMENTALS: ACCESS CONTROL MODELS

Tawfik Mudarri (1), Samer Abdo AL-RABEEI (2)

Abstract: Access control constrains what a user can do directly, as well as what programs executing on
behalf of the user are allowed to do. In this way access control seeks to prevent activity that could lead to a breach of
security. This article explains access control and its relationship to other security services such as authentication,
auditing and administration. It then reviews the access matrix model, and follows with a discussion of access control
policies, which characterize and describe what should be protected and how.

Keywords: Access control, Mandatory Access Control, Discretionary Access Control, Bell-LaPadula, Role Based Access Control,
Clark and Wilson model

1 INTRODUCTION

Security is one of the most important issues in an information system. A security model is a formal method for describing and verifying a complex information system; it is an important means of protecting the confidentiality and integrity of data against unauthorized users. [1] It is used not only for the abstract definition of the security requirements of a system, but also in system design and implementation. The purpose of access control is to limit the actions or operations that a legitimate user of a computer system can perform.

2 ACCESS CONTROL

A computer system manages multiple resources, such as memory, disks, network interfaces and printers; these are the objects of access. The users of the system that access those resources are the subjects. A subject is an active entity that requests access; an object is a passive entity to which access is requested.

In general, objects are protected by means of access rights, and access control is provided by a reference monitor. A subject must be authorized before it obtains a right to an object (that is, before it may do something with the object). A subject need not be authorized for every object, nor for every kind of access that an object supports. The access rights of an entity to an object are recorded in an access control list (ACL). [2]

Methods of implementing access control must satisfy two requirements that pull in opposite directions:
• they must be able to express the required access control policy, and
• it must be possible to check that the policy has been captured correctly.

Figure 1 Access Control List

3 ACCESS CONTROL MODELS

In the past three decades, various types of access control models have been proposed. In this chapter we review the background and describe the different approaches to access control modelling.

3.1 Access Control Matrix

The access control matrix was defined by Lampson. It is a two-dimensional matrix with subjects on the rows and objects on the columns. [3] Each entry of the matrix contains the access attributes, i.e. the access privileges held by subject S on object O. Table 1 shows an example of an access control matrix.

Table 1 Example of access control matrix. [4]

Subject | File | test.txt | c_comp | sys_clk | printer
user_1  | ORW  | R        | X      | R       | W
user_2  | R    | R        | X      | R       | W
admin   | -    | ORW      | OX     | ORW     | O

Subjects: user_1, user_2, admin (administrator)
Objects: File, test.txt (text file), c_comp (C compiler), sys_clk (system clock), printer
Privileges: R (read), W (write), X (execute), O (owner)
Implementation using a matrix. The matrix approach is based on the fact that access rights can be defined individually for each subject × object combination: the rows of the matrix are assigned to subjects and the columns to objects. [6] Each element of the access control matrix (ACM) expresses the access rights of a subject S to an object O. This early concept is not used directly in practical implementations: with a large number of subjects and objects the matrix becomes very large and sparse, because most subjects have no access to most objects. The matrix can instead be represented as a list of triples (subject, object, access rights), for example (user_1, test.txt, R), but searching a large number of such triples is not efficient enough.

3.2 Access Control List

In an access control list (ACL) implementation, each object is associated with an ACL that indicates, for each subject in the system, the accesses the subject is authorized to perform on the object. This approach corresponds to storing the matrix by columns. For the access control matrix above, the lists for the individual objects are:

• File: user_1:ORW, user_2:R
• test.txt: user_1:R, user_2:R, admin:ORW
• c_comp: user_1:X, user_2:X, admin:OX
• sys_clk: user_1:R, user_2:R, admin:ORW
• printer: user_1:W, user_2:W, admin:O

Managing access rights for individual entities can be difficult. Therefore users are grouped, and a user's access rights are derived from the rights of the groups. [2] The access control model of Unix provides a simple ACL with three entries, which grant access rights to the file's user (owner), its group, and all others.
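The matrix of Table 1 and the storage schemes of 3.1 and 3.2 in code. This is an added example, not code from the paper: it loads the matrix, derives the sparse triple list, the per-object ACLs (matrix by columns) and the per-subject capability lists (matrix by rows), derives a group's rights from its members, and resolves the three-entry Unix ACL. The group "staff", the group-rights rule (intersection of the members' rights) and the Unix uid/gid/mode values are assumptions made for the example.

```python
"""Access control matrix from Table 1 with its sparse, column-wise (ACL) and
row-wise (capability) representations, group-derived rights, and the Unix
user/group/others check.  Added example; data constructed from Table 1."""
from collections import defaultdict

# Subjects x objects, privilege letters as in Table 1: R read, W write,
# X execute, O owner.  An empty string is the "-" (no access) cell.
MATRIX = {
    "user_1": {"File": "ORW", "test.txt": "R",   "c_comp": "X",  "sys_clk": "R",   "printer": "W"},
    "user_2": {"File": "R",   "test.txt": "R",   "c_comp": "X",  "sys_clk": "R",   "printer": "W"},
    "admin":  {"File": "",    "test.txt": "ORW", "c_comp": "OX", "sys_clk": "ORW", "printer": "O"},
}


def to_triples(matrix):
    """Sparse representation: one (subject, object, right) per granted right."""
    return sorted((s, o, r) for s, row in matrix.items()
                  for o, rights in row.items() for r in rights)


def acls(matrix):
    """Store the matrix by columns: object -> {subject: rights}, one ACL per object."""
    out = defaultdict(dict)
    for s, row in matrix.items():
        for o, rights in row.items():
            if rights:
                out[o][s] = rights
    return dict(out)


def capabilities(matrix):
    """Store the matrix by rows: subject -> {object: rights}, a capability list."""
    return {s: {o: r for o, r in row.items() if r} for s, row in matrix.items()}


def allowed(matrix, subject, obj, right):
    """Reference-monitor decision: is `right` in cell (subject, obj)?  Default deny."""
    return right in matrix.get(subject, {}).get(obj, "")


# Assumed group.  Its rights are those every member holds (intersection), so
# deriving a member's rights from the group never grants more than the matrix.
GROUPS = {"staff": ["user_1", "user_2"]}


def group_rights(matrix, members):
    rows = [matrix[m] for m in members]
    objs = set().union(*(r.keys() for r in rows))
    out = {}
    for o in sorted(objs):
        common = set.intersection(*(set(r.get(o, "")) for r in rows))
        if common:
            out[o] = "".join(sorted(common))
    return out


# Unix three-entry ACL: rwx bits for owner, group and others (as shown by ls -l).
R, W, X = 4, 2, 1


def unix_allowed(mode, file_uid, file_gid, uid, gids, want):
    """Pick the single class that applies (owner, else group, else others),
    then test the requested bit.  uid/gid values are assumed for the example."""
    if uid == file_uid:
        cls = (mode >> 6) & 7
    elif file_gid in gids:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & want)
```

Note that a Unix check never falls through: an owner who is denied by the owner bits is not retried as a group member, which is why `0o070` lets the group in but not the owner.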

Figure 2 Example of Access Control List

3.3 Discretionary Access Control Model

The Discretionary Access Control (DAC) model restricts access to objects based on the identity of subjects and/or the groups to which they belong. Each request by a user to access an object is checked against the authorizations specified in the access control matrix. If there is an authorization stating that the user may access the object in the requested mode, access is granted; otherwise it is denied. As the name implies, the controls are discretionary in the sense that a user or process given discretionary access to information is capable of passing that information along to another subject. To provide this discretionary control, DAC policies usually include a concept of object ownership, where the owner of an object has the control permission to grant access permissions on the object to other subjects.

DAC policies are very flexible and widely used in industry. However, they do not provide high security assurance, for two reasons. First, granting access is transitive. [4] For example, a user who is able to read some data can pass his read privilege to other users who are not authorized to read it, without the knowledge of the object's owner. Second, DAC policies are vulnerable to Trojan horse attacks. A Trojan horse is a program that appears to do one thing on the surface but actually does something more underneath, without the user's knowledge. Because programs inherit the identity of the invoking user, an intruder can bypass the access control policy by giving an authorized user a Trojan horse program which, on the surface, performs a function the user wants, while at the same time reading the contents of the user's files and writing them to a location reachable by both the authorized user and the intruder. In this manner the intruder gains access to information that was supposed to be protected from him. [5]
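The two DAC weaknesses just described, played out on a toy discretionary monitor. This is an added example, not code from the paper: grant() lets any holder of a right pass it on, and run() executes a program with the identity of the user who invokes it. The users, files and contents are constructed, and the strict (owner-only granting) variant is an assumption added to show that closing the transitive re-grant does nothing against the Trojan horse.

```python
"""Toy DAC monitor exhibiting transitive re-granting and the Trojan horse.
Added example; users, objects and contents are constructed."""


class DAC:
    """Objects have an owner and an ACL of rights per subject.

    strict=False: any holder of a right may pass it on (transitive granting).
    strict=True : only the owner may grant.  This closes the first weakness
    but, as trojan_horse() shows, not the second."""

    def __init__(self, strict=False):
        self.strict = strict
        self.owner = {}   # object -> owning subject
        self.acl = {}     # object -> {subject: set of rights}
        self.data = {}    # object -> contents

    def create(self, subject, obj, contents=""):
        self.owner[obj] = subject
        self.acl[obj] = {subject: {"R", "W"}}
        self.data[obj] = contents

    def allowed(self, subject, obj, right):
        """Reference-monitor decision: default deny."""
        return right in self.acl.get(obj, {}).get(subject, set())

    def grant(self, grantor, obj, grantee, right):
        is_owner = grantor == self.owner[obj]
        if self.strict and not is_owner:
            raise PermissionError(f"{grantor} does not own {obj}")
        if not is_owner and not self.allowed(grantor, obj, right):
            raise PermissionError(f"{grantor} holds no {right} on {obj}")
        self.acl[obj].setdefault(grantee, set()).add(right)

    def read(self, subject, obj):
        if not self.allowed(subject, obj, "R"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self.data[obj]

    def write(self, subject, obj, contents):
        if not self.allowed(subject, obj, "W"):
            raise PermissionError(f"{subject} may not write {obj}")
        self.data[obj] = contents

    def run(self, subject, program):
        """Programs inherit the identity of the invoking user: the monitor
        cannot tell the program's actions from the user's own."""
        return program(self, subject)


def transitive_leak(strict=False):
    """alice shares with bob; bob re-grants to mallory without alice's consent.
    Returns what mallory can read, or None if the re-grant was refused."""
    m = DAC(strict)
    m.create("alice", "salaries.csv", "bob,1000")
    m.grant("alice", "salaries.csv", "bob", "R")
    try:
        m.grant("bob", "salaries.csv", "mallory", "R")
    except PermissionError:
        return None
    return m.read("mallory", "salaries.csv")


def trojan_horse(strict=False):
    """mallory cannot read alice's secret, so she gives alice a useful-looking
    program that also copies the secret into a file mallory owns and can read.
    Returns (mallory's direct read right, what mallory obtains via the Trojan)."""
    m = DAC(strict)
    m.create("alice", "secret.txt", "launch codes")
    m.create("mallory", "dropbox.txt")
    m.grant("mallory", "dropbox.txt", "alice", "W")   # owner grant: legal in both modes

    def calendar(monitor, who):
        # The advertised function ...
        rendered = f"calendar for {who}"
        # ... and the hidden one, executed with alice's rights.
        monitor.write(who, "dropbox.txt", monitor.read(who, "secret.txt"))
        return rendered

    m.run("alice", calendar)
    return m.allowed("mallory", "secret.txt", "R"), m.read("mallory", "dropbox.txt")
```

Every individual operation the Trojan performs is authorized by the matrix; only a policy that tracks the flow of information rather than individual accesses, as MAC does in 3.4, can refuse the copy.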


3.4 Mandatory Access Control Model

Mandatory Access Control (MAC) policies were defined to prevent the Trojan horse problem. An important goal of MAC is to enforce information flow policies that ensure confidentiality and integrity. This is done by augmenting discretionary access control with mandatory access control. [4] To grant access, MAC takes a two-step approach. First, the subject's access privileges stored in the discretionary access control matrix are checked. However, an authorization stored in the access control matrix is not sufficient to perform the operation: in addition, the operation must be authorized by the MAC policy, over which subjects have no control. MAC policies govern access on the basis of the classification of subjects and objects in the system. In this model, security levels are assigned to subjects and objects. The security level associated with an object, also called its security classification, reflects the sensitivity of the information contained in the object, i.e. the potential damage that could result from unauthorized disclosure of the information. The security level associated with a subject, also called its security clearance, reflects the subject's trustworthiness not to disclose sensitive information to subjects not cleared to see it. Security levels are related to each other through the dominance relation, defined as follows:

Definition 1 (Dominance). A ≥ B (read as "A dominates B") if and only if information may flow from B to A. The strictly-dominates relation > is defined by A > B if and only if A ≥ B and A ≠ B. We say that A and B are comparable if A ≥ B or B ≥ A; otherwise A and B are incomparable.

Together with the dominance relation, the security levels generally form a lattice. Hence a MAC policy is sometimes referred to as a lattice-based policy. We now discuss different types of mandatory access control models. [4] [5]
3.5 The Bell-LaPadula Model

This is probably the most famous security model. It was developed at the time of the first joint efforts to build secure multi-user operating systems. Since those systems processed classified information at different security levels, they had to support multi-level security (MLS) policies. [1]

The BLP model is a finite state machine capturing the confidentiality aspects of access control. Access permissions are defined both through an access control matrix and through security levels. The security policy prevents information from flowing down from a higher security level to a lower one. BLP accounts for the information flow that occurs when a subject observes (reads) or alters (writes) an object.

The BLP model assumes:

S - a set of subjects with elements s
O - a set of objects with elements o
A - a set of access operations (execute, read, write and append)
L - a set of security levels with a partial order ≤
protected and how, with the ultimate aim is to specify
3.6 Biba integrity model

This security model is a close analogue of the Bell-LaPadula model, except that its purpose is not the confidentiality of data but its integrity. The Biba integrity level is the counterpart of the sensitivity level of the Bell-LaPadula model: subjects and objects are classified according to their integrity level, denoted I(s) and I(o). The model has two properties:

1. Simple Integrity Property. A subject s may modify (write) an object o only if I(s) ≥ I(o).
2. Integrity *-Property. If a subject s has the right to read an object o of integrity level I(o), then s may have write access to an object p only if I(o) ≥ I(p). [1]
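Definition 1 and the rules of 3.4 to 3.6 in code: security levels as a lattice of (classification, category set) with the dominance relation, the two-step DAC-then-MAC check, the Bell-LaPadula rule for each of the four access operations, and the two Biba properties exactly as stated above. This is an added example, not code from the paper. The classification names, the categories, the treatment of the subject's current level as its clearance, and the sample DAC cell are assumptions.

```python
"""Lattice of security levels with dominance, DAC-then-MAC checking,
Bell-LaPadula per-mode rules and the two Biba properties.  Added example;
level names, categories and the sample matrix are constructed."""
from dataclasses import dataclass

RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Level:
    """A level is a classification plus a set of need-to-know categories."""
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """A >= B: information may flow from B to A (Definition 1)."""
        return (RANK[self.classification] >= RANK[other.classification]
                and self.categories >= other.categories)

    def strictly_dominates(self, other):
        """A > B: A >= B and A != B."""
        return self.dominates(other) and self != other


def comparable(a, b):
    return a.dominates(b) or b.dominates(a)


def join(a, b):
    """Least upper bound: the smallest level both a and b may flow into.
    Its existence for every pair is what makes the levels a lattice."""
    cls = max(a.classification, b.classification, key=RANK.get)
    return Level(cls, a.categories | b.categories)


def blp_allowed(subject_level, object_level, mode):
    """Bell-LaPadula, with the subject's current level taken as its clearance
    (assumption).  The mode decides in which direction information flows."""
    if mode == "read":        # observe only: simple security property (no read up)
        return subject_level.dominates(object_level)
    if mode == "append":      # alter only: *-property (no write down)
        return object_level.dominates(subject_level)
    if mode == "write":       # observe and alter: both rules, hence equal levels
        return subject_level == object_level
    if mode == "execute":     # neither observes nor alters: no flow constraint
        return True
    raise ValueError(mode)


def mac_allowed(dac_matrix, subject, obj, mode, clearance, classification):
    """Two-step check of 3.4: the discretionary cell first, then the mandatory
    rule the subject cannot influence.  Both must pass."""
    dac_ok = mode in dac_matrix.get(subject, {}).get(obj, set())
    return dac_ok and blp_allowed(clearance[subject], classification[obj], mode)


# Biba.  Integrity levels reuse Level; "dominates" now reads "is at least as trustworthy".
def biba_simple_integrity(subject_level, object_level):
    """Property 1: s may modify o only if I(s) >= I(o)."""
    return subject_level.dominates(object_level)


def biba_star(observed_level, target_level):
    """Property 2: having read o, s may write p only if I(o) >= I(p), so
    low-integrity input cannot contaminate higher-integrity data."""
    return observed_level.dominates(target_level)
```

The Trojan horse of 3.3 fails here even though every DAC cell it uses is granted: the copy from a "top_secret" object into a "confidential" one is an append by a subject running at the higher level, which the *-property refuses.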

3.7 Clark and Wilson model

The role of this model is integrity: to ensure consistency between the internal data and the external requirements on that data. It introduces the concept of a well-formed transaction, a sequence of operations that takes the system from one consistent state to another consistent state. [8] It uses the principle of separation of duties, which says that the entity that commits a transaction and the entity that carried it out must be different. The policy is defined in terms of access triples <user ID, TPi, {CDIj, CDIk}>, which state which transformation procedures (TPs) a user may run on which constrained data items (CDIs).
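The Clark-Wilson elements named above in code: constrained data items checked by an integrity verification procedure, transformation procedures that must take the CDIs from one consistent state to another, the access triples <user, TP, {CDIs}>, and separation of duty between the user who executes a TP and the user who commits it. This is an added example, not code from the paper; the bank-transfer domain, the users, the two TPs and the "execute then commit" protocol are constructed for the example.

```python
"""Clark-Wilson: CDIs, an IVP, well-formed TPs, access triples and
separation of duty.  Added example; domain and users are constructed."""
import copy

# Constructed CDIs: two accounts and a ledger total that must stay consistent.
CDIS = {"acct_a": 100, "acct_b": 50, "ledger_total": 150}


def ivp(cdis):
    """Integrity verification procedure: the internal data must satisfy the
    external requirement that the ledger equals the sum of the accounts and
    no account is overdrawn."""
    return (cdis["acct_a"] + cdis["acct_b"] == cdis["ledger_total"]
            and min(cdis["acct_a"], cdis["acct_b"]) >= 0)


def tp_transfer(cdis, amount):
    """Well-formed for amounts the source account can cover."""
    cdis["acct_a"] -= amount
    cdis["acct_b"] += amount


def tp_fix_ledger(cdis, total):
    """Only well-formed when `total` already matches the accounts."""
    cdis["ledger_total"] = total


TPS = {"transfer": (tp_transfer, {"acct_a", "acct_b"}),
       "fix_ledger": (tp_fix_ledger, {"ledger_total"})}

# Access triples <user ID, TP, {CDIs}> (constructed).
TRIPLES = {("teller", "transfer", frozenset({"acct_a", "acct_b"})),
           ("auditor", "fix_ledger", frozenset({"ledger_total"}))}


class ClarkWilson:
    def __init__(self, cdis):
        if not ivp(cdis):
            raise ValueError("initial state inconsistent")
        self.cdis = cdis
        self.pending = None   # (executor, tp_name, tentative state)
        self.log = []         # (executor, committer, tp_name)

    def execute(self, user, tp_name, *args):
        """Run a TP on a copy of the CDIs; keep the result only if the IVP
        still holds, i.e. the transaction was well-formed."""
        tp, cdis_needed = TPS[tp_name]
        if (user, tp_name, frozenset(cdis_needed)) not in TRIPLES:
            raise PermissionError(f"no triple for {user}/{tp_name}")
        if self.pending:
            raise RuntimeError("uncommitted transaction pending")
        tentative = copy.deepcopy(self.cdis)
        tp(tentative, *args)
        if not ivp(tentative):
            raise ValueError(f"{tp_name}{args} is not well-formed")
        self.pending = (user, tp_name, tentative)
        return True

    def commit(self, committer):
        """Separation of duty: the committer must differ from the executor."""
        user, tp_name, tentative = self.pending
        if committer == user:
            raise PermissionError("separation of duty: executor may not commit")
        self.cdis = tentative
        self.log.append((user, committer, tp_name))
        self.pending = None
        return True


def scenarios():
    """Exercise each rule once and report which checks fired."""
    out = {}
    cw = ClarkWilson(dict(CDIS))
    cw.execute("teller", "transfer", 30)
    try:
        cw.commit("teller")
        out["self_commit"] = "allowed"
    except PermissionError:
        out["self_commit"] = "refused"
    cw.commit("supervisor")
    out["after_transfer"] = dict(cw.cdis)
    for name, user, tp, arg, err in (("teller_fix_ledger", "teller", "fix_ledger", 999, PermissionError),
                                     ("auditor_bad_fix", "auditor", "fix_ledger", 999, ValueError),
                                     ("overdraft", "teller", "transfer", 500, ValueError)):
        try:
            cw.execute(user, tp, arg)
            out[name] = "allowed"
        except err:
            out[name] = "refused"
    out["log"] = list(cw.log)
    return out
```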
3.8 Role Based Access Control

Role based access control (RBAC) responds to the problem of defining access rights for a large number of objects and subjects. It simplifies administration, gives higher performance and scales more easily when objects and subjects are added or removed. [5]

Users are assigned to roles and objects are assigned to groups. Roles have defined rights and can be organized hierarchically, with a senior role inheriting the rights of its junior roles. [7]

Figure 3 Role Based Access Control
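RBAC as described above in code: users assigned to roles, objects assigned to groups, permissions attached to roles as (operation, object group) pairs, and a role hierarchy through which a senior role inherits the rights of its juniors. This is an added example, not code from the paper; the roles, users, groups and permissions are constructed for the example.

```python
"""RBAC with a role hierarchy and object groups.  Added example; all
roles, users, groups and permissions are constructed."""

# Permissions are (operation, object group) pairs attached to roles.
ROLE_PERMS = {
    "employee": {("read", "public_docs")},
    "engineer": {("write", "source")},
    "lead":     {("approve", "source")},
    "hr":       {("read", "personnel"), ("write", "personnel")},
}
# Role hierarchy: senior role -> junior roles whose rights it inherits.
JUNIORS = {"engineer": {"employee"}, "lead": {"engineer"}, "hr": {"employee"}}
# Administration happens here: users to roles, objects to groups.
USER_ROLES = {"ann": {"lead"}, "bob": {"engineer"}, "cy": {"hr"}}
OBJECT_GROUPS = {
    "public_docs": {"handbook.pdf"},
    "source": {"main.c", "util.c"},
    "personnel": {"salaries.xlsx"},
}


def effective_roles(role, juniors=JUNIORS):
    """Transitive closure of the hierarchy below `role` (safe against cycles)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(juniors.get(r, ()))
    return seen


def permissions_of(user):
    """Union of the permissions of every role the user holds, directly or by inheritance."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        for r in effective_roles(role):
            perms |= ROLE_PERMS.get(r, set())
    return perms


def group_of(obj):
    for group, members in OBJECT_GROUPS.items():
        if obj in members:
            return group
    return None


def allowed(user, op, obj):
    """Reference-monitor decision: default deny for unknown users and ungrouped objects."""
    return (op, group_of(obj)) in permissions_of(user)


def add_object(group, obj):
    """Scalability point of 3.8: a new object takes the group's rights; no
    role or user assignment changes."""
    OBJECT_GROUPS.setdefault(group, set()).add(obj)


def assign_role(user, role):
    """The only per-user administrative operation."""
    USER_ROLES.setdefault(user, set()).add(role)
```

Contrast this with the ACLs of 3.2, where giving ann the same rights would mean editing the list of every object in "source" and "public_docs".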
4 SECURITY POLICY

A security policy characterizes and describes what shall be protected and how, with the ultimate aim of deliberately specifying the protection of resources against unauthorized use and misuse. It covers: the objectives of the organization's information security; responsibilities, resources, timetable and guiding principles; principles for coordinating information, property and personnel security; a list of regulations and authorizations; methods and means of information protection at the personal, physical and organizational level; a definition of vulnerabilities and threats; and principles for handling security incidents.

An organizational security policy is a set of rules and guidelines that regulate how the organization manages, protects and distributes its resources in order to achieve its security objectives. It defines the security of the organization as a whole (from physical security through privacy to the protection of human rights). An automated security policy is a set of constraints and properties that specify how computer systems prevent information and computing resources from being used to violate the security policies of the organization. [9]

5 CONCLUSION

In this paper we presented access control models such as the access control matrix, the discretionary access control model, the mandatory access control model and others; in this way access control seeks to prevent activity that could lead to a breach of security. We also discussed access control policies, which characterize and describe what should be protected.

AUTHORS' ADDRESSES

1 Ing. Tawfik Mudarri
Faculty of Electrical Engineering and Informatics, Letná 9, 042 00 Košice
Department of Computers and Informatics
E-mail: tawfik.mudarri@tuke.sk

2 Ing. Samer Abdo AL-RABEEI, PhD.
E-mail: Samir.abdo@gmail.com

REFERENCES

[1] Ladislav Hudec: Bezpečnosť počítačových systémov (Security of Computer Systems). http://www2.fiit.stuba.sk/~lhudec/CS/CS.htm
[2] Butler W. Lampson. Protection. In Proceedings of the 5th Princeton Symposium on Information Sciences and Systems, pages 437–443, Princeton University, March 1971.
[3] G. Scott Graham and Peter J. Denning. Protection: Principles and Practice. In Proceedings of the Spring Joint Computer Conference, pages 417–429, May 1972.
[4] Virginia Nunes Leal Franqueira. Access Control from an Intrusion Detection Perspective. Centre for Telematics and Information Technology, University of Twente, February 2006. http://doc.utwente.nl/65612/1/AccessReport.pdf
[5] Ryan Ausanka-Crues. Methods for Access Control: Advances and Limitations. Harvey Mudd College. http://www.cs.hmc.edu/~mike/public_html/courses/security/s06/projects/ryan.pdf
[6] David E. Bell and Leonard J. LaPadula. Secure Computer System: Unified Exposition and Multics Interpretation. Technical report, The MITRE Corporation, March 1976. http://csrc.nist.gov/publications/history/bell76.pdf
[7] Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein and Charles E. Youman. Role-Based Access Control Models. October 26, 1995. http://csrc.nist.gov/rbac/sandhu96.pdf
[8] Biba integrity model. http://cs.brown.edu/cgc/net.secbook/se01/handouts/Ch09-Models.pdf
[9] Frank Stajano, Jong-Hyeon Lee, Ross Anderson. Security Policies. http://www.cl.cam.ac.uk/~rja14/Papers/security-policies.pdf
