Modelling a permissions system

How would you model a system that handles permissions for carrying out certain actions inside an application?


Security models are a large (and open) field of research. There’s a huge array of models available to choose from, ranging from the simple:

  • Lampson’s Access control matrix lists every domain object and every principal in the system with the actions that principal is allowed to perform on that object. It is very verbose and if actually implemented in this fashion, very memory intensive.

  • Access control lists are a simplification of Lampson’s matrix: consider it to be something akin to a sparse-matrix implementation that lists objects and principals and allowed actions, and doesn’t encode all the “null” entries from Lampson’s matrix. Access control lists can include ‘groups’ as a convenience, and the lists can be stored via object or via principal (sometimes, via program, as in AppArmor or TOMOYO or LIDS).

  • Capability systems are based on the idea of having a reference or pointer to objects; a process has access to an initial set of capabilities, and can get more capabilities only by receiving them from other objects on the system. This sounds pretty far-out, but think of Unix file descriptors: they are an unforgeable reference to a specific open file, and the file descriptor can be handed to other processes or not. If you give the descriptor to another process, it will have access to that file. Entire operating systems were written around this idea. (The most famous are probably KeyKOS and EROS, but I’m sure this is a debatable
    point. 🙂

… to the more complex, which have security labels assigned to objects and principals:

  • Security Rings, such as implemented in Multics and x86 CPUs, among others, and provide security traps or gates to allows processes to transition between the rings; each ring has a different set of privileges and objects.

  • Denning’s Lattice is a model of which principals are allowed to interact with which security labels in a very hierarchical fashion.

  • Bell-LaPadula is similar to Denning’s Lattice, and provides rules to prevent leaking top-secret data to unclassified levels and common extensions provide further compartmentalization and categorization to better provide military-style ‘need to know’ support.

  • The Biba Model is similar to Bell-LaPadula, but ‘turned on its head’ — Bell-LaPadula is focused on confidentiality, but does nothing for integrity, and Biba is focused on integrity, but does nothing for confidentiality. (Bell-LaPadula prevents someone from reading The List Of All Spies, but would happily allow anyone to write anything into it. Biba would happily allow anyone to read The List Of All Spies, but forbid nearly everyone to write into it.)

  • Type Enforcement (and its sibling, Domain Type Enforcement) provides labels on principals and objects, and specifies the allowed object-verb-subject(class) tables. This is the familiar SELinux and SMACK.

.. and then there are some that incorporate the passage of time:

  • Chinese Wall was developed in business settings to separate employees within an organization that provides services to competitors in a given market: e.g., once Johnson has started working on the Exxon-Mobil account, he is not allowed access to the BP account. If Johnson had started working on BP first, he would be denied access to Exxon-Mobil’s data.

  • LOMAC and high-watermark are two dynamic approaches: LOMAC modifies the privileges of processes as they access progressively-higher levels of data, and forbids writing to lower levels (processes migrate towards “top security”), and high-watermark modifies the labels on data as higher-levels of processes access it (data migrates towards “top security”).

  • Clark-Wilson models are very open-ended; they include invariants and rules to ensure that every state transition does not violate the invariants. (This can be as simple as double-entry accounting or as complex as HIPPA.) Think database transactions and constraints.

Matt Bishop’s “Computer security: art and science” is definitely worth reading if you’d like more depth on the published models.

Source : Link , Question Author : James P. , Answer Author : sarnold

Leave a Comment