We need some way of knowing the current state of a system. We model it as a "state": a collection of system settings and values, which can include memory locations, register contents, primary and secondary storage devices, and other components the operating system depends on. A subset of this state is the "protection state" of the system, the part that is relevant to the system's security.
So how do we mathematically represent the protection state of a system?
One way is an Access Control Matrix (ACM). The matrix describes the rights of subjects (e.g. users or processes) over objects (e.g. files or network resources); informally, it answers "who can do what to whom?". The model therefore has three components: subjects, objects, and rights. The matrix is read as follows:
A[subject_1, object_1] = {right_1, right_2,…}
Each entry A[s, o] is a set of rights, and the set of objects always includes the set of subjects, because a subject can itself be the target of a right (one process may be allowed to signal or kill another).
The state changes over time, so the model needs a transition process: changes to the Access Control Matrix. These are expressed with six primitive operations on an ACM:
create subject s
create object o
destroy subject s
destroy object o
enter r into A[s, o]
delete r from A[s, o]
Primitive operations are grouped into commands, which are the transitions the system actually executes. For example:
command create_file(p, f)
create object f;
enter own into A[p, f];
enter r into A[p, f];
enter w into A[p, f];
end
This command creates the file object f and gives the process p the own, r and w rights over it.
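The following Python program is an added example, not code from the original page: it implements the six primitive operations and the create_file command above, plus a second command, share_file, of my own (not on the page) that grants a read right only if the caller already holds own, which is the shape a conditional command takes in this model. The subject and object names (alice, bob, report.txt) are constructed sample data, and the matrix is stored sparsely as a dictionary keyed by (subject, object), so only non-empty cells take memory.

```python
class AccessControlMatrix:
    """Sparse access control matrix: A[s, o] is a set of rights.

    Invariant from the model: every subject is also an object, so the
    object set always encloses the subject set.
    """

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        # (subject, object) -> set of rights; an absent key means an empty cell
        self._cells = {}

    # --- the six primitive operations ---
    def create_subject(self, s):
        if s in self.objects:
            raise ValueError(f"{s!r} already exists")
        self.subjects.add(s)
        self.objects.add(s)  # subjects are objects too

    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"{o!r} already exists")
        self.objects.add(o)

    def destroy_subject(self, s):
        if s not in self.subjects:
            raise KeyError(f"unknown subject {s!r}")
        self.subjects.discard(s)
        self.objects.discard(s)
        # drop the row for s and the column for s
        self._cells = {k: v for k, v in self._cells.items() if s not in k}

    def destroy_object(self, o):
        if o in self.subjects:
            raise ValueError(f"{o!r} is a subject; use destroy_subject")
        if o not in self.objects:
            raise KeyError(f"unknown object {o!r}")
        self.objects.discard(o)
        self._cells = {k: v for k, v in self._cells.items() if k[1] != o}

    def enter(self, r, s, o):
        self._check(s, o)
        self._cells.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self._check(s, o)
        cell = self._cells.get((s, o))
        if cell is not None:
            cell.discard(r)
            if not cell:  # keep the representation sparse
                del self._cells[(s, o)]

    # --- queries ---
    def rights(self, s, o):
        """Return A[s, o]; raises KeyError if s or o does not exist."""
        self._check(s, o)
        return frozenset(self._cells.get((s, o), ()))

    def stored_cells(self):
        """Number of non-empty cells actually stored."""
        return len(self._cells)

    def _check(self, s, o):
        if s not in self.subjects:
            raise KeyError(f"unknown subject {s!r}")
        if o not in self.objects:
            raise KeyError(f"unknown object {o!r}")


# The command from the text: create f and give p own, r and w over it.
def create_file(acm, p, f):
    acm.create_object(f)
    acm.enter("own", p, f)
    acm.enter("r", p, f)
    acm.enter("w", p, f)


# Assumed conditional command (not from the page): p may share f with q
# only if "own" is already in A[p, f]. Returns whether the grant happened.
def share_file(acm, p, q, f):
    if "own" not in acm.rights(p, f):
        return False
    acm.enter("r", q, f)
    return True


def demo():
    """Run the commands on constructed sample subjects and a sample file."""
    acm = AccessControlMatrix()
    acm.create_subject("alice")
    acm.create_subject("bob")
    create_file(acm, "alice", "report.txt")
    share_file(acm, "alice", "bob", "report.txt")
    return acm


if __name__ == "__main__":
    m = demo()
    print(sorted(m.rights("alice", "report.txt")))  # ['own', 'r', 'w']
    print(sorted(m.rights("bob", "report.txt")))    # ['r']
```

Because cells are stored only when non-empty, the 1,000-subject, 100,000-file system discussed later would hold a few hundred thousand populated cells rather than the 101,000,000 entries of a dense 1,000 × 101,000 table; the matrix is the same, only its storage differs.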
For the general ACM model the safety problem is undecidable: no algorithm can decide, for an arbitrary system and set of commands, whether a given right can ever leak into a cell where it was not initially present. In special cases it is decidable; in particular, it is decidable when every command is mono-operational, meaning each command consists of exactly one primitive operation.
The cons of the Access Control Matrix:
With 1,000 subjects and 100,000 files the table would have 101,000 columns (the files plus the subjects, since subjects are also objects) and 1,000 rows, and most of those cells would be empty or identical. So the ACM is a good tool for theoretical study but a poor structure to implement directly; practical systems store it by column (access control lists attached to objects) or by row (capabilities held by subjects).