Discretionary access policies and models
The discretionary (selective) access policy is implemented in most secure systems and was historically the first to be worked out in both theoretical and practical terms.
The first descriptions of discretionary access models appeared back in the 1960s and are covered in detail in the literature. The best known are the ADEPT-50 model (late 1960s), Hartson's five-dimensional space (early 1970s), the Harrison-Ruzzo-Ullman model (mid-1970s), and the Take-Grant model (1976). The authors and researchers of these models made significant contributions to the theory of information systems security, and their work laid the foundation for the subsequent creation and development of secure information systems.
Discretionary access models are built directly on the subject-object model and extend it with a collection of sets of interacting elements (subjects, objects, and so on). The domain of secure access in discretionary models is defined by a discrete set of triples "user (subject) - flow (operation) - object".
Within the model, based on how the secure access domain is represented and on the access permission mechanism, it is analyzed and proved that the system remains in a safe state over a finite number of transitions.
Models based on the access matrix. In practice, discretionary models based on the access matrix have been most widely used. In these models, the secure access area is constructed as a rectangular matrix (table), the rows of which correspond to access subjects, the columns to access objects, and the cells record the authorized operations (rights) of the subject over the object. The matrix uses the following notation: w - "write", r - "read", e - "execute".
The access rights recorded in the matrix cells, in the form of permitted operations on objects, determine the types of secure access of the subject to the object. To express the types of permitted operations, special designations are used; they form the basis (alphabet) of a language for describing access control policies. Thus, within a discretionary policy, each cell corresponds to a subset of the subject-operation-object triples.
The access matrix is an object associated with the security monitor that contains information about the access control policy in a particular system. The structure of the matrix, its creation and modification are determined by specific models and specific software and technical solutions of the systems in which they are implemented.
The way the access matrix is organized in real systems follows one of two approaches: centralized or distributed.
With the centralized approach, the access matrix is created as a separate, independent object with special rules for where it is stored and how it is accessed. The number of access objects and subjects in real systems can be large. To reduce the number of columns in the matrix, access objects can be divided into two groups: objects to which access is not restricted, and discretionary access objects. User rights are recorded in the access matrix only for objects of the second group. The best-known example of this approach is the "access bits" in UNIX systems.
With the distributed approach, the access matrix is not created as a separate object; it is represented either by "access lists" distributed across the objects of the system or by "capability lists" distributed across the access subjects. In the first case, each object of the system, in addition to its identifying characteristics, carries a list directly bound to the object itself, which is in fact the corresponding column of the access matrix. In the second case, each subject receives at initialization a list of the objects it is allowed to access (a row of the access matrix).
Both the centralized and the distributed organization of the access matrix have the advantages and disadvantages inherent in centralized and decentralized organization and management in general.
According to the access control principle, two approaches are distinguished:
forced access control;
voluntary access control.
With forced control, only the system administrator's subjects have the right to create and change the access matrix. When a new user is registered to work in the system, the administrator creates a new row of the access matrix with the appropriate contents, and when a new object subject to selective access appears, the administrator forms a new column of the access matrix. This approach is most widely represented in databases.
Voluntary access control is based on the principle of ownership of objects. The owner of an access object is the user who initiated the flow as a result of which the object appeared in the system, or who is designated the owner in some other way. The access rights to an object are determined by its owner.
Filling in and changing the cells of the access matrix is carried out by the user subjects that own the corresponding objects. This approach provides access control in systems where the number of access objects is large or not known in advance. This situation is typical of operating systems.
All discretionary models are vulnerable to attacks using "Trojan" programs, since they control only the access operations of subjects on objects, not the flow of information between them. Therefore, when a Trojan program transfers information from an object accessible to the current user into an object accessible to an intruder, formally no rule of the discretionary security policy is violated, yet the information leaks.
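An added example, not from the original text, that models the two distributed views of the access matrix (an access list as a column, a capability list as a row) and then replays the Trojan scenario above through a security monitor: every individual operation is allowed by the matrix, yet the secret reaches the intruder's object. All subject, object and data names are constructed.

```python
# Rows = subjects, columns = objects, cells = permitted operations (w/r/e).
# Mallory owns drop.txt and util.exe and, as owner, granted Alice rights on them
# (voluntary control); only Alice may read secret.txt.
MATRIX = {
    "alice":   {"secret.txt": {"r", "w"}, "drop.txt": {"w"}, "util.exe": {"r", "e"}},
    "mallory": {"drop.txt": {"r", "w"}, "util.exe": {"r", "w", "e"}},
}
# Constructed object contents; only the movement of the secret string matters.
STORE = {"secret.txt": "payroll-2024", "drop.txt": "", "util.exe": "<trojan>"}


def access_list(obj):
    """Column of the matrix: the access list stored with the object."""
    return {s: row[obj] for s, row in MATRIX.items() if obj in row}


def capability_list(subj):
    """Row of the matrix: the capability list handed to the subject."""
    return dict(MATRIX.get(subj, {}))


def monitor(subj, op, obj, log):
    """Security monitor: allow the operation iff the matrix cell holds it."""
    decision = op in MATRIX.get(subj, {}).get(obj, set())
    log.append((subj, op, obj, "ALLOW" if decision else "DENY"))
    return decision


def simulate_trojan(victim, intruder, trojan, secret, drop):
    """Victim runs the intruder's program; it acts with the victim's rights.
    Returns the monitor log and whatever the intruder can finally read."""
    store, log = dict(STORE), []
    if not monitor(victim, "e", trojan, log):          # 1. victim executes it
        return log, None
    if monitor(victim, "r", secret, log):              # 2. it reads the victim's secret
        payload = store[secret]
        if monitor(victim, "w", drop, log):            # 3. and copies it to intruder's object
            store[drop] = payload
    leaked = store[drop] if monitor(intruder, "r", drop, log) else None  # 4. intruder reads
    return log, leaked


if __name__ == "__main__":
    log, leaked = simulate_trojan("alice", "mallory", "util.exe", "secret.txt", "drop.txt")
    print(log)
    print("leaked:", leaked)  # every step ALLOWed, yet "payroll-2024" reaches mallory
```

Each decision in the log is correct under the discretionary policy; the leak appears only when the sequence of operations is viewed as an information flow, which the matrix does not model.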