
Group 4 1120131-1120140

Access control: a generic term for the process by which a computer system controls the interaction between users and system resources, in order to implement a security policy. The policy may be determined by:
- organisational requirements
- statutory requirements (medical records, for example)

Policy requirements may include:
- confidentiality (restrictions on read access)
- integrity (restrictions on write access)
- availability

A user requests access (read, write, print, etc.) to a resource in the computer system. The reference monitor establishes the validity of the request and returns a decision, either granting or denying access to the user.

[Diagram: Access Request -> Reference Monitor -> System Decision]

Consider a paper-based office in which certain documents should only be read by certain individuals. We could implement security by:
- storing documents in filing cabinets
- issuing keys to the relevant individuals for the appropriate cabinets

The reference monitor is the set of (locked) filing cabinets. An access request (an attempt to open a filing cabinet) is granted if the key fits the lock (and denied otherwise).

Consider now a night club where only certain individuals are allowed into the club. We can implement security by:
- employing a bouncer
- providing the bouncer with a guest list (that is, a list of people permitted to enter the club)

The reference monitor is the security guard + the guest list. An access request is granted only if:
- a club-goer can prove their identity (authentication)
- she is on the guest list

Subject: active entity in a computer system (user, process, thread)

We will assume that a subject is synonymous with a user

Object: passive entity or resource in a computer system (files, directories, printers)

Principal and subject are both used to refer to the active entity in an access operation. A principal is generally assumed to be an attribute or property associated with a subject:
- user ID
- public key
- process
- thread

A subject may be represented by more than one principal

Access operation: an interaction between an object and a subject.
- A subject may observe (read) an object: information flows from object to subject.
- A subject may alter (write to) an object: information flows from subject to object.

In our club example:
- a subject is a club-goer
- the only objects are the club and the guest list
- access operations could include enter club and delete guest (that is, change the guest list)

In the filing cabinet example:
- a subject is a user of the files in the cabinets
- an object is a filing cabinet or a file in one of the cabinets
- access operations could include read and write (for files) and also remove key from user
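The two examples above can be run through one toy reference monitor. The Python below is an added illustration and is not material from the original slides: it represents the policy as a map from (subject, object) to a set of permitted operations, resolves a principal (an ID card, a membership number, a cabinet key) to its subject as the authentication step, records every decision, and supports "remove key from user" as a revoke. All names, principals and objects are constructed.

```python
"""Toy reference monitor for the night-club and filing-cabinet examples.

Added illustration, not from the original slides.  Subjects are users; a
subject may be represented by more than one principal.  The policy maps
(subject, object) to the set of permitted operations.  Values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

GRANT, DENY = "GRANT", "DENY"


@dataclass
class ReferenceMonitor:
    # principal -> subject: resolving a principal is the authentication step
    principals: dict[str, str] = field(default_factory=dict)
    # (subject, object) -> permitted operations: the security policy
    policy: dict[tuple[str, str], set[str]] = field(default_factory=dict)
    # every decision the monitor makes is recorded (useful for audit)
    log: list[tuple[str, str, str, str]] = field(default_factory=list)

    def register_principal(self, principal: str, subject: str) -> None:
        self.principals[principal] = subject

    def grant(self, subject: str, obj: str, *ops: str) -> None:
        self.policy.setdefault((subject, obj), set()).update(ops)

    def revoke(self, subject: str, obj: str, *ops: str) -> None:
        """'Remove key from user': drop operations from the policy."""
        self.policy.get((subject, obj), set()).difference_update(ops)

    def request(self, principal: str, obj: str, op: str) -> str:
        """Validate one access request and return GRANT or DENY."""
        subject = self.principals.get(principal)
        if subject is None:
            decision = DENY        # identity cannot be established
        elif op in self.policy.get((subject, obj), set()):
            decision = GRANT       # on the guest list / the key fits the lock
        else:
            decision = DENY
        self.log.append((principal, obj, op, decision))
        return decision


def build_club_monitor() -> ReferenceMonitor:
    """Night club: objects are the club and the guest list (constructed data)."""
    rm = ReferenceMonitor()
    rm.register_principal("id-card:alice", "alice")
    rm.register_principal("membership-no:1001", "alice")  # second principal, same subject
    rm.register_principal("id-card:bob", "bob")
    rm.grant("alice", "club", "enter")
    rm.grant("bob", "club", "enter")
    rm.grant("bob", "guest-list", "delete guest")         # bob is staff (constructed)
    return rm


def build_cabinet_monitor() -> ReferenceMonitor:
    """Filing cabinets: objects are files in cabinets; a key is a principal."""
    rm = ReferenceMonitor()
    rm.register_principal("key:cabinet-A", "carol")
    rm.grant("carol", "cabinet-A/medical.txt", "read", "write")
    rm.grant("carol", "cabinet-A/minutes.txt", "read")
    return rm


if __name__ == "__main__":
    club = build_club_monitor()
    print(club.request("id-card:alice", "club", "enter"))                   # GRANT
    print(club.request("membership-no:1001", "guest-list", "delete guest"))  # DENY
    print(club.request("id-card:unknown", "club", "enter"))                  # DENY
    for entry in club.log:
        print(entry)
```

Note that the decision log is kept by the monitor itself: because every request passes through one place, the same place can record what was asked and what was decided, which is what makes a reference monitor useful for audit as well as enforcement.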

In a multi-user OS, users open files to get access.

Write access mode is usually implemented as read/write mode:
- Files are opened for read or for write access so that the OS can avoid conflicts like two users simultaneously writing to the same file.
- A user editing a file should not be asked to open it twice.

The append (or blind write or write-only) access mode allows users to alter an object without observing its contents.
- Rarely useful (audit log files being the main exception)
- Implemented in Multics

Sometimes an object can be used without opening it in read or write mode:
- directories
- binary executable files
- cryptographic keys

We therefore include the execute access operation. This may mean different things in different contexts and in different systems.
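The access modes just described can be made concrete with a small model of an opened file. The Python below is an added illustration, not code from the original slides: each mode is mapped to the information flows it permits (observe: object to subject; alter: subject to object), write is implemented as read/write, append is a blind write that can add but neither read nor rewrite, execute uses a binary without disclosing its content, and a second user is refused a write handle while the first still holds one. The file names, users and contents are constructed.

```python
"""Access modes on an opened file: read, write (read/write), append, execute.

Added illustration, not from the original slides.  File names, users and
contents are constructed.
"""
from __future__ import annotations

class AccessDenied(Exception):
    """A handle was used for a flow its access mode does not permit."""

class FileObject:
    """Passive object.  Remembers who currently holds it open for alteration."""
    def __init__(self, name: str, content: bytes = b"", executable: bool = False):
        self.name = name
        self.content = bytearray(content)
        self.executable = executable
        self.writer: str | None = None

# Information flows permitted by each access mode.
MODE_FLOWS = {
    "read": {"observe"},
    "write": {"observe", "alter"},   # write is usually implemented as read/write
    "append": {"alter"},             # blind write: alter without observing
    "execute": {"execute"},          # use the object without opening it for r/w
}

class Handle:
    """An object opened by a user in one access mode."""
    def __init__(self, user: str, obj: FileObject, mode: str):
        if mode not in MODE_FLOWS:
            raise ValueError(f"unknown access mode {mode!r}")
        if mode == "execute" and not obj.executable:
            raise AccessDenied(f"{obj.name} is not executable")
        if "alter" in MODE_FLOWS[mode] and obj.writer not in (None, user):
            # conflict avoidance: only one user may hold the file open for alteration
            raise AccessDenied(f"{obj.name} is already open for writing by {obj.writer}")
        self.user, self.obj, self.mode = user, obj, mode
        if "alter" in MODE_FLOWS[mode]:
            obj.writer = user
    def _require(self, flow: str) -> None:
        if flow not in MODE_FLOWS[self.mode]:
            raise AccessDenied(f"{flow} not permitted in {self.mode} mode on {self.obj.name}")
    def observe(self) -> bytes:
        self._require("observe")
        return bytes(self.obj.content)
    def append(self, data: bytes) -> int:
        # alter only: allowed in append and write modes; returns the new length
        self._require("alter")
        self.obj.content.extend(data)
        return len(self.obj.content)
    def overwrite(self, offset: int, data: bytes) -> None:
        # in-place alteration needs both flows, so append (blind write) refuses it
        self._require("alter")
        self._require("observe")
        self.obj.content[offset:offset + len(data)] = data
    def execute(self) -> str:
        self._require("execute")
        return f"ran {self.obj.name}"   # the content is used, never returned
    def close(self) -> None:
        if self.obj.writer == self.user:
            self.obj.writer = None       # release the file for other writers

def _try(action) -> str:
    try:
        action()
        return "allowed"
    except AccessDenied:
        return "denied"

def audit_log_scenario() -> dict:
    """An auditor may add lines to the audit log but neither read nor rewrite it."""
    log = FileObject("audit.log", b"2024-01-01 login alice\n")
    h = Handle("auditor", log, "append")
    out = {"appended_len": h.append(b"2024-01-02 login bob\n")}
    out["observe"] = _try(h.observe)
    out["overwrite"] = _try(lambda: h.overwrite(0, b"X"))
    h.close()
    return out

def concurrent_writer_scenario() -> dict:
    """Two users open the same file for writing; the second must wait for a close."""
    f = FileObject("report.txt", b"draft")
    h1 = Handle("alice", f, "write")
    second = _try(lambda: Handle("bob", f, "write"))
    seen = Handle("bob", f, "read").observe()   # reading alongside a writer is allowed here
    h1.close()
    h2 = Handle("bob", f, "write")              # allowed once alice has closed
    h2.overwrite(0, b"final")
    h2.close()
    return {"second_writer": second, "seen": seen, "final": bytes(f.content)}

def execute_scenario() -> dict:
    """Execute uses a binary without disclosing it; non-executables are refused."""
    binary = FileObject("ls", b"\x7fELF...", executable=True)
    h = Handle("alice", binary, "execute")
    return {"run": h.execute(), "observe": _try(h.observe),
            "nonexec": _try(lambda: Handle("alice", FileObject("notes.txt", b"hi"), "execute"))}
```

The audit-log scenario is the case the slides single out for append mode: a process that writes log entries needs to alter the log but has no business reading it, and a blind-write handle enforces exactly that split.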
