Access control is a generic term for the process by which a computer system controls the interaction between users and system resources. Its purpose is to implement a security policy, which may be determined by a number of requirements. Policy requirements may include:
- organisational requirements
- statutory requirements (medical records, for example)
- confidentiality (restrictions on read access)
- integrity (restrictions on write access)
- availability
A user requests access (read, write, print, etc.) to a resource in the computer system. The reference monitor establishes the validity of the request and returns a decision, either granting or denying access to the user.
Diagram: Access request -> Reference monitor -> System decision
Consider a paper-based office in which certain documents should only be read by certain individuals. We could implement security by:
- storing documents in filing cabinets
- issuing keys to the relevant individuals for the appropriate cabinets
The reference monitor is the set of (locked) filing cabinets. An access request (an attempt to open a filing cabinet) is granted if the key fits the lock (and denied otherwise).
Consider now a night club where only certain individuals are allowed into the club. We can implement security by:
- employing a bouncer
- providing the bouncer with a guest list (that is, a list of people permitted to enter the club)
The reference monitor is the security guard together with the guest list. An access request is granted only if:
- the club-goer can prove her identity (authentication)
- she is on the guest list
Subject: an active entity in a computer system (a user, process or thread).
Object: a passive entity or resource in a computer system (files, directories, printers).
Principal and subject are both used to refer to the active entity in an access operation. A principal is generally assumed to be an attribute or property associated with a subject. Examples of principals include a user ID or a public key; examples of subjects include a process or a thread.
An access operation is an interaction between a subject and an object. A subject may observe (read) an object; in that case information flows from the object to the subject.
In the night club example:
- a subject is a club-goer
- the only objects are the club and the guest list
- access operations could include enter club and delete guest (that is, change the guest list)
In the filing cabinet example:
- a subject is a user of the files in the cabinets
- an object is a filing cabinet or a file in one of the cabinets
- access operations could include read and write (for files) and also remove key from user
Files are opened for read or for write access so that the OS can avoid conflicts, such as two users simultaneously writing to the same file.
The append (or blind write, or write-only) access mode allows users to alter an object without observing its contents. It is rarely useful (audit log files being the main exception) and was implemented in Multics.
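The reference monitor, the observe/alter access modes, the open-for-write conflict check and the append-only audit log described above, as an added worked example that is not part of the original slides. The subjects (alice, bob, carol, auditor), the objects (payroll.txt, syslog) and the policy table are constructed for illustration; the monitor records every decision in its own audit trail, and ordinary subjects hold only append rights on the log object, so they can add entries but never read them back.

```python
"""Reference monitor demo (added example; names and policy are constructed)."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    OBSERVE = "read"    # information flows from object to subject
    ALTER = "write"     # subject changes the object (and may observe it)
    APPEND = "append"   # blind write: alter without observing the contents


@dataclass
class Decision:
    granted: bool
    reason: str


@dataclass
class ReferenceMonitor:
    # policy: (subject, object) -> set of permitted modes (constructed table)
    policy: dict[tuple[str, str], set[Mode]]
    # objects currently opened for write, so two writers never overlap
    open_for_write: dict[str, str] = field(default_factory=dict)
    # the monitor's own audit trail: every decision is appended here
    audit_log: list[str] = field(default_factory=list)

    def request(self, subject: str, obj: str, mode: Mode) -> Decision:
        """Validate one access request and return the system decision."""
        permitted = self.policy.get((subject, obj), set())
        if mode not in permitted:
            decision = Decision(False, f"{subject} lacks {mode.value} on {obj}")
        elif mode is Mode.ALTER and self.open_for_write.get(obj, subject) != subject:
            holder = self.open_for_write[obj]
            decision = Decision(False, f"{obj} already open for write by {holder}")
        else:
            if mode is Mode.ALTER:
                self.open_for_write[obj] = subject
            decision = Decision(True, "ok")
        verdict = "GRANT" if decision.granted else "DENY"
        self.audit_log.append(f"{subject} {mode.value} {obj}: {verdict}")
        return decision

    def release(self, subject: str, obj: str) -> None:
        """Close an object the subject had opened for write."""
        if self.open_for_write.get(obj) == subject:
            del self.open_for_write[obj]


def build_monitor() -> ReferenceMonitor:
    """Constructed policy: alice and carol may read/write payroll.txt, bob may
    only read it; everyone may append to syslog, only the auditor may read it."""
    policy = {
        ("alice", "payroll.txt"): {Mode.OBSERVE, Mode.ALTER},
        ("carol", "payroll.txt"): {Mode.OBSERVE, Mode.ALTER},
        ("bob", "payroll.txt"): {Mode.OBSERVE},
        ("alice", "syslog"): {Mode.APPEND},
        ("bob", "syslog"): {Mode.APPEND},
        ("carol", "syslog"): {Mode.APPEND},
        ("auditor", "syslog"): {Mode.OBSERVE},
    }
    return ReferenceMonitor(policy)


def demo() -> list[bool]:
    """Run a sequence of requests and return the granted/denied outcomes."""
    rm = build_monitor()
    results = [
        rm.request("bob", "payroll.txt", Mode.OBSERVE).granted,   # read only: granted
        rm.request("bob", "payroll.txt", Mode.ALTER).granted,     # no write right: denied
        rm.request("alice", "payroll.txt", Mode.ALTER).granted,   # opens file for write
        rm.request("carol", "payroll.txt", Mode.ALTER).granted,   # alice holds it: denied
    ]
    rm.release("alice", "payroll.txt")
    results += [
        rm.request("carol", "payroll.txt", Mode.ALTER).granted,   # granted after release
        rm.request("bob", "syslog", Mode.APPEND).granted,         # blind write to the log
        rm.request("bob", "syslog", Mode.OBSERVE).granted,        # cannot read the log back
        rm.request("auditor", "syslog", Mode.OBSERVE).granted,    # auditor may read it
    ]
    return results


if __name__ == "__main__":
    for outcome in demo():
        print("GRANT" if outcome else "DENY")
```

The policy table plays the role of the guest list and the mode check plays the role of the bouncer; the open-for-write map is the OS-level conflict avoidance from the slides, and the separate append and observe rights on the log object show why a blind-write mode is exactly what an audit log needs.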