Lecture 3 - DAC and Access Matrices

Question 1

DAC?

Answer 1

Controls access based on the identity of the requestor and on access rules stating what requestors are and aren’t allowed to do

Question 2

How is a DAC typically implemented?

Answer 2

Access Matrix

Question 3

Why is an access matrix decomposed?

Answer 3

As it is sparse and hence inefficient

Question 4

Decomposition by rows?

Answer 4

Capability tickets

Question 5

Decomposition by columns?

Answer 5

ACL (Access Control List)

Question 6

Advantage of ACLs?

Answer 6

• can contain a default
• convenient for determining who has access given an object

Question 7

Disadvantages of ACLs?

Answer 7

Not convenient for determining the access rights
available to a specific user

Question 8

Advantages of CTs?

Answer 8

Given a user, it is easy to determine the set of
access rights

Question 9

Disadvantages of CTs?

Answer 9

Given a specific resource, it is difficult to determine the list of users
with specific access rights
* Tickets may be authorized to loan or given to others, dispersed
around the system —> security problem

Question 10

How to solve the security issue with CTs?

Answer 10

• The operating system hold all tickets on behalf of users, but in a
  region of memory inaccessible to users
• Include an unforgeable token (e.g., a large random pass word, or a
  cryptographic message authentication code) in the capability

Question 11

Another way to represent DAC?

Answer 11

Authorization Table
- an entry for each subject / object relation access rights

Digraph

Question 12

In a DAC model what is the protection state?

Answer 12

set of information at a given point in time that specifies the access rights for each subject with respect to each object

Question 13

Why do we have a DAC model?

Answer 13

to represent protection state, enforce access rights and allow subjects to alter protection state (and hence rights)

Question 14

What do we need to add to objects to represent the protection state?

Answer 14

• subjects
• processes
• devices
• memory locations

Question 15

Access rights are named what in the DAC model?

Answer 15

Access attributes

Question 16

In the model there is seperate access control modules for each type of object? TRUE or FALSE

Answer 16

TRUE

Question 17

Steps of accessing something in the model?

Answer 17

-subject issues a request of type alpha for X
- request causes system to generate message (S , alpha , X) to controller for X
- controller interrogates A to determine if alpha is in A[S ,X] and responds depending on access matrix

Question 18

No one can modify the access matrix in the model. TRUE or FALSE

Answer 18

FALSE, possible by certain subjects through the access matrix controller with access control system commands

Question 19

What is the copy flag?

Answer 19

a access attribute that allows transferring of that attribute with/without flag to another subject