General Concepts
- Protection
- The set of mechanisms that control the access of processes and users to system resources.
- Access Control
- A process that defines and enforces what authenticated users or processes are allowed to do.
- Authentication
- The process of verifying the identity of a user or process before granting access to resources.
- Subject
- An active entity, such as a user or process, that can initiate actions and request access to resources.
- Object
- A passive entity, such as a file, device, or record, to which access is controlled.
- Access Control Matrix
- A conceptual table mapping subjects to objects and specifying the rights each subject has over each object.
- Access Control List (ACL)
- A list stored with an object that specifies which users or groups can access it and what actions they may perform.
- Access Control Entry (ACE)
- A single entry within an Access Control List that defines the permissions granted or denied to one user or group.
- Capability
- A token or entry stored with a subject that lists which objects it can access and with what rights.
- Capability List
- The collection of all capabilities held by a subject, specifying which objects it can access and what rights it has for each.
- Principle of Least Privilege
- A design principle stating that users and processes should operate with the minimum privileges required to perform their tasks.
- Privilege Separation
- The division of a program into privileged and unprivileged parts to reduce the amount of code that runs with elevated rights.
- Need-to-Know Principle
- The idea that users should access only the information necessary for their specific responsibilities.
- Administrative Overhead
- The management complexity created by large numbers of users, roles, labels, or compartments in an access control system.
Operating System and Hardware Foundations
- Scheduler
- The component of the operating system that allocates CPU time among processes, ensuring fairness and preventing starvation.
- Hardware Timer
- A programmable device that generates periodic interrupts, allowing the operating system to regain control of the processor and support preemptive multitasking.
- Memory Management Unit (MMU)
- A hardware component that translates virtual addresses into physical addresses and enforces per-page access permissions such as read, write, and execute.
- Page Table
- A per-process data structure maintained by the operating system that defines how virtual memory pages map to physical memory and what access rights each page has.
- Privilege Levels
- The hardware-enforced execution modes that determine what operations code can perform; they typically include user mode for applications and kernel mode for the operating system.
- Kernel Mode
- A privileged processor mode that allows the operating system to execute sensitive instructions, manage memory mappings, and handle hardware interrupts.
- User Mode
- An unprivileged processor mode used for application execution; access to hardware and kernel data structures must occur through system calls.
- System Call
- A controlled mechanism for transferring execution from user mode to kernel mode so that applications can request operating system services.
- Trusted Computing Base (TCB)
- The set of hardware and software components critical to enforcing a system’s security policy, including the kernel and supporting mechanisms.
Discretionary Access Control (DAC)
- Discretionary Access Control (DAC)
- An access control model where the owner of an object determines who else may access it and what operations they can perform.
- UNIX / POSIX Permissions
- A DAC implementation that assigns each file an owner, group, and permission bits (read, write, execute) for user, group, and others.
- rwx meaning
- The three permission bits in UNIX that represent read (r), write (w), and execute (x) access rights.
- User Permissions
- The permissions assigned to the file’s owner in UNIX-style systems.
- Group Permissions
- The permissions assigned to the file’s owning group in UNIX-style systems.
- umask
- A process setting that defines which permission bits are removed from newly created files, limiting default access.
- setuid / setgid
- Special permission bits on executables that allow a program to run with the privileges of its file’s owner or group rather than the user who executes it.
- chmod
- A UNIX command used to change the permission bits of a file or directory.
- chown
- A UNIX command used to change the owner of a file or directory.
- chgrp
- A UNIX command used to change the group ownership of a file or directory.
- inode
- The internal data structure in UNIX file systems that stores file metadata, including ownership, permissions, and pointers to file blocks.
- Extended Attributes (Linux ACLs)
- An extension of traditional UNIX permissions that allows per-user and per-group entries beyond owner, group, and others.
- user ID (uid)
- The numeric identifier assigned to each user in UNIX-like systems; determines file ownership and access rights.
- effective user ID (euid)
- The user ID currently in effect for a running process; used by the kernel to determine access permissions during operations.
- race condition
- A timing flaw where a resource’s permissions or state change between the time they are checked and the time they are used, potentially leading to unauthorized access.
Mandatory Access Control (MAC)
- Mandatory Access Control (MAC)
- An access control model where a system-wide policy based on security labels determines access, overriding user discretion.
- Multilevel Security (MLS)
- A system that enforces Bell–LaPadula rules, assigning classification levels to data and clearance levels to users to control information flow.
- Bell–LaPadula Model (BLP)
- A confidentiality model enforcing “no read up” and “no write down” rules to prevent information from leaking from higher to lower classifications.
- Simple Security Property
- In Bell–LaPadula, the rule that a subject cannot read data above its clearance level (no read up).
- Star (∗) Property
- In Bell–LaPadula, the rule that a subject cannot write to data below its classification level (no write down).
- Discretionary Security Property
- The Bell–LaPadula rule that allows additional, owner-defined controls as long as they do not violate mandatory rules.
- Multilateral Security
- An extension of Bell–LaPadula that introduces compartments at each classification level to separate projects or domains and enforce need-to-know access.
- Compartment
- A subset of data within a classification level, representing a specific project or information domain requiring separate authorization.
- Lattice Model
- A mathematical framework describing how security labels relate by dominance, combining classification and compartment rules.
- Biba Model
- An integrity model that reverses Bell–LaPadula rules to prevent low-integrity data from modifying or contaminating high-integrity information.
- Simple Integrity Property
- In Biba, the rule that a subject cannot read data at a lower integrity level (no read down).
- Star (∗) Integrity Property
- In Biba, the rule that a subject cannot write data to a higher integrity level (no write up).
- Microsoft Mandatory Integrity Control (MIC)
- A simplified implementation of the Biba model in Windows that labels processes and objects with integrity levels and enforces a no-write-up rule to protect system files.
- Type Enforcement (TE)
- A MAC mechanism that assigns domains to processes and types to objects, defining allowed interactions through a security policy.
- SELinux / SEAndroid
- Systems implementing Type Enforcement to confine processes and isolate applications on Linux and Android.
Role-Based Access Control (RBAC)
- Role-Based Access Control (RBAC)
- A model that assigns permissions to roles representing job functions and associates users with one or more roles.
- Role Hierarchy
- A feature of RBAC where senior roles inherit the permissions of junior roles, mirroring organizational structure.
- Separation of Duties (SoD)
- A policy that divides responsibilities so no single individual can perform all steps of a sensitive or fraudulent operation.
- Role Explosion
- A problem in large RBAC systems where too many narrowly defined roles make administration complex.
Attribute-Based Access Control (ABAC)
- Attribute-Based Access Control (ABAC)
- An access model that uses attributes of users, objects, and the environment to make dynamic access decisions.
- Example Attributes
- Characteristics used in ABAC decisions, such as a user’s department, an object’s classification, or environmental factors like time or network location.
- Policy Decision Point (PDP)
- The component that evaluates an ABAC rule and decides whether to grant access.
- Policy Enforcement Point (PEP)
- The component that enforces the decision made by the PDP in an ABAC system, often distributed across multiple systems.
Chinese Wall Model
- Chinese Wall Model
- A dynamic access control model that prevents conflicts of interest by restricting users from accessing data of competing organizations after prior access.
- Conflict of Interest (CoI) Class
- A group of competing organizations where access to one member’s data blocks access to the others.
- Dynamic Separation of Duties
- A form of separation of duties where restrictions depend on a user’s past actions or session history rather than static role definitions.
- Access History
- A record of prior accesses used in dynamic models such as the Chinese Wall to enforce conflict-of-interest restrictions.
- Sanitizing Data
- The process of anonymizing or generalizing information so it can be used across conflict classes without revealing client-specific or confidential details.