Permission system modeling

How would you model a system that processes permissions to perform certain actions within an application?

+61
security permissions action modeling
Jul 05
3 answers

Security models are a large (and open) field of research. There are a huge number of models available to choose from, from simple ones:

  • The Lampson Access Control Matrix lists each domain object and each principal in the system together with the actions that principal can perform on that object. This is very verbose and, if it is really implemented this way, very memory-intensive.

  • Access control lists are a simplification of the Lampson matrix: think of them as something like a sparse-matrix implementation that lists objects, principals and allowed actions, and doesn't encode all the “null” entries of the Lampson matrix. Access control lists can include “groups” as a convenience, and the lists can be stored by object or by principal (sometimes by program, as in AppArmor, TOMOYO or LIDS).

  • Capability systems are based on the idea of having a reference or pointer to objects; a process has access to an initial set of capabilities and can get more capabilities only by receiving them from other objects in the system. It sounds pretty far-fetched, but think about Unix file descriptors: they are an unforgeable reference to a particular open file, and the file descriptor can be handed to other processes or not. If you pass the handle to another process, it will have access to that file. Entire operating systems were written around this idea. (The most famous are probably KeyKOS and EROS, but I'm sure that's debatable. :)

... to more complex ones that have security labels assigned to objects and principals:

  • Protection rings, as implemented in Multics and x86 processors, among others, provide traps or security gates that allow processes to transition between rings; each ring has a different set of privileges and objects.

  • Denning's Lattice is a model of which principals are allowed to interact with which security labels, in a very hierarchical fashion.

  • Bell-LaPadula is similar to Denning's Lattice and contains rules to prevent top-secret data from leaking to unclassified levels, plus common extensions that provide further compartmentalization and categorization to better support the military “need to know”.

  • The Biba Model is similar to Bell-LaPadula, but “turned on its head”: Bell-LaPadula focuses on confidentiality but does nothing for integrity, and Biba focuses on integrity but does nothing for confidentiality. (Bell-LaPadula forbids anyone from reading the List of All Spies, but will gladly allow anyone to write anything into it. Biba will gladly allow anyone to read the List of All Spies, but will forbid almost everyone from writing into it.)

  • Type Enforcement (and its sibling, Domain Type Enforcement) provides labels on principals and objects and specifies the valid subject-verb-object (class) combinations. These are the familiar SELinux and SMACK.

... and then there are some that incorporate the passage of time:

  • The Chinese Wall was designed in business settings to separate employees within an organization that provides services to competitors in the same market: for example, as soon as Johnson began working on the Exxon-Mobil account, he was not allowed access to the BP account. If Johnson had started working on BP first, he would have been denied access to Exxon-Mobil data.

  • LOMAC and high-watermark are two dynamic approaches: LOMAC modifies process privileges as processes access higher levels of data and forbids writing to lower levels (processes migrate toward “top security”), and high-watermark modifies the labels of data as it is accessed (data migrates toward “top protection”).

  • Clark-Wilson models are very open-ended; they include invariants and rules guaranteeing that each state transition does not violate the invariants. (It can be as simple as double-entry bookkeeping or as complex as HIPAA.) Think about database transactions and constraints.

Matt Bishop's “Computer Security: Art and Science” is definitely worth a read if you want to know more about published models.

+125
Jul 05
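Added example (not code from the answer above): a small Python check that makes the Bell-LaPadula/Biba duality from the list concrete. It assumes a constructed lattice of linearly ordered levels plus need-to-know category sets, and reuses the same labels as integrity levels when evaluating Biba.

```python
from dataclasses import dataclass

# Constructed example lattice: linearly ordered levels plus need-to-know categories.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # compartments such as {"NUCLEAR"}

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def blp_allows(subject: Label, obj: Label, action: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if action == "read":
        return subject.dominates(obj)      # simple security property
    if action == "write":
        return obj.dominates(subject)      # *-property
    raise ValueError(f"unknown action {action!r}")

def biba_allows(subject: Label, obj: Label, action: str) -> bool:
    """Biba (integrity): no read down, no write up; BLP turned on its head."""
    if action == "read":
        return obj.dominates(subject)
    if action == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown action {action!r}")

# Constructed sample labels (the List of All Spies scenario from the answer).
CLERK = Label("UNCLASSIFIED")
SPY_LIST = Label("TOP_SECRET", frozenset({"HUMINT"}))
ANALYST = Label("SECRET", frozenset({"NUCLEAR"}))
REPORT = Label("SECRET", frozenset({"NUCLEAR", "CRYPTO"}))

def decisions(subject: Label, obj: Label) -> dict:
    """Return every (model, action) decision for one subject-object pair."""
    return {
        (model, action): check(subject, obj, action)
        for model, check in (("BLP", blp_allows), ("Biba", biba_allows))
        for action in ("read", "write")
    }

if __name__ == "__main__":
    for (model, action), ok in decisions(CLERK, SPY_LIST).items():
        print(f"{model:4} clerk {action:5} spy list: {'allow' if ok else 'deny'}")
```

The ANALYST/REPORT pair shows the category half of the lattice: equal levels are not enough, the subject's compartments must also cover the object's.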

I prefer RBAC. Although you may find it very similar to ACLs, they differ semantically.

+6
Jul 05 '10 at 7:12