B"H Quick question: is the difference between a "subject" and an "object" in terms of data on a PC whether or not this data exists within running memory ("subject") vs. on disk alone ("object")? That is my current impression from comments made by Conrad in his book about this topic, and I wanted to bounce the idea off you folks. Another point of confusion here for me is this: in his definition of "subject" Conrad includes "entity", and cites as examples both people actively accessing data, as well as that data actively running in memory. Yet, in his definition of object he states "passive data within the system". Would an "object" include entities other than data, as does a "subject"? For example, how about a $100 bill; would that count as an object too? Thanks,

In any access-control model, the entities that can perform actions on the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects. Subjects and objects should both be considered as software entities, rather than as human users: any human
users can only have an effect on the system via the software entities that they control. Although some systems equate subjects with user IDs, so that all processes started by a user by default have the same authority, this level of control is not fine-grained enough to satisfy the principle of least privilege, and arguably is responsible for the prevalence of malware in such systems (see computer insecurity). In some models, for example the object-capability model, any software entity can potentially act as both subject and object. As of 2014, access-control models tend to fall into one of two classes: those based on capabilities and those based on access control lists (ACLs).
Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject).

Filesystem ACLs

A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as executable programs, running processes, or files. These entries are known as access-control entries (ACEs) in the Microsoft Windows NT, OpenVMS, and Unix-like operating systems such as Linux, macOS, and Solaris. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

Networking ACLs

On some types of proprietary computer hardware (in particular routers and switches), an access-control list provides rules that are applied to port numbers or IP addresses available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access-control lists based on network domain names, this is a questionable idea because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the access-control list must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise the security of the system which the access-control list is protecting. Both individual servers and routers can have network ACLs. Access-control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.
Adapted from:

What is the difference between a subject and an object in access control?
The subject of the access is the user or process that makes a request to access a resource. Access can mean reading from or writing to a resource. The object of an access is the resource a user or process wants to access.

What is an object in access control?
The Control object represents a control on a form, report, or section, within another control, or attached to another control.

What are subjects when related to access controls?
Subject: An entity capable of accessing objects. World: Users who are not included in the categories of owner and group may be able to access the resources with limited permissions. Object: Resource to which access is controlled – an entity that contains and/or receives information.

What are some of the differences between access control lists and capabilities (quizlet)?
What is the difference between an access control list and a capability ticket? An access control list lists the users and their permitted access rights. A capability ticket specifies authorized objects and their operations for a user.
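As an added example, not taken from Conrad's book or from any source quoted above, the two models contrasted in the ACL/capability passage and in the last question, written out in Python: an ACL that lives on the passive object and holds per-user and group entries, beside capability tickets held by the subject that can only be delegated in attenuated form. The object "payroll", the users "alice" and "bob", and the group "accounting" are constructed sample names.

```python
from dataclasses import dataclass

READ, WRITE, EXECUTE = "read", "write", "execute"

@dataclass(frozen=True)
class Subject:
    name: str  # active entity: a process acting on behalf of a user
    groups: frozenset = frozenset()  # groups are themselves modelled as principals

class AclObject:
    """ACL model: the rights table lives on the passive object."""
    def __init__(self, name: str):
        self.name = name
        self.acl: dict = {}  # principal -> set of rights, one entry per ACE
    def grant(self, principal: str, *rights: str) -> None:
        self.acl.setdefault(principal, set()).update(rights)
    def revoke(self, principal: str) -> None:
        self.acl.pop(principal, None)  # revocation is a local edit on the object
    def allows(self, subject: Subject, right: str) -> bool:
        # Consult the subject's own ACE, then the ACE of each group it belongs to.
        return any(right in self.acl.get(p, ()) for p in (subject.name, *subject.groups))

@dataclass(frozen=True)
class Capability:
    """Capability model: the ticket is held by the subject and names the object."""
    target: str
    rights: frozenset
    def attenuate(self, *rights: str) -> "Capability":
        # A holder can delegate only a subset of the rights it already has.
        return Capability(self.target, self.rights & frozenset(rights))

def cap_allows(tickets: list, target: str, right: str) -> bool:
    # The object keeps no subject list; authority is whatever tickets are presented.
    return any(t.target == target and right in t.rights for t in tickets)

def demo() -> dict:
    # Constructed sample: a payroll file with one group ACE and one per-user ACE.
    payroll = AclObject("payroll")
    payroll.grant("accounting", READ)
    payroll.grant("alice", WRITE)
    alice = Subject("alice", frozenset({"accounting"}))
    bob = Subject("bob")
    acl = (payroll.allows(alice, READ), payroll.allows(alice, WRITE), payroll.allows(bob, READ))
    payroll.revoke("alice")
    # Bob receives an attenuated ticket; EXECUTE is dropped because the delegator never held it.
    ticket = Capability("payroll", frozenset({READ, WRITE})).attenuate(READ, EXECUTE)
    cap = tuple(cap_allows([ticket], "payroll", r) for r in (READ, WRITE, EXECUTE))
    return {"acl": acl, "acl_after_revoke": payroll.allows(alice, WRITE), "cap": cap}
```

Note which side each decision is made on: the ACL check walks the object's table and revocation edits that table, while the capability check never consults the object at all, so revoking a ticket means getting it back from every holder.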