Lecture 23 Notes; May 21, 1997; Alan Jondle

Access Control List (ACL)
    object -> (Subject, Rights)

Capability List
    subject -> (Object, Rights)

Revocation
    ACL -> delete the entry
    Capability Lists
        Global Object Table
            give the subject a pointer to an entry in a global object table
            global object table entries point to objects
            revoke permission by removing the entry from the global object table
            example - NFS file handle used between NFS server and client
        Tagged Architecture
            1 word of data, combined with an extra bit
            the extra bit can be set and cleared only in supervisor mode
            if the extra bit is set, the data can only be accessed in supervisor mode
            this won't work on a network
        Cryptography
            digitally sign the capability
        Keep the capability in a system area and access it via a system call
        Copy right
    Capability-based systems can use segmentation

Trojan Horse
    a program with two functions
        overt - example: edit a file
        covert - example: delete all files
    a type of malicious logic
    Discretionary Trojan Horse Problem
        Mandatory Access Control does not solve it within compartments
    Limited Protection Domain
        turn privileges on/off
        a Trojan Horse could re-enable the privilege
    capability list

Reference Monitor
    controls access to a resource
    should be verifiable
    should be complete - the resource should only be reachable through the monitor
    should be tamperproof - can't be changed without authorization

Name-checking subsystem
    program reads startup file, reads .asm file, writes .obj file
    catch any access outside that pattern

Ring-based Mechanism
    access through gates, which validate permission to cross
    access brackets (low, high)
        access within the range without going through a gate, otherwise a ring fault
    Multics 1964

Lock and Key
    AND-Lock: C = F(k3, F(k2, F(k1, D)))
    OR-Lock:  C = (F(k1, D), F(k2, D), F(k3, D))

Query Control
    non-deducibility
    inference question example
        to get the salary of x:
            get average salary of (all)
            get average salary of (all - x)
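The ACL, capability list and global-object-table ideas above, as an added worked example that is not part of the original lecture notes. The `AccessMatrix` and `CapabilitySystem` classes, the file name and the subject names are all constructed for illustration; the point is to see why revoking an ACL entry is a single deletion, why a freely copied capability is hard to revoke, and how an indirection through a global object table (the notes' NFS file-handle analogy) restores single-point revocation.

```python
from dataclasses import dataclass, field


@dataclass
class AccessMatrix:
    """ACL view of the access matrix: object -> {subject: rights}.
    Revocation is simply deleting the (object, subject) entry."""
    acl: dict = field(default_factory=dict)

    def grant(self, obj, subj, rights):
        self.acl.setdefault(obj, {}).setdefault(subj, set()).update(rights)

    def revoke(self, obj, subj):
        self.acl.get(obj, {}).pop(subj, None)

    def check(self, obj, subj, right):
        return right in self.acl.get(obj, {}).get(subj, set())


class CapabilitySystem:
    """Capability-list view: subject -> [(handle, rights)].
    The handle is an index into a global object table rather than the object
    itself. Capabilities may be copied freely (the 'copy right' in the notes),
    so instead of chasing every copy, the system revokes by removing the
    table entry: every holder's capability goes stale at once, exactly like
    an NFS file handle the server no longer recognises."""

    def __init__(self):
        self.table = {}   # handle -> object (the global object table)
        self.caps = {}    # subject -> list of (handle, frozenset(rights))
        self._next_handle = 0

    def register(self, obj):
        handle = self._next_handle
        self._next_handle += 1
        self.table[handle] = obj
        return handle

    def grant(self, subj, handle, rights):
        self.caps.setdefault(subj, []).append((handle, frozenset(rights)))

    def copy(self, src, dst):
        # Copying a capability copies the (handle, rights) pair; the copy still
        # goes through the same table entry.
        self.caps.setdefault(dst, []).extend(self.caps.get(src, []))

    def revoke_object(self, handle):
        # Single revocation point: no per-subject bookkeeping needed.
        self.table.pop(handle, None)

    def access(self, subj, handle, right):
        """Return the object if subj holds a capability for it with `right`,
        or None if the capability is absent or the table entry was revoked."""
        for h, rights in self.caps.get(subj, []):
            if h == handle and right in rights:
                return self.table.get(h)
        return None


def demo():
    """Walk through grant, copy and revoke on both representations."""
    m = AccessMatrix()
    m.grant("payroll.txt", "alice", {"read"})          # constructed names
    acl_before = m.check("payroll.txt", "alice", "read")
    m.revoke("payroll.txt", "alice")
    acl_after = m.check("payroll.txt", "alice", "read")

    cs = CapabilitySystem()
    h = cs.register("payroll.txt")
    cs.grant("alice", h, {"read"})
    cs.copy("alice", "bob")                            # bob now holds a copy
    cap_copy = cs.access("bob", h, "read")
    cs.revoke_object(h)                                # one deletion revokes all copies
    cap_after = (cs.access("alice", h, "read"), cs.access("bob", h, "read"))
    return acl_before, acl_after, cap_copy, cap_after


if __name__ == "__main__":
    print(demo())
```

The tagged-architecture and signed-capability variants in the notes solve the same problem differently: they make the capability itself unforgeable, while the table approach keeps the capability a plain pointer and puts the trust in the table.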
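The AND-lock and OR-lock formulas from the Lock and Key section, as an added example that is not from the lecture notes. The notes leave F as an abstract keyed function; this code assumes HMAC-SHA256 in its place (an assumption, not something the notes specify) so that reproducing C requires the key. An AND-lock needs every key, applied in the stated order, to reconstruct C; an OR-lock stores one F(k_i, D) per key so that any single key opens it.

```python
import hmac
import hashlib


def F(key: bytes, data: bytes) -> bytes:
    """Keyed one-way function standing in for the notes' abstract F.
    Assumption: HMAC-SHA256; the notes do not fix a particular F."""
    return hmac.new(key, data, hashlib.sha256).digest()


def and_lock(keys, D: bytes) -> bytes:
    """C = F(k3, F(k2, F(k1, D))): keys are nested innermost-first."""
    C = D
    for k in keys:
        C = F(k, C)
    return C


def and_unlock(lock: bytes, keys, D: bytes) -> bool:
    """Opens only if the caller presents all keys in the lock's order."""
    return hmac.compare_digest(lock, and_lock(keys, D))


def or_lock(keys, D: bytes) -> tuple:
    """C = (F(k1, D), F(k2, D), F(k3, D)): one independent tag per key."""
    return tuple(F(k, D) for k in keys)


def or_unlock(lock: tuple, key: bytes, D: bytes) -> bool:
    """Opens if the presented key matches any one tag in the lock."""
    tag = F(key, D)
    return any(hmac.compare_digest(tag, c) for c in lock)


if __name__ == "__main__":
    k1, k2, k3 = b"key-1", b"key-2", b"key-3"   # constructed sample keys
    D = b"lecture-23-document"                   # constructed sample data
    C_and = and_lock([k1, k2, k3], D)
    C_or = or_lock([k1, k2, k3], D)
    print("AND with all keys:", and_unlock(C_and, [k1, k2, k3], D))
    print("AND missing k3:  ", and_unlock(C_and, [k1, k2], D))
    print("OR with k2 only: ", or_unlock(C_or, k2, D))
```

Note that the AND-lock is order-sensitive: presenting the same three keys as (k3, k2, k1) produces a different C, so the order of application is itself part of the lock.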
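The Query Control inference example, as an added example that is not part of the lecture notes. The salary table is constructed; `infer_salary` carries out the two-query derivation the notes describe (average of all, average of all minus x), and `controlled_average` adds a query-set-size control, a standard statistical-database mitigation that the notes do not mention, to show how a release policy blocks that particular pair of queries.

```python
# Constructed sample database: name -> salary. "x" is the target in the notes.
SALARIES = {"alice": 100, "bob": 80, "carol": 120, "dave": 60, "x": 140}


def average(pred):
    """Unrestricted statistical query: mean salary over rows matching pred."""
    rows = [s for name, s in SALARIES.items() if pred(name)]
    return sum(rows) / len(rows)


def infer_salary(target):
    """The inference from the notes: with N rows,
       N * avg(all) - (N - 1) * avg(all - x) = salary(x)."""
    n = len(SALARIES)
    avg_all = average(lambda name: True)
    avg_rest = average(lambda name: name != target)
    return n * avg_all - (n - 1) * avg_rest


def controlled_average(pred, k=2):
    """Query-set-size control (assumed mitigation, not from the notes):
    refuse any query whose result set has fewer than k rows or more than
    N - k rows. Both 'all' (size N) and 'all - x' (size N - 1) are refused,
    so the subtraction above cannot be performed."""
    rows = [s for name, s in SALARIES.items() if pred(name)]
    n = len(SALARIES)
    if len(rows) < k or len(rows) > n - k:
        raise PermissionError(
            f"query set of size {len(rows)} outside allowed range [{k}, {n - k}]")
    return sum(rows) / len(rows)


def controlled_attempt(target, k=2):
    """Try the notes' two queries under the control; report which are refused."""
    outcome = {}
    for label, pred in (("all", lambda name: True),
                        ("all - x", lambda name: name != target)):
        try:
            outcome[label] = controlled_average(pred, k)
        except PermissionError:
            outcome[label] = "refused"
    return outcome


if __name__ == "__main__":
    print("inferred salary of x:", infer_salary("x"))
    print("under size control:  ", controlled_attempt("x"))
```

Size limits alone are not the same as the non-deducibility goal the notes name: overlapping queries that each satisfy the size rule can still be combined, so a real statistical database also limits overlap between successive query sets or perturbs the released values.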