Access control lists in password capability environments

详细信息    查看全文

• 作者：Lanfranco Lopriore ^{l.lopriore@iet.unipi.it" class="auth_mail" title="E-mail the corresponding author}Author Vitae
• 关键词：Access control list ; Access right ; Domain ; One-way function ; Password capability ; Protection
• 刊名：Computers & Security
• 出版年：2016
• 出版时间：September 2016
• 年：2016
• 卷：62
• 期：Complete
• 页码：317-327
• 全文大小：669 K

文摘

With reference to a protection system featuring active subjects that attempt to access passive, typed objects, we propose a set of mechanisms supporting the distribution, verification, review and revocation of access privileges. In our approach, a protection domain is a collection of access rights for the protected objects. An access control list is associated with each object to specify the access rights in each domain. Objects are grouped into clusters. To access the objects in a given cluster, a subject presents a gate referencing this cluster. The gate is a form of password capability that identifies one or more domains. The gate grants the access rights specified for these domains by the access control lists of the objects in the cluster. A subject that holds a gate and is aimed at distributing the access privileges in this gate in restricted form can reduce the gate to eliminate domains; the gate reduction procedure requires no intervention of the protection system. A small set of protection primitives allows subjects to manage objects and access control lists. Forms of revocation of access permissions are supported, at both levels of gates and access control lists.