Subject, object, operation and permission - Revision history

Zarutian: added an ?hidden? link to an paulgraham article. Please remove it if it doesnt belong.

Zarutian — Sun, 14 Mar 2010 15:02:50 GMT

added an ?hidden? link to an paulgraham article. Please remove it if it doesnt belong.

New page

We use the terms '''subject''', '''object''', '''operation''' and '''permission''' consistently with a standard access control literature.

== Definition ==

From a security point of view, we recognize '''subjects''' and '''objects'''

'''Subjects''' are active entities (e.g. UNIX processes) with some behavior. '''Subjects''' can designate '''objects''' and try to perform some supported '''operations''' with them.

What kind of operations can be performed with an object depends on its type.

In general, the set of existing objects and subjects changes over time.

'''Permissions''' is a relation that defines which operations on what objects are permitted for particular subjects. One way how to capture permissions is the [[protection matrix]].

== Notes ==

People (outside capability community) often confuse the following two terms:
* '''permissions''' (defined in this article)
* and [[authority]].
Real security audit cannot be performed without determining the [[authority]] of particular '''subjects'''.

== See also ==

These are standard notions and they are defined in various other places:
* in the [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 MINIX Book] (Section 5.5)
* [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security in Wikipedia].

Kosik at 06:16, 20 June 2009

Kosik — Sat, 20 Jun 2009 06:16:40 GMT

←Older revision		Revision as of 06:16, 20 June 2009
Line 12:		Line 12:

	'''Permissions''' is a relation that defines which operations on what objects are permitted for particular subjects. One way how to capture permissions is the [[protection matrix]].		'''Permissions''' is a relation that defines which operations on what objects are permitted for particular subjects. One way how to capture permissions is the [[protection matrix]].
-
-	~~== See also ==~~
-
-	~~These are standard notions and they are defined in various other places:~~
-	* in the [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 MINIX Book] (Section 5.5)
-	* [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security in Wikipedia].

	== Notes ==		== Notes ==
Line 25:		Line 19:
	* and [[authority]].		* and [[authority]].
	Real security audit cannot be performed without determining the [[authority]] of particular '''subjects'''.		Real security audit cannot be performed without determining the [[authority]] of particular '''subjects'''.
		+
		+	== See also ==
		+
		+	These are standard notions and they are defined in various other places:
		+	* in the [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 MINIX Book] (Section 5.5)
		+	* [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security in Wikipedia].

Kosik: Relationship with the same notions defined in the standard literature was clarified.

Kosik — Sat, 20 Jun 2009 06:11:45 GMT

Relationship with the same notions defined in the standard literature was clarified.

←Older revision		Revision as of 06:11, 20 June 2009
Line 1:		Line 1:
		+	We use the terms '''subject''', '''object''', '''operation''' and '''permission''' consistently with a standard access control literature.
		+
	== Definition ==		== Definition ==

Line 13:		Line 15:
	== See also ==		== See also ==

-	~~Wikipedia also contains~~ [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security ~~similar definitions~~]~~. It contains arguable material~~.	+	These are standard notions and they are defined in various other places:
		+	* in the [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 MINIX Book] (Section 5.5)
		+	* [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security in Wikipedia].

-	~~Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref~~=~~sr_1_14?ie~~=~~UTF8&s~~=~~books&qid~~=~~1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.~~	+	== Notes ==

	People (outside capability community) often confuse the following two terms:		People (outside capability community) often confuse the following two terms:

Kosik at 10:59, 19 June 2009

Kosik — Fri, 19 Jun 2009 10:59:38 GMT

←Older revision		Revision as of 10:59, 19 June 2009
Line 13:		Line 13:
	== See also ==		== See also ==

-	~~The same notions are defined also [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security Object (access control)]~~	+	Wikipedia also contains [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security similar definitions]. It contains arguable material.
-	Wikipedia also contains [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security similar definitions]. ~~We do not encourage you to read that page~~.	+

	Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.		Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.

Kosik: /* See also */

Kosik — Fri, 19 Jun 2009 10:58:55 GMT

Kosik at 08:51, 19 June 2009

Kosik — Fri, 19 Jun 2009 08:51:34 GMT

←Older revision		Revision as of 08:51, 19 June 2009
Line 13:		Line 13:
	== See also ==		== See also ==

-	~~During security audit, through permissions we should determine the~~ [~~[authority~~]~~] of a given subject; because it is~~ [~~[authority]~~] ~~what ultimately matters~~.	+	The same notions are defined also [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security Object (access control)]
		+	Wikipedia also contains [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security similar definitions].

	Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.		Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.
		+
		+	People (outside capability community) often confuse the following two terms:
		+	* '''permissions''' (defined in this article)
		+	* and [[authority]].
		+	Real security audit cannot be performed without determining the [[authority]] of particular '''subjects'''.

Kosik at 08:42, 19 June 2009

Kosik — Fri, 19 Jun 2009 08:42:27 GMT

←Older revision		Revision as of 08:42, 19 June 2009
Line 12:		Line 12:

	== See also ==		== See also ==
		+
		+	During security audit, through permissions we should determine the [[authority]] of a given subject; because it is [[authority]] what ultimately matters.

	Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.		Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.

Kosik: /* See also */

Kosik — Tue, 16 Jun 2009 14:23:44 GMT

Kosik at 12:25, 16 June 2009

Kosik — Tue, 16 Jun 2009 12:25:03 GMT

←Older revision		Revision as of 12:25, 16 June 2009
Line 13:		Line 13:
	== See also ==		== See also ==

-	Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book].	+	Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term ''domain'' instead of ''subject''.

Kosik: /* Definition */

Kosik — Tue, 16 Jun 2009 12:17:04 GMT

Definition

←Older revision		Revision as of 12:17, 16 June 2009
Line 9:		Line 9:
	In general, the set of existing objects and subjects changes over time.		In general, the set of existing objects and subjects changes over time.

-	'''Permissions''' is a relation that defines which operations on what objects are permitted for particular subjects. One way how to capture permissions is [[protection matrix]].	+	'''Permissions''' is a relation that defines which operations on what objects are permitted for particular subjects. One way how to capture permissions is the [[protection matrix]].

	== See also ==		== See also ==

	Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book].		Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book].

←Older revision		Revision as of 10:58, 19 June 2009
Line 14:		Line 14:

	The same notions are defined also [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security Object (access control)]		The same notions are defined also [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security Object (access control)]
-	Wikipedia also contains [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security similar definitions].	+	Wikipedia also contains [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security similar definitions]. We do not encourage you to read that page.

	Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.		Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.

←Older revision		Revision as of 14:23, 16 June 2009
Line 13:		Line 13:
	== See also ==		== See also ==

-	Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term ''domain'' instead of ''subject''.	+	Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''.