Access Matrix: The Foundation of Access Control

Every modern operating system faces a fundamental question: Who is allowed to do what to which resources? This seemingly simple question hides enormous complexity. A system may have thousands of users, millions of files, hundreds of running processes, and countless combinations of possible operations. How can we systematically represent, reason about, and enforce these access decisions?

In 1971, Butler Lampson formalized an elegant solution in his seminal paper "Protection." He introduced the Access Matrix Model—a mathematical abstraction that captures the complete protection state of a system in a simple two-dimensional structure. This model has become the theoretical foundation upon which all modern access control mechanisms are built, from Unix file permissions to Windows ACLs, from database authorization to cloud IAM policies.

Before examining the Access Matrix, we must understand why formal protection models exist. Early computing systems had no notion of protection—any program could access any memory, any data, any device. This was acceptable for single-user, single-program systems, but the advent of time-sharing and multi-user systems in the 1960s created an urgent need for controlled resource access.

The Protection Problem:

Consider a multi-user system where:

• Users should access their own files but not others'
• Some files should be shared among specific user groups
• System files should be readable but not modifiable
• Some operations (like shutting down) should be restricted to administrators
• Processes should be isolated from each other

Without a formal model, protection mechanisms become ad-hoc, inconsistent, and riddled with security holes. Each protection decision becomes a special case, making security auditing impossible and vulnerabilities inevitable.

Why Mathematical Abstraction?

A formal model provides:

1. Precise Definitions: Unambiguous meaning for security concepts
2. Completeness: A framework that covers all possible access scenarios
3. Reasoning Tools: Mathematical techniques to prove security properties
4. Implementation Guidance: Clear requirements for mechanism designers
5. Comparison Basis: A common language to evaluate different systems

The Access Matrix Model emerged as the answer to these needs—simple enough to be understood, yet powerful enough to model any protection scenario.

The Access Matrix is a two-dimensional array that represents the complete protection state of a system at any given instant. Its structure is elegantly simple:

Definition:

An Access Matrix A is defined as:

$$A[s, o] = {r_1, r_2, ..., r_k}$$

Where:

• s ∈ S is a subject (an active entity that can initiate operations)
• o ∈ O is an object (a passive entity that can be operated upon)
• r ∈ R is an access right (a specific operation that can be performed)
• A[s, o] is the cell containing the set of rights that subject s has over object o

The matrix has one row for each subject and one column for each object. Each cell contains zero or more access rights, representing what operations that subject may perform on that object.

A Concrete Example:

Consider a simple system with three users (Alice, Bob, Carol) and three files (budget.xls, report.doc, config.sys):

This matrix completely specifies the protection state:

• Alice owns budget.xls and can read/write it; she can only read report.doc
• Bob owns report.doc, can read budget.xls, and can read config.sys
• Carol owns config.sys and can only read report.doc

Any access decision can be answered by looking up the appropriate cell: "Can Bob write to budget.xls?" Look at A[Bob, budget.xls] = {read}. Answer: No, because 'write' is not in that cell.

The Access Matrix represents the protection state of the system at a single point in time. However, protection states are not static—they evolve as users create files, processes spawn, and administrators modify permissions.

Protection State:

Formally, the protection state is a triple:

$$State = (S, O, A)$$

Where:

• S = current set of subjects
• O = current set of objects
• A = current access matrix (S × O → 2^R)

State Transitions:

Changes to the protection state occur through primitive operations that modify the matrix:

1. create subject s: Add a new row for subject s
2. delete subject s: Remove the row for subject s
3. create object o: Add a new column for object o
4. delete object o: Remove the column for object o
5. enter right r into A[s, o]: Add right r to cell [s, o]
6. delete right r from A[s, o]: Remove right r from cell [s, o]

Commands and Authorization:

In practice, subjects do not directly invoke primitive operations. Instead, they issue commands that may trigger sequences of primitives. Commands typically check authorization before executing:

command grant_read(granter, grantee, object):
    if "own" in A[granter, object]:        # Authorization check
        enter "read" into A[grantee, object]  # State modification
    else:
        DENY

This pattern—check authorization in the current state, then modify state—is the fundamental flow of all access control systems.

The Access Matrix's elegance lies in its universality. Every access control system—regardless of its specific implementation—can be understood as maintaining some representation of an Access Matrix. Let's examine how various real-world systems map to this model:

Unix File Permissions:

Unix's classic permission model is a highly constrained Access Matrix:

• Subjects: owner, group, others (three categories)
• Objects: files, directories, devices
• Rights: read (r), write (w), execute (x)

The matrix cell A[user, file] is determined by which category the user falls into:

-rwxr-x--- maps to:
  A[owner, file] = {read, write, execute}
  A[group, file] = {read, execute}
  A[others, file] = {}

Windows ACLs:

Windows implements a more complete Access Matrix:

• Each object has an Access Control List (ACL)
• Each ACL entry specifies (subject, rights) pairs
• Rights include: Read, Write, Execute, Delete, Change Permissions, Take Ownership, etc.

Database GRANT/REVOKE:

SQL access control directly implements matrix operations:

• GRANT SELECT ON table TO user → enter 'select' into A[user, table]
• REVOKE UPDATE ON table FROM role → delete 'update' from A[role, table]

Abstract Properties Preserved:

Despite their different syntaxes and implementation strategies, all these systems preserve the fundamental Access Matrix properties:

1. Finite, enumerable subjects and objects: Every system has a bounded set of principals and resources
2. Well-defined rights: Operations are discrete and identifiable
3. State-based authorization: Access decisions depend on current matrix contents
4. State modification operations: Some mechanism exists to change rights

Understanding the Access Matrix means understanding the common foundation beneath all these variations.

A sophisticated feature of the Access Matrix is that subjects can also be objects. This allows the matrix to express control relationships between entities themselves, not just their access to passive resources.

Subjects Appearing in Columns:

When subjects appear as objects, new rights become meaningful:

Here, the cell A[Alice, Bob] = {wakeup, signal} means Alice can send wakeup or signal operations to Bob (perhaps Bob is a process). The cell A[System, Alice] = {terminate, suspend} means the System can terminate or suspend Alice.

Control Rights:

Typical rights for subject-as-object include:

• signal: Send a signal to a process
• terminate: Kill a process
• suspend/resume: Pause/continue execution
• exec: Execute as this subject identity
• su/sudo: Switch user identity to this subject

Domains as Objects:

In systems using protection domains (discussed in the previous module), domains themselves appear as objects in the matrix. The switch right controls domain transitions:

This matrix shows:

• From Domain 1, you can switch to Domain 2
• From Domain 2, you can switch to Domain 1 or Domain 3
• From Domain 3, no domain switching is allowed

This elegantly models the protection ring concept: inner rings can switch to outer rings, but not vice versa (enforced by which cells contain the 'switch' right).

The Access Matrix enables formal reasoning about security properties. Several important properties can be expressed and analyzed using the matrix framework:

Principle of Least Privilege:

Formally: For each subject s, the set of rights in all cells of row s should be the minimum necessary for s to perform its function.

$$\forall s \in S: \bigcup_{o \in O} A[s, o] = MinimumRequired(function(s))$$

Separation of Duty:

Formally: Certain rights should never co-exist in the same subject's row.

$$\forall s \in S: \neg(approvePayment \in A[s, payroll] \land createPayment \in A[s, payroll])$$

Information Flow:

The matrix implicitly defines information flow paths. If A[s, o₁] contains 'read' and A[s, o₂] contains 'write', then information can flow from o₁ to o₂ via subject s.

$$o_1 \rightarrow o_2 \text{ if } \exists s: read \in A[s, o_1] \land write \in A[s, o_2]$$

Decidability Constraints:

Harrison, Ruzzo, and Ullman (HRU) proved that while the general safety problem is undecidable, restricted versions are decidable:

1. Mono-conditional commands: Only one condition checked → decidable but NP-complete
2. Mono-operational commands: Only one state change per command → decidable in linear time
3. No creation of subjects/objects: Fixed matrix size → decidable

Practical systems often fall into these tractable categories, enabling formal security verification.

The HRU Model (Harrison, Ruzzo, and Ullman, 1976) formalized the Access Matrix with a rigorous computational framework. It defines exactly how commands operate on the matrix and establishes fundamental limits on what can be computed about access control.

Formal Definition:

An HRU system consists of:

• R: a finite set of access rights
• C: a finite set of commands
• Config: configurations (S, O, A) representing protection states

Each command has the form:

command name(X₁, X₂, ..., Xₖ):
    if r₁ in A[Xs₁, Xo₁] and
       r₂ in A[Xs₂, Xo₂] and
       ...and
       rₘ in A[Xsₘ, Xoₘ]
    then
        op₁; op₂; ...; opₙ

Where each op is one of the six primitive operations we defined earlier.

The Safety Theorem:

The central result of HRU is the safety theorem:

Definition (Safety): An initial configuration is safe for a right r with respect to command set C if there is no sequence of commands in C that, starting from the initial configuration, can cause r to be entered into a cell where it did not previously exist.

Theorem (HRU, 1976): The safety question is undecidable for arbitrary HRU systems. That is, there exists no algorithm that, given an arbitrary HRU system and initial configuration, can always correctly determine if the system is safe.

Proof Sketch:

The proof works by showing that HRU systems can simulate a Turing machine:

1. Subjects represent tape cells
2. Rights represent tape symbols
3. Commands simulate tape head movement and symbol writing
4. Halting corresponds to a right entering a specific cell

Since the halting problem is undecidable, safety must also be undecidable.

We've explored the Access Matrix Model—the theoretical foundation underlying all access control mechanisms. Let's consolidate the key concepts:

What's Next:

In the following pages, we'll examine the components of the Access Matrix in greater depth. We'll explore subjects and objects in detail, analyze the taxonomy of access rights, study implementation strategies (Access Control Lists and Capability Lists), and address the critical challenge of matrix size in real systems.