Access Matrix: The Foundation of Access Control

In the realm of access control, the universe divides into two fundamental categories: those who act and those who are acted upon. This distinction—between active agents initiating operations and passive resources receiving operations—lies at the heart of every authorization decision ever made.

Yet this seemingly clear division hides subtle complexities. Is a running process a subject, an object, or both? What about a user account that can be modified by administrators? When a program reads a file and writes to another, how do we model this chain of access? Understanding subjects and objects in depth is essential for comprehending how access control actually works in real systems.

A subject is an active entity that can initiate operations on objects. Subjects are the originators of access requests—they "do things" within the system. In formal terms:

Definition:

A subject is an entity that can cause information to flow among objects or change the system state.

The key characteristic is agency—subjects can initiate actions. They make requests of the form "I want to perform operation X on object Y."

Categories of Subjects:

1. Users: Human beings interacting with the system through sessions
2. Processes: Executing programs acting on behalf of users or other processes
3. Threads: Individual execution contexts within processes
4. Services/Daemons: Long-running programs performing system functions
5. System principals: The kernel, system services, or privileged components
6. Remote principals: Network entities accessing resources across machine boundaries

The User vs. Process Distinction:

A critical subtlety: users are not directly subjects in most operating systems. Users cannot directly access files or execute operations—they must do so through processes. The process acts as their agent.

Consider the chain:

1. User Alice logs into the system
2. A shell process is created running as Alice (UID = Alice's ID)
3. Alice types cat secret.txt
4. The shell forks a new process, still running as Alice
5. This cat process requests to read secret.txt
6. The kernel checks: Does the process's owner (Alice) have read permission?

The process is the subject making the access request, but the user identity determines what rights apply. This is why we say processes "run as" or "on behalf of" users.

Different operating systems model subjects in different ways. Let's examine how major systems represent subjects:

Unix/Linux Model:

In Unix, the fundamental subject is the process. Each process has:

struct process {
    uid_t   uid_real;      // Real user ID (who started the process)
    uid_t   uid_effective; // Effective user ID (used for access checks)
    uid_t   uid_saved;     // Saved set-user-ID
    gid_t   gid_real;      // Real group ID
    gid_t   gid_effective; // Effective group ID  
    gid_t   gid_saved;     // Saved set-group-ID
    gid_t   groups[];      // Supplementary group list
};

Access decisions use the effective UID/GID, which allows privilege transitions via setuid programs.

Windows Model:

Windows uses Security Identifiers (SIDs) authenticated in access tokens:

TOKEN {
    User SID:           S-1-5-21-...-1001 (Alice)
    Group SIDs:         S-1-5-21-...-512 (Domain Admins)
                        S-1-5-32-545 (Users)
    Privileges:         SeBackupPrivilege
                        SeRestorePrivilege
    Integrity Level:    High
    Session ID:         1
}

Every process and thread has a token. Access checks compare the token against object security descriptors.

Service Accounts and Non-Human Subjects:

Modern systems increasingly feature non-human subjects:

• Daemon processes: Run as dedicated service accounts (nobody, www-data, mysql)
• Container identities: Each container may have distinct subject credentials
• Kubernetes ServiceAccounts: Pods authenticate as automated identities
• Cloud service principals: AWS roles assumed by EC2 instances, Lambda functions
• Workload identities: SPIFFE/SPIRE for service-to-service authentication

These non-human subjects follow the same access matrix model—they're just rows in the matrix without a human behind them.

An object is a passive entity that contains or receives information. Objects are the targets of access requests—they are "acted upon" by subjects. In formal terms:

Definition:

An object is an entity to which access is controlled. It is typically a passive container for information or a representation of a resource.

The key characteristic is passivity—objects do not initiate actions. They respond to requests made by subjects.

Categories of Objects:

1. Files: Regular files, directories, symbolic links
2. Memory: Segments, pages, shared memory regions
3. Devices: Block devices, character devices, network interfaces
4. IPC mechanisms: Pipes, sockets, message queues, semaphores
5. Kernel objects: Processes, threads (when viewed as resources)
6. Network resources: Ports, connections, URLs
7. Abstract resources: Capabilities, permissions, quotas

Object Identification:

Objects must be uniquely identifiable for access control to work. Different systems use different identification schemes:

• Unix: Inodes (for files), device major/minor numbers, PIDs
• Windows: Handles, Security Descriptors, GUIDs for named objects
• URLs: Scheme://authority/path for web resources
• ARNs: arn:partition:service:region:account:resource for AWS
• URNs: Uniform Resource Names in distributed systems

The naming scheme matters because it defines the granularity of protection. If you can't name something, you can't protect it separately from other things.

Objects vary in their security sensitivity and integrity requirements. Classification schemes help organize access control policies:

Sensitivity Levels:

Multi-level security (MLS) systems assign sensitivity labels to objects:

These levels create a lattice: subjects at one level can read same-or-lower levels (no read-up) and write same-or-higher levels (no write-down) under the Bell-LaPadula model.

Integrity Levels:

The Biba model inverts this for integrity:

• High integrity objects (trusted configurations, signed code)
• Low integrity objects (user data, network input)

Subjects at high integrity cannot be corrupted by low-integrity objects (no read-down for integrity).

Categories and Compartments:

Beyond levels, objects may belong to compartments or categories:

• Project A files, Project B files (separate compartments)
• NATO-only, FVEY-only (intelligence compartments)
• Engineering, Finance, HR (departmental categories)

A subject needs clearance for the level AND all compartments to access an object:

Object: Secret // NATO // Project Alpha
Subject needs: Secret clearance + NATO access + Project Alpha access

This is the lattice model of access control, where objects and subjects are ordered by a partial ordering defined by (level, compartments) pairs.

Labels in Practice:

SELinux implements this through security contexts:

user_u:role_r:httpd_content_t:s0:c0.c255

• s0: Sensitivity level
• c0.c255: Categories (compartments)

These labels are attached to objects (files, sockets, processes) and used for all access decisions.

One of the most subtle aspects of access control is that many entities are both subjects and objects simultaneously. A process initiates operations (subject behavior) but can also be operated upon by other processes (object behavior).

Process as Dual Entity:

Consider process P:

As a Subject:

• P opens and reads files
• P creates new processes
• P sends signals to other processes
• P makes system calls

As an Object:

• Other processes can send signals to P
• Debuggers can attach to and modify P
• The kernel can terminate or suspend P
• Parent process can wait on P's status

In the Access Matrix, P appears as both a row (subject) and a column (object):

Other Dual Entities:

Implications for Access Control:

The dual nature means:

1. Every column for a dual entity has an implicit corresponding row
2. Rights must distinguish "what can X do to Y" from "what can Y do to X"
3. Self-referential entries (A[P, P]) can make sense: "Can process P modify itself?"
4. Circular dependencies are possible: P can kill Q if Q hasn't killed P first

The connection between names and objects is crucial for security. Access control checks must happen on the right object, which means the mapping from name to object must be secure.

The Binding Problem:

When a subject requests access to "/home/alice/document.txt":

1. The name "/home/alice/document.txt" must be resolved to an actual object (inode)
2. Access control is checked against that object
3. Operations occur on that object

The vulnerability: If the binding changes between name resolution and access check (or between check and use), the wrong object may be accessed.

TOCTOU Attacks (Time-of-Check to Time-of-Use):

Thread 1 (victim):              Thread 2 (attacker):
------------------------------------------------------
if (access("file", R_OK) == 0)  
                                symlink("/etc/passwd", "file")
    open("file", O_RDONLY)      // Opens /etc/passwd!

Between the access() check and open(), the attacker changes what "file" points to. The check passed for one object, but the open operates on another.

Secure Binding Mechanisms:

Systems use various techniques to ensure name-to-object binding security:

1. Capabilities: Reference objects by unforgeable tokens, not names. Once you have the capability (file descriptor), the object is bound.

2. Object handles: Windows uses handles (integers) that map to kernel objects. The mapping is per-process and protected by the kernel.

3. Authenticated naming: Object names include integrity checks (hashes, signatures) to detect tampering.

4. Protected namespaces: The namespace itself (directory) is protected, so only authorized subjects can modify bindings.

5. Atomic check-and-open: System calls like openat(dirfd, path, O_NOFOLLOW) combine resolution and access checking atomically.

Namespace Containerization:

Linux namespaces create isolated naming contexts. A process in namespace A sees different objects for "/tmp" than a process in namespace B, even though they use the same name. This provides object isolation at the naming level.

Beyond simple access rights, subjects and objects can have structured relationships that affect access control:

Ownership:

The owner relationship grants special meta-rights. The owner typically can:

• Read, write, execute the object (full access)
• Change permissions (modify the access matrix column)
• Transfer ownership to others
• Delete the object

Ownership usually starts with creation: the subject that creates an object becomes its owner. In Unix, file ownership is stored in the inode (uid, gid fields).

Creator Relationship:

The creator of a process is its parent. This establishes:

• Inheritance of credentials (child starts with parent's IDs)
• Control rights (parent can signal, wait on child)
• Resource limits (child inherits parent's ulimits)

Delegation:

An owner may delegate rights to other subjects without transferring ownership:

• chmod to add group read permission
• GRANT SELECT to another database user
• Sharing a file descriptor with a child process

Delegation can be recursive if the copy flag (e.g., WITH GRANT OPTION) is set.

We've explored the two fundamental entity types in access control. Let's consolidate the key concepts:

What's Next:

Now that we understand who acts (subjects) and what is acted upon (objects), we'll explore what they can do: access rights. The next page examines the taxonomy of rights, how different operations map to rights, and the meta-rights that control the access matrix itself.