-
Notifications
You must be signed in to change notification settings - Fork 0
/
sarm.html
132 lines (122 loc) · 6.34 KB
/
sarm.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />
<title>Access rights management: slower means better — Nothing special</title>
<link rel="stylesheet" type="text/css" href="_static/pygments.css" />
<link rel="stylesheet" type="text/css" href="_static/classic.css" />
<script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/sphinx_highlight.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="copyright" title="Copyright" href="copyright.html" />
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="nav-item nav-item-0"><a href="index.html">Nothing special</a> »</li>
<li class="nav-item nav-item-this"><a href="">Access rights management: slower means better</a></li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="access-rights-management-slower-means-better">
<h1>Access rights management: slower means better<a class="headerlink" href="#access-rights-management-slower-means-better" title="Permalink to this heading">¶</a></h1>
<p>Proper management of resource access rights in computer systems is one of the
most complicated and, one might say, convoluted problems of computer system
design. Even more so, access rights are too often managed by means of badly
designed protocols, which are prone to abuse. However, proper design of
rights management protocol is impossible without an appropriate analysis of
protocol entities involved. In fact, root causes of security failures
experienced by rights management systems can easily be attributed to
incorrect identification of foundational entities of those systems.</p>
<p>There exist a considerable body of publications and software dedicated to
the issues of access rights and identity management. Unfortunately, many of
these works suffer from over formalization and other common “design by
committee” drawbacks, making them very difficult to implement and use
properly. Invariably, implementational difficulties translate into future
security failures. Thus, design of a quality access right management system
should not only be formally correct and featureful, but must also pay a close
attention to “mental ergonomics” of its developers and end-users.</p>
<section id="basic-traits-of-rights-management-systems">
<h2>Basic traits of rights management systems<a class="headerlink" href="#basic-traits-of-rights-management-systems" title="Permalink to this heading">¶</a></h2>
<p>Prior to management any sort of “rights”, one shall establish the nature of
objects and subjects, concept of “rights” applies to. In regard to computer
system, identifying the object is rather easy.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Just like with any system, access to a computer system always involves
observation or modification (control) of its state variables. Following
the accepted terminology (due to R. E. Kalman), we can formulate the
following rule. For every access channel established with the system, two
non-exhaustive, overlapping sets of system variables will be available: set
of controllable system state variables and (usually larger) set of observable
ones. These sets together form the “access rights set” (ARS) of the channel.</p>
</div>
<p>The issue of subjects, accessing the computer system is way more complicated.
First, it is clear, that computer system can only respond to an information,
emerging from a “near end” of an access channel. It has no material way to
“perceive” what’s going on on the “far end” of the mentioned access channel and
thus must rely on “identity proofs” of various strength to establish the
appropriate ARS.</p>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<div>
<h3><a href="index.html">Table of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Access rights management: slower means better</a><ul>
<li><a class="reference internal" href="#basic-traits-of-rights-management-systems">Basic traits of rights management systems</a></li>
</ul>
</li>
</ul>
</div>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="_sources/sarm.rst.txt"
rel="nofollow">Show Source</a></li>
</ul>
</div>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false"/>
<input type="submit" value="Go" />
</form>
</div>
</div>
<script>document.getElementById('searchbox').style.display = "block"</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="genindex.html" title="General Index"
>index</a></li>
<li class="nav-item nav-item-0"><a href="index.html">Nothing special</a> »</li>
<li class="nav-item nav-item-this"><a href="">Access rights management: slower means better</a></li>
</ul>
</div>
<div class="footer" role="contentinfo">
© <a href="copyright.html">Copyright</a> 2010 - 2023, Alex Dubov <[email protected]>.
Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 6.1.3.
</div>
</body>
</html>