Access control is an important aspect of secure computing. In general, access control involves deciding whether to permit access to a resource. The entity that requests access is referred to as a principal. A resource may be anything that can be accessed from a computer: data, a database, objects, hardware, programs, and so on. Often, the access determination may go beyond simply granting or denying access by determining a form of access. Thus access may be restricted in various ways, so that some principals are granted only limited access.
The access permission logic that determines whether to grant access, and what form of access to grant to a particular principal is sometimes referred to as a “reference monitor.” The reference monitor is typically a trusted piece of code that makes all access decisions. The reference monitor is presented with the identity of a principal making a request, the identity of a resource, and the specific form of access desired. The reference monitor then makes the access control decision by deciding whether to accept the proffered identity, and by consulting access control information associated with the resource.
Present access control systems use an arrangement whereby each human user, after login, is identified by a small identifier. Such an identifier may be a Security Identifier (SID) in WINDOWS®, or a User Identifier (User ID, or uid) in UNIX-based systems. The access control data for an operation is an access control list kept with the resource, and takes the form of a set whose members are either principals or identifiers for groups. A group, in turn, is a set whose members are either principals or identifiers for further groups. Access is permitted or denied based on the presence of the proffered principal in the closure of the access control list and its constituent groups, that is, the set of principals reached by expanding every group, and every group nested within it, down to individual principals.
Thus, a user directs an automated process, such as MICROSOFT WORD®, to access a resource, such as a document. The automated process makes such a request by passing the small identifier associated with the user to the reference monitor. Upon receiving the access request from an automated process initiated by a user, the reference monitor will consult the access control list associated with the resource and determine whether the requesting user is listed. If the user's small identifier can be found on the list, either directly or as a member of a group (including a group nested within another group), then the automated process initiated by the user may be allowed to access the requested resource. Note that the only information about the requester that reaches the reference monitor is the user's identifier; which program made the request plays no part in the decision.
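The following is an added illustration of the classic scheme described above, not code from the patent or from any WINDOWS® or UNIX implementation: a toy reference monitor that decides access by expanding the resource's access control list through nested groups (the "closure") and checking whether the requesting user's identifier appears in it. The user identifiers, group names and resources are constructed sample data, and the group data deliberately contains a cycle so that the expansion has to guard against looping. As the text notes, the request carries only the user identifier, so two different programs running in the same session receive the same decision; the `request_from_process` function makes that explicit.

```python
"""Toy reference monitor: user id + ACL + group closure (added example)."""

from dataclasses import dataclass

# Constructed sample group table. Integer members stand for small user
# identifiers (a UNIX uid or a Windows SID); string members name other groups.
GROUPS = {
    "staff": {1001, "finance"},     # staff contains finance as a sub-group
    "finance": {1002, "auditors"},  # finance contains auditors as a sub-group
    "auditors": {1003},
    "ops": {1004, "ops-oncall"},    # ops and ops-oncall refer to each other:
    "ops-oncall": {1005, "ops"},    # a cycle the closure must not loop on
}


def closure(members, groups=GROUPS):
    """Expand a set of ACL members (user ids and group names) into the set of
    user ids it denotes, following nested groups and tolerating cycles."""
    principals = set()
    seen_groups = set()
    stack = list(members)
    while stack:
        member = stack.pop()
        if isinstance(member, str):          # a group name
            if member in seen_groups:        # already expanded (or a cycle)
                continue
            seen_groups.add(member)
            stack.extend(groups.get(member, ()))  # unknown group: no members
        else:                                # an individual user id
            principals.add(member)
    return principals


@dataclass
class Resource:
    name: str
    acl: dict  # access mode -> set of user ids and/or group names


def check_access(resource, user_id, mode, groups=GROUPS):
    """Reference monitor decision: grant iff user_id is in the closure of the
    ACL entry for `mode`. A mode with no entry is denied."""
    entry = resource.acl.get(mode)
    if entry is None:
        return False
    return user_id in closure(entry, groups)


def request_from_process(process_name, user_id, resource, mode):
    """Model of how a program makes a request today: the process hands over
    the user's identifier and nothing about itself, so `process_name` is
    ignored by the decision. Returns (decision, what the monitor saw)."""
    decision = check_access(resource, user_id, mode)
    return decision, {"user": user_id, "resource": resource.name, "mode": mode}


# Constructed sample resource: finance (and anything nested in it) may read,
# only user 1002 may write.
BUDGET = Resource("budget.docx", {"read": {"finance"}, "write": {1002}})


if __name__ == "__main__":
    print(check_access(BUDGET, 1003, "read"))   # True: auditors is nested in finance
    print(check_access(BUDGET, 1001, "read"))   # False: staff is not under finance
    # A word processor and an ad-ware program in user 1002's session get
    # the same answer, because only the user id reaches the monitor.
    print(request_from_process("winword.exe", 1002, BUDGET, "read")[0])
    print(request_from_process("adware.exe", 1002, BUDGET, "read")[0])
```

The `seen_groups` set is what makes the closure terminate on cyclic group definitions; without it the `ops` / `ops-oncall` pair above would expand forever. Real systems additionally cache the expansion in the user's login token rather than recomputing it on every request, but the decision rule is the same.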
The above described access control design unfortunately has many limitations and drawbacks. These have become increasingly critical in recent years as the diversity of the programs installed in computer systems, and the diversity of attacks on computer systems, have increased.
For example, the notion that the principal is identified solely with a logged-in user does not allow for the expression of important real-world security situations. The human user is not really the entity making an access request; the request is being made by a program. Present designs assume that every program executing in a user's session is acting on the user's behalf and with the user's full trust. That might have been true historically, but it is certainly not true today. For example, modern computer users would most likely approve of MICROSOFT WORD® performing operations on resources that are WORD® documents, but would disapprove if some ad-ware program were doing so. Similarly, the modern user might reasonably object if WORD® were spontaneously accessing the user's QUICKEN® database.
A second example of the limitations and drawbacks of the above-described access control systems stems from the fact that the classical notion of “logged-in” is inflexible. It is all or nothing, and implies that all mechanisms for authenticating a user are equally trusted. Equivalently, it requires that every authentication mechanism be part of the trusted computing base. In reality, there may be various routes for logging into a computer system, and not all are created equal. Users who log in via a less secure path may not be trusted to access resources to which they might otherwise be entitled, yet the resulting session carries the same identifier, and therefore the same rights, as one established by the most secure path.
In view of these and other deficiencies in present access control technologies, the invention herein provides improved systems and methods for making access determinations in computer systems.