CS 537 Notes, Section #29: Protection and Security

The purpose of a protection system is to prevent accidental or intentional misuse of a system.

There are three aspects to a protection mechanism:

Even the slightest flaw in any of these areas may ruin the whole protection mechanism.


Modern authentication is based on a three factor model: (1) what you have, (2) what you are, and (3) what you know.

What you know: This means some sort of password or PIN number. Passwords are commonly used by themselves and so are a relatively week form of authentication.

What you have: This means some sort physical device that you hold. It should be something that is difficult for forge or copy and, if stolen, is hard to use. Some examples:

What you are: this means using physical data about your body, called biometrics. It might be a finger or hand print, retinal scan, facial recognition, or even weight (or some combination of these).

You use two or three factor authentication for stronger security. Just using one factor alone has significant weakness. The most secure environments use all three factors, which means that the tricks that you have seen in the James Bond movies would not work that well in the real world.

Once identification is complete, the system must be sure to protect the identity since other parts of the system will rely on it.

Authorization Determination

Must indicate who is allowed to do what with what. Draw the general form as an access matrix with one row per user, one column per file. Each entry indicates the privileges of that user on that object. There are two general ways of storing this information: access lists and capabilities.

Access Lists: with each file, indicate which users are allowed to perform which operations.

Capabilities: with each user, indicate which files may be accessed, and in what ways.

Protection Matrix

Are the following things access-based or capability-based protection schemes?

Access Enforcement

Some part of the system must be responsible for enforcing access controls and protecting the authorization and identification information.

Copyright © 2010, 2013 Barton P. Miller
Non-University of Wisconsin students and teachers are welcome to print these notes their personal use. Further reproduction requires permission of the author.