Difference between "Subject" and "Object"

Chassidic1 (Member)
B"H

Quick question: is the difference between a "subject" and an "object" in terms of data on a PC whether or not this data exists within running-memory ("subject") vs. on disk alone ("object"); that is my current impression from comments made by Conrad in his book about this topic and I wanted to bounce the idea off you folks.

Another point of confusion here for me is this: in his definition of "subject" Conrad includes "entity", and cites as examples both people actively accessing data and data actively running in memory. Yet, in his definition of object he states "passive data within the system". Would an "object" include entities other than data, as does a "subject"? For example, would a $100 bill count as an object too?

Thanks,
Dovid

Comments

  • JDMurray (Admin; MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+)
    A subject is something that can manipulate an object; an object is something that can be manipulated by a subject.

    A subject is usually a human user or process running in memory.

    An object is any resource that exists anywhere a subject can access it (in memory, on disk, across a communications channel, in "the cloud", etc.).

    Subjects are active and objects are passive.

    This is basically how the concepts of subjects and objects work in English grammar too.
  • Chassidic1 (Member)
    Thanks JD, much appreciated. Hey, while I got you "on the line" here, I had a question also about a comment Conrad makes next about subject clearance levels versus object labels. He gives as examples of object labels "secret," "top secret", etc. So, what would be examples of subject clearance levels? For example, if I am a subject with a clearance level to "secret" versus "top secret" documents, what symbol do I use to denote my clearance level? Is there some special name or number or something?

    Also, Conrad notes that DAC is sometimes considered a form of MAC, sometimes not. I can see why - after all, something besides the subject's discretion determines their level of access (here: group membership). However, I cannot understand why DAC would be considered unique as compared to MAC... maybe because there are many groups ("roles") that exist within the operating system? Whereas in MAC the clearance/label is used and the group convention is, apparently, not?

    Just wondering,
    Thanks again!
    Dovid
  • JDMurray (Admin)
    I should start by saying that I have never read the Conrad book, so I am just giving my opinion based on what you are writing in this thread.
    To a human (subject), a security clearance is an assigned level of trustworthiness that the human will follow the rules s/he has agreed to. In other words, the degree of ethical behavior a human can be expected to demonstrate.

    To a resource (object), a security label specifies the level of sensitivity of that object to public exposure. When something labeled as Confidential is exposed to the public it may be somewhat bad for the owner, while something Top Secret exposed to the public is potentially catastrophic to the owning organization (and possibly to others as well).

    The actual label used to represent a security clearance level is completely arbitrary, and is defined by an organization creating a data classification standard (e.g., US DoD). You can say something is "Top Secret" or "5" or "Banana" and it can mean the same thing.

    The same security labels are not necessarily the same across all organizations. E.g., "Secret" in one organization is not necessarily treated with the same level of protection as "Secret" in another organization.

    Security clearances and security labels often have the same names so they may be matched for the purpose of determining authorization (e.g., a Secret clearance can see Secret material and lower). However, there are so many different dimensions of clearances (by employer, by customer, by program, by installation, passed a polygraph, "Need To Know," etc.) that a straight, one-to-one comparison is often not practical outside of academic examples, like those you find in IT security certification books.
  • JDMurray (Admin)
    Oh, on the "DAC can be MAC thing," realize that DAC is very flexible in its configuration. If you take a DAC environment (e.g. Windows) and configure it so the users cannot change any of their own permissions, you have a basic form of MAC. Conversely, it isn't possible to reconfigure a MAC environment to make it DAC.
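The clearance-versus-label matching described two posts up ("a Secret clearance can see Secret material and lower", with "Need To Know" as a further dimension) and the DAC-versus-MAC distinction in the post just above, as an added worked example in Python. This is not code from the thread, from Conrad's book, or from Windows or any real MAC implementation: the level names, the use of compartments to stand in for need-to-know, the Bell-LaPadula "no read up / no write down" rules, and the alice/bob/carol scenario are all constructed here for illustration.

```python
"""Toy reference monitor contrasting discretionary (DAC) and mandatory (MAC)
access decisions. Added example for this thread; not code from Conrad's book
or any real operating system. Level names and the scenario are constructed."""
from dataclasses import dataclass, field

# Ordered sensitivity levels. The names are arbitrary (the thread's "5" or
# "Banana" would work just as well); only the ordering matters.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Clearance (on a subject) or classification label (on an object):
    a level plus a set of compartments standing in for need-to-know."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: at least as high, and covers every compartment."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Object:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # DAC state: name -> {"read", "write"}


def dac_grant(grantor, obj, grantee, op):
    """DAC: only the owner may hand out access, but to anyone they like."""
    if grantor.name != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(op)
    return True


def dac_allows(subject, obj, op):
    return op in obj.acl.get(subject.name, set())


def mac_allows(subject, obj, op):
    """Bell-LaPadula rules: no read up (clearance must dominate the label),
    no write down (the label must dominate the clearance). Neither the owner
    nor the subject can change this outcome; only relabelling by an admin can."""
    if op == "read":
        return subject.clearance.dominates(obj.label)
    if op == "write":
        return obj.label.dominates(subject.clearance)
    return False


def allowed(subject, obj, op, mode="both"):
    """'dac': ACL only; 'mac': labels only; 'both': labels gate the ACL."""
    if mode == "dac":
        return dac_allows(subject, obj, op)
    if mode == "mac":
        return mac_allows(subject, obj, op)
    return dac_allows(subject, obj, op) and mac_allows(subject, obj, op)


def scenario():
    """Constructed scenario: alice owns a SECRET/ALPHA document and, under DAC,
    grants her friend bob read access even though bob lacks the ALPHA
    compartment. Returns each decision in a dict so it can be inspected."""
    alice = Subject("alice", Label("TOP SECRET", frozenset({"ALPHA"})))
    bob = Subject("bob", Label("SECRET"))                # right level, no ALPHA
    carol = Subject("carol", Label("TOP SECRET", frozenset({"ALPHA", "BRAVO"})))
    doc = Object("plan.doc", owner="alice", label=Label("SECRET", frozenset({"ALPHA"})))

    results = {}
    results["alice grants bob"] = dac_grant(alice, doc, "bob", "read")  # owner: ok
    results["bob grants dave"] = dac_grant(bob, doc, "dave", "read")    # not owner
    results["bob read dac"] = allowed(bob, doc, "read", "dac")          # friend gets in
    results["bob read mac"] = allowed(bob, doc, "read", "mac")          # no need-to-know
    results["bob read both"] = allowed(bob, doc, "read", "both")        # MAC overrides
    results["carol read mac"] = allowed(carol, doc, "read", "mac")      # TS/ALPHA,BRAVO dominates
    results["carol write mac"] = allowed(carol, doc, "write", "mac")    # write down denied
    return results


if __name__ == "__main__":
    for check, decision in scenario().items():
        print(f"{check:18s} -> {'ALLOW' if decision else 'DENY'}")
```

The difference between the two models is visible in which state each check consults: `dac_grant` asks only who owns the object, so an owner can let a friend in regardless of sensitivity, while `mac_allows` reads nothing but the two labels, so no act of the owner or the subject changes the answer. Running with `mode="both"` is the "DAC configured so users cannot defeat the label" arrangement from the post above: the ACL still exists, but the lattice check is applied on top of it.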
  • Chassidic1 (Member)
    JD, thanks again, smart answers.

    Before reading your post I thought that "secret" vs. "top secret", e.g. had an objective meaning based on the extent to which they would harm national security if disclosed (Heaven forbid). But I never stopped to think that this might apply: a) on other levels, e.g., not just national security, but, the security of a particular organization (e.g. within the nation); and that b) the damage assessment may be subjective. (For example, maybe it includes not just assets but reputation, etc.).

    To the point about DAC, MAC: good one; I didn't think of that either. One system you can adjust to create the results of the other, but not vice versa.

    My new goal here is - yes, still reviewing the same few systems of Access Control - the relative advantages of each. I understand why I might want DAC since not everyone appreciates having "the system" enforce rules on them without their own input. I also see the need on the flip side of preventing subjects from granting their friends (in the case of people) unnecessary access, which is possible with DAC; so, I see a need for MAC. The one question I have left at this moment is this:

    If it is the case that I can adjust RBAC, in essence, to achieve MAC level results, why is this not the best in - if not all, at least - most situations? At a superficial view, it seems hard to beat...you have your groups; you throw your users into them; you can get very granular in individual "permissions" if need be. So, the process doesn't seem overly time consuming; it is built into, say, MS Windows Server; it can reach almost any level of granularity of access control...why ditch that flexibility for MAC, which cannot be adjusted in such a granular way, seemingly?

    Thanks again,
    Dovid

    PS. I hope you don't mind the "101" questions. I like to engage the material, and draw on people's more expert knowledge and experience.
  • JDMurray (Admin)
    It's easy to get into apples-and-oranges with access control. Realize that the different models of access control are all academic. Specific implementations of an access control model within a real system will have some violations of the philosophy of the access control model, slight though they may be.

    Part of the integrity of MAC, Role-BAC, and Rule-BAC is that they can't be broken by reconfiguring them to some other access model, accidentally or otherwise. If you have a system where you can have multiple access models then that's a hybrid designed to put more bullet points on the marketing glossies (IMHO).

    And no problem the "101" questions. I'm looking at the possibility of soon teaching InfoSec courses in a classroom, so I certainly need this practice in answering these types of questions without running to Google first. ;)

    I just found Eric Conrad's Web site at http://www.ericconrad.com/ He might have some additional information in his blog and whitepapers that is helpful to you.
  • shomersec (Registered User)
    Let me know if you still have issues with the concept.

    Here's what I got:
    A file, directory, and computer are NOT considered subjects.
    An object is an entity that contains information.
    Subjects are granted or denied access to objects.
    A user, process, and group are subjects. Subjects actively request access to objects. Anything that requests access to an object is a subject. A program can be either a subject or an object, depending on its current use. A process is a particular instance of an application that is running. A group of processes that share access to the same resources is called a protection domain.

  • Chassidic1 (Member)
    Thanks again JD, much appreciated. Got to head home to home office to crank out my new questions of the day ;-p

    Hey, if you're in NYC let me know, I'd be happy to recommend you to a school near my place looking for I.T. instructors.

    Shomer, thank you also for taking the time to consider these topics. It seems to me at this time like, in the context of data, Conrad considers whatever is actively running a "subject" and whatever is not an "object."

    As for Conrad's site, I checked it, and then his Google group or something like that; I emailed him and he said I could join but he'd prefer if I ask once with more questions rather than many times with fewer questions, in not so many words...
  • shomersec (Registered User)
    Interesting... I have Conrad's book too, but what Conrad's site are you referring to? I'm still looking for a good bank of questions for my studies... right now I'm using Transcender and that's how I got the explanation I posted above.
  • 20188802 (Member)
    Can subject be data?
  • JDMurray (Admin)
    Wow, what a necro-thread to resurrect!

    Data is typically thought of as inert and does nothing on its own. Data may be operated upon by Subjects, which perform actions on Objects. Processes are Subjects and the data they chew on are Objects. (Note that program code is data because it is not "living" until made a running process by a Subject.)

    I like to think of data as an excavation site and intelligence as the cool fossils and artifacts that are found by the digging and mining actions of Subjects.