Language - Based Security Scribe :

Access-control lists (ACLs) are a traditional way to enforce permissions for access control. A trusted entity (e.g., operating system) knows which principals (e.g., users, programs) have access to which resources (e.g., files). One problem with ACLs is that they do not keep track of why each principal was granted a certain set of permissions. This allows a malicious entity to misuse permissions, i.e., use permissions for purposes other than those for which they were intended. For example, consider the following scenario. The owner of a server o↵ers the server as a computation resource to many users. The system has a compiler installed, and the owner of the system wants to bill users according to how much they are using the compiler. To this end, the compiler appends an entry to a log file, /var/billing.log, every time a user compiles a file. At the end of every month, the owner of the system bills users according to the entries in /var/billing.log. To protect against malicious users, the system owner does not give users direct access to /var/billing.log. Instead, the system owner gives the compiler program, cc, permission to open and write to /var/billing.log. The idea is that users can only open the file /var/billing.log through the compiler—which is trusted to only modify the file in a correct way. To make this concrete, when the user executes the command