This thesis presents a general model of access control. It uses a simple notion of an access permission token, which gives permission to reference an associated object. Sets of permission tokens are used to model the maximum reach of an object, and reasoning about access to groups of objects. Links between sets are used to model propagation. Restricting access to an object is important for example when dealing with aliasing, multiple references to a single object. Aliasing is ubiquitous in object-oriented programming, and while practical and even necessary for many purposes, it is also a common source of errors. Since an aliased object may change at any time without notice to the other holders of references to that object, one can generall...