The Transfer of Information and Authority in a Protection System
- M. Bishop and L. Snyder, “The Transfer of Information and Authority in a Protection System,” Research Report #166, Department of Computer Science, Yale University, New Haven, CT 06520 (July 1979)
Although formal models have contributed to our understanding of capability-based protection systems, they have been properly criticized for concentrating on the movement of “authority” or “access privilege” within the system, rather than on the movement of the information. For example, the Take/Grant Model describes the exact conditions under which a particular user can get the authority to access a file. If the conditions are satisfied, then the user can access the information. But if they are not satisfied, it does not follow that the user cannot get at the information. There may be some way to transfer the information without the user ever getting direct authority to access it. The Take/Grant Model gives no information and other models are similarly mute.
In this paper we take a modest step towards elucidating the problem.