Outline for April 7, 2005

Miscellaneous ACM points

Copy flag

Own as a special right

Principle of Attenuation of Privilege

What is the safety question?

An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.

Question: in a given arbitrary protection system, is safety decidable?

Mono-operational protection systems: decidable

Theorem: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.

General case: It is undecidable whether a given state of a given protection system is safe for a given generic right.

Represent TM as ACM; reduce halting problem to it

Take-Grant

Introduce as counterpoint to HRU result

Show symmetry

Show islands (maximal subject-only tg-connected subgraphs)

Show bridges (as a combination of terminal and initial spans)

Predicates

can·share(r, x, y, G_{0}) iff there is an edge from x to y labelled r in G_{0}, or all of the following hold:

there is a vertex y′ with an edge from y′ to y labelled r;

there is a subject y′′ which terminally spans to y′, or y′′ = y′;

there is a subject x′ which initially spans to x, or x′ = x; and

there is a sequence of islands I_{1}, ..., I_{n} connected by bridges for which x′ is in I_{1} and y′ is in I_{n}.

Go through interpretation
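
An added example (not part of the original outline) that evaluates the four can·share conditions on a small constructed graph. It assumes the usual Take-Grant definitions, which the outline does not spell out: terminal span = word t→*, initial span = t→* g→, bridge = t→*, t←*, t→* g→ t←* or t→* g← t←*. Paths are treated as walks, and island adjacency needs no separate step because a direct t or g edge between two subjects already matches a bridge word.

```python
from collections import deque

# Constructed sample graph: edge (source, target) -> set of rights on that edge.
SUBJECTS = {"p", "u", "v"}                      # x, q, s, y are objects
EDGES = {("p", "x"): {"g"}, ("p", "u"): {"t"},  # p initially spans to x
         ("u", "q"): {"g"}, ("v", "q"): {"t"},  # bridge u..v, word g-> t<-
         ("v", "s"): {"t"}, ("s", "y"): {"r"}}  # v terminally spans to s

def t_reach(edges, start):
    """Vertices reachable from start along forward t edges (word t->*)."""
    seen, todo = {start}, deque([start])
    while todo:
        u = todo.popleft()
        for (a, b), rights in edges.items():
            if a == u and "t" in rights and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def can_share(r, x, y, subjects, edges):
    if r in edges.get((x, y), ()):              # direct edge x -> y labelled r
        return True
    T = {s: t_reach(edges, s) for s in subjects}
    # y': any vertex holding r over y
    holders = {a for (a, b), rs in edges.items() if b == y and r in rs}
    # y'': subjects that terminally span to some y' (or are y')
    enders = {s for s in subjects if T[s] & holders}
    # x': subjects that initially span to x (t->* g->), or x itself
    starters = {s for s in subjects
                if s == x or any("g" in edges.get((a, x), ()) for a in T[s])}

    def bridged(u, v):
        # t->* / t<-*, or a g edge (either direction) joining the t-reach sets
        if v in T[u] or u in T[v]:
            return True
        return any("g" in rs and ((a in T[u] and b in T[v]) or
                                  (a in T[v] and b in T[u]))
                   for (a, b), rs in edges.items())

    # Walk the chain of islands and bridges from every x' looking for a y''.
    seen, todo = set(starters), deque(starters)
    while todo:
        u = todo.popleft()
        if u in enders:
            return True
        for v in subjects - seen:
            if bridged(u, v):
                seen.add(v)
                todo.append(v)
    return False
```

On the sample graph `can_share("r", "x", "y", SUBJECTS, EDGES)` holds; reversing the t edge between v and q breaks the only bridge and the predicate becomes false.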

Schematic Protection Model

Model components

Link function

Filter function

Example: Take-Grant as an instance of SPM

Create operations and attenuation