Outline for April 12, 2005

1. Take-Grant
   1. Introduce as counterpoint to HRU result
   2. Show symmetry
   3. Show islands (maximal subject-only tg-connected subgraphs)
   4. Show bridges (as a combination of terminal and initial spans)
2. Predicates
   1. can·share(r, x, y, G₀) iff there is an edge from x to y labelled r in G₀, or all of the following hold:
      1. there is a vertex y′ with an edge from y′ to y labelled r;
      2. there is a subject y′′ which terminally spans to y′, or y′′ = y′;
      3. there is a subject x′ which initially spans to x, or x′ = x; and
      4. there is a sequence of islands I₁, ..., I_n connected by bridges for which x′ is in I₁ and y′ is in I_n.
   2. Go through interpretation
3. Schematic Protection Model
   1. Model components
   2. Link function
   3. Filter function
   4. Example: Take-Grant as an instance of SPM
   5. Create operations and attenuation
4. Expressive power
   1. HRU vs. SPM
   2. Multiparent joint creates in HRU
   3. Adding multiparent joint creates to SPM (giving ESPM)
   4. Simulation of multiparent joint creates by 2-parent joint creates
   5. Monotonic ESPM, monotonic HRU equivalent
   6. Safety question in ESPM decidable if acyclic attenuating scheme
5. Comparing Expressive Power of Models
   1. Graph representation
   2. Go through 3-parent joint create as simulated by 2-parent joint create
   3. Correspondence between two schemes in terms of graph representation
   4. Formal definition of scheme A simulating scheme B
   5. Model expressive power
   6. Result: monotonic 1-parent models less expressive than monotonic multiparent models (so ESPM more expressive than SPM)
6. Typed Access Matrix Model
   1. Add notion of type for entities--set of types T, set of subject types TS ⊆ T
   2. New create rules: specify subject/object type
   3. In command, child type if something of that type created; otherwise, a parent type
   4. Show type graph and cycles in it
   5. Safety decidable for systems with acyclic MTAM schemes