Outline for October 7, 2014

1. Primitive operations
   1. enter r into A[s, o]
   2. delete r from A[s, o]
   3. create subject s (note that ∀x [A[s’, x] = A[x, s’] = ∅])
   4. create object o (note that ∀x [A[x, o’] = ∅])
   5. destroy subject s
   6. destroy object o
2. Commands and examples
   1. Regular command: create•file
   2. Mono-operational command: make•owner
   3. Conditional command: grant•rights
   4. Biconditional command: grant•read•if•r•and•c
   5. Doing “or” of 2 conditions: grant•read•if•r•or•c
3. Miscellaneous points
   1. Copy flag and right
   2. Own as a distinguished right
   3. Principle of attenuation of privilege
4. What is the safety question?
   1. An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
   2. Question: in a given arbitrary protection system, is safety decidable?
5. Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
6. General case: It is undecidable whether a given state of a given protection system is safe for a given generic right.
   1. Approach: represent Turing machine tape as access control matrix, transitions as commands
   2. Reduce halting problem to it
7. Related results
   1. The set of unsafe systems is recursively enumerable
   2. Monotonicity: no delete or destroy primitive operations
   3. The safety question for biconditional monotonic protection systems is undecidable.
   4. The safety question for monoconditional monotonic protection systems is decidable.
   5. The safety question for monoconditional protection systems without the destroy primitive operation is decidable.

ECS 235A, Computer and Information Security Fall Quarter 2014