Outline for January 15, 2007

Greetings and Felicitations!

Stealing

Definition: can·steal(r, x, y, G_{0}) is true iff there is no edge from x to y labeled r in G_{0}, and there exists a sequence of protection graphs G_{0}, ..., G_{n} such that G_{0} ⊢* G_{n} in which:

G_{n} has an edge from x to y labeled r;

There is a sequence of rule applications ρ_{1}, ..., ρ_{n} such that G_{i-1} ⊢_{ρ_{i}} G_{i}; and

For all vertices v, w in G_{i-1}, if there is an edge from v to y in G_{0} labeled r, then ρ_{i} is not of the form "v grants (r to y) to w"
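The definition can be checked directly on small graphs by searching for a witness derivation. The following is an added example, not part of the original outline: a breadth-first search over the take and grant rules that refuses any grant of (r to y) by a vertex that already held r to y in G_{0}, i.e. condition (c). It assumes a fixed vertex set (the create and remove rules are left out) and a small step bound, so a None result only says that no short take/grant-only witness exists.

```python
from collections import deque

def take_grant_successors(G, subjects, y, r, holders):
    """Yield (rule, next_graph) for every take or grant application on G.
    G is a frozenset of (src, dst, right) edges; only vertices in `subjects`
    may apply rules. Grants of (r to y) by a vertex in `holders` (the owners
    of r to y in G_0) are skipped: that is condition (c) of can·steal."""
    for (p, q, right) in G:
        if p not in subjects:
            continue
        if right == 't':            # p takes (alpha to z) from q
            for (q2, z, alpha) in G:
                if q2 == q and (p, z, alpha) not in G:
                    yield f"{p} takes ({alpha} to {z}) from {q}", G | {(p, z, alpha)}
        if right == 'g':            # p grants (alpha to z) to q
            for (p2, z, alpha) in G:
                if p2 == p and (q, z, alpha) not in G:
                    if (z, alpha) == (y, r) and p in holders:
                        continue    # an original owner may not hand the right out
                    yield f"{p} grants ({alpha} to {z}) to {q}", G | {(q, z, alpha)}

def can_steal(G0, subjects, r, x, y, steps=6):
    """Search for G_0 |-* G_n with an r edge from x to y in G_n, using at most
    `steps` rule applications. Returns the rule sequence, or None."""
    G0 = frozenset(G0)
    if (x, y, r) in G0:
        return None                 # the right is already held, so nothing is stolen
    holders = {v for (v, w, right) in G0 if w == y and right == r}
    seen, queue = {G0}, deque([(G0, [])])
    while queue:
        G, path = queue.popleft()
        if (x, y, r) in G:
            return path
        if len(path) >= steps:
            continue
        for rule, nxt in take_grant_successors(G, subjects, y, r, holders):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [rule]))
    return None

if __name__ == "__main__":
    # Constructed graphs: x steals by taking; s may not simply grant to x;
    # a non-owner u may take the right and pass it on.
    print(can_steal({('x', 's', 't'), ('s', 'y', 'r')}, {'x', 's'}, 'r', 'x', 'y'))
    print(can_steal({('s', 'x', 'g'), ('s', 'y', 'r')}, {'s', 'x'}, 'r', 'x', 'y'))
    print(can_steal({('u', 's', 't'), ('s', 'y', 'r'), ('u', 'x', 'g')}, {'u', 's'}, 'r', 'x', 'y'))
```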

Example

Theorem: can·steal(r, x, y, G_{0}) iff all of the following hold:

there is no edge from x to y labeled r in G_{0};

there is a subject x′ which initially spans to x, or x′ = x; and

there is a vertex s with an edge to y labeled r in G_{0} and for which can·share(t, x, s, G_{0}) holds

Conspiracy

Access set

Deletion set

Conspiracy graph

I, T sets

Theorem: can·share(r, x, y, G_{0}) iff there is a path from some h(p) ∈ I(x) to some h(q) ∈ T(y)

Schematic Protection Model

Model components

Link function

Filter function

Example: Take-Grant as an instance of SPM

Create operations and attenuation

Flow functions, maximal state

Safety analysis