Outline for January 15, 2007

1. Greetings and Felicitations!
2. Stealing
   1. Definition: can·steal(r, x, y, G₀) true iff there is no edge from x to y labeled r in G₀, and there exists a sequence of protection graphs G₀, ..., G_n such that G₀ |-* G_n in which:
      1. G_n has an edge from x to y labeled r
      2. There is a sequence of rule applications ρ₁, ..., ρ_n such that G_i-1 |- G_i; and
      3. For all vertices v, w in G_i-1, if there is an edge from v to y in G₀ labeled r, then ρ_i is not of the form "v grants (r to y) to w"
   2. Example
   3. Theorem: can·steal(r, x, y, G₀) iff all of the following hold:
      1. there is no edge from x to y labeled r in G₀;
      2. there is a subject x′ which initially spans to x, or x′ = x; and
      3. there is a vertex s with an edge to y labeled r in G₀ and for which can·share(t, x, s, G₀) holds
3. Conspiracy
   1. Access set
   2. Deletion set
   3. Conspiracy graph
   4. I, T sets
   5. Theorem: can·share(r, x, y, G₀) iff there is a path from some h(p) ∈ I(x) to some h(q) ∈ T(y)
4. Schematic Protection Model
   1. Model components
   2. Link function
   3. Filter function
   4. Example: Take-Grant as an instance of SPM
   5. Create operations and attenuation
   6. Flow functions, maximal state
   7. Safety analysis