Definition: can•share(α, x, y,
G0) iff there exists a sequence of protection
graphs G0, . . ., Gn such that
that G0 |−*Gn
using only take, grant, create, remove rules and in
Gn, there is an edge from x to y
labeled α
Theorem: can•share(α, x, y,
G0) iff there is an edge from x to y
labeled α in G0, or all of the following
hold:
there is a vertex y′ with an edge from
y′ to y labeled α;
there is a subject y′′ which terminally
spans to y′, or y′′ =
y′;
there is a subject x′ which initially spans to
x&, or x′ = x; and
there is a sequence of islands I1, . . .,
In connected by bridges for which
x′ ∈ I1 and y′
∈ In.
Model Interpretation
ACM very general, broadly applicable; Take-Grant more specific,
can model fewer situations
Theorem: G0 protection graph with exactly one
subject, no edges; R set of rights. Then G0, . .
., Gn iff G0 is a finite
directed graph containing subjects and objects only, with edges
labeled from nonempty subsets of R, and with at least one
subject with no incoming edges
Example: shared buffer managed by trusted third party
Stealing
Definition: can•steal(α, x, y,
G0) iff there is no edge from x to y labeled α in G0, and there
exists a sequence of protection graphs G0, . . ., Gn such that G0 |−*Gn in which:
Gn has an edge from x to y labeled α
There is a sequence of rule applications ρ1, . . ., ρn such that Gi−1 |−Gi; and
For all vertices v, w ∈ Gi−1, if there is an edge from v to y in G0 labeled α, then ρ, is not of the form “v grants (α to y) to w”
Example
Conspiracy
Access set
Deletion set
Conspiracy graph
I, T sets
Theorem: can•steal(α, x, y,
G0) iff there is a path from some h(p) ∈ I(x) to some h(q) ∈ T(y)