State is (S, O, A) where A is access control matrix
Rights (represent abstract notions)
Instantiating access control matrices
Example 1: UNIX file system
read, write, execute on files
read, write, execute on directories
Example 2: Boolean expression evaluation
Verbs and rules
Access Restriction Facility
Example 3: History and limiting rights
createsubjects (note that ∀ x [ A[s′, x] = A[x, s′] = ∅ ])
createobjecto (note that ∀ x [ A[x, o′] = ∅ ])
Commands and examples
Regular command: create•file
Mono-operational command: make•owner
Conditional command: grant•rights
Biconditional command: grant•read•if•r•and•c
Doing “or” of 2 conditions: grant•read•if•r•or•c
Copy flag and right
Own as a distinguished right
Principle of attenuation of privilege
What is the safety question?
An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
Question: in a given arbitrary protection system, is safety decidable?
Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.