April 5, 2017 Outline

Reading: Chapters from revised text, §2, 3.1–3.2; [TL13]

  1. Primitive operations
    1. enter r into A[s, o]
    2. delete r from A[s, o]
    3. create subject s′ (note that ∀x [ A[s′, x] = A[x, s′] = ∅ ])
    4. create object o′ (note that ∀x [ A[x, o′] = ∅ ])
    5. destroy subject s
    6. destroy object o
  2. Commands and examples
    1. Regular command: createfile
    2. Mono-operational command: makeowner
    3. Conditional command: grantrights
    4. Biconditional command: grantreadifrandc
    5. Doing “or” of 2 conditions: grantreadifrorc
    6. General form
  3. Miscellaneous points
    1. Copy flag and right
    2. Own as a distinguished right
    3. Principle of attenuation of privilege
  4. What is the safety question?
    1. An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
    2. Question: in a given arbitrary protection system, is safety decidable?
  5. Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
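As an added worked example (not part of the lecture notes), the following Python models the matrix A[s, o] with the six primitive operations, builds the commands named in point 2 from them, and applies the definition of leaking from point 4 to a single command execution. The command bodies are assumed, since the outline lists only their names; the "or" case is written as two commands with one body, because HRU conditions are conjunctions only.

```python
from typing import Dict, Set, Tuple

class ACM:
    """Access control matrix A[s, o] with the six HRU primitive operations."""
    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()   # subjects are objects too (S is a subset of O)
        self.A: Dict[Tuple[str, str], Set[str]] = {}
    def rights(self, s: str, o: str) -> Set[str]:
        return self.A.get((s, o), set())

    # primitive operations
    def enter(self, r: str, s: str, o: str) -> None:
        self.A.setdefault((s, o), set()).add(r)
    def delete(self, r: str, s: str, o: str) -> None:
        self.rights(s, o).discard(r)
    def create_subject(self, s: str) -> None:   # new row and column, all cells empty
        self.subjects.add(s); self.objects.add(s)
    def create_object(self, o: str) -> None:    # new column, all cells empty
        self.objects.add(o)
    def destroy_subject(self, s: str) -> None:
        self.subjects.discard(s); self.destroy_object(s)
    def destroy_object(self, o: str) -> None:
        self.objects.discard(o)
        self.A = {c: v for c, v in self.A.items() if o not in c}

    # commands named in the outline (bodies are assumed; the outline lists names only)
    def createfile(self, p, f):                 # regular command
        self.create_object(f)
        for r in ("own", "r", "w"): self.enter(r, p, f)
    def makeowner(self, p, f):                  # mono-operational: exactly one primitive
        self.enter("own", p, f)
    def grantrights(self, p, q, f):             # conditional: if own in A[p, f]
        if "own" in self.rights(p, f):
            self.enter("r", q, f); self.enter("w", q, f)
    def grantreadifrandc(self, p, q, f):        # biconditional: r and c in A[p, f]
        if "r" in self.rights(p, f) and "c" in self.rights(p, f):
            self.enter("r", q, f)
    # conditions are conjunctions only, so "r or c" is two commands with the same body
    def grantreadifr(self, p, q, f):
        if "r" in self.rights(p, f): self.enter("r", q, f)
    def grantreadifc(self, p, q, f):
        if "c" in self.rights(p, f): self.enter("r", q, f)

def leaks(acm: ACM, right: str, command, *args) -> bool:
    """True if the command enters `right` into a cell that did not contain it."""
    before = {c: set(v) for c, v in acm.A.items()}
    command(*args)
    return any(right in v and right not in before.get(c, set())
               for c, v in acm.A.items())
```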

Version of April 5, 2017 at 9:41AM