January 12, 2023 Outline

Reading: text, §2, 3.1–3.4.4, [1,2]
Due: Homework #1, due January 24; Project Selection, due January 26

  1. Attribute-Based Access Control Matrix [1]
    1. Attributes
    2. Predicates
    3. Modified primitive operations
    4. Commands
  2. What is the safety question?
    1. An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
    2. Question: in a given arbitrary protection system, is safety decidable?
  3. Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
  4. General case: It is undecidable whether a given state of a given protection system is safe for a given generic right. [2]
    1. Approach: represent Turing machine tape as access control matrix, transitions as commands
    2. Reduce halting problem to it
  5. Related results
    1. The set of unsafe systems is recursively enumerable
    2. Monotonicity: no delete or destroy primitive operations
    3. The safety question for biconditional monotonic protection systems is undecidable.
    4. The safety question for monoconditional monotonic protection systems is decidable.
    5. The safety question for monoconditional protection systems without the destroy primitive operation is decidable.
  6. Take-Grant Protection Model
    1. Counterpoint to HRU result
    2. Symmetry of take and grant rights
    3. Islands (maximal subject-only tg-connected subgraphs)
    4. Bridges (as a combination of terminal and initial spans)
  7. Sharing
    1. Definition: can•share(α, x, y, G0) is true iff there exists a sequence of protection graphs G0, …, Gn such that G0* Gn, there is an edge from x to y labeled α
    2. Theorem: can•share(r, x, y, G0) iff there is an edge from x to y labeled r in G_0, or all of the following hold:
      1. there is a vertex y′ with an edge from y′ to y labeled r;
      2. there is a subject y′′ which terminally spans to y′, or y′′ = y′;
      3. there is a subject x′ which initially spans to x, or x′ = x; and
      4. there is a sequence of islands I0, …, In connected by bridges for which x′I1 and y′′In.
  8. Model Interpretation
    1. ACM very general, broadly applicable; Take-Grant more specific, can model fewer situations
    2. Example: shared buffer managed by trusted third party
  9. can•steal(r, x, y, G0) definition and theorem
  10. Conspiracy
    1. What is of interest?
    2. Access, deletion sets
    3. Conspiracy graph
    4. Number of conspirators
  11. Schematic Protection Model
    1. Protection type, ticket, function, link predicate, filter function
    2. Take-Grant as an instance of SPM
    3. Create rules and attenuation


  1. X. Zhang, Y. Li, and D. Nalla, “An Attribute-Based Access Control Matrix Model,” Proceedings of the 2005 ACM Symposium on Applied Computing pp. 359–363 (Mar. 2005);
    DOI: 10.1145/1066677.1066760.
  2. M. Tripunitara and N. Li, “The Foundational Work of Harrison-Ruzzo-Ullman Revisited,” IEEE Transactions on Dependable and Secure Computing 10(1) pp. 280–309 (Jan. 2013);
    DOI: 10.1109/TDSC.2012.77.

UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 235B, Foundations of Computer and Information Security
Version of January 16, 2023 at 5:49PM

You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh