January 12, 2024 Outline

Reading: text, 3.3–3.4
Due: Homework #1, due January 19; Project selection, due January 26

Module 7 (Reading: text: §3.3)

9. Take-Grant Protection Model
   1. Counterpoint to HRU result
   2. Symmetry of take and grant rights
   3. Islands (maximal subject-only tg-connected subgraphs)
   4. Bridges (as a combination of terminal and initial spans)

Module 8 (Reading: text: §3.3.1–3.3.2)

10. Sharing
    1. Definition: can•share(α, x, y, G₀) true iff there exists a sequence of protection graphs G₀ …, G_n such that G₀ ⊢^* G_n using only take, grant, create, remove rules and in G_n, there is an edge from x to y labeled α
    2. Theorem: can•share(r, x, y, G₀) iff there is an edge from x to y labeled r in G₀, or all of the following hold:
       1. there is a vertex y′ with an edge from y′ to y labeled r;
       2. there is a subject y′′ which terminally spans to y′, or y′′ = y′;
       3. there is a subject x′ which initially spans to x, or x′ = x; and
       4. there is a sequence of islands I₁, …, I_n connected by bridges for which x′ ∈ I₁ and y′′ ∈ I_n.
11. Model Interpretation
    1. ACM very general, broadly applicable; Take-Grant more specific, can model fewer situations
    2. Example: shared buffer managed by trusted third party

Module 9 (Reading: text: §3.3.3–3.3.5)

12. can•steal(r x, y, G₀) definition and theorem
    1. Definition: can•steal( α, x, y, G₀) true iff there is no edge labeled α from x to y in G₀ and there exists a sequence of protection graphs G₀, …, G_n and there exists a sequence of protection graphs such that the following hold simultaneously:
       1. there is an edge from x to y labeled α in G_n;
       2. there is a sequence of rule applications ρ₁, … ρ_n; and
       3. for all vertices v and w in G_i−1, 1 ≤ i <n, if there is an edge from v to y in G₀ labeled α, then ρ_i is not of the form “v grants (α to y) to w”.
    2. Theorem: can•steal(α, x, y, G₀) iff all of the following hold:
       1. there is no edge from x to y labeled α in G_n;
       2. there is an edge from x to y labeled α in G_n;
       3. there is a subject vertex x′ such that x′ = x or x′ initially spans to x; and
       4. there is a vertex s with an edge labeled α to y in G₀ and for which can•steal(t, x, s, G₀) holds.
13. Conspiracy
    1. What is of interest?
    2. Access, deletion sets
    3. Conspiracy graph
    4. Number of conspirators

Module 10 (Reading: text, §3.4)

14. Schematic Protection Model (SPM)
    1. Protection type, ticket, function, link predicate, filter function
    2. Take-Grant as an instance of SPM

Matt Bishop Office: 2209 Watershed Sciences Phone: +1 (530) 752-8060 Email: mabishop@ucdavis.edu

ECS 235B, Foundations of Computer and Information Security Version of January 12, 2024 at 1:32PM

You can also obtain a PDF version of this.