Outline for April 7, 2006

Reading: text, §3.3.3—3.4

1. Greetings and felicitations!
2. Stealing
   1. Definition: can•steal(r, x, y, G₀) true iff there is no edge from x to y labeled r in G₀, and there exists a sequence of protection graphs G₀, ..., G_n such that G₀ ⊢^* G_n:
      1. G_n has an edge from x to y labeled r
      2. There is a sequence of rule applications ρ₁, ..., ρ_n such that G_n−1 ⊢ G_i; and
      3. For all vertices v, w in G_n−1, if there is an edge from v to y in G₀ labeled r, then ρ_i is not of the form “v grants (r to y) to w”
   2. Example
   3. Theorem: can•steal(r, x, y, G₀) iff all of the following hold:
      1. there is no edge from x to y labeled r in G₀;
      2. there is a subject x′ which initially spans to x, or x′ = x; and
      3. there is a vertex s with an edge labeled r to y in G₀ and for which can•share(r, x, y, G₀) holds
3. Conspiracy
   1. Access set
   2. Deletion set
   3. Conspiracy graph
   4. I, T sets
   5. Theorem: can•share(r, x, y, G₀) iff there is a path from some h(p) ∈ I(x) to some h(q) ∈ T(Y)
4. Schematic Protection Model
   1. Model components
   2. Link function
   3. Filter function
   4. Example: Take-Grant as an instance of SPM
   5. Create operations and attenuation