The Transfer of Information and Authority in a Protection System




Although formal models have contributed to our understanding of capability-based protection systems, they have been properly criticized for concentrating on the movement of “authority” or “access privilege” within the system, rather than on the movement of the information. For example, the Take/Grant Model describes the exact conditions under which a particular user can get the authority to access a file. If the conditions are satisfied, then the user can access the information. But if they are not satisfied, it does not follow that the user cannot get at the information. There may be some way to transfer the information without the user ever getting direct authority to access it. The Take/Grant Model gives no information about such transfers, and other models are similarly mute.

In this paper we take a modest step towards elucidating the problem.
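The gap the abstract describes, as an added Python sketch that is not taken from the paper: on a constructed protection graph, bob cannot acquire the read right over report under the take and grant rules, yet the contents of report can still reach him. Assumptions: the create and remove rules are omitted, information is taken to move along any r or w edge exercised by a subject, and all node and function names are hypothetical.

```python
# Constructed graph: alice, bob are subjects; report, mailbox are objects.
SUBJECTS = {"alice", "bob"}
EDGES = {("alice", "report"): {"r"},
         ("alice", "mailbox"): {"w"},
         ("bob", "mailbox"): {"r"}}

def authority_closure(edges, subjects):
    """Apply take and grant to a fixed point (create/remove omitted: assumption)."""
    g = {k: set(v) for k, v in edges.items()}
    changed = True
    while changed:
        changed = False
        for (x, y), xy in list(g.items()):
            if x not in subjects:
                continue  # only subjects can invoke a rule
            for (a, z), rights in list(g.items()):
                if "t" in xy and a == y:
                    new = (x, z)      # take: x copies y's rights over z
                elif "g" in xy and a == x:
                    new = (y, z)      # grant: x gives y its own rights over z
                else:
                    continue
                if new[0] != new[1] and not rights <= g.get(new, set()):
                    g.setdefault(new, set()).update(rights)
                    changed = True
    return g

def can_acquire(edges, subjects, who, right, target):
    """Authority question: can `who` ever hold `right` over `target`?"""
    return right in authority_closure(edges, subjects).get((who, target), set())

def can_learn(edges, subjects, reader, source):
    """Information question: can data in `source` reach `reader`?"""
    flows = set()
    for (x, y), rights in authority_closure(edges, subjects).items():
        if x in subjects and "r" in rights:
            flows.add((y, x))  # x reads y: data moves y -> x
        if x in subjects and "w" in rights:
            flows.add((x, y))  # x writes y: data moves x -> y
    seen, frontier = {source}, [source]
    while frontier:
        u = frontier.pop()
        for a, b in flows:
            if a == u and b not in seen:
                seen.add(b)
                frontier.append(b)
    return reader in seen

if __name__ == "__main__":
    print(can_acquire(EDGES, SUBJECTS, "bob", "r", "report"))  # False
    print(can_learn(EDGES, SUBJECTS, "bob", "report"))         # True
```

An access review that only answers the authority question would report bob as having no path to report, while the mailbox that alice writes and bob reads carries the data to him.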


This was my first technical report, and my first exposure to the Take/Grant Protection Model. That later became the topic of my dissertation.