April 4, 2025 Outline

Reading: text,§3.3–3.4
Assignments: Homework #1, due April 14; Project selection, due April 16

Module 7 (text, §3.3)

1. Take-Grant Protection Model
   1. Counterpoint to HRU result
   2. Symmetry of take and grant rights
   3. Islands (maximal subject-only tg-connected subgraphs)
   4. Bridges (as a combination of terminal and initial spans)

Module 8 (text, §3.3.2–3.3.2)

2. Sharing
   1. Definition: can•share(α, x, y, G₀) true iff there exists a sequence of protection graphs G₀, …, G_n such that G₀ ⊢^* G_n using only take, grant, create, remove rules and in G_n, there is an edge from x to y labeled α
   2. Theorem: can•share(α, x, y, G₀) iff there is an edge from x to y labeled α in G₀, or all of the following hold:
      1. there is a vertex y′ with an edge from y′ to y labeled α
      2. there is a subject y′ which terminally spans to y′, or y′ = y′
      3. there is a subject x′ which initially spans to x, or x′ = x; and
      4. there is a sequence of islands I₁, …, I_n connected by bridges for which x′ ∈ I₁ and y′ ∈ I_n.
3. Model Interpretation
   1. ACM very general, broadly applicable; Take-Grant more specific, can model fewer situations
   2. Example: shared buffer managed by trusted third party

Module 9 (text, §3.3.3–3.3.4)

4. can•steal(α, x, y, G₀) definition and theorem
   1. Definition: can•steal(α, x, y, G₀) true iff there is no edge labeled α from x to y in G₀ and there exists a sequence of protection graphs G₀, …, G_n such that the following hold simultaneously:
      1. there is an edge from x to y labeled r in G_n;
      2. there is a sequence of rule applications ρ₁, …, ρ_n such that G_i−1 ⊢^* G_n using ρ_i; and
      3. for all vertices v and w in G_{i−1n, if there is an edge from v to y in G0 labeled α, then ρi is not of the form “v grants (α to y) to w”.}
   2. Theorem: can•steal(α, x, y, G₀) iff all of the following hold:
      1. there is an edge from x to y labeled r in G_n;
      2. there is a subject vertex x′ such that x′ = x or x′ initially spans to x; and
      3. there is a vertex s with an edge labeled α to y in G₀ and for which can•share(t, x, s, G₀) holds.
5. Conspiracy
   1. What is of interest?
   2. Access, deletion sets
   3. Conspiracy graph
   4. Number of conspirators

Module 10 (text, §3.4)

6. Schematic Protection Model
   1. Protection type, ticket, function, link predicate, filter function

Matt Bishop Office: 2209 Watershed Sciences Phone: +1 (530) 752-8060 Email: mabishop@ucdavis.edu

ECS 235B, Foundations of Computer and Information Security Version of April 4, 2025 at 10:45AM

You can also obtain a PDF version of this.