April 4, 2025 Outline

Reading: text,§3.3–3.4
Assignments: Homework #1, due April 14; Project selection, due April 16

Module 7 (text, §3.3)

  1. Take-Grant Protection Model
    1. Counterpoint to HRU result
    2. Symmetry of take and grant rights
    3. Islands (maximal subject-only tg-connected subgraphs)
    4. Bridges (as a combination of terminal and initial spans)

Module 8 (text, §3.3.2–3.3.2)

  1. Sharing
    1. Definition: can•share(α, x, y, G0) true iff there exists a sequence of protection graphs G0, …, Gn such that G0 ⊢* Gn using only take, grant, create, remove rules and in Gn, there is an edge from x to y labeled α
    2. Theorem: can•share(α, x, y, G0) iff there is an edge from x to y labeled α in G0, or all of the following hold:
      1. there is a vertex y′ with an edge from y′ to y labeled α
      2. there is a subject y′ which terminally spans to y′, or y′ = y
      3. there is a subject x′ which initially spans to x, or x′ = x; and
      4. there is a sequence of islands I1, …, In connected by bridges for which x′ ∈ I1 and y′ ∈ In.
  2. Model Interpretation
    1. ACM very general, broadly applicable; Take-Grant more specific, can model fewer situations
    2. Example: shared buffer managed by trusted third party
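The four rewriting rules named in the can•share definition above, and the take/grant symmetry listed under Module 7, as an added Python example (not code from the text or the course): a small protection-graph class that enforces each rule's preconditions, and the derivation by which a subject x holding only a grant edge to y obtains y's right over z through a created vertex, just as a take edge would allow. The right α is written `a`, and all vertex names are constructed.

```python
from collections import defaultdict

class ProtectionGraph:
    """Take-Grant protection graph: subject/object vertices, edges carry sets of rights."""
    def __init__(self):
        self.vertices, self.subjects = set(), set()
        self.edges = defaultdict(set)            # (src, dst) -> rights
    def add_vertex(self, v, subject):
        self.vertices.add(v)
        if subject:
            self.subjects.add(v)
    def add_edge(self, src, dst, rights):
        self.edges[(src, dst)] |= set(rights)
    def has(self, src, dst, right):
        return right in self.edges[(src, dst)]
    def _check(self, ok, rule):
        if not ok:
            raise ValueError(f"{rule} rule: preconditions not met")
    # take: subject x with x -t-> y and y -a-> z gains x -a-> z
    def take(self, x, y, z, a):
        self._check(x in self.subjects and self.has(x, y, 't') and self.has(y, z, a), 'take')
        self.add_edge(x, z, a)
    # grant: subject x with x -g-> y and x -a-> z gives y the edge y -a-> z
    def grant(self, x, y, z, a):
        self._check(x in self.subjects and self.has(x, y, 'g') and self.has(x, z, a), 'grant')
        self.add_edge(y, z, a)
    # create: subject x adds a fresh vertex v and the edge x -rights-> v
    def create(self, x, v, rights, subject=False):
        self._check(x in self.subjects and v not in self.vertices, 'create')
        self.add_vertex(v, subject)
        self.add_edge(x, v, rights)
    # remove: subject x drops rights from its own outgoing edge to y
    def remove(self, x, y, rights):
        self._check(x in self.subjects, 'remove')
        self.edges[(x, y)] -= set(rights)

def grant_simulates_take(g, x, y, z, a, helper='v'):
    """Symmetry: subjects x, y with x -g-> y and y -a-> z let x acquire a over z,
    exactly what x -t-> y would give; 'helper' is a fresh vertex name (constructed)."""
    g.create(x, helper, 'tg')      # x creates v:              x -tg-> v
    g.grant(x, y, helper, 'g')     # x grants (g to v) to y:   y -g-> v
    g.grant(y, helper, z, a)       # y grants (a to z) to v:   v -a-> z
    g.take(x, helper, z, a)        # x takes (a to z) from v:  x -a-> z
    return g.has(x, z, a)

def demo():
    g = ProtectionGraph()            # constructed G0: subjects x, y; object z
    g.add_vertex('x', True); g.add_vertex('y', True); g.add_vertex('z', False)
    g.add_edge('x', 'y', 'g'); g.add_edge('y', 'z', 'r')
    return grant_simulates_take(g, 'x', 'y', 'z', 'r')   # True
```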

Module 9 (text, §3.3.3–3.3.4)

  1. can•steal(α, x, y, G0) definition and theorem
    1. Definition: can•steal(α, x, y, G0) true iff there is no edge labeled α from x to y in G0 and there exists a sequence of protection graphs G0, …, Gn such that the following hold simultaneously:
      1. there is an edge from x to y labeled r in Gn;
      2. there is a sequence of rule applications ρ1, …, ρn such that Gi−1 ⊢* Gn using ρi; and
      3. for all vertices v and w in Gi−1, if there is an edge from v to y in G0 labeled α, then ρi is not of the form “v grants (α to y) to w”.
    2. Theorem: can•steal(α, x, y, G0) iff all of the following hold:
      1. there is an edge from x to y labeled r in Gn;
      2. there is a subject vertex x′ such that x′ = x or x′ initially spans to x; and
      3. there is a vertex s with an edge labeled α to y in G0 and for which can•share(t, x, s, G0) holds.
  2. Conspiracy
    1. What is of interest?
    2. Access, deletion sets
    3. Conspiracy graph
    4. Number of conspirators

Module 10 (text, §3.4)

  1. Schematic Protection Model
    1. Protection type, ticket, function, link predicate, filter function

Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 235B, Foundations of Computer and Information Security
Version of April 4, 2025 at 10:45AM