April 1, 2026 Outline
Reading: text, §3.1–3.3; [1,2,3]
Assignments: Homework #1, due April 10; Project selection, due April 17
- Attribute-Based Access Control Matrix
- Attributes
- Predicates
- Modified primitive operations
- Commands
- What is the safety question?
- An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
- Question: in a given arbitrary protection system, is safety decidable?
- Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
- General case: It is undecidable whether a given state of a given protection system is safe for a given generic right.
- Approach: represent Turing machine tape as access control matrix, transitions as commands
- Reduce halting problem to it
- Related results
- The set of unsafe systems is recursively enumerable
- Monotonicity: no delete or destroy primitive operations
- The safety question for biconditional monotonic protection systems is undecidable.
- The safety question for monoconditional monotonic protection systems is decidable.
- The safety question for monoconditional protection systems without the destroy primitive operation is decidable.
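As an added example (mine, not from the outline or from [1,2]): an access control matrix with the HRU enter primitive, two constructed mono-operational commands, and a breadth-first search of the reachable states that answers the safety question for a right, returning the leaking command sequence when the initial state is unsafe. The subjects, objects, rights and command names are assumptions made for the example. Because these commands contain no create or destroy operation, the reachable set is finite and the search decides safety outright; the HRU bound for general mono-operational systems (no deletes, at most one create) is not implemented here.

```python
# Added example for this outline (not code from the lecture or from [1,2]):
# an access control matrix with the HRU enter primitive, two mono-operational
# commands, and an exhaustive search for a leak of a given right. Subjects,
# objects, rights and commands are constructed for the example.
from collections import deque
from itertools import product

class ACM:
    """Access control matrix a[s, o] -> set of rights; subjects are objects too."""
    def __init__(self, subjects, objects, entries):
        self.subjects, self.objects = frozenset(subjects), frozenset(objects)
        self.a = {(s, o): frozenset() for s in self.subjects for o in self.objects}
        for cell, rights in entries.items():
            self.a[cell] = frozenset(rights)

    def key(self):                       # hashable snapshot, for the visited set
        return frozenset(self.a.items())

    def enter(self, r, s, o):            # primitive operation: enter r into a[s, o]
        new = ACM(self.subjects, self.objects, self.a)
        new.a[(s, o)] = self.a[(s, o)] | {r}
        return new

# Each command has conditions on its parameters and exactly one primitive
# operation (mono-operational). Indices refer to parameter positions.
COMMANDS = {
    # share_read(s1, s2, o): if own in a[s1,o] and trust in a[s1,s2] then enter read into a[s2,o]
    "share_read":  dict(arity=3, cond=[("own", 0, 2), ("trust", 0, 1)], op=("read", 1, 2)),
    # chain_trust(s1, s2, s3): if trust in a[s1,s2] and trust in a[s2,s3] then enter trust into a[s1,s3]
    "chain_trust": dict(arity=3, cond=[("trust", 0, 1), ("trust", 1, 2)], op=("trust", 0, 2)),
}

def successors(m):
    """Every (command, parameters, next state) whose conditions hold in m and
    whose enter actually changes the matrix."""
    for name, c in COMMANDS.items():
        for p in product(sorted(m.objects), repeat=c["arity"]):
            if not all(p[i] in m.subjects and r in m.a[(p[i], p[j])] for r, i, j in c["cond"]):
                continue
            r, i, j = c["op"]
            if p[i] in m.subjects and r not in m.a[(p[i], p[j])]:
                yield name, p, m.enter(r, p[i], p[j])

def find_leak(m0, right, cell=None):
    """Breadth-first search of reachable states. Returns the shortest command
    sequence that enters `right` into an entry lacking it (a leak), optionally
    restricted to the entry `cell`; None means the initial state is safe for
    `right`. No command here creates or destroys, so the reachable set is
    finite and the search terminates: it decides safety for this system."""
    seen, queue = {m0.key()}, deque([(m0, [])])
    while queue:
        m, trace = queue.popleft()
        for name, p, nxt in successors(m):
            r, i, j = COMMANDS[name]["op"]
            if r == right and (cell is None or (p[i], p[j]) == cell):
                return trace + [(name, p)]
            if nxt.key() not in seen:
                seen.add(nxt.key()); queue.append((nxt, trace + [(name, p)]))
    return None

def initial_state():
    subjects = ["alice", "bob", "eve"]
    return ACM(subjects, subjects + ["file"], {
        ("alice", "file"): {"own", "read", "write"},
        ("alice", "bob"): {"trust"},
        ("bob", "eve"): {"trust"},
    })

if __name__ == "__main__":
    m0 = initial_state()
    print(find_leak(m0, "read"))                   # leaks at once via share_read(alice, bob, file)
    print(find_leak(m0, "read", ("eve", "file")))  # chain_trust(alice, bob, eve), then share_read
    print(find_leak(m0, "write"))                  # None: no command enters write
```

The targeted query shows why the safety question matters: alice never grants anything to eve directly, yet because trust is made transitive by chain_trust, read reaches a[eve, file] in two commands.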
- Take-Grant Protection Model
- Counterpoint to HRU result
- Symmetry of take and grant rights
- Islands (maximal subject-only tg-connected subgraphs)
- Bridges (as a combination of terminal and initial spans)
- Sharing
- Definition: can•share(α, x, y, G0) is true iff there exists a sequence of protection graphs G0, …, Gn such that G0 ⊢* Gn using only the take, grant, create, and remove rules and, in Gn, there is an edge from x to y labeled α
- Theorem: can•share(α, x, y, G0) iff there is an edge from x to y labeled α in G0, or all of the following hold:
- there is a vertex y′ with an edge from y′ to y labeled α;
- there is a subject y′′ which terminally spans to y′, or y′′ = y′;
- there is a subject x′ which initially spans to x, or x′ = x; and
- there is a sequence of islands I1, …, In connected by bridges for which x′ ∈ I1 and y′′ ∈ In.
- Model Interpretation
- ACM very general, broadly applicable; Take-Grant more specific, can model fewer situations
- Example: shared buffer managed by trusted third party
- can•steal(α, x, y, G0) definition and theorem
- Definition: can•steal(α, x, y, G0) is true iff there is no edge labeled α from x to y in G0 and there exists a sequence of protection graphs G0, …, Gn such that the following hold simultaneously:
- there is an edge from x to y labeled α in Gn;
- there is a sequence of rule applications ρ1, …, ρn such that Gi-1 ⊢* Gi using ρi; and
- for all vertices v and w in Gi-1, 1 ≤ i < n, if there is an edge from v to y in G0 labeled α, then ρi is not of the form “v grants (α to y) to w”.
- Theorem: can•steal(α, x, y, G0) iff all of the following hold:
- there is an edge from x to y labeled α in Gn;
- there is a subject vertex x′ such that x′ = x or x′ initially spans to x; and
- there is a vertex s with an edge labeled α to y in G0 and for which can•share(t, x, s, G0) holds.
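The following, added here and not code from the lecture or from [3], encodes a protection graph with the take, grant and create rules and evaluates can•share and can•steal from G0 alone using the two theorems above: it enumerates tg-path words against the span and bridge forms, computes islands, and follows bridges between them. It also shows the symmetry of take and grant: in a graph where x holds only g to an object a and s holds t to a and r to y, the theorem says can•share(r, x, y, G0) holds, and the listed rule sequence produces the edge. The vertex names x, a, s, y, z, the rights r, t, g and all function names are constructed for this example.

```python
# Added example for this outline, not code from the lecture or the cited papers:
# a Take-Grant protection graph with the take/grant/create rules, and can•share /
# can•steal decided from G0 alone by the theorems above. Names are constructed.
import re

# Letters of a tg-path word, read from the path's start: "t>" is an edge labeled
# t in the direction of travel, "t<" one against it; likewise for g.
BRIDGE = re.compile(r"(t>)*|(t<)*|(t>)*g>(t<)*|(t>)*g<(t<)*")
INITIAL = re.compile(r"(t>)*g>")    # x initially spans to y: word t->* g->
TERMINAL = re.compile(r"(t>)*")     # x terminally spans to y: word t->*

class ProtectionGraph:
    def __init__(self):
        self.vertices, self.subjects, self.edges = set(), set(), {}
    def add(self, v, subject=False):
        self.vertices.add(v)
        if subject:
            self.subjects.add(v)
    def rights(self, u, v):
        return self.edges.get((u, v), set())
    def give(self, u, v, rights):
        self.edges.setdefault((u, v), set()).update(rights)
    # de jure rules; each asserts its precondition
    def take(self, x, y, z, rights):    # x takes (rights to z) from y
        assert x in self.subjects and "t" in self.rights(x, y) and rights <= self.rights(y, z)
        self.give(x, z, rights)
    def grant(self, x, y, z, rights):   # x grants (rights to z) to y
        assert x in self.subjects and "g" in self.rights(x, y) and rights <= self.rights(x, z)
        self.give(y, z, rights)
    def create(self, x, new, rights, subject=False):   # x creates vertex new
        assert x in self.subjects and new not in self.vertices
        self.add(new, subject)
        self.give(x, new, rights)
    def letters(self, u, v):            # ways a tg-path may step from u to v
        return [r + d for r in "tg" for d, a, b in ((">", u, v), ("<", v, u))
                if r in self.rights(a, b)]
    def words(self, u, v, seen=()):     # words of all simple tg-paths from u to v
        if u == v:
            yield ""
            return
        for w in self.vertices - set(seen) - {u}:
            for letter in self.letters(u, w):
                for rest in self.words(w, v, seen + (u,)):
                    yield letter + rest
    def spans(self, pattern, x, y):
        return x in self.subjects and any(pattern.fullmatch(w) for w in self.words(x, y))
    def islands(self):                  # maximal subject-only tg-connected subgraphs
        found = []
        for s in self.subjects:
            if any(s in i for i in found):
                continue
            comp, stack = {s}, [s]
            while stack:
                u = stack.pop()
                for v in self.subjects - comp:
                    if self.letters(u, v):
                        comp.add(v); stack.append(v)
            found.append(frozenset(comp))
        return found
    def bridged(self, i, j):            # is there a bridge from island i to island j?
        return any(self.spans(BRIDGE, s, t) for s in i for t in j)
    def can_share(self, alpha, x, y):   # by the theorem; no rule is applied
        if alpha in self.rights(x, y):
            return True
        isl = self.islands()
        island = lambda s: next(i for i in isl if s in i)
        for y1 in (v for v in self.vertices if alpha in self.rights(v, y)):               # y'
            for y2 in (s for s in self.subjects if s == y1 or self.spans(TERMINAL, s, y1)):  # y''
                for x1 in (s for s in self.subjects if s == x or self.spans(INITIAL, s, x)): # x'
                    reach, todo = {island(x1)}, [island(x1)]   # islands joined by bridges
                    while todo:
                        i = todo.pop()
                        for j in isl:
                            if j not in reach and self.bridged(i, j):
                                reach.add(j); todo.append(j)
                    if island(y2) in reach:
                        return True
        return False
    def can_steal(self, alpha, x, y):   # by the theorem: x must reach an alpha-holder s by takes
        if alpha in self.rights(x, y) or not any(s == x or self.spans(INITIAL, s, x) for s in self.subjects):
            return False
        return any(alpha in self.rights(s, y) and self.can_share("t", x, s) for s in self.vertices)

def build(subjects, objects, edges):
    g = ProtectionGraph()
    for v in subjects: g.add(v, True)
    for v in objects: g.add(v)
    for u, v, rights in edges: g.give(u, v, set(rights))
    return g

def witness_symmetry():
    # x holds only g to a; s holds t to a and r to y. The g> t< bridge makes can•share
    # true, and this rule sequence realizes it: with a cooperating s, grant does the work of take.
    g = build(["x", "s"], ["a", "y"], [("x", "a", "g"), ("s", "a", "t"), ("s", "y", "r")])
    assert g.can_share("r", "x", "y") and not g.can_steal("r", "x", "y")
    g.create("x", "z", {"t", "g"})        # x creates z, holding t and g to it
    g.grant("x", "a", "z", {"t", "g"})    # x grants (tg to z) to a
    g.take("s", "a", "z", {"t", "g"})     # s takes (tg to z) from a
    g.grant("s", "z", "y", {"r"})         # s grants (r to y) to z
    g.take("x", "z", "y", {"r"})          # x takes (r to y) from z
    return "r" in g.rights("x", "y")
```

The contrast between the two bridge forms is the point: with x→a labeled t and a→s labeled t the word is t> t>, x can pull r from s without s doing anything, and both can•share and can•steal hold; with x→a labeled g and s→a labeled t the word is g> t<, sharing needs s to grant, so can•share holds but can•steal does not; with t on both x→a and s→a the word t> t< matches no bridge form and nothing can be shared.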
References
- X. Zhang, Y. Li, and D. Nalla, “An Attribute-Based Access Control Matrix Model,” Proceedings of the 2005 ACM Symposium on Applied Computing pp. 359–363 (Mar. 2005); DOI: 10.1145/1066677.1066760.
- M. Tripunitara and N. Li, “The Foundational Work of Harrison-Ruzzo-Ullman Revisited,” IEEE Transactions on Dependable and Secure Computing 10(1) pp. 280–309 (Jan. 2013); DOI: 10.1109/TDSC.2012.77.
- M. Bishop, “Conspiracy and Information Flow in the Take-Grant Protection Model,” Journal of Computer Security 4(4) pp. 331–359 (1996); DOI: 10.3233/JCS-1996-4404.