The transfer of information and authority in a protection system

In the context of a capability-based protection system, the term “transfer” is used (here) to refer to the situation where a user receives information when he does not initially have a direct “right” to it. Two transfer methods are identified: de jure transfer refers to the case when the user acquires the direct authority to read the information; de facto transfer refers to the case when the user acquires the information (usually in the form of a copy and with the assistance of others), without necessarily being able to get the direct authority to read the information. The Take-Grant Protection Model, which already models de jure transfers, is extended with four rewriting rules to model de facto transfer. The configurations under which de facto transfer can arise are characterized. Considerable motivational discussion is included.
