Undecidability of Safety for the Schematic Protection Model with Cyclic Creates

Abstract: In the schematic protection model, subjects are classified into protection types. Creation is authorized by a can-create binary relation on types. It is shown that with arbitrary cycles in can-create, safety is undecidable, whereas it has previously been shown that safety is decidable for acyclic can-create. It is also shown that safety remains undecidable even if all creates are attenuating, in that tickets (capabilities) given to a subject on its creation are attenuated copies of tickets available to its parent. This contrasts with decidable safety for attenuating cycles of length one. It appears that safety is decidable for the practically useful cases, while undecidability results from undue laxity in authorizing creation.
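The structural distinction the abstract draws (acyclic can-create, cycles of length one, arbitrary cycles) can be checked mechanically for a concrete scheme. The following is an added example, not code from the paper: the type names and sample relations are constructed, and it inspects only the shape of can-create, not whether the creates are attenuating.

```python
def reachable(can_create):
    """Transitive closure: reach[a] = types creatable from a in one or more steps."""
    types = set(can_create) | {c for cs in can_create.values() for c in cs}
    reach = {t: set(can_create.get(t, ())) for t in types}
    changed = True
    while changed:
        changed = False
        for t in types:
            new = set().union(*(reach[c] for c in reach[t])) - reach[t]
            if new:
                reach[t] |= new
                changed = True
    return reach


def classify_can_create(can_create):
    """Classify a can-create relation given as {parent_type: {child_type, ...}}.

    Returns (kind, self_loops, long_cycle_types) where kind is one of:
      "acyclic"                 - the case the abstract reports as decidable
      "length-one-cycles-only"  - decidable per the abstract only if those
                                  creates are attenuating (not checked here)
      "cycles-longer-than-one"  - outside both decidable classes above
    """
    reach = reachable(can_create)
    # A cycle of length one: a type that can directly create its own type.
    self_loops = sorted(t for t, cs in can_create.items() if t in cs)
    # A type lies on a cycle of length >= 2 iff it reaches a different
    # type that reaches it back.
    long_cycles = sorted(
        t for t in reach if any(u != t and t in reach[u] for u in reach[t])
    )
    if long_cycles:
        kind = "cycles-longer-than-one"
    elif self_loops:
        kind = "length-one-cycles-only"
    else:
        kind = "acyclic"
    return kind, self_loops, long_cycles


# Constructed sample schemes (hypothetical type names).
ACYCLIC = {"user": {"process", "file"}, "process": {"file"}}
SELF_LOOP = {"user": {"file"}, "process": {"process"}}
CYCLIC = {"user": {"process"}, "process": {"user", "process"}, "file": set()}

if __name__ == "__main__":
    for name, scheme in [("ACYCLIC", ACYCLIC), ("SELF_LOOP", SELF_LOOP), ("CYCLIC", CYCLIC)]:
        print(name, classify_can_create(scheme))
```

A scheme reported as "cycles-longer-than-one" is a candidate for review of which create authorizations are actually needed, since it falls in the general class for which the paper shows safety undecidable.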
