A Practical Formal Model for Safety Analysis in Capability-Based Systems

We present a formal system that models programmable abstractions for access control. Composite abstractions and patterns of arbitrary complexity are modeled as a configuration of communicating subjects. The subjects in the model can express behavior that corresponds to how information and authority are propagated in capability systems. The formalism is designed for analyzing how information and authority are confined in arbitrary configurations, but it is also useful in the reverse direction: given a global confinement policy, it can be used to calculate the restrictions a subject's behavior must satisfy for that policy to hold. We introduce a subclass of these systems, which we call "saturated", that provides safe and tractable approximations of the safety properties of arbitrary configurations of collaborating entities.
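The following Python sketch is an added illustration of the two directions of analysis the abstract describes; it is not the paper's formalism, which this page does not reproduce. The transfer rule it assumes is deliberately simple (a hypothetical "saturated" semantics, stated as an assumption): a subject holding a capability to B can send messages to B, a saturated subject forwards every capability it holds to every subject it can reach, and a "restricted" subject keeps what it receives but never forwards. Because holdings only grow, iterating that rule to a fixpoint gives a conservative upper bound on the authority any subject can ever acquire, which is the kind of safe over-approximation a saturated model is meant to provide. The subject names, the configuration and the policy are constructed for the example.

```python
"""Saturated-closure bound on authority propagation in a small capability configuration.

Assumed (hypothetical) semantics, not the paper's own formalism:
  - `caps[a]` is the set of subjects that `a` currently holds a capability to;
  - a subject holding a capability to `b` can send `b` any capability it holds;
  - a saturated subject performs every such transfer it can;
  - a restricted subject never forwards (it may still receive).
"""
from __future__ import annotations

from itertools import combinations

Caps = dict[str, set[str]]

# Constructed example configuration: alice can reach a deputy and a secret object,
# the deputy has a reply channel to mallory, and mallory can invoke the deputy.
EXAMPLE: Caps = {
    "alice": {"deputy", "secret"},
    "deputy": {"logger", "mallory"},
    "mallory": {"deputy"},
}

# Global confinement policy (constructed): mallory must never gain authority to `secret`.
POLICY: set[tuple[str, str]] = {("mallory", "secret")}


def saturated_closure(initial: Caps, restricted: frozenset[str] = frozenset()) -> Caps:
    """Least fixpoint of the assumed transfer rule: the maximal holdings reachable
    when every non-restricted subject behaves as a saturated forwarder."""
    holdings: Caps = {s: set(t) for s, t in initial.items()}
    for targets in list(holdings.values()):
        for t in targets:
            holdings.setdefault(t, set())  # every named subject gets an entry
    changed = True
    while changed:
        changed = False
        for sender, targets in holdings.items():
            if sender in restricted:
                continue  # restricted subjects keep, but never forward, capabilities
            for receiver in list(targets):
                for cap in list(targets):
                    if cap not in holdings[receiver]:
                        holdings[receiver].add(cap)
                        changed = True
    return holdings


def violates(holdings: Caps, policy: set[tuple[str, str]]) -> set[tuple[str, str]]:
    """Forward direction: which forbidden (holder, target) pairs are reachable?"""
    return {(h, t) for (h, t) in policy if t in holdings.get(h, set())}


def minimal_restrictions(
    initial: Caps, policy: set[tuple[str, str]], candidates: list[str]
) -> list[frozenset[str]]:
    """Reverse direction: all smallest sets of candidate subjects that must be
    restricted (forbidden from forwarding) for the closure to satisfy the policy.
    Exhaustive over subsets, which is fine for configurations small enough to
    check by hand; returns [] if no restriction of the candidates suffices."""
    for k in range(len(candidates) + 1):
        found = [
            frozenset(subset)
            for subset in combinations(candidates, k)
            if not violates(saturated_closure(initial, frozenset(subset)), policy)
        ]
        if found:
            return found
    return []


if __name__ == "__main__":
    full = saturated_closure(EXAMPLE)
    print("unrestricted closure violates:", violates(full, POLICY))
    print("minimal restrictions:", minimal_restrictions(EXAMPLE, POLICY, ["alice", "deputy", "logger"]))
```

Under the unrestricted closure the policy is violated (alice hands the deputy a capability to `secret`, and the saturated deputy forwards it to mallory over the reply channel). The reverse analysis then reports that restricting either `alice` or `deputy` alone is sufficient, while restricting `logger` is not, since it never lies on the path from `secret` to `mallory`.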