In a system based on authorization, the power that a subject has to operate on the system is a function of the privileges which he possesses. In this paper we introduce a mechanism for the transport of such privileges. The control provided over the transport of privileges by this mechanism has two notable properties. The control is local, in the sense that every movement of privileges into the domain of a given subject, and out of it, must be authorized by privileges already in this domain. The control is selective, in the sense that it permits the creation of transport-channels which allow for the movement of only certain types of privileges. We show that the proposed, so called, Send-Receive transport mechanism supports local analysis which allows one to evaluate the potential power of a given subject, independently of the rest of the system. This property is considered essential for effective modularization.
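A toy model of the locally controlled, selective transport the abstract describes, added here as an illustration and not code from the paper: the names `Priv`, `System`, `transport` and `potential_kinds`, and the encoding of a channel as a `send(dst, kind)` ticket in the sender's domain paired with a `receive(src, kind)` ticket in the receiver's domain, are this example's own simplification. It assumes a transported privilege is copied rather than moved, and that the control tickets themselves are not transportable, so the local bound on a subject's potential power is exact.

```python
from collections import defaultdict
from dataclasses import dataclass

CONTROL = ("send", "receive")  # ticket kinds that authorize transport (assumption)

@dataclass(frozen=True)
class Priv:
    kind: str       # e.g. "read", "write", or a control kind "send"/"receive"
    target: str     # object the privilege refers to, or peer subject for control kinds
    carries: str = ""  # for control kinds: the privilege kind the channel may carry

class System:
    def __init__(self):
        self.domains = defaultdict(set)  # subject -> set of Priv held in its domain

    def grant(self, subject, priv):
        self.domains[subject].add(priv)

    def transport(self, src, dst, priv):
        """Copy priv from src's domain to dst's domain, but only if both ends
        already hold a matching ticket: locality means no outside party can
        push or pull a privilege; selectivity means the channel is typed."""
        if priv.kind in CONTROL or priv not in self.domains[src]:
            return False
        # sender side: src must hold send(dst, kind)
        if Priv("send", dst, priv.kind) not in self.domains[src]:
            return False
        # receiver side: dst must hold receive(src, kind)
        if Priv("receive", src, priv.kind) not in self.domains[dst]:
            return False
        self.domains[dst].add(priv)
        return True

    def potential_kinds(self, subject):
        """Local analysis: every privilege kind that can ever appear in
        subject's domain, computed from that domain alone (no need to
        inspect any other subject), since inflow needs a receive ticket."""
        held = {p.kind for p in self.domains[subject] if p.kind not in CONTROL}
        receivable = {p.carries for p in self.domains[subject] if p.kind == "receive"}
        return held | receivable

def demo():
    """Constructed scenario: alice may send only 'read' privileges to bob."""
    s = System()
    s.grant("alice", Priv("read", "file1"))
    s.grant("alice", Priv("write", "file1"))
    s.grant("alice", Priv("send", "bob", "read"))
    s.grant("bob", Priv("receive", "alice", "read"))
    moved_read = s.transport("alice", "bob", Priv("read", "file1"))
    moved_write = s.transport("alice", "bob", Priv("write", "file1"))
    return s, moved_read, moved_write
```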