The schematic protection model: its definition and analysis for acyclic attenuating schemes

The protection state of a system is defined by the privileges possessed by subjects at a given moment. Operations that change this state are themselves authorized by the current state. This poses a design problem in constructing the initial state so that all derivable states conform to a particular policy. It also raises an analysis problem of characterizing the protection states derivable from a given initial state. A protection model provides a framework for both design and analysis. Design generality and tractable analysis are inherently conflicting goals. Analysis is particularly difficult if creation of subjects is permitted. The schematic protection model resolves this conflict by classifying subjects and objects into protection types. The privileges possessed by a subject consist of a type-determined part specified by a static protection scheme and a dynamic part consisting of tickets (capabilities). It is shown that analysis is tractable for this model provided certain restrictions are imposed on subject creation. A scheme authorizes creation of subjects via a binary relation on subject types. Our principal constraint is that this relation be acyclic, excepting loops that authorize a subject to create subjects of its own type. Our assumptions admit a variety of useful systems.
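The two constraints the abstract states, that creation of subjects is authorized by a binary relation on subject types and that this relation must be acyclic except for self-loops, can be checked mechanically. The following is an added illustration, not code from the paper: it encodes a constructed scheme's can-create relation, rejects schemes whose relation has a cycle of length two or more, computes the finite closure of types that creation can ever introduce from a given initial state (the property that keeps analysis tractable), and simulates creation in a protection state so that a creation the scheme does not authorize is refused. The type names, the ticket representation `(object, right)` and the rule that a parent receives a `control` ticket for its child are assumptions made for the example.

```python
"""Checks on a schematic-protection-model style scheme (constructed example)."""
from collections import defaultdict

# Constructed can-create relation cc: subject type -> set of subject types it
# may create. Self-loops (a type creating its own type) are permitted.
CC = {
    "admin":   {"admin", "user"},
    "user":    {"user", "process"},
    "process": {"process", "worker"},
    "worker":  set(),
}


def find_cycle(cc):
    """Return a list of types forming a cycle of length >= 2 in cc, or None.

    Self-loops are skipped because the acyclic condition in the paper exempts
    loops that let a subject create subjects of its own type.
    """
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {t: WHITE for t in cc}
    for targets in cc.values():
        for t in targets:
            color.setdefault(t, WHITE)
    path = []

    def dfs(u):
        color[u] = GRAY
        path.append(u)
        for v in sorted(cc.get(u, ())):
            if v == u:              # self-loop: allowed, ignore
                continue
            if color[v] == GRAY:    # back edge: u ... v ... u is a cycle
                return path[path.index(v):] + [v]
            if color[v] == WHITE:
                found = dfs(v)
                if found:
                    return found
        path.pop()
        color[u] = BLACK
        return None

    for t in sorted(color):
        if color[t] == WHITE:
            found = dfs(t)
            if found:
                return found
    return None


def is_acyclic_except_self_loops(cc):
    return find_cycle(cc) is None


def creatable_types(initial_types, cc):
    """Closure of subject types reachable by creation from the initial types.

    Because the set of types is fixed by the static scheme, this closure is
    finite even though the number of subjects can grow without bound.
    """
    seen = set(initial_types)
    frontier = list(initial_types)
    while frontier:
        t = frontier.pop()
        for u in cc.get(t, ()):
            if u not in seen:
                seen.add(u)
                frontier.append(u)
    return seen


class ProtectionState:
    """Subjects with types (static part) and tickets (dynamic part)."""

    def __init__(self, cc):
        if not is_acyclic_except_self_loops(cc):
            raise ValueError("scheme's create relation is not acyclic: %r" % find_cycle(cc))
        self.cc = cc
        self.type_of = {}                 # subject name -> type
        self.tickets = defaultdict(set)   # subject name -> {(object, right)}

    def add_subject(self, name, typ):
        self.type_of[name] = typ

    def create(self, parent, child, child_type):
        """Create `child`; authorized only if cc permits it for parent's type."""
        ptype = self.type_of[parent]
        if child_type not in self.cc.get(ptype, ()):
            raise PermissionError("%s (%s) may not create type %s" % (parent, ptype, child_type))
        self.type_of[child] = child_type
        # Assumed create rule for the example: parent gets a control ticket.
        self.tickets[parent].add((child, "control"))
        return child


def demo():
    st = ProtectionState(CC)
    st.add_subject("alice", "user")
    st.create("alice", "alice_shell", "process")
    st.create("alice_shell", "job1", "worker")
    return st
```

A scheme in which `worker` could create `user` would put `user -> process -> worker -> user` into the relation; `find_cycle` reports it and `ProtectionState` refuses to load the scheme, which is exactly the class of scheme the paper excludes from its tractability result.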
