The expressive power of multi-parent creation in monotonic access control models

Formal demonstration of equivalence or nonequivalence of different security models helps identify the fundamental constructs and principles in such models. The authors demonstrate the nonequivalence of two monotonic access control models that differ only in the creation operation for new subjects and/or objects; in particular, they show that single-parent creation is less expressive than multi-parent creation in monotonic models. The paper also demonstrates that in nonmonotonic models, multi-parent creation can be reduced to single-parent creation, thereby neutralizing the difference in expressive power. The nonequivalence proof is carried out on an abstract access control model, following which the results are interpreted in standard formulations. In particular, they apply the results to demonstrate nonequivalence of the schematic protection model (SPM) and the extended schematic protection model (ESPM). They also show how the results apply to the typed access matrix model (TAM).<<ETX>>

[1]  Abe Lockman,et al.  Unidirectional Transport of Rights and Take–Grant Control , 1982, IEEE Transactions on Software Engineering.

[2]  Ravi S. Sandhu,et al.  Safety analysis for the extended schematic protection model , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[3]  J. Michael Spivey,et al.  The Z notation - a reference manual , 1992, Prentice Hall International Series in Computer Science.

[4]  Ravi S. Sandhu,et al.  Extending the creation operation in the Schematic Protection Model , 1990, [1990] Proceedings of the Sixth Annual Computer Security Applications Conference.

[5]  Ravi S. Sandhu,et al.  The Extended Schematic Protection Model , 1992, J. Comput. Secur..

[6]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[7]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[8]  Lawrence Snyder,et al.  The transfer of information and authority in a protection system , 1979, SOSP '79.

[9]  Lawrence Snyder,et al.  Formal Models of Capability-Based Protection Systems , 1981, IEEE Transactions on Computers.

[10]  Richard J. Lipton,et al.  A Linear time algorithm for deciding security , 1976, 17th Annual Symposium on Foundations of Computer Science (sfcs 1976).

[11]  Richard J. Lipton,et al.  A Linear Time Algorithm for Deciding Subject Security , 1977, JACM.

[12]  Peter J. Denning,et al.  Protection: principles and practice , 1972, AFIPS '72 (Spring).

[13]  Ravi S. Sandhu Expressive Power of the Schematic Protection Model , 1992, J. Comput. Secur..

[14]  Ravi S. Sandhu The typed access matrix model , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[15]  Ravi S. Sandhu,et al.  The schematic protection model: its definition and analysis for acyclic attenuating schemes , 1988, JACM.