
Chapter 3
Foundational Result
Prepared by : Saeid Pashazadeh
Definition 1. When a generic right r is added to an element of the access control matrix not already containing r, that right is said to be leaked.
Our policy defines the authorized set of states A to be the set of states in which no command c(x1,…,xn) can leak r. This means that no generic rights can be added to the matrix.
Let a computer system begin in protection state s0.
Definition 2. If a system can never leak the right r, the system (including the initial state s0) is called safe with respect to the right r. If the system can leak the right r (enter an unauthorized state), it is called unsafe with respect to the right r.
Example: A computer system allows the network administrator to read all network traffic. It disallows all other users from reading this traffic. The system is designed in such a way that the network administrator cannot communicate with other users. Thus, there is no way for the right r of the network administrator over the network device to leak. This system is safe.
But suppose that if a user specifies a certain file name in a file deletion system call, that user can obtain access to any file on the system; this also allows the user to read data from the network. Then this system is not secure.
Safety question: Does there exist an algorithm for determining whether a given protection system with initial state s0 is safe with respect to a generic right r?
Basic Result
The simplest case is a system in which commands are mono-operational. In such a system, the following theorem holds.
Theorem 1. There exists an algorithm that will determine whether a given mono-operational protection system with initial state s0 is safe with respect to a generic right r.
Theorem 2. It is undecidable whether a given state of a given protection system is safe for a given generic right.
Theorem 3. The set of unsafe systems is recursively enumerable.
Assume that the create primitive is disallowed.
Theorem 4. For protection systems without the create primitive, the safety question is PSPACE-complete.
Theorem 5. It is undecidable whether a given configuration of a given monotonic protection system is safe for a given generic right.
Theorem 6. The safety question for biconditional monotonic protection systems is undecidable.
Theorem 7. The safety question for monoconditional monotonic protection systems is decidable.
Theorem 8. The safety question for monoconditional protection systems with create, enter and delete primitives (but no destroy primitive) is decidable.
The Take-Grant Protection Model
The Take-Grant protection model represents a system as a directed graph. Vertices are either subjects or objects, each drawn with its own symbol; vertices that may be either subjects or objects are drawn with a third symbol. Edges are labeled, and the label indicates the rights that the source vertex has over the destination vertex. Rights are elements of a predefined set R; R contains two distinguished rights: t (for take) and g (for grant).
The protection state ( and therefore the graph ) changes
according to four graph rewriting rules :
Take rule:
Let x, y and z be three distinct vertices in a protection graph G0, and let x be a subject. Let there be an edge from x to z labeled  with t  , and an edge from z to y labeled  and  . Then the take rule defines a new graph G1 by adding an edge to the protection graph from x to y labeled  . Graphically,
The rule is written “x takes ( to y) from z”.
Grant rule:
Let x, y and z be three distinct vertices in a protection graph, and let z be a subject. Let there be an edge from z to x labeled  with g  , an edge from z to y labeled  , and  . Then the grant rule defines a new graph G1 by adding an edge to the protection graph from x to y labeled  . Graphically,
This rule is written “z grants ( to y) to x”.
Create rule:
Let x be any subject in a protection graph G0 and let  R. Then create defines a new graph G1 by adding a new vertex y to the graph and an edge from x to y labeled  . Graphically,
The rule is written “x creates ( to new vertex) y”.
Remove rule:
Let x and y be any distinct vertices in a protection graph G0 such that x is a subject. Let there be an explicit edge from x to y labeled  , and let  . Then remove defines a new graph G1 by deleting the  labels from  . If  becomes empty as a result, the edge is deleted. Graphically,
The rule is written “x removes ( to) y”.
Because these rules alter the state of the protection graph, they are called de jure (“by law” or “by right”) rules.
We demonstrate that one configuration of a protection graph can be derived from another by applying the four rules above in succession. The symbol  means that the graph following it is produced by the action of a graph rewriting rule on the graph preceding it; and the symbol  * represents a finite number of successive rule applications. Such a sequence of graph rewriting rules is called a witness. A witness is often demonstrated by listing the graph rewriting rules that make up the witness (usually with pictures).
Sharing of rights
Definition. The predicate can•share( , x, y, G0) is true for a set of rights  and two vertices x and y if and only if there exists a sequence of protection graphs G1,…,Gn such that G0  * Gn using only de jure rules and in Gn there is an edge from x to y labeled  .
Definition. A tg-path is a nonempty sequence v0,…,vn of distinct vertices such that for all i, 0 ≤ i < n, vi is connected to vi+1 by an edge (in either direction) with a label containing t or g.
Definition. Vertices are tg-connected if there is a tg-path between them.
We can now prove that any two subjects with a tg-path of length 1 can share rights. Four such paths are possible. The take and grant rules in the preceding section account for two of them. Lemmas 1 and 2 cover the other two cases.
Lemma 1:
Lemma 2:
Thus, the take and grant rules are symmetric if the vertices on the tg-path between x and y are subjects. This leads us to the following definition.
Definition. An island is a maximal tg-connected subject-only subgraph.
Because an island is a maximal tg-only subgraph, a straightforward inductive proof shows that any right possessed by any vertex in the island can be shared with any other vertex in the island.
Theorem 3-11
Let G0 be a protection graph containing exactly one subject vertex and no edges, and let R be a set of rights. Then G0  * G if and only if G is a finite directed acyclic graph containing subjects and objects only, with edges labeled from nonempty subsets of R and with at least one subject having no incoming edges.
Example:
Suppose two processes p and q communicate through a shared buffer b controlled by a trusted entity s.
The configuration in figure 3-2a shows the initial protection state of the system. Because s is a trusted entity, the assumption that it has g rights over p and q is reasonable. To create b, and to allow p and q to communicate through it, s does the following:
a. s creates ({r,w} to new object) b.
b. s grants ({r,w} to b) to p.
c. s grants ({r,w} to b) to q.
The notation
This creates the configuration in figure 3-2b.
The communication channel is two-way; if it is to be one-way, the sender would have write rights and the receiver would have read rights.
This configuration also captures the ability of the trusted entity to monitor the communication channel or interfere with it (by altering or creating messages).
3.3.3 Theft in the Take-Grant Protection Model
The proof of the conditions necessary and sufficient for can•share requires that all subjects involved in the witness cooperate. This is unrealistic. This leads to a notion of stealing, in which no owner of any right over an object grants that right to another.
Definition 3-10
Let G0 be a protection graph, let x and y be distinct vertices in G0, and let  be a subset of a set of rights R. The predicate can•steal( , x, y, G0) is true when there is no edge from x to y labeled  in G0 and there exists a sequence of protection graphs G1,…,Gn for which the following hold simultaneously:
A. There is an edge from x to y labeled  in Gn.
B. There is a sequence of rule applications p1,…,pn such that  using pi.
C. For all vertices v and w in Gi-1, 1 ≤ i < n, if there is an edge from v to y in G0 labeled  then pi is not of the form “v grants ( to y) to w”.
The benefits of Definition 3-10
This definition disallows owners of rights to y from transferring those rights. It does not disallow those owners from transferring other rights. Consider figure 3-3. The given witness exhibits can•steal( , s, w, G0). In step 1 the owner u of  rights to w grants other rights (specifically, t rights to v) to a different subject, s. Without this step, the theft cannot occur. The definition only forbids grants of the rights to be stolen.
(1) u grants (t to v) to s.
(2) s takes (t to u) from v.
(3) s takes ( to w) from u.
Figure 3-3 A witness to theft in which the owner of the stolen right grants other rights to another subject (t rights to v are granted to s).
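As an added example (not code from the slides or from the text they summarize), the following Python implements the four de jure rules above as methods that refuse any application whose precondition fails, replays the shared-buffer witness of figure 3-2, and checks a candidate witness against the three conditions of Definition 3-10. The vertices and edges of both figures are reconstructed here from what the witnesses require, the rights set for figure 3-3 is constructed as {r}, and reading condition C as forbidding an original holder of the right from granting any part of it to y is an interpretation.

```python
from copy import deepcopy


class ProtectionGraph:
    """Take-Grant protection graph: subject/object vertices and right-labelled directed edges."""

    def __init__(self, subjects, objects, edges):
        self.subjects = set(subjects)
        self.objects = set(objects)
        # edges: (source, destination) -> set of rights the source holds over the destination
        self.edges = {k: set(v) for k, v in edges.items()}

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def _add(self, src, dst, alpha):
        self.edges.setdefault((src, dst), set()).update(alpha)

    def take(self, x, alpha, y, z):
        """x takes (alpha to y) from z: x is a subject, t in x->z, alpha a subset of z->y."""
        alpha = set(alpha)
        if (len({x, y, z}) != 3 or x not in self.subjects
                or "t" not in self.rights(x, z) or not alpha <= self.rights(z, y)):
            raise ValueError(f"take precondition fails: {x} takes ({alpha} to {y}) from {z}")
        self._add(x, y, alpha)

    def grant(self, z, alpha, y, x):
        """z grants (alpha to y) to x: z is a subject, g in z->x, alpha a subset of z->y."""
        alpha = set(alpha)
        if (len({x, y, z}) != 3 or z not in self.subjects
                or "g" not in self.rights(z, x) or not alpha <= self.rights(z, y)):
            raise ValueError(f"grant precondition fails: {z} grants ({alpha} to {y}) to {x}")
        self._add(x, y, alpha)

    def create(self, x, alpha, y, as_subject=False):
        """x creates (alpha to new vertex) y: x is a subject and y is a fresh vertex."""
        if x not in self.subjects or y in self.subjects | self.objects:
            raise ValueError(f"create precondition fails: {x} creates {y}")
        (self.subjects if as_subject else self.objects).add(y)
        self._add(x, y, alpha)

    def remove(self, x, alpha, y):
        """x removes (alpha to) y: alpha is deleted from the x->y label; an empty label drops the edge."""
        alpha = set(alpha)
        if x not in self.subjects or not alpha <= self.rights(x, y):
            raise ValueError(f"remove precondition fails: {x} removes ({alpha} to) {y}")
        self.edges[(x, y)] -= alpha
        if not self.edges[(x, y)]:
            del self.edges[(x, y)]


def shared_buffer_witness():
    """Figure 3-2: trusted s (holding g over p and q) creates buffer b and shares it with p and q."""
    g = ProtectionGraph({"s", "p", "q"}, set(), {("s", "p"): {"g"}, ("s", "q"): {"g"}})
    g.create("s", {"r", "w"}, "b")       # (a) s creates ({r,w} to new object) b
    g.grant("s", {"r", "w"}, "b", "p")   # (b) s grants ({r,w} to b) to p
    g.grant("s", {"r", "w"}, "b", "q")   # (c) s grants ({r,w} to b) to q
    return g


def is_theft_witness(g0, alpha, x, y, steps):
    """Definition 3-10 check: x must not already hold alpha to y, every step must be a legal rule
    application, no G0 holder of alpha to y may grant part of alpha to y, and x must end with alpha to y."""
    alpha = set(alpha)
    if alpha <= g0.rights(x, y):
        return False
    owners = {v for (v, w), r in g0.edges.items() if w == y and alpha <= r}
    g = deepcopy(g0)
    for rule, *args in steps:
        if rule == "grant":
            grantor, rights, target, _recipient = args
            if grantor in owners and target == y and set(rights) & alpha:
                return False                         # condition C violated: sharing, not theft
        getattr(g, rule)(*args)                      # raises ValueError if the rule does not apply
    return alpha <= g.rights(x, y)                   # condition A


def theft_example():
    """Replay the figure 3-3 witness (u owns the constructed right r to w) and, for contrast,
    a direct grant by the owner. Returns (True, False)."""
    g0 = ProtectionGraph({"s", "u", "v"}, {"w"},
                         {("u", "s"): {"g"}, ("u", "v"): {"t"}, ("v", "u"): {"t"}, ("u", "w"): {"r"}})
    witness = [("grant", "u", {"t"}, "v", "s"),   # (1) u grants (t to v) to s
               ("take", "s", {"t"}, "u", "v"),    # (2) s takes (t to u) from v
               ("take", "s", {"r"}, "w", "u")]    # (3) s takes (r to w) from u
    direct = [("grant", "u", {"r"}, "w", "s")]    # u hands r over itself: forbidden by condition C
    return (is_theft_witness(g0, {"r"}, "s", "w", witness),
            is_theft_witness(g0, {"r"}, "s", "w", direct))
```

Replaying a witness step by step is also how a proposed rights transfer would be audited: a step the rule engine rejects means the witness is invalid, and a grant flagged by condition C means the right was shared by its owner rather than stolen.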
Theorem 3-12. The predicate can•steal( , x, y, G0) is true if and only if the following hold simultaneously:
A. There is no edge from x to y labeled  in G0.
B. There exists a subject vertex x´ such that x´ = x or x´ initially spans to x.
C. There exists a vertex s with an edge labeled  to y in G0 and for which can•share(t, x, s, G0) holds.
3.3.4 Conspiracy
The notion of theft introduced the issue of cooperation: which subjects are actors in a transfer of rights, and which are not? What is the minimum number of actors required to witness a given predicate can•share( , x, y, G0)?
Definition 3-11. The access set A(y) with focus y is the set of vertices y, all vertices x to which y initially spans, and all vertices x´ to which y terminally spans.
Definition 3-12. The deletion set (y, y´) contains all vertices z in the set A(y)  A(y´) for which (a) y initially spans to z and y´ terminally spans to z, (b) y terminally spans to z and y´ initially spans to z, (c) z = y, and (d) z = y´.
Given the deletion set, we construct an undirected graph, called the conspiracy graph and represented by H, from G0:
1. For each subject vertex x in G0, there is a corresponding vertex h(x) in H with the same label.
2. If (y, y´)   in G0, there is a line between h(y) and h(y´) in H.
The conspiracy graph represents the paths along which subjects can transfer rights. The paths are undirected because the rights can be transmitted in either direction. Furthermore, each vertex in H represents an access set focus in G0.
EXAMPLE: In figure 3-4, the access sets are
A(x) ={x,a}
A(e) ={e,d,i,j}
A(b) ={b,a}
A(y) ={y}
A(c) ={c,b,d}
A(f) ={f,y}
A(d) ={d}
A(h) ={h,f,i}
The vertex z is not in A(e) because the path from e to z is neither a terminal nor an initial span. For the same reason, the vertex y is not in A(h). Using these sets gives the following nonempty deletion sets:
(x,b)
(b,c) ={b}
(c,d) ={d}
(c,e) ={d}
(d,e) ={d}
(y,f) ={y}
(h,f) ={f}
Although A(e)  A(h) = {i}, the vertex i is in A(e) because e initially spans to i, and i is in A(h) because h initially spans to i. Hence, (e, h) = Ø and there is no edge between h(e) and h(h) in H.
The notation
The conspiracy graph exhibits the paths along which rights can be transmitted.
Let the set I(p) contain the vertex h(p) and the set of all vertices h(p´) such that p´ initially spans to p; let the set T(q) contain the vertex h(q) and the set of all vertices h(q´) such that q´ terminally spans to q. Then:
Theorem 3-13.
can•share( , x, y, G0) is true if and only if there is a path from some h(p) in I(x) to some h(q) in T(y).
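As an added example (not from the slides), the following Python computes access sets, deletion sets and the conspiracy graph H of Definitions 3-11 and 3-12 over a small constructed protection graph, and provides the path search in H that Theorem 3-13 applies between I(x) and T(y). The slides use initial and terminal spans without defining them, so the standard Take-Grant definitions are assumed and stated in the code. The graph is built to mirror the shape of the figure 3-4 example (A(x) = {x, a}, A(e) = {e, d, i, j}, z outside A(e), no line between h(e) and h(h)) but is not that figure, whose edges the slides do not give.

```python
from collections import deque

# Constructed Take-Grant protection graph (not the slides' figure 3-4).
SUBJECTS = {"x", "b", "c", "d", "e", "h"}
EDGES = {
    ("x", "a"): {"t"}, ("b", "a"): {"g"},
    ("c", "b"): {"g"}, ("c", "d"): {"t"},
    ("e", "d"): {"g"}, ("e", "i"): {"g"}, ("e", "j"): {"t"},
    ("i", "z"): {"g"}, ("h", "i"): {"g"},
}


def spans(edges, subjects, x):
    """Return (initial, terminal): the vertices x initially / terminally spans to.
    Assumed standard definitions: x terminally spans to y if x is a subject and there is a
    path x -t-> ... -t-> y; x initially spans to y if x is a subject and there is a path
    x -t-> ... -t-> w -g-> y. Paths visit distinct vertices."""
    initial, terminal = set(), set()
    if x not in subjects:
        return initial, terminal

    def walk(v, on_path):
        for (src, dst), rights in edges.items():
            if src != v or dst in on_path:
                continue
            if "g" in rights:
                initial.add(dst)
            if "t" in rights:
                terminal.add(dst)
                walk(dst, on_path | {dst})

    walk(x, {x})
    return initial, terminal


def access_set(edges, subjects, y):
    """Definition 3-11: A(y) is y plus everything y initially or terminally spans to."""
    initial, terminal = spans(edges, subjects, y)
    return {y} | initial | terminal


def deletion_set(edges, subjects, y, y2):
    """Definition 3-12: the vertices of A(y) intersect A(y2) satisfying (a), (b), (c) or (d)."""
    init_y, term_y = spans(edges, subjects, y)
    init_y2, term_y2 = spans(edges, subjects, y2)
    common = access_set(edges, subjects, y) & access_set(edges, subjects, y2)
    return {z for z in common
            if (z in init_y and z in term_y2)      # (a)
            or (z in term_y and z in init_y2)      # (b)
            or z == y or z == y2}                  # (c), (d)


def conspiracy_graph(edges, subjects):
    """Build H: one vertex h(x) per subject and an undirected line wherever the deletion set is nonempty."""
    H = {s: set() for s in subjects}
    for y in subjects:
        for y2 in subjects:
            if y < y2 and deletion_set(edges, subjects, y, y2):
                H[y].add(y2)
                H[y2].add(y)
    return H


def h_path_exists(H, start, goal):
    """Breadth-first search in H: the path test Theorem 3-13 applies between I(x) and T(y)."""
    seen, queue = {start}, deque([start])
    while queue:
        v = queue.popleft()
        if v == goal:
            return True
        for nxt in H[v] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return False
```

In this graph H has the lines x-b, b-c, c-d, c-e and d-e; h(h) is isolated because e and h both only initially span to i, so neither condition (a) nor (b) holds for the one vertex they share.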
3.3.5 Summary
The Take-Grant protection model is a counterpoint to the Harrison-Ruzzo-Ullman (HRU) result. It demonstrates that, for a specific system, the safety question is not only decidable but decidable in linear time with respect to the size of the graph. It also explores ancillary issues such as theft and conspiracy.
3.4 Closing the gap
Given that in specific systems we can answer the safety question, why can we not answer it about generic systems? What is it about the Harrison-Ruzzo-Ullman model that makes the safety question undecidable? What characteristics distinguish a model in which the safety question is decidable from a model in which the safety question is not decidable?
A series of elegant papers has explored this issue.
3.4.1 Schematic Protection Model
The key notion of the Schematic Protection Model, also called the SPM, is the protection type. This is a label for an entity that determines how control rights affect that entity.
Difference between the Take-Grant and the Schematic models
If the Take-Grant protection model is viewed as an instance of a scheme under the SPM, the protection types are subject and object, because the control rights take, grant, create, and remove affect subject entities differently than they do object entities. Moreover, under SPM, the protection type of an entity is set when the entity is created and cannot change thereafter.
Introduction to the SPM model
In SPM, a ticket is a description of a single right. An entity has a set of tickets (called a domain) that describe what rights it has over other entities. A ticket consists of an entity name and a right symbol; for example, the ticket X/r allows the possessor of the ticket to apply the right r to the entity X. Although a ticket may contain only one right, if an entity has multiple tickets X/r, X/s, and X/t, we abbreviate them by writing X/rst.
The rules of the SPM model
Rights are partitioned into a set of inert rights (RI) and a set of control rights (RC). Applying an inert right does not alter the protection state of the system; hence, the take right, which does alter it, is a control right. SPM ignores the effect of applying inert rights, but not the effect of applying control rights.
The attribute c is a copy flag; every right r has an associated copyable right rc. A ticket with the copy flag can be copied to another domain.
The notation of the SPM
The notation r:c means r or rc, with the understanding that all occurrences of r:c are read as r or all are read as rc.
The manipulation of rights is controlled by two relationships: a link predicate and a filter function. Intuitively, the link predicate determines whether the source and target of the transfer are “connected”, and the filter function determines whether the transfer is authorized.
3.4.1.1 Link predicate
A link predicate is a relation between two subjects. It is local in the sense that its evaluation depends only on the tickets that the two subjects possess. Formally:
Definition 3-13. Let dom(X) be the set of tickets that X possesses. A link predicate link_i(X, Y) is a conjunction of the following terms, for any right z  RC:
1. X/z  dom(X)
2. X/z  dom(Y)
3. Y/z  dom(X)
4. Y/z  dom(Y)
5. true
The notation
A finite set of link predicates { link_i  i = 1, …, n } is called a scheme. If only one link predicate is defined, we omit the subscript i.
Example:
The link predicate corresponding to the Take-Grant protection model rules take and grant is
link(X, Y) = Y/g  dom(X)  X/t  dom(Y)
Here, X and Y are connected if X has g rights over Y or Y has t rights over X, which corresponds to the model in the preceding section.
3.4.1.2 Filter function
The filter functions impose conditions on when transfer of tickets can occur. Specifically, a filter function is a function f_i : TS  TS  2^TR that has as its range the set of copyable tickets. For a copy to occur, the ticket to be copied must be in the range of the appropriate filter function.
Combining this requirement with the others, a ticket X/r:c can be copied from dom(Y) to dom(Z) if and only if, for some i, the following are true:
1. X/rc  dom(Y)
2. link_i(Y, Z)
3. (X)/r:c  f_i((Y), (Z))
The notation
One filter function is defined for each link predicate. As with the link predicates, if there is only one filter function, we omit the subscripts.
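As an added example (not the slides' code nor any SPM implementation), the following Python models tickets, domains, the Take-Grant link predicate given above and a constructed filter function, and checks the three conditions under which X/r:c may be copied from dom(Y) to dom(Z) with a single link/filter pair. The protection types (admin, user, file), the filter table and the entities are constructed for the walkthrough; the type of X is read from the entity's protection type, which is fixed at creation as the slides state.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ticket:
    """An SPM ticket X/r or X/rc: an entity name, one right symbol and the copy flag c."""
    entity: str
    right: str
    copyable: bool = False


@dataclass
class Entity:
    """An SPM entity: its protection type is fixed at creation; dom is the domain (tickets it holds)."""
    name: str
    ptype: str
    dom: set = field(default_factory=set)


def link(x, y):
    """The Take-Grant link predicate from the slides: Y/g in dom(X) or X/t in dom(Y)."""
    return (any(tk.entity == y.name and tk.right == "g" for tk in x.dom)
            or any(tk.entity == x.name and tk.right == "t" for tk in y.dom))


# Constructed filter function f(type(Y), type(Z)): the set of type(X)/r:c tickets that may be
# copied from a domain of the first type into a domain of the second. Triples are (type, right, c).
FILTER = {
    ("admin", "user"): {("file", "r", True), ("file", "w", False)},
    ("user", "user"): {("file", "r", False)},
}


def can_copy(ticket, y, z, entities):
    """Conditions 1-3 for copying X/r:c from dom(Y) to dom(Z)."""
    if Ticket(ticket.entity, ticket.right, True) not in y.dom:     # 1. X/rc in dom(Y)
        return False
    if not link(y, z):                                              # 2. link(Y, Z)
        return False
    x_type = entities[ticket.entity].ptype
    allowed = FILTER.get((y.ptype, z.ptype), set())
    return (x_type, ticket.right, ticket.copyable) in allowed      # 3. type(X)/r:c in f(type(Y), type(Z))


def copy_ticket(ticket, y, z, entities):
    """Perform the copy, refusing it unless all three conditions hold."""
    if not can_copy(ticket, y, z, entities):
        raise PermissionError(f"cannot copy {ticket} from {y.name} to {z.name}")
    z.dom.add(ticket)


def scheme_walkthrough():
    """Constructed scenario: admin alice holds f1/rc, f1/wc and g over bob; bob later gets a link to carol.
    Returns the list of can_copy answers, in order."""
    f1 = Entity("f1", "file")
    alice = Entity("alice", "admin", {Ticket("f1", "r", True), Ticket("f1", "w", True), Ticket("bob", "g")})
    bob, carol = Entity("bob", "user"), Entity("carol", "user")
    ents = {e.name: e for e in (f1, alice, bob, carol)}
    answers = []
    answers.append(can_copy(Ticket("f1", "r", True), alice, bob, ents))   # True: all three conditions hold
    copy_ticket(Ticket("f1", "r", True), alice, bob, ents)
    answers.append(can_copy(Ticket("f1", "w", True), alice, bob, ents))   # False: filter allows only f1/w
    answers.append(can_copy(Ticket("f1", "w"), alice, bob, ents))         # True
    copy_ticket(Ticket("f1", "w"), alice, bob, ents)
    answers.append(can_copy(Ticket("f1", "r"), bob, carol, ents))         # False: link(bob, carol) fails
    carol.dom.add(Ticket("bob", "t"))                                     # carol gets t over bob: link holds
    answers.append(can_copy(Ticket("f1", "r"), bob, carol, ents))         # True
    answers.append(can_copy(Ticket("f1", "r", True), bob, carol, ents))   # False: user->user passes only f1/r
    answers.append(can_copy(Ticket("f1", "w"), bob, carol, ents))         # False: bob holds f1/w, not f1/wc
    return answers
```

The walkthrough exercises each condition separately: the copy flag on the source ticket (condition 1) stops bob from passing on f1/w, the link predicate (condition 2) blocks the bob-to-carol copy until carol holds bob/t, and the filter (condition 3) is what prevents the copyable form f1/rc from spreading beyond the admin-to-user transfer.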
Safety Analysis
The goal of this model is to identify types of policies that have tractable safety analyses. Our approach will be to derive a maximal state in which any additional entities or rights do not affect the safety analysis. We then analyze this state.
First, we introduce a flow function that captures the flow of tickets around a particular state of the system being modeled.