Hierarchical Take-Grant Protection systems

Matt Bishop
1981 Proceedings of the eighth symposium on Operating systems principles - SOSP '81  
The application of the Take-Grant Protection Model to hierarchical protection systems is explored. The proposed model extends the results of Wu [7] and applies the results of Bishop and Snyder [2] to obtain necessary and sufficient conditions for a hierarchical protection graph to be secure. In addition, restrictions on the take and grant rules are developed that ensure the security of all graphs generated by these restricted rules.
The financial support of National Science Foundation grants ... -80-15484 and MCS-81-03139 is gratefully acknowledged.
Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. © 1981 ACM 0-89791-062-1-12/81-0109 $00.75
can easily do so. (An example of this will be discussed in Section 2.) Previous models have also discussed at great length the transfer of rights: under what circumstances can it occur assuming the subjects are honest, what rights can a subject steal from a higher-level one, and the like. But little has been said about the transfer of information. The two types of transfers are distinct, and the transfer of information, in addition to the transfer of authority, will be discussed here.
Let a finite, directed graph (called a protection graph) represent a hierarchical protection system. A protection graph has two distinct kinds of vertices, called subjects and objects. Subjects are the active vertices, and (for example) can represent users; they can pass information and authority by invoking rules which will be given in sections 2 and 8. Objects, on the other hand, are completely passive; they can (for example) represent files, and do nothing. In graphs, the subjects are represented by ● and objects by ○. Vertices which may be either subjects or objects are represented by ⊗. The edges of a protection graph are labelled with subsets of a finite set R of rights. Suppose that {r, w, t, g} ⊆ R, where r, w, t, and g represent read, write, take, and grant rights, respectively. When written as labels on a graph, the set braces are normally omitted.
Briefly, in the model of hierarchical protection systems developed here, we are concerned with preventing transfers of information to subjects with a lower security level than the information has, as well as preventing the lower-level subject from obtaining authority to read the
doi:10.1145/800216.806598 dblp:conf/sosp/Bishop81 fatcat:ujfak6ekpbgv3il3kf42d5fq7a