© Ravi Sandhu HRU and TAM Ravi Sandhu Laboratory for Information Security Technology George Mason University

© 2004 Ravi Sandhu 2 The Access Matrix Model, Lampson 1971

© 2004 Ravi Sandhu 3 The HRU (Harrison-Ruzzo-Ullman) Model, 1976 Ur w V F G r

© 2004 Ravi Sandhu 4 The HRU (Harrison-Ruzzo-Ullman) Model, 1976 Ur w V F r w own G r

© 2004 Ravi Sandhu 5 The HRU (Harrison-Ruzzo-Ullman) Model, 1976 Ur w V F r w own G r r

© 2004 Ravi Sandhu 6 HRU Commands and Operations command α(X1, X2,..., Xk) if rl in (Xs1, Xo1) and r2 in (Xs2, Xo2) and ri in (Xsi, Xoi) then op1; op2; … opn end enter r into (Xs, Xo) delete r from (Xs, Xo) create subject Xs create object Xo destroy subject Xs destroy object Xo

© 2004 Ravi Sandhu 7 HRU Examples

© 2004 Ravi Sandhu 8 HRU Examples

© 2004 Ravi Sandhu 9 HRU Examples

© 2004 Ravi Sandhu 10 HRU Examples

© 2004 Ravi Sandhu 11 The Safety Problem Given initial state protection scheme (HRU commands) Can r appear in a cell that exists in the initial state and does not contain r in the initial state? More specific question might be: can r appear in a specific cell [s,o]

© 2004 Ravi Sandhu 12 The Safety Problem Initial state: r in (o,o) and nowhere else

© 2004 Ravi Sandhu 13 Safety is Undecidable in HRU

© 2004 Ravi Sandhu 14 TAM adds types to HRU

© 2004 Ravi Sandhu 15 TAM adds types to HRU

© 2004 Ravi Sandhu 16 TAM commands

© 2004 Ravi Sandhu 17 TAM primitive operations

© 2004 Ravi Sandhu 18 TAM operations: enter and delete

© 2004 Ravi Sandhu 19 TAM operations: create and destroy

© 2004 Ravi Sandhu 20 TAM operations: create and destroy

© 2004 Ravi Sandhu 21 The Safety Problem TAM has much stronger safety properties than HRU

