
Other Access Control Models

Presentation on theme: "Other Access Control Models"— Presentation transcript:

1 Other Access Control Models

2 The Take-Grant Protection Model
Can safety be guaranteed for a specific system? Yes, for a specific collection of commands, called the take-grant protection model.
A graph model where:
- subjects, objects, and vertices that may be either are each drawn with a distinct vertex symbol;
- labeled edges represent the rights of the source vertex over the destination vertex, taken from a set R with two special rights: t for Take and g for Grant.
Graph-rewrite rules are used to derive permissions from R.

3 De jure rules - i
i. X creates (a to new vertex) Y: a new vertex Y is added, with an edge from X to Y labeled a.
ii. X removes a from Y: the label b on the edge from X to Y becomes b - a. If b - a is then empty, the edge is removed.

4 De jure rules - ii
iii. X takes (a to Z) from Y: if X has t over Y and Y has b over Z with a ⊆ b, then X obtains a over Z.
iv. Z grants (a to Y) to X: if Z has g over X and Z has b over Y with a ⊆ b, then X obtains a over Y.

5 Protection State
Protection state = graph; state transition = rewriting the graph.
Example (z holds t over x and a over y; the goal is for x to obtain a over y):
x creates (t, g to new) v
z takes (g to v) from x
z grants (a to y) to v
x takes (a to y) from v
v is removed

6 Sharing of Rights
Definition: the predicate can-share(a, x, y, G0) is true for a set of rights a and two vertices x, y iff there is a sequence of graphs G1, …, Gn with G0 ⊢* Gn, each step applying one of the four de jure rules, and Gn has an a-labeled edge from x to y.
Definition: a tg-path is a sequence v0, …, vn of distinct vertices where every vi is connected to vi+1, in either direction, by an edge labeled t or g.
Definition: vertices are tg-connected if there is a tg-path between them.

7 Lemma: sharing
Statement: any two subjects joined by a tg-path of length 1 can share some rights.
Proof: the take and grant rules cover two of the four cases (X has t over Z, or Z has g over X). The following lemmas cover the other two.
Lemma 3-1: if Z holds t over X and Z holds a over Y, then G0 ⊢* a graph in which X holds a over Y.

8 Proof of Claim 3-1
Step 1: X creates (tg to new vertex) V. X now holds t and g over V.
Step 2: Z takes (g to V) from X. Z holds t over X, so Z now holds g over V.

9 Proof of Claim 3-1
Step 3: Z grants (a to Y) to V. Z holds g over V and a over Y, so V now holds a over Y.
Step 4: X takes (a to Y) from V. X holds t over V, so X now holds a over Y.

10 Lemma 3-2
The remaining case: X holds g over Z and Z holds a over Y; again G0 ⊢* a graph in which X holds a over Y.
Observation: the take and grant rules are symmetric if the vertices on the tg-path between X and Y are subjects.

11 More definitions and properties - 1
Definition: an island is a maximal tg-connected subject-only subgraph.
Lemma: a right possessed by any vertex in an island can be shared with any other vertex in the island.
Transferring rights between islands: a subject in one island must be able to take the right from a subject in another island.
Notation: the four basic symbols t→, t←, g→, g← give the label and direction of one edge on a path. A path's word is built from the basic symbols using * (repetition) and concatenation, e.g. g← t→.

12 More definitions and properties - 2
Definition: a bridge is a tg-path between two subject endpoints, characterized by the path's word.
Observation: rights can be transferred from one endpoint of a bridge to the other.
Theorem: subject-can-share(a, x, y, G0) is true iff x and y are subjects and either there is an a-labeled edge from x to y in G0, or both of the following hold:
- there is a subject s ∈ G0 with an edge from s to y labeled a;
- there are islands I1, …, In such that x ∈ I1 and s ∈ In, with a bridge from Ij to Ij+1 for each j.
Observation: because objects cannot act, a transfer of a right begins or ends at an object.

13 More Definitions and Properties - 3
Observation: only subjects can act, so a transfer begins with a right possessed by an object and ends with that right given to another object!
Definition: a vertex x initially spans to y if x is a subject and there is a tg-path from x to y with a word in {t→* g→} ∪ {ν}, where ν is the empty word. This means X can grant a right it possesses to Y.

14 More Definitions and Properties - 4
Definition: a vertex x terminally spans to y if x is a subject and there is a tg-path from x to y with a word in {t→*} ∪ {ν}. This means X may take any right that Y possesses: if Y holds a over W, X ends up holding a over W.

15 More Definitions and Properties - 5
Theorem: can-share(a, x, y, G0) is true iff there is an edge from x to y in G0 labeled a, or the following hold simultaneously:
- there is a vertex s ∈ G0 with an edge from s to y labeled a;
- there is a subject vertex x' such that x = x' or x' initially spans to x;
- there is a subject vertex s' such that s' = s or s' terminally spans to s;
- there are islands I1, …, In such that x' ∈ I1, s' ∈ In, and there is a bridge from Ij to Ij+1 for each j.
See next slide.

16 Explanation
Either there is an a edge from X to Y, or:
1. S holds a over Y
2. S' can take a from S
3. X' and S' are connected through a sequence of islands
4. X' can grant a to X

17 Safety in the take-grant model
Theorem: there is an algorithm of complexity O(|V| + |E|) to test the validity of can-share(a, x, y, G0).
By choosing the right kind of rules we can answer questions like: can my computer access my files?

18 The One-Subject Case
Theorem: let G0 be a graph with one subject and no edges, and R a set of rights. G0 ⊢* G iff
1. G is a finite directed acyclic graph containing subjects and objects only, with edges labeled with non-empty subsets of R, and
2. G has at least one subject with no incoming edges.
Proof (⇐): suppose G satisfies 1 and 2. Let subjects(G) = {X1, …, Xn}, with X1 having no incoming edge. Construct G' as follows:

19 Proof
Let V = X1.
1. For 2 ≤ i ≤ n, perform V creates (a ∪ {g} to new) Xi, where a is the union of all labels on edges into Xi in G.
2. For all pairs Xi, Xj in G where Xi has rights a over Xj, perform V grants (a to Xj) to Xi.
3. Perform V removes ((a ∪ {g}) − b to) Xj, where b = {r : r labels the edge Xi→Xj in G}.
The resulting graph is G'.

20 Proof Continued
(⇒) Let V be the initial subject and G0 ⊢* G. Then, by inspection of the rules, G is:
- finite
- loop-free
- directed
- consisting of subjects and objects only
- with all edges having non-empty labels
Furthermore, no rule deletes V, so V ∈ G, and no rule allows incoming edges to V.

21 Theft in the T-G Model
To share, the owner has to cooperate; the notion of sharing fails to capture an owner's unwillingness to share.
Stealing happens when the owner does not grant some right over an object to other subjects, but some subject can get the right indirectly!

22 Stealing in the T-G Model
Definition: for X, Y ∈ G0 and a ∈ R, can-steal(a, X, Y, G0) is true when there is no a-labeled edge from X to Y in G0 and there exists a sequence of graphs G1, …, Gn such that:
a. there is an a-labeled edge from X to Y in Gn;
b. there is a sequence of rules r1, …, rn where applying ri results in Gi−1 ⊢ Gi;
c. for all V, W ∈ Gi−1, if there is an a edge from V to Y, then ri is not of the form V grants (a to Y) to W.
Thus condition c stops owners from transferring the right a to others (but they could transfer other rights).

23 An Example of Stealing
can-steal(a, S, W, G0), where U holds a over W, g over S and t over V, and V holds t over U:
U grants (t to V) to S (the owner of a over W grants t over V to S)
S takes (t to U) from V
S takes (a to W) from U
The owner U of the stolen right a grants other rights to another subject (t rights over V are granted to S). This is the reason for MAC.
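The four de jure rules as a small Python rewrite engine that checks each rule's precondition, replaying the sharing witness of slide 5 and the theft witness of slide 23. This is an added example, not code from the slides; the initial edges of both witnesses are constructed from the steps the slides list, and vertex names follow the slides.

```python
from collections import defaultdict

class TakeGrant:
    """Protection state of the take-grant model: edges[(src, dst)] = rights src holds over dst."""
    def __init__(self, subjects, edges):
        self.subjects = set(subjects)
        self.edges = defaultdict(set, {k: set(v) for k, v in edges.items()})

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def _need(self, cond, msg):  # every rule checks its precondition before rewriting
        if not cond:
            raise ValueError(msg)

    def create(self, x, a, y):  # rule i: X creates (a to new vertex) Y
        self._need(x in self.subjects, f"{x} is an object and cannot act")
        self.edges[(x, y)] |= set(a)

    def remove(self, x, a, y):  # rule ii: X removes a from Y
        self._need(x in self.subjects, f"{x} is an object and cannot act")
        self.edges[(x, y)] -= set(a)
        if not self.edges[(x, y)]: del self.edges[(x, y)]  # empty label: edge removed

    def take(self, x, a, z, y):  # rule iii: X takes (a to Z) from Y
        self._need(x in self.subjects and "t" in self.rights(x, y), f"{x} lacks t over {y}")
        self._need(set(a) <= self.rights(y, z), f"{y} lacks {a} over {z}")
        self.edges[(x, z)] |= set(a)

    def grant(self, z, a, y, x):  # rule iv: Z grants (a to Y) to X
        self._need(z in self.subjects and "g" in self.rights(z, x), f"{z} lacks g over {x}")
        self._need(set(a) <= self.rights(z, y), f"{z} lacks {a} over {y}")
        self.edges[(x, y)] |= set(a)

def sharing_witness():
    # Slide 5 (constructed initial state): z holds t over x and a over y; x ends up with a over y.
    g = TakeGrant({"x", "y", "z"}, {("z", "x"): "t", ("z", "y"): "a"})
    g.create("x", "tg", "v")      # x creates (t, g to new) v
    g.take("z", "g", "v", "x")    # z takes (g to v) from x
    g.grant("z", "a", "y", "v")   # z grants (a to y) to v
    g.take("x", "a", "y", "v")    # x takes (a to y) from v
    return "a" in g.rights("x", "y")

def theft_witness():
    # Slide 23 (constructed initial state): U owns a over W and never grants it, yet S obtains it.
    g = TakeGrant({"u", "s"}, {("u", "w"): "a", ("u", "s"): "g", ("u", "v"): "t", ("v", "u"): "t"})
    g.grant("u", "t", "v", "s")   # U grants (t to V) to S: the only grant by the owner
    g.take("s", "t", "u", "v")    # S takes (t to U) from V
    g.take("s", "a", "w", "u")    # S takes (a to W) from U
    return "a" in g.rights("s", "w")
```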

24 Characterizing can-steal
Theorem: can-steal(a, X, Y, G0) is true iff
- there is no a-labeled edge from X to Y in G0,
- there is a subject vertex X' with X' = X or X' initially spanning to X,
- there is a vertex S ∈ G0 with an a-labeled edge to Y in G0, and
- can-share(t, X', S, G0) holds.
Observation: to steal, there must be a tg-path through which the thief can share!

25 Proof
(⇐) Assume the conditions hold.
1. If X is a subject: X needs to obtain t rights over S and use the take rule to obtain a, satisfying can-steal(a, X, Y, G0).
2. If X is an object: by the can-share theorem there is a subject vertex X' that initially spans to X with can-share(t, X', S, G0) true. Assume the span has length 1 and X' has t rights over S in G0.
- If X' does not have an a-labeled edge to Y: X' takes a rights to Y and grants them to X, satisfying the definition.
- Otherwise (X' already holds a over Y, so condition c forbids X' granting it): X' creates a surrogate subject X'' and provides it t rights over S:
  a. X' creates (g to new subject) X''
  b. X' grants (t to S) to X''
  c. X' grants (g to X) to X''
  Now X'' has t rights over S and g rights over X, so apply:
  1. X'' takes (a to Y) from S
  2. X'' grants (a to Y) to X

26 Proof
(⇒) Assume can-steal(a, x, y, G0). Then:
- condition 1 holds from the definition of can-steal;
- condition 2 of the can-share theorem implies condition 2 of this theorem;
- condition 3 of the can-share theorem implies that S satisfies condition 3 of this theorem.
It remains to prove can-share(t, x, s, G0). Consider a minimal-length sequence of rule applications transforming G0 to Gn, with Gi−1 ⊢ri Gi, such that there is an edge labeled a from some vertex P to Y in Gi but not in Gi−1. Then Gi is the first graph in which an a edge to Y is added.

27 Proof continued - 2
So ri is neither a remove nor a create rule. By condition c of can-steal, all vertices with a rights to Y in Gi are in G0, and ri is not a grant rule. Hence ri is a take rule of the form P takes (a to Y) from S, where P holds t over S and S holds a over Y. Hence can-share(t, p, s, G0) holds.
By condition (c) of the can-share theorem, there is a subject S' such that S' terminally spans to S or S' = S.
By condition (d) of the can-share theorem, there are islands I1, …, In satisfying x' ∈ I1 and S' ∈ In.

28 Proof continued - 3
If S is an object (hence S ≠ S'), there are two cases:
- S' and P are in the same island: take P as S'.
- If not: the derivation is not of minimal length (why?), so choose S' in the same island for a shorter proof.
The conditions of the can-share theorem are met, so can-share(t, x, s, G0).

29 Proof continued - 4
If S is a subject (i.e. S = S'): then P ∈ In, and we must show P ∈ G0 for the can-share theorem to hold.
If P ∉ G0: there is a subject Q in some island with can-share(t, Q, S, G0). Because S is the owner of a rights over Y in G0, we must derive a witness for this sharing in which S does not grant (a to Q). If S ≠ Q, replace "S grants (a to Y) to Q" with:
P takes (a to Y) from S
P takes (g to Q) from S
P grants (a to Y) to Q
So there is a witness to can-share(t, Q, S, G0) without S granting (a to Y).

30 Conspiracy in the TG-Model
Many actors may be required to steal in the TG-model. Any subject Y can:
- take rights from any X that Y terminally spans to;
- give rights to any X that Y initially spans to.
Definition: the access set with focus Y is A(Y) = {all vertices X that Y terminally spans to} ∪ {all vertices X that Y initially spans to}.
The entities from whom one can get rights and the entities to whom one can give rights form one's access set with focus!

31 The Deletion Set
Definition: the deletion set d(Y, Y') is the set of all Z satisfying Z ∈ A(Y) ∩ A(Y') and one of:
- Y initially spans to Z and Y' terminally spans to Z;
- Y terminally spans to Z and Y' initially spans to Z;
- Z = Y;
- Z = Y'.
It represents the vertices through which Y and Y' can transfer rights.

32 An Example Deletion Set
[Figure: example take-grant graph on vertices a, b, c, d, e, f, h, i, j, q, x, y, z with edges labeled t, g and r]
Access sets: A(x) = {x, a}, A(e) = {e, d, i, j}, A(b) = {b, a}, A(y) = {y}, A(c) = {c, b, d}, A(f) = {f, y}, A(d) = {d}, A(h) = {h, f, i}.
z is not in A(e) because e neither terminally nor initially spans to z along the path from e to z.
Deletion sets: d(x, b) = {a}, d(c, d) = {d}, d(y, f) = {y}, d(b, c) = {b}, d(d, e) = {d}, d(c, e) = {d}.

33 Creating conspiracy Graphs
Procedure: the conspiracy graph H of G0 is created to satisfy the following conditions:
- for each subject s ∈ G0, there is an h(s) ∈ H with the same label;
- if d(Y, Y') ≠ ∅ in G0, there is an edge between h(Y) and h(Y') in H.
Conspiracy graphs represent paths of transfer. They are undirected because rights can be transferred in either direction.

34 An Example Conspiracy Graph
For the graph of the previous slide, H has the vertices h(x), h(b), h(c), h(d), h(e), h(h), h(y), h(f); the deletion sets listed there give the edges h(x)-h(b), h(b)-h(c), h(c)-h(d), h(d)-h(e), h(c)-h(e) and h(y)-h(f).

35 Two Theorems on Conspirators
Theorem 1: can-share(a, X, Y, G0) iff there is a path from some h(p) ∈ I(X) to some h(q) ∈ T(Y), where
I(X) = {h(X)} ∪ {h(X') : X' initially spans to X}
T(X) = {h(X)} ∪ {h(X') : X' terminally spans to X}
Theorem 2: let L be the number of vertices on the shortest path between h(p) and h(q). Then L conspirators are necessary to produce a witness to can-share(a, X, Y, G0).

36 Back to the Example
The shortest path between h(e) and h(x) in H has 4 vertices: h(x), h(b), h(c), h(e). So 4 conspirators are necessary and sufficient to witness can-share(r, x, y, G0).
How does it work?
e grants (r to y) to d
c takes (r to y) from d
c grants (r to y) to b
b grants (r to y) to a
x takes (r to y) from a
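Access sets, deletion sets, the conspiracy graph and the conspirator count of slides 30 to 36, implemented in Python as an added example (not the slides' own code). The sample graph is constructed from the witness chain on slide 36 (x t→ a, b g→ a, c g→ b, c t→ d, e g→ d, e r→ y), so it omits the f, h, i, j, q and z vertices of the original figure.

```python
from collections import deque

# Constructed sample state reproducing the slide 36 witness (the slides' own figure was lost):
SUBJECTS = {"x", "b", "c", "d", "e", "y"}
EDGES = {("x", "a"): "t", ("b", "a"): "g", ("c", "b"): "g", ("c", "d"): "t", ("e", "d"): "g", ("e", "y"): "r"}

def successors(edges, u, right):
    return {b for (a, b), r in edges.items() if a == u and right in r}

def terminal_span(edges, subjects, x):  # word t->* (possibly empty); only a subject spans
    if x not in subjects:
        return set()
    seen, todo = {x}, [x]
    while todo:
        for v in successors(edges, todo.pop(), "t"):
            if v not in seen:
                seen.add(v); todo.append(v)
    return seen

def initial_span(edges, subjects, x):  # word t->* g-> (one final g edge) or the empty word
    out = {x} if x in subjects else set()
    for u in terminal_span(edges, subjects, x):
        out |= successors(edges, u, "g")
    return out

def access_set(edges, subjects, y):  # A(Y): whom Y can take from, union whom Y can give to
    return terminal_span(edges, subjects, y) | initial_span(edges, subjects, y)

def deletion_set(edges, subjects, y, y2):  # d(Y, Y'): vertices through which Y and Y' pass a right
    ty, iy = terminal_span(edges, subjects, y), initial_span(edges, subjects, y)
    t2, i2 = terminal_span(edges, subjects, y2), initial_span(edges, subjects, y2)
    return {z for z in (ty | iy) & (t2 | i2)
            if z in (y, y2) or (z in iy and z in t2) or (z in ty and z in i2)}

def conspiracy_graph(edges, subjects):  # undirected H: h(Y)-h(Y') whenever d(Y, Y') is non-empty
    adj = {s: set() for s in subjects}
    for y in subjects:
        for y2 in subjects:
            if y != y2 and deletion_set(edges, subjects, y, y2):
                adj[y].add(y2)
    return adj

def conspirators(adj, p, q):  # vertices on the shortest h(p)..h(q) path in H (Theorem 2), or None
    dist, todo = {p: 1}, deque([p])
    while todo:
        u = todo.popleft()
        if u == q: return dist[u]
        for v in adj[u] - set(dist):
            dist[v] = dist[u] + 1; todo.append(v)
    return None
```

The access and deletion sets for x, b, c, d and e match the values on slide 32, and the path h(x), h(b), h(c), h(e) gives the 4 conspirators of slide 36.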

