Pitt IS 2935 - The Schematic Protection Model

The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes

RAVINDERPAL SINGH SANDHU
Department of Computer and Information Science, The Ohio State University, Columbus, Ohio

Abstract. The protection state of a system is defined by the privileges possessed by subjects at a given moment. Operations that change this state are themselves authorized by the current state. This poses a design problem in constructing the initial state so that all derivable states conform to a particular policy. It also raises an analysis problem of characterizing the protection states derivable from a given initial state. A protection model provides a framework for both design and analysis. Design generality and tractable analysis are inherently conflicting goals. Analysis is particularly difficult if creation of subjects is permitted. The schematic protection model resolves this conflict by classifying subjects and objects into protection types. The privileges possessed by a subject consist of a type-determined part specified by a static protection scheme and a dynamic part consisting of tickets (capabilities). It is shown that analysis is tractable for this model provided certain restrictions are imposed on subject creation. A scheme authorizes creation of subjects via a binary relation on subject types. Our principal constraint is that this relation be acyclic, excepting loops that authorize a subject to create subjects of its own type. Our assumptions admit a variety of useful systems.

Categories and Subject Descriptors: C.0 [Computer Systems Organization]: General-systems specification methodology; C.1.3 [Processor Architectures]: Other Architecture Styles-capability architectures; C.2.0 [Computer-Communication Networks]: General-security and protection; D.2.0 [Software Engineering]: General-protection mechanisms; D.4.6 [Operating Systems]: Security and Protection-access controls; security kernels; H.1.0 [Models and Principles]: General; H.2.0 [Database Management]: General-security, integrity, and protection; K.6.m [Management of Computing and Information Systems]: Miscellaneous-security

General Terms: Design, Management, Security, Theory, Verification

Additional Key Words and Phrases: Dynamic authorization, flow analysis problem, maximal states, monotonic protection models, protection types, the safety problem, schematic protection model, tickets

A preliminary version of this paper, for the special case of the schematic protection model called SSR, "Analysis of acyclic attenuating systems for the SSR protection model," appears in the Proceedings of the 1985 IEEE Symposium on Security and Privacy (Oakland, Calif., Apr.). IEEE, New York, 1985, pp. 197-206. © 1985 IEEE.
Author's present address: Department of Computer and Information Science, The Ohio State University, Columbus, OH 43210-1277.
Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.
© 1988 ACM 0004-5411/88/0400-0404 $01.50
Journal of the Association for Computing Machinery, Vol. 35, No. 2, April 1988, pp. 404-432.

1. Introduction

The access control or protection problem arises in any computer system that provides for controlled sharing of information among multiple users. Such systems can be viewed as consisting of subjects and objects. Active entities such as users and processes are subjects, whereas passive entities such as text files are objects. Protection is enforced by ensuring that only those operations for which the invoking subject possesses privileges in its domain actually get executed. Operations may be performed on objects (e.g., reading a text file) and on subjects (e.g., blocking a process). We regard subjects and objects as mutually exclusive and use entity to denote either a subject or object. By definition, objects do not possess privileges. Passive entities that possess privileges (e.g., directories) are modeled as subjects. The distribution of privileges in domains of subjects defines the protection state of a system. Henceforth we understand state to mean protection state. Inert privileges authorize operations that do not modify the state (e.g., reading a file). Control privileges authorize operations that modify the state; for example, user X authorizes user Y to read file Z. The paradigm is that an initial state is established and thereafter evolves as constrained by control privileges. The challenge is to construct an initial state such that all derivable states conform with the policy that the designer wishes to implement.

Now what do we mean by policy in this context? At the simplest level an authorization policy defines a set of safe states where the distribution of privileges is consistent with the underlying objectives; for example, the policy that user X cannot read file Y. At all times the system must be in a safe state. Safety considerations are typically attribute based in that the concern is with classes of entities identified by some common attribute rather than with specific individuals; for example, the policy that only users in department D can access files internal to department D. This policy is said to be selective since users and files in different departments are treated differently.

At a more sophisticated level it is not enough that the system be in a safe state. We must additionally ensure that the system arrives at safe states in a proper manner. For instance, consider the policy that users outside department D may access internal files of D provided the head of department D approves. Then any distribution of privileges to access internal files of D is safe by definition. However, the policy requires cooperation of the department head to arrive at safe states in
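As an added illustration (not code from the paper) of the abstract's principal constraint on subject creation, the Python below takes a constructed can-create relation on subject types, reports any creation cycle other than a self-loop, and computes which types a given type can ever create through a chain of creations; the type names and the relation itself are assumptions made for the example.

```python
from typing import Dict, List, Optional, Set
# Constructed example (not from the paper): an SPM can-create relation mapping a
# creator type to the types it may create. admin -> admin is a permitted loop.
CAN_CREATE: Dict[str, Set[str]] = {
    "admin": {"admin", "user"},
    "user": {"user", "process"},
    "process": {"process"},
}

def find_cycle(can_create: Dict[str, Set[str]]) -> Optional[List[str]]:
    """Return a creation cycle through two or more types (starting and ending
    with the same type), or None if only self-loops exist (constraint met)."""
    types = set(can_create) | {t for ts in can_create.values() for t in ts}
    WHITE, GRAY, BLACK = 0, 1, 2          # unvisited / on the DFS path / done
    color = {t: WHITE for t in types}
    path: List[str] = []

    def dfs(t: str) -> Optional[List[str]]:
        color[t] = GRAY
        path.append(t)
        for child in sorted(can_create.get(t, ())):
            if child == t:                # self-loop: permitted, skip it
                continue
            if color[child] == GRAY:      # back edge to the DFS path: a cycle
                return path[path.index(child):] + [child]
            if color[child] == WHITE:
                found = dfs(child)
                if found:
                    return found
        path.pop()
        color[t] = BLACK
        return None
    for start in sorted(types):
        if color[start] == WHITE:
            cycle = dfs(start)
            if cycle:
                return cycle
    return None

def creatable_types(can_create: Dict[str, Set[str]], start: str) -> Set[str]:
    """Types a subject of type `start` can create directly or via descendants."""
    seen: Set[str] = set()
    frontier = [start]
    while frontier:
        for child in can_create.get(frontier.pop(), ()):
            if child not in seen:
                seen.add(child)
                frontier.append(child)
    return seen
```

Adding, say, process -> user to the relation closes a cycle user -> process -> user, which `find_cycle` reports and which the paper's constraint excludes.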