Paul E. Ammann and Ravi S. Sandhu. Safety Analysis for the Extended Schematic Protection Model. In Proceedings of the IEEE Symposium on Security and Privacy, pages 87--97, Oakland, California, May 1991. IEEE Press.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....formalizing the safety problem and at analyzing the complexity of solving it [7, 8] Unfortunately, a major result was that the safety problem is undecidable in general. Fortunately, work that followed identified several subclasses of the general HRU model in which the safety problem was decidable [6, 11, 1, 13]. Within this section, we take up these results and lift them to policy groups. We start with a brief recap of the precise meaning of the term HRU safety and summarize major results of the follow up work. We then identify conditions under which safety properties of the regular security policies ....

Paul E. Ammann and Ravi S. Sandhu. Safety Analysis for the Extended Schematic Protection Model. In Proceedings of the IEEE Symposium on Security and Privacy, pages 87--97, Oakland, California, May 1991. IEEE Press.

....results into an applied context by exploring how these results can be used to analyze the actors moving information around a network. Further applications are of course possible, but using the new results to analyze current models of disclosure and integrity (for example, those described in [1][5] 6] 11] 12] 15] is itself a separate paper; it is beyond the scope of the issues addressed here. We quickly review the basic definitions and relevant results of the Take Grant Protection Model [2] Following that, we present bounds on the number of actors needed for information to be shared ....

P. Ammann and R. Sandhu, "Safety Analysis for the Extended Schematic Protection Model, " Proc. of the 1991 IEEE Symp. on Security and Privacy (May 1991), 87-97.

....access matrix model of Lampson [9] took the position that access should be based on presence of access rights and not on their absence. This viewpoint was reiterated as a basic principle of protection by Saltzer and Schroeder [12] Subsequently models such as take grant [10] SPM [14] ESPM [1, 2, 3] and TAM [16] have followed this approach. As such, these models are incapable of ex pressing the dynamic separation of duties embodied in TCEs. Although the Orange Book [6] calls for the ability to specify discretionary denial of access, TCEs require non discretionary denial of access based on ....

....(HRU) 7] has very broad expressive power. Unfortunately, HRU also has extremely weak safety properties. Safety is undecidable for most policies of practical interest, even in the monotonic version of HRU [8] The main contribution of access control models such as take grant [10] SPM [14] ESPM [1, 2, 3] and TAM [16] is that they offer tractable safety for schemes of practical interest. It is easy to add expressive power to such models, and in many cases, the need for additional expressive power can be readily argued. For example, in this paper we argue for the need to check for the absence of ....

Ammann, P.E. and Sandhu, R.S. "Safety Analysis for the Extended Schematic Protection Model." Proc. IEEE Symposium on Research in Security and Privacy, 87-97 (1991).

....we define the typed access matrix (TAM) model by introducing the notion of strong typing into HRU. We prove that monotonic TAM (MTAM) has strong safety properties similar to those of Sandhu s Schematic Protection Model [21, 22] and its recent extension by Ammann and Sandhu to Extended SPM (ESPM) [2, 3, 4]. Second we show how safety can be made tractable, y We assume that the authorization scheme is enforced by a high assurance reference monitor. If the reference monitor can be bypassed there is, of course, no basis for security. z Strong typing is analogous (but not identical) to tranquility ....

....This led to the development of Extended SPM (ESPM) by Ammann and Sandhu [2, 4] ESPM generalizes the conventional single parent creation operation of SPM, to allow multiple parents for a child. ESPM is formally equivalent to monotonic HRU [2, 4] while it retains the positive safety results of SPM [3, 4]. Ammann, Lipton and Sandhu have recently shown that in monotonic models multi parent creation is strictly more powerful than single parent creation [5] This completes our historical review. 3 The TAM and MTAM Models In this Section we define the typed access matrix (TAM) model, and its ....

[Article contains additional citation context not shown here]

Ammann, P.E. and Sandhu, R.S. "Safety Analysis for the Extended Schematic Protection Model." Proc. IEEE Symposium on Research in Security and Privacy, 87-97 (1991).

....an acceptable global system wide policy. A notable property of SPM is that it has efficient safety analysis under very general assumptions (specifically the can create relation on subject types has to be acyclic [8] The expressive of this model has been amply demonstrated [9] Ammann and Sandhu [1, 2] have also recently shown that SPM extended with multi parent creation (ESPM) has the complete expressive power of the monotonic access matrix model, while retaining the efficient safety analysis of SPM. Recently we have been looking at distributed implementations of SPM. We first considered a ....

Ammann, P. and Sandhu, R.S. "Safety Analysis for the Extended Schematic Protection Model." Proc. IEEE Symposium on Research in Security and Privacy, Oakland, California, May 1991, to appear.

....create operation of SPM which has a single parent for a child [1] This is the only difference between SPM and ESPM. It has been shown that ESPM is precisely equivalent to HRU s monotonic access matrix model in terms of expressive power and yet it retains SPM s efficient safety properties [2]. In this paper we have focused on providing a distributed capability based implementation of ESPM. Our implementation is strongly influenced by the architecture presented by Sandhu and Suri for implementation of the Transform model [14] Propagation based on links and on the state of the subject, ....

Ammann, P.E. and Sandhu, R.S. "Safety Analysis for the Extended Schematic Protection Model." Proc. IEEE Symposium on Research in Security and Privacy, Oakland, California, May 1991, pages 87-97.

....are monotonic. The interesting question is whether or not SPM has behavioral equivalence to monotonic HRU, in the sense discussed in Section 4. Resolution of this question will provide a significant advance in our understanding of protection models. It has recently been shown by Ammann and Sandhu [1, 2] that extending SPM to have a multi parent joint create operation gives us equivalence to monotonic HRU. It has also been conjectured that SPM is actually less expressive than monotonic HRU (under the terms of behavioral equivalence) The precise relationship of the expressive power of SPM with ....

Ammann, P.E. and Sandhu, R.S. "Safety Analysis for the Extended Schematic Protection Model." Proc. IEEE Symposium on Research in Security and Privacy, Oakland, California, May 1991, pages 87-97.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC