Sandhu, R. S., 'The Schematic Protection Model: Its definition and Analysis for Acyclic Attenuating Schemes', JACM, April 1988.
....access matrix that maintains the protection state of the system, and a set of rules for changing the protection state of the system. A number of access control models have been proposed that differ from each other in the state changing rules. These models include HRU model [HAR76], SPM model [SAN88], take-grant model [SNY81], ESPM model [AMM92], grammatical protection models [SNY81], CPD model [BAA90], Typed Access Matrix model [SAN92] and Transform model [SAN89]. An important goal of modeling a system using an access control model is to answer the safety question: is a particular state ....
.... Access control models were first described by Lampson in [LAM74]. Later, a number of models were proposed that differ in expressive power and decidability of safety; these include the HRU model [HAR76], take-grant model [SNY81], Grammatical protection models [SNY81], Schematic Protection model [SAN88], Extended Schematic Protection model [AMM92] and Typed Access Matrix model [SAN92]. Although a number of interesting results about the question of safety exist with respect to these models, none of them have been used in practice to analyze the safety of the protection mechanisms of large scale ....
[Article contains additional citation context not shown here]
Sandhu, R. S., 'The Schematic Protection Model: Its definition and Analysis for Acyclic Attenuating Schemes', JACM, April 1988.
....by Lipton and Snyder [11, 17], a simple protection system with linear time decidable accessibility properties. Other work includes the Bell-LaPadula multi-level model [1], grammatical protection systems [5, 10] and more recently, the schematic protection model and the typed access matrix model [14, 15]. Early work on protection systems took place in the context of operating systems (the access matrix model can be thought of in terms of access control lists, and the take-grant model and others in terms of capabilities) and current operating systems have robust and efficient protection ....
R. Sandhu. The schematic protection model: Its definition and analysis for acyclic attenuating schemes. J. ACM, 35(2):404--432, April 1988.
....with representation and evaluation issues of static authorization requirements, which are to be satisfied in each individual state. In other words, we do not model the dynamics of authorization. In this sense, the model we use and the issues we investigate are very different from those studied in [16, 17, 25, 34, 35, 36]. For example, we do not study the problem of access rights propagation, commonly known as safety analysis [5, 6, 17]. Similarly, the creation and deletion of subjects and objects are not modeled within our framework. We stress, however, that this does not mean that our framework cannot be ....
R.S. Sandhu. The schematic protection model: Its definition and analysis for acyclic attenuating schemes. Journal of the ACM, 35(2):404--432, April 1988.
....aspects of fault tolerance. Extensions to provide hard real time properties remain an objective of future work. Most current and proposed formal security policy definitions deal with only one of the security policy classes. For example, see [18, 34, 25] for secrecy, [7, 5, 2] for integrity, and [19, 33, 1] for legitimate access. There has been work in integrating secrecy and integrity [24] and secrecy under special (possibly faulty) behaviour [4]. We are not aware of a formal definition of availability. CSL is an attempt to provide a way of expressing at least some aspects of all of these ....
R.S. Sandhu. The schematic protection model: Its definition and analysis for acyclic attenuating schemes. Journal of the ACM, 35(2):404--432, 1988.
....model, introduced by Jones, Lipton, and Snyder [JLS76] and extended by Snyder [Sny81] and others [BS79, Bis84], has a linear time algorithm for safety, yet falls outside the known decidable cases of HRU. Closer to the HRU model is the Schematic Protection Model (SPM) developed by Sandhu [San88]. SPM, which contains security types, has a decidable subset that is more expressive than the take-grant model. An extension by Ammann and Sandhu [AS90] yields a model that is formally equivalent to monotonic HRU, but maintains positive safety results. More recently, Sandhu has had success with ....
R. Sandhu. The schematic protection model: Its definition and analysis for acyclic attenuating schemes. Journal of the ACM, 35(2):404--432, 1988.
....a decision algorithm for a class of protection systems as useful as the LR(k) class is to grammar theory appears very difficult. In response to this situation we proposed the schematic protection model (SPM) to balance the inherently conflicting goals of generality versus tractable safety analysis [14]. SPM classifies subjects and objects into protection types. The dynamic component of a protection state consists of tickets (capabilities). The key idea is that the rules comprising the authorization scheme are specified in terms of protection types. In particular creation is authorized by a ....
....The key idea is that the rules comprising the authorization scheme are specified in terms of protection types. In particular creation is authorized by a can-create binary relation on types. It has been previously shown that analysis is decidable provided the can-create relation is acyclic [14]. In this paper we show that with arbitrary cycles in can-create safety becomes undecidable. This gives us a natural demarcation between decidable and undecidable safety in SPM. Undecidability results are disappointing since they reflect inherent limitations. But in this case our disappointment is ....
[Article contains additional citation context not shown here]
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....products. Others are well established in the database literature. There are also some newer mechanisms which have been proposed more recently, e.g. transaction controls for separation of duties [21], the temporal model for audit data [12] and propagation constraints for dynamic authorization [20, 22]. Finally there are places where existing mechanisms and proposals need to be extended in novel ways. Overall the required mechanisms are quite practical and well within the reach of today's technology. 3.1 Well-formed Transactions. The concept of a well-formed transaction corresponds very well ....
....to envision (and design) systems that statically express a particular protection intent. But the need to change access authorizations dynamically introduces much complexity into protection systems. This fact continues to be true in spite of substantial theoretical advances in the interim [20]. Existing products provide few facilities in this respect and their mechanisms tend to have an ad hoc flavor. 3.8 Reality Checks. This principle inherently requires activity outside of the DBMS. The DBMS does have obligation to provide an internally consistent view of that portion of the ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....to formulation of the HRU model by Harrison, Ruzzo, and Ullman [6]. This was followed by the development of the Take-Grant Model. A good summary of these early efforts (in the first decade) can be found in [13]. More recent efforts have resulted in the Schematic Protection Model (SPM) by Sandhu [8], the Extended Schematic Protection Model (ESPM) by Ammann and Sandhu [1] and the Typed Access Matrix Model (TAM) also by Sandhu [12]. In reviewing the above development in access control models, we note that the overriding concern was the fine grained protection of individual objects and subjects ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....The original access matrix model of Lampson [9] took the position that access should be based on presence of access rights and not on their absence. This viewpoint was reiterated as a basic principle of protection by Saltzer and Schroeder [12]. Subsequently models such as take-grant [10], SPM [14], ESPM [1, 2, 3] and TAM [16] have followed this approach. As such, these models are incapable of expressing the dynamic separation of duties embodied in TCEs. Although the Orange Book [6] calls for the ability to specify discretionary denial of access, TCEs require non-discretionary denial of ....
....the command (b 0 ) that a given actual parameter to a TAM command be represented by at most one formal parameter. In other words we assume here that S1, S2 and S3 must be distinct supervisors. This assumption differs from the usual convention followed in access control models (see, for example, [3, 7, 14, 16]). An objection that might be raised to the preceding implementation is that it requires simultaneous agreement from three supervisors to approve a voucher. It can be argued that asynchronous agreement better models organizational requirements. Fortunately, asynchronous agreement can be achieved ....
[Article contains additional citation context not shown here]
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....of the object and subject. These properties are determined at creation and do not change thereafter. Label based controls of the Bell and LaPadula model [2] with strong tranquillity (i.e. labels are static) are a well known example. The type based controls of the schematic protection model [26, 28] are a more general example. 3. Controls based on dynamic properties of the object and subject. That is the properties on which the controls are based are themselves changeable, presumably in some controlled manner requiring proper authorization. Controls based on the history of an object and the ....
....enforcing the access control triple of Clark and Wilson [5, 7]. They also provide enforcement of, even dynamic, separation of duties by means of transaction control expressions [29] or some similar mechanism. There is also evidence that policies based on types are easier to analyze for safety [26] as compared with policies specified without a built-in notion of types [14, 15]. How does non-disclosure fit into this picture? There are several approaches one might take. If labels are regarded as a special case of types the enforcement kernel can handle label based controls. This has been ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....review the definition of ATAM [2]. 2.1 The Typed Access Matrix (TAM) Model. The principal innovation of TAM is to introduce strong typing of subjects and objects, into the access matrix model of Harrison, Ruzzo and Ullman [3]. This innovation is adapted from Sandhu's Schematic Protection Model [5], and its extension by Ammann and Sandhu [1]. As one would expect from its name, TAM represents the distribution of rights in the system by an access matrix. The matrix has a row and a column for each subject, and a column for each object. Subjects are also considered to be objects. The [X; Y] ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2), 1988, pages 404-432.
....to be of a particular type which thereafter does not change. ‡ In this paper we define the typed access matrix (TAM) model by introducing the notion of strong typing into HRU. We prove that monotonic TAM (MTAM) has strong safety properties similar to those of Sandhu's Schematic Protection Model [21, 22], and its recent extension by Ammann and Sandhu to Extended SPM (ESPM) [2, 3, 4]. Second we show how safety can be made tractable, † We assume that the authorization scheme is enforced by a high assurance reference monitor. If the reference monitor can be bypassed there is, of course, no basis ....
....can and cannot do [7, 8, 26]. The take-grant model was deliberately designed to be of limited expressive power, so that it would not exhibit the undecidable safety of HRU. There is therefore a substantial gap in expressive power between take-grant and HRU. Sandhu's Schematic Protection Model (SPM) [21] was developed to fill the gap in expressive power between take-grant and HRU, while sustaining efficient safety analysis. The key notion introduced in SPM is that of security types. The intuition is that all instances of a security type are treated uniformly by the authorization scheme. ....
[Article contains additional citation context not shown here]
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....which have multiple autonomous points of security control. 2 THE SCHEMATIC PROTECTION MODEL. GMU researchers have been active for several years in the study of decentralized security controls and their composition into a coherent system-wide policy. Sandhu's Schematic Protection Model (SPM) [8] is a formal access control model developed for this purpose. The initial focus of this research was on the safety analysis of SPM. Safety analysis is the key to understanding whether the composition of multiple autonomous security policies gives us an acceptable global system-wide policy. A ....
....whether the composition of multiple autonomous security policies gives us an acceptable global system-wide policy. A notable property of SPM is that it has efficient safety analysis under very general assumptions (specifically the can-create relation on subject types has to be acyclic [8]). The expressive of this model has been amply demonstrated [9]. Ammann and Sandhu [1, 2] have also recently shown that SPM extended with multi-parent creation (ESPM) has the complete expressive power of the monotonic access matrix model, while retaining the efficient safety analysis of SPM. ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of the ACM, Volume 35, Number 2, April 1988, pages 404-432.
....problem as dealt with in the Orange Book [5] is that it has a lot more dynamism in that new roles get created, existing roles are reorganized, new users and transactions get created, etc. Dealing with such dynamics is known to be difficult [9]. Recent results provide the basis for a good solution [16]. We also need to consider availability issues. These can arise in subtle ways. For example, suppose all the clerks go on strike. Does it become impossible to issue checks? Or do we allow supervisors to act as clerks in an emergency mode of operation? These issues need to be formalized in a ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....the commands which cause changes in the protection state. For each command we have to specify the authorization required to execute that command, as well as the effect of the command on the protection state. We generally call such a specification as an authorization scheme (or simply scheme) [12]. A scheme in the NMT model is defined by specifying the following components. 1. A set of access rights R. 2. Disjoint sets of subject and object types, TS and TO respectively. 3. A collection of NMT commands. Each command specifies the authorization for its execution and the changes in the ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....public keys are used as mechanisms for revocation. 1 Introduction In distributed systems, it has become vital to have some sort of access control to be able to safely share information and other resources on the network. Over a period of time many access control models have appeared in literature [3, 4, 7, 10], but unfortunately very few have been implemented in actual systems. These models provided a basis for specifying security policies in a multi user environment. Security models do not by themselves guarantee security. Systems specified in these models require safety analysis (of access rights) to ....
....of the well known access matrix model. Upon analysis of this model it was discovered that the model suffered from a lack of a useful special case for which safety was decidable. In addition the assumptions from which undecidability follows are extremely weak. The Schematic Protection Model (SPM) [10] and various other models were developed in response to these weak safety properties inherent in the HRU model. It has been shown that SPM has very strong expressive power [13] and at the same time allows for efficient safety analysis under very general conditions [10, 12]. SPM subsumes many other ....
[Article contains additional citation context not shown here]
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....military systems has been formally incorporated in evaluation criteria [8]. © Ravi S. Sandhu and Gurpreet S. Suri. Thus Transform incorporates practically useful expressive power while allowing for safety analysis. Transform is actually a special case of the Schematic Protection Model (SPM) [16]. Like Transform, SPM also exhibits strong safety properties. This is in contrast to the weak safety properties of the access matrix model commonly known as HRU [10]. Both HRU and SPM have undecidable safety in general [10, 18]. In HRU safety becomes undecidable under very weak assumptions, ....
.... Both HRU and SPM have undecidable safety in general [10, 18]. In HRU safety becomes undecidable under very weak assumptions, notably the bi-conditional monotonic case of [11]. On the other hand safety in SPM remains decidable under very strong assumptions, notably the acyclic attenuating case of [16]. In particular Transform falls outside the known decidable cases for HRU but well within the known decidable cases for SPM [17]. Our implementation proposal for Transform is strongly influenced by the identity based capability architecture proposed by Gong [9]. The concept of embedding the ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
.... only one term) but is undecidable even for bi-conditional monotonic commands [15] (i.e. commands whose condition part has exactly two terms). Most practical systems require multi-conditional commands (i.e. commands whose condition part has two or more terms). The schematic protection model (SPM) [34] was developed in response to this situation. SPM provides considerably more structure than HRU. It classifies subjects and objects into protection types. The dynamic component of a protection state in SPM consists of tickets (capabilities). The key idea is that the authorization scheme is ....
....The key idea is that the authorization scheme is specified in terms of protection types. In particular, subject creation is authorized by a can-create binary relation on types. Safety is decidable provided this relation is acyclic, and in certain cases even if it has cycles of length one [34]. On the other hand with arbitrary cycles in can-create, safety is undecidable [38]. Fortunately, it appears that SPM schemes of practical interest satisfy the decidability constraints, as demonstrated by the constructions of this paper and the examples of [32, 33, 34, 36]. Our objective in this ....
[Article contains additional citation context not shown here]
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....been a longstanding barrier to progress in the area of access control systems, which are flexible and can be customized to enforce a specific organization's policies. The negative results of [HRU76, HR78] showed that safety is undecidable under surprisingly weak assumptions. Since then progress [AS92, San88, Sny81] has been made on the safety problem for cases which are monotonic, or can be treated as such for safety analysis purposes. Results for non-monotonic cases have been negative [Bud83, LS78], underscoring the computational difficulty of this problem. The positive results of this paper stand in ....
....analysis. Commands for destroying objects are similarly ignored. It is clear that NMT treats each column of the access matrix independently of any other column. Thus, in analyzing the behavior of NMT it suffices to focus on one column at a time. This is in contrast to more general models, such as [AS92, HRU76, San88, San92], in which the state of one column can affect the behavior of commands on another column. NMT has been kept deliberately simple in this way, and yet it accommodates many practically useful access control policies as shown in [San89, SS92]. † The comment in the previous footnote applies here ....
R.S. Sandhu. The schematic protection model: Its definition and analysis for acyclic attenuating schemes. Journal of the ACM, 35(2):404--432, April 1988.
....work possible. Hence, in these models propagation of access rights is authorized entirely by existing rights for the object in question. More generally, propagation could also be authorized by existing rights for the source and destination subjects, for example, in models such as HRU [5], SPM [11], TAM [13]. The concept of transformation of rights allows us to express a large variety of practical security policies encompassing various kinds of consistency, confidentiality and integrity controls. In this paper, we demonstrate the expressiveness of Transformation Models, by expressing some ....
Sandhu, R.S. "The Schematic Protection Model: its definition and analysis for acyclic attenuating schemes." JACM. 35,2,(April 1988). 404-432.
....and subject. These static properties are determined at creation and do not change thereafter. Label based controls of the Bell and LaPadula model [1] with strong tranquillity (i.e. labels are static) are a well known example. Various kinds of type based controls provide more general examples [3, 19, 21, 23, 24]. 3. Controls based on dynamic properties of the object and subject. That is the properties on which the controls are based are themselves changeable, presumably in some controlled manner requiring proper authorization. Controls based on the history of an object and the role of a subject, such as ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
....safety properties. Recently Sandhu [9] has shown how to overcome the negative safety results of HRU by introducing strong typing into the access matrix model. The resulting model is called the Typed Access Matrix (TAM). TAM combines the positive safety results for the Schematic Protection Model [6] with the natural expressive power of HRU. The safety problem is closely related to the so-called fundamental flaw of discretionary access control (DAC). DAC is vulnerable to Trojan Horses, in part because Trojan Horse laden programs can surreptitiously modify the protection state without explicit ....
....access matrix (TAM) model. In a nutshell, TAM is obtained by incorporating strong typing into the model of Harrison, Ruzzo and Ullman [5]. The principal innovation of TAM is to introduce strong typing of subjects and objects. This innovation is adapted from Sandhu's Schematic Protection Model [6]. As one would expect from its name, TAM represents the distribution of rights in the system by an access matrix. The matrix has a row and a column for each subject and a column for each object. Subjects are also considered to be objects. The [X; Y] cell contains rights which subject X possesses ....
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2), 1988, pages 404-432.
....of subjects and objects. Active entities such as users or processes are subjects while passive entities such as text files are objects. Protection is enforced by ensuring that subjects can execute only those operations authorized by privileges in their domains. The schematic protection model (SPM) [8] defines three operations by which a subject acquires new privileges: copy, create and demand. We show demand is redundant in that it can be simulated by copy and create. This is surprising because demand was intended to, and indeed appears to, confer a different kind of ability than copy or ....
....$U/z \in dom(V)$, $V/z \in dom(U)$, $V/z \in dom(V)$ and true. For instance the following are legitimate link predicates. $link_g(U,V) \equiv V/g \in dom(U)$ (Grant link [3]); $link_t(U,V) \equiv U/t \in dom(V)$ (Take link [3]); $link_{sr}(U,V) \equiv V/s \in dom(U) \wedge U/r \in dom(V)$ (Send-receive link [5]); $link_b(U,V) \equiv U/b \in dom(U)$ (Broadcast link [8]); $link_u(U,V) \equiv true$ (Universal link [7]). The third and final condition required for a copy operation is defined by the filter functions $f_i : TS \times TS \to 2^{T \times R}$, one per predicate $link_i$. The value of $f_i(u,v)$ specifies the types of tickets that may be copied from subjects of type u to ....
[Article contains additional citation context not shown here]
Sandhu, R.S. "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes." Journal of ACM 35(2):404-432 (1988).
[Figure: Original System: U demands O/P. Modified System: U copies O/P over link (O,U).]
No context found.
SANDHU, R.S. The schematic protection model: its definition and analysis for acyclic attenuating schemes. JACM 35, 2 (April 1988). 404-432.
No context found.
Sandhu, R.S. (1988). The Schematic Protection Model: Its Definitions and Analysis for Acyclic Attenuating Schemes. Journal of ACM 8(2):404-432.