Date post: | 26-Mar-2015 |
On the Expressive Power of the Unary Transformation Model
by
Ravi Sandhu and Srinivas Ganta
Center for Secure Information Systems, George Mason University
Outline
• Introduction / Motivation
• Transformation Model
• Example
• Expressive Power
• Conclusion
NMT
• Can enforce lots of diverse policies
• Has simple implementation
• Cannot adequately express the document release example
(Sandhu & Suri, Oakland 92)
Document Release Example
• A scientist prepares a document and can release it only after getting approval from a patent-officer.
Transformation Model (TRM)
• Protection state in TRM is viewed in terms of the familiar access matrix
• Protection state of the system is given by the tuple (OBJ, SUB, t, AM)
• The specification for changing the protection state is given by an authorization scheme
ACCESS MATRIX
(Figure: access matrix with axes "subjects" and "objects"; the cell for subject u : s and object f : o contains the rights r, w, own.)
Authorization Scheme
• A set of access rights R.
• Disjoint sets of subject and object types, TS and TO, respectively.
• A collection of three classes of state changing commands: Transformation commands, Create commands and Destroy commands
Transformation Commands
Command name (S1:s1, ..., Sn:sn, O:o)
    if predicate then
        sequence of primitive operations: enter/delete r into [S, O]
end
Example:
Command transfer-ownership (S1:s, S2:s, O:o)
    if own [S1,O] then
        enter own in [S2,O]
        delete own from [S1,O]
end
Create Commands
Command create (S1:s1, O:o)
    create object O
    enter own in [S1, O]
end
Destroy Commands
Command destroy (S1:s1, O:o)
    if own [S1,O] then
        destroy object O
end
TRM SUMMARY
• A set of rights R
• A set of disjoint subject and object types TS and TO respectively
• A set of state-changing transformation, creation and destroy commands
• The initial state
Document Release Example
• A document cannot be released by a scientist without first obtaining approval from a patent-officer.
• Types = { sci, po, doc}
• Rights = {read, write, own, review, pat-ok, pat-reject, release}
Create Command
• Command create-doc (S:sci, O:doc)
      create object O
      enter own in [S,O]
      enter read in [S,O]
      enter write in [S,O]
  end
Document Release Example
(Figure: access matrix with subjects S: sci and P: po and object O: doc, showing the rights own, read, write.)
Request Review
• command rqst-review (S:sci, P:po, O:doc)
      if own [S,O] ∧ write [S,O] then
          enter review in [P,O]
          delete write from [S,O]
  end
Get-Approval/Rejection
• command get-approval (S:sci, P:po, O:doc)
      if own [S,O] ∧ review [P,O] then
          enter pat-ok in [S,O]
          delete review from [P,O]
  end
• command get-rejection (S:sci, P:po, O:doc)
      if own [S,O] ∧ review [P,O] then
          enter pat-reject in [S,O]
          delete review from [P,O]
  end
Release / Revise Document
• command release-doc (S:sci, O:doc)
      if pat-ok [S,O] then
          enter release in [S,O]
          delete pat-ok from [S,O]
  end
• command revise-doc (S:sci, O:doc)
      if pat-reject [S,O] then
          enter write in [S,O]
          delete pat-reject from [S,O]
  end
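Added example (not part of the original slides): a small Python encoding of the document release scheme, taking each predicate as the conjunction of the tests shown on the slide for that command. It runs the release workflow and counts how many matrix cells each predicate reads. The dict/tuple encoding, the helper names and the sample entities alice, bob and d1 are assumptions of this sketch.

```python
# Added example, not from the slides; this encoding is an assumption.
from collections import defaultdict
# name -> (parameter types, tests, enters, deletes); (right, i, j) = cell [args[i], args[j]]
COMMANDS = {
    "rqst-review": (("sci", "po", "doc"), [("own", 0, 2), ("write", 0, 2)],
                    [("review", 1, 2)], [("write", 0, 2)]),
    "get-approval": (("sci", "po", "doc"), [("own", 0, 2), ("review", 1, 2)],
                     [("pat-ok", 0, 2)], [("review", 1, 2)]),
    "get-rejection": (("sci", "po", "doc"), [("own", 0, 2), ("review", 1, 2)],
                      [("pat-reject", 0, 2)], [("review", 1, 2)]),
    "release-doc": (("sci", "doc"), [("pat-ok", 0, 1)],
                    [("release", 0, 1)], [("pat-ok", 0, 1)]),
    "revise-doc": (("sci", "doc"), [("pat-reject", 0, 1)],
                   [("write", 0, 1)], [("pat-reject", 0, 1)]),
}

def cells_tested(name):               # distinct matrix cells read by the predicate
    return len({(i, j) for _, i, j in COMMANDS[name][1]})

class State:
    def __init__(self, types):
        self.types = dict(types)      # entity -> type (the t of the state tuple)
        self.am = defaultdict(set)    # (subject, object) -> rights in that cell
    def create_doc(self, s, o):       # create-doc (S:sci, O:doc)
        if self.types.get(s) != "sci" or o in self.types:
            return False
        self.types[o] = "doc"
        self.am[(s, o)] |= {"own", "read", "write"}
        return True

    def run(self, name, *args):
        ptypes, tests, enters, deletes = COMMANDS[name]
        if tuple(self.types.get(a) for a in args) != ptypes:
            return False              # wrong argument count or types
        if not all(r in self.am[(args[i], args[j])] for r, i, j in tests):
            return False              # predicate fails: state unchanged
        for r, i, j in enters:
            self.am[(args[i], args[j])].add(r)
        for r, i, j in deletes:
            self.am[(args[i], args[j])].discard(r)
        return True

def demo():
    st = State({"alice": "sci", "bob": "po"})   # constructed sample subjects
    steps = [st.create_doc("alice", "d1"), st.run("release-doc", "alice", "d1"),
             st.run("rqst-review", "alice", "bob", "d1"),
             st.run("get-approval", "alice", "bob", "d1"),
             st.run("release-doc", "alice", "d1")]
    return steps, st.am[("alice", "d1")], st.am[("bob", "d1")]
```

In `demo()` the release attempt made before approval is refused, and `get-approval` and `get-rejection` are the only commands whose predicates read two cells.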
Expressive Power
TRM BTRM
• The document release example has commands which test at most two cells of the matrix.
• Binary Transformation Model
•
(Sandhu & Ganta, Oakland 94)
Expressive Power
• UTRM TRM
• UTRM BTRM
?
?
UTRM BTRM
• requires every subject in the simulation to be of a different type.
• ESORICS 94
UTRM BTRM
• if every subject cannot be of a different type
Conclusion
• UTRM BTRM impractical simulation in general
• UTRM < BTRM for all practical purposes