on the expressive power of the unary transformation model by ravi sandhu srinivas ganta center for...

Post on 26-Mar-2015


On the Expressive Power of the Unary Transformation Model

by

Ravi Sandhu
Srinivas Ganta

Center for Secure Information Systems
George Mason University

Outline

• Introduction / Motivation

• Transformation Model

• Example

• Expressive Power

• Conclusion

NMT

• Can enforce lots of diverse policies

• Has simple implementation

• Cannot adequately express the document release example

(Sandhu & Suri, Oakland 92)

Document Release Example

• A scientist prepares a document and can release it only after getting approval from a patent-officer.

Transformation Model (TRM)

• Protection state in TRM is viewed in terms of the familiar access matrix

• Protection state of the system is given by the tuple (OBJ, SUB, t, AM)

• The specification for changing the protection state is given by an authorization scheme

ACCESS MATRIX

[Figure: access matrix of subjects and objects; the cell for subject u : s and object f : o holds the rights r, w, own]

Authorization Scheme

• A set of access rights R.

• Disjoint sets of subject and object types, TS and TO, respectively.

• A collection of three classes of state changing commands: Transformation commands, Create commands and Destroy commands

Transformation Commands

Command name (S1:s1, ..., Sn:sn, O:o)
    if predicate then
        sequence of primitive operations
        enter/delete r into [S, O]
end

Example:

Command transfer-ownership (S1:s, S2:s, O:o)
    if own [S1,O] then
        enter own in [S2,O]
        delete own from [S1,O]
end

Create Commands

Command create (S1:s1, O:o)
    create object O
    enter own in [S1, O]
end

Destroy Commands

Command destroy (S1:s1, O:o)
    if own [S1,O] then
        destroy object O
end

TRM SUMMARY

• A set of rights R

• A set of disjoint subject and object types TS and TO respectively

• A set of state-changing transformation, creation and destroy commands

• The initial state

Document Release Example

• A document cannot be released by a scientist without first obtaining approval from a patent-officer.

• Types = { sci, po, doc}

• Rights = {read, write, own, review, pat-ok, pat-reject, release}

Create Command

• Command create-doc (S:sci, O:doc)
      create object O
      enter own in [S,O]
      enter read in [S,O]
      enter write in [S,O]
  end

Document Release Example

[Figure: access matrix with subjects S: sci and P: po and object O: doc; cell [S,O] holds own, read, write]

Request Review

• command rqst-review (S:sci, P:po, O:doc)
      if own [S,O] ∧ write [S,O] then
          enter review in [P,O]
          delete write from [S,O]
  end

Get-Approval/Rejection

• command get-approval (S:sci, P:po, O:doc)
      if own [S,O] ∧ review [P,O] then
          enter pat-ok in [S,O]
          delete review from [P,O]
  end

• command get-rejection (S:sci, P:po, O:doc)
      if own [S,O] ∧ review [P,O] then
          enter pat-reject in [S,O]
          delete review from [P,O]
  end

Release / Revise Document

• command release-doc (S:sci, O:doc)
      if pat-ok [S,O] then
          enter release in [S,O]
          delete pat-ok from [S,O]
  end

• command revise-doc (S:sci, O:doc)
      if pat-reject [S,O] then
          enter write in [S,O]
          delete pat-reject from [S,O]
  end
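
Added example (not part of the original slides): a small Python interpreter for the document release commands above, showing that release-doc cannot succeed before get-approval and how many matrix cells each predicate reads. It assumes that a predicate naming two rights is a conjunction; the subject names alice and bob, the object name d1, and the helper names new_state, create_doc, run and cells_tested are constructed for illustration.

```python
from collections import defaultdict

# name: (parameter types, tests, enters, deletes). A pair (right, i) refers to
# cell [args[i], O], where O is the last argument. Tests are ANDed (assumption).
COMMANDS = {
    "rqst-review":   (("sci", "po", "doc"), [("own", 0), ("write", 0)],
                      [("review", 1)], [("write", 0)]),
    "get-approval":  (("sci", "po", "doc"), [("own", 0), ("review", 1)],
                      [("pat-ok", 0)], [("review", 1)]),
    "get-rejection": (("sci", "po", "doc"), [("own", 0), ("review", 1)],
                      [("pat-reject", 0)], [("review", 1)]),
    "release-doc":   (("sci", "doc"), [("pat-ok", 0)],
                      [("release", 0)], [("pat-ok", 0)]),
    "revise-doc":    (("sci", "doc"), [("pat-reject", 0)],
                      [("write", 0)], [("pat-reject", 0)]),
}

def new_state(subjects):  # typed subjects, no objects, empty access matrix
    return {"types": dict(subjects), "am": defaultdict(set)}

def create_doc(st, s, o):
    """create-doc: a sci subject creates doc O and gets own, read, write."""
    if st["types"].get(s) != "sci" or o in st["types"]:
        return False
    st["types"][o] = "doc"
    st["am"][(s, o)] |= {"own", "read", "write"}
    return True

def run(st, name, *args):
    """Apply a transformation command; return False if types or tests fail."""
    types, tests, enters, deletes = COMMANDS[name]
    if tuple(st["types"].get(a) for a in args) != types:
        return False
    obj = args[-1]
    if not all(r in st["am"][(args[i], obj)] for r, i in tests):
        return False
    for r, i in enters:
        st["am"][(args[i], obj)].add(r)
    for r, i in deletes:
        st["am"][(args[i], obj)].discard(r)
    return True

def cells_tested(name):
    """Number of distinct matrix cells the command's predicate reads."""
    return len({i for _, i in COMMANDS[name][1]})

if __name__ == "__main__":
    st = new_state({"alice": "sci", "bob": "po"})   # constructed names
    create_doc(st, "alice", "d1")
    print(run(st, "release-doc", "alice", "d1"))    # release before approval
```
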

Expressive Power

TRM BTRM

• The document release example has commands which test at most two cells of the matrix.

• Binary Transformation Model

(Sandhu & Ganta, Oakland 94)

Expressive Power

• UTRM TRM

• UTRM BTRM

?

?

UTRM BTRM

• requires every subject in the simulation to be of a different type.

• ESORICS 94

UTRM BTRM

• if every subject cannot be of a different type

Conclusion

• UTRM BTRM impractical simulation in general

• UTRM < BTRM for all practical purposes
