A distributed capability-based architecture for the transform model

The Transform model is based on the concept of transformation of access rights. It unifies a number of diverse acccsscontrol mechanisms such as amplification, copy flags, separation of duties and synergistic authorization. In this paper we describe a distributed architecture for implementing Transform. Our architecture is based on capabilities with identities of subjects buried in them. This ensures unforgeability of capabilities and enables enforcement of non-discretionary controls on propagation of capabilities from one subject to another. The design provides for immediate, selective, partial and complete revocation on a temporary as well as a permanent basis. We also show that Transform has an efficient algorithm for safety analysis of the propagation of access rights (i.e., the determination of whether or not a given subject can ever acquire access to a given object).