Theft and Conspiracy in the Take-Grant Protection Model

Models of protection in computer systems usually possess two components: a finite, labeled, directed two color graph representing the protection state of an operating system and a finite set of graph transformation rules with which the protection state may be changed. Harrison et al. demonstrated [ 1 ] that the safety problem for a very general protection model is undecidable; i.e., no algorithm could decide, given a protection graph and a set of transformation rules, whether an edge with a particular label is ever added to the graph. The Take-Grant Model [2-4] has been developed in response to this negative result in order to study such questions for a particular set of transition rules. Linear-time algorithms to test safety-like problems have been found [2,3] for the Take-Grant transition rules. Although the model is simple enough to permit linear-time decision procedures, it is rich enough to implement many sharing relationships [4]. Here we concentrate on the formal development supporting the motivational and interpretive treatments given in [4,5]. First, we characterize the class of graphs that can be created with the Take-Grant rules. Next, the can . steal predicate, first introduced in a limited form (41, is developed in full generality making it applicable to the common situation of “stealing tiles.” Another main topic is that of quantifying the amount of “cooperation” required to share or steal rights. By the amount of “cooperation” we mean the number of users (i.e., subject vertices in the model) required to initiate rules in order for a particular edge to be added to a graph. This concept has been called “conspiracy” in [2]. Exact conspiracy measurements for arbitrary protection graphs are derived and an algorithm for discovering minimum conspiracy is presented.