Safety Problems in Access Control with Temporal Constraints
Philippe Balbiani and Fahima Cheikh
Université Paul Sabatier,
Institut de recherche en informatique de Toulouse,
31062 Toulouse Cedex 09, France
Philippe.Balbiani@irit.fr
Abstract. Most access control mechanisms use the matrix model to
represent protection states of computer systems. We present a variant
of the access control matrix model obtained by incorporating temporal
constraints saying that “subject s has right r on object o since at least
duration d”. In connection with this enriched model, we also discuss the
decidable and undecidable cases of one of the major themes of computer
security, namely the classical safety problem for access control matrices.
1 Introduction
The need for protection arises in any computer system where several users share
multifarious data and resources. The protection state of a computer system is
the set of all values of memory locations of the computer system that deal with
protection. Protection models provide a foundation for the representation of
protection states of computer systems. They are usually defined in terms of subjects,
objects, and rights between subjects and objects. In the matrix model introduced
by Lampson [9], rows represent subjects and columns represent objects. Each
element of the matrix is a set of rights. On most computer systems, “subject s has
right r on object o” if and only if r belongs to the element (s, o) of the matrix.
The access control model formalized by Harrison, Ruzzo, and Ullman [8] was
the first model to propose a language for administrating protection in terms of
propagation of rights. Within the HRU model, a protection system consists of a
set of commands. As commands are executed, the protection state of the
computer system, i.e. its access control matrix, changes. Protection models based on
the HRU language must consider the well-known safety problem: given a right
r, a protection system Π, and a protection state , is there a protection state
containing r and reachable from in a finite number of Π-steps? The safety
problem is undecidable for generic protection systems but it becomes decidable
if protection systems are restricted in some way. Can the borderline between
decidable and undecidable cases of the safety problem be drawn sharply and on
the basis of which criteria? This matter is analysed in [7,8]. See also [2] in this
connection.
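Added example (not from the paper): a breadth-first search that answers the safety question above in a restricted setting where commands only enter or delete rights and never create subjects or objects, so the set of reachable matrices is finite and the search terminates. The command encoding, the command names (delegate, confer_read, revoke) and the sample subjects, object and rights are assumptions made for illustration.

```python
from collections import deque
from itertools import product
# Assumed encoding (not the paper's notation):
#   state     = frozenset of (subject, object, right) triples, i.e. the matrix
#   command   = (name, param_kinds, conditions, operations)
#   condition = (right, i, j): right must be in cell (arg i, arg j)
#   operation = ("enter" | "delete", right, i, j)

def step(state, cmd, args):
    """Apply one command instance; return the new state, or None if a condition fails."""
    _, _, conds, ops = cmd
    if not all((args[i], args[j], r) in state for r, i, j in conds):
        return None
    cells = set(state)
    for op, r, i, j in ops:
        if op == "enter":
            cells.add((args[i], args[j], r))
        else:
            cells.discard((args[i], args[j], r))
    return frozenset(cells)

def reach(right, commands, subjects, objects, initial):
    """Shortest command sequence leading to a state containing `right`, else None."""
    domain = {"s": sorted(subjects), "o": sorted(objects)}
    start = frozenset(initial)
    seen, queue = {start}, deque([(start, [])])
    while queue:  # terminates: without create operations the state space is finite
        state, trace = queue.popleft()
        if any(r == right for _, _, r in state):
            return trace
        for cmd in commands:
            for args in product(*(domain[k] for k in cmd[1])):
                nxt = step(state, cmd, args)
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + [(cmd[0], args)]))
    return None

# Constructed sample system: an owner can delegate "grant", a grant holder can confer "read".
COMMANDS = [
    ("delegate", ("s", "s", "o"), [("own", 0, 2)], [("enter", "grant", 1, 2)]),
    ("confer_read", ("s", "s", "o"), [("grant", 0, 2)], [("enter", "read", 1, 2)]),
    ("revoke", ("s", "s", "o"), [("own", 0, 2)], [("delete", "grant", 1, 2)]),
]
SUBJECTS, OBJECTS = {"alice", "bob"}, {"file"}
INITIAL = {("alice", "file", "own")}
if __name__ == "__main__":
    print("read: ", reach("read", COMMANDS, SUBJECTS, OBJECTS, INITIAL))
    print("write:", reach("write", COMMANDS, SUBJECTS, OBJECTS, INITIAL))
```

A returned list is a witness that the right can appear; None means no reachable state contains it under this restricted command set.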
Additional topics related to the HRU model include results concerning a
number of interesting variants obtained by extending HRU in various ways. Re-