Table 6. HRU protection system $\Pi$

begin create object $\omega$; enter $r_0$ into $A(\sigma, \omega)$; enter $r_1$ into $A(\sigma, \omega)$; enter $r_2$ into $A(\sigma, \omega)$ end

if $r_0$ is in $A(\sigma, \omega)$ then enter $r_3$ into $A(\sigma', \omega)$

if $r_0$ is in $A(\sigma, \omega)$ then enter $r_4$ into $A(\sigma', \omega)$

if $r_3$ is in $A(\sigma, \omega)$ and $r_4$ is in $A(\sigma', \omega)$ then enter $r_5$ into $A(\sigma', \omega)$

replaced by an individual through the use of $\theta$. If $\Delta = (S, O, A)$ is a protection state then we shall say that $\theta$ makes $C$ true at $\Delta$, in symbols $\Delta \models_\theta C$, iff the following condition is satisfied:

- $C$ is “$r$ is in $A(\sigma, \omega)$”, $\theta(\sigma)$ is in $S$, $\theta(\omega)$ is in $O$, and $r$ is in $A(\theta(\sigma), \theta(\omega))$.

It follows from the definition that if substitution $\theta$ is $\{\sigma/s_2, \omega/o_2\}$ and elementary condition $C$ is “$r_0$ is in $A(\sigma, \omega)$” then $\Delta' \models_\theta C$, where $\Delta'$ is the protection state defined by table 2. As well, if substitution $\theta$ is $\{\sigma/s_0, \sigma'/s_1, \omega/o_2\}$ and elementary conditions $C$ and $C'$ are “$r_3$ is in $A(\sigma, \omega)$” and “$r_4$ is in $A(\sigma', \omega)$” then $\Delta''' \models_\theta C$ and $\Delta''' \models_\theta C'$, where $\Delta'''$ is the protection state defined by table 4.

Let $\Pi$ be a HRU protection system. If $\Delta = (S, O, A)$ and $\Delta' = (S', O', A')$ are protection states then we shall say that $\Delta'$ is derivable from $\Delta$ in one step using $\Pi$, in symbols $\Delta \longrightarrow_\Pi \Delta'$, iff there exists a substitution $\theta$ and a HRU command $\alpha \in \Pi$ with elementary conditions $C_1, \ldots, C_i$ and primitive operations $\pi_1, \ldots, \pi_j$ such that:

- $\Delta \models_\theta C_1$, ..., $\Delta \models_\theta C_i$,
- $\Delta \longrightarrow_{\pi_1} \circ \cdots \circ \longrightarrow_{\pi_j} \Delta'$.

It is obvious from the definition that $\Delta \longrightarrow_\Pi \Delta' \longrightarrow_\Pi \Delta'' \longrightarrow_\Pi \Delta''' \longrightarrow_\Pi \Delta^{(4)}$ where $\Delta$, $\Delta'$, $\Delta''$, $\Delta'''$, and $\Delta^{(4)}$ are the protection states defined by tables 1, 2, 3, 4, and 5 and $\Pi$ is the HRU protection system defined by table 6.

Let $\Pi$ be a HRU protection system and $\Delta$ be a protection state. $\Pi$ is said to be unsafe for $r$ with respect to $\Delta$ iff there exists a sequence $\Delta_0 = (S_0, O_0, A_0)$, ..., $\Delta_n = (S_n, O_n, A_n)$, $\Delta_{n+1} = (S_{n+1}, O_{n+1}, A_{n+1})$ of protection states such that:

- $\Delta_0 \longrightarrow_\Pi \circ \cdots \circ \longrightarrow_\Pi \Delta_n \longrightarrow_\Pi \Delta_{n+1}$,
- the following conditions are satisfied for some individual $s$ of type subject and for some individual $o$ of type object:
  • if $s$ is in $S_n$ and $o$ is in $O_n$ then $r$ is not in $A_n(s, o)$,
  • $s$ is in $S_{n+1}$, $o$ is in $O_{n+1}$, and $r$ is in $A_{n+1}(s, o)$,
- $\Delta_0 = \Delta$.

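The one-step derivation and unsafety definitions above, as an added Python example (not code from the original text): the commands of table 6 are encoded as data and a bounded breadth-first search looks for a derivation whose last step enters $r$ into a cell that lacked it. The start state, the individual names, reading the second subject variable as $\sigma'$, and the rule that an inapplicable primitive operation blocks the step are assumptions of this example.

```python
from itertools import product
# Table 6 as (variables, conditions, operations); (r, x, y) is "r in A(x, y)".
X, Y, W = "sigma", "sigma'", "omega"  # command variables (names assumed)
PI = [
    ((X, W), [], [("create", W), ("enter", "r0", X, W),
                  ("enter", "r1", X, W), ("enter", "r2", X, W)]),
    ((X, Y, W), [("r0", X, W)], [("enter", "r3", Y, W)]),
    ((X, Y, W), [("r0", X, W)], [("enter", "r4", Y, W)]),
    ((X, Y, W), [("r3", X, W), ("r4", Y, W)], [("enter", "r5", Y, W)]),
]

def holds(state, theta, cond):
    """Delta |=_theta C for the elementary condition C = (r, x, y)."""
    (S, O, A), (r, x, y) = state, cond
    return theta[x] in S and theta[y] in O and (theta[x], theta[y], r) in A

def step(state, command, theta):
    """State derived in one step under substitution theta, or None."""
    (S, O, A), (_, conds, ops) = state, command
    if not all(holds(state, theta, c) for c in conds):
        return None
    for op in ops:
        if op[0] == "create" and theta[op[1]] not in O:
            O = O | {theta[op[1]]}
        elif op[0] == "enter" and theta[op[2]] in S and theta[op[3]] in O:
            A = A | {(theta[op[2]], theta[op[3]], op[1])}
        else:
            return None  # assumption: an inapplicable operation blocks the step
    return (S, O, A)

def unsafe_for(r, start, names, bound):
    """Length of a shortest derivation (<= bound steps) leaking r, or None."""
    frontier, seen = [start], {start}
    for n in range(1, bound + 1):
        reached = []
        for state, cmd in product(frontier, PI):
            for vals in product(names, repeat=len(cmd[0])):
                new = step(state, cmd, dict(zip(cmd[0], vals)))
                if new is not None and new not in seen:
                    if any(t[2] == r for t in new[2] - state[2]):
                        return n  # r entered a cell of A that lacked it
                    seen.add(new)
                    reached.append(new)
        frontier = reached
    return None

# Constructed start state and individual names (table 1 is not on this page).
START = (frozenset({"s0", "s1", "s2"}), frozenset(), frozenset())
NAMES = ["s0", "s1", "s2", "o2"]
```

Because the search is bounded and ranges over a fixed set of names, a `None` result only says that no leak exists within that bound and name set.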
We also say that the sequence $\Delta_0 = (S_0, O_0, A_0)$, ..., $\Delta_n = (S_n, O_n, A_n)$, $\Delta_{n+1} = (S_{n+1}, O_{n+1}, A_{n+1})$ leaks $r$ with respect to $\Pi$ and $\Delta$. For example, with respect to $\Delta$, the HRU protection system $\Pi$ defined in table 6 is unsafe for $r_0$, $r_1$, $r_2$, $r_3$, $r_4$, and $r_5$, where $\Delta$ is the protection state defined by table 1.

Let $C_{HRU}$ be a class of HRU protection systems. The most basic problem on HRU protection systems in $C_{HRU}$ is the following decision problem: