Problem: SAFETY($\mathcal{C}_{HRU}$)
Input: a right $r$, an HRU protection system $\Pi \in \mathcal{C}_{HRU}$, and a protection state $\Delta = (S, O, A)$.
Output: determine whether $\Pi$ is unsafe for $r$ with respect to $\Delta$.
The above is a planning problem. Abstractly, we have an initial protection state and a set of HRU commands, each of which can be performed in a given protection state if that state satisfies the command's conditions. Performing an HRU command on a protection state yields a new protection state. The goal is to reach a protection state that leaks the right $r$, and the task is to find a sequence of HRU commands that achieves this end.
Theorem 1.
1. SAFETY($\mathcal{C}_{HRU}(+, 1)$) is decidable,
2. SAFETY($\mathcal{C}_{HRU}(1, +)$) is decidable,
3. SAFETY($\mathcal{C}_{HRU}(2, +)$) is undecidable.
Proof. See [7,8].
4 Timed Protection Systems
Within the context of HRU protection systems, the mechanism granting and revoking access of subjects to objects is based on the execution of commands. This mechanism tends to restrict our thinking about access control to just the ordering between protection states in a transition ∆ −→ Π, rather than to the durations that elapse between protection states in the transition ∆ −→ Π. At a more sophisticated level, it is not enough that the computer system is in a given protection state. For some positive real number $d$, we must additionally ensure either that the computer system has remained in a given protection state for at least duration $d$, or that it has remained in that protection state for at most duration $d$. For instance, we might wish to force the protection system either to wait at least $d$ units of time before granting access, or to wait at most $d$ units of time before revoking access. We are primarily concerned with the temporal aspect of state derivability. The central point of this paper is to demonstrate that temporal requirements can be added to protection systems. For this purpose, we have developed a new HRU model incorporating temporal constraints of the form "subject $s$ has right $r$ on object $o$ since at least duration $d$", leaving aside for another paper temporal constraints of the form "subject $s$ has right $r$ on object $o$ since at most duration $d$". Hence, within the context of timed protection systems, primitive operations can be invoked indirectly via timed commands of the form:
- "if $C_1$ and ... and $C_i$ then begin $\pi_1$; ...; $\pi_j$ end",
where $C_1, \ldots, C_i$ are now elementary conditions like:
- "$r$ is in $A(\sigma, \omega)$ since at least duration $d$", where $d$ is a positive real number.
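The following worked example is added here and is not code from the paper. It illustrates both the planning view of SAFETY given above and the timed commands just introduced: the access matrix $A$ records, for each right, the time at which it was entered, so that a condition "$r$ is in $A(\sigma, \omega)$ since at least duration $d$" can be evaluated against a clock; SAFETY is then answered by a bounded breadth-first search over sequences of command executions and clock advances. The scenario (subjects `alice` and `bob`, object `f`, a `share` command that lets an owner grant `read` only after holding `own` for `min_age` time units), the explicit `wait` steps that advance the clock, and the omission of create/destroy operations (which keeps the search finite for a given step bound) are all assumptions of this example, not part of the paper's model.

```python
"""Toy HRU protection system with "since at least d" conditions, plus SAFETY
answered as a bounded planning problem. Constructed example, not the paper's code.

Assumptions: A maps (subject, object) -> {right: time_entered}; a command is a
conjunction of conditions (right, subj_param, obj_param, min_age) followed by
enter/delete primitive operations; create/destroy are omitted; time is a
simulated clock that the planner advances with explicit "wait" steps.
"""
from collections import deque
from itertools import product


class Command:
    def __init__(self, name, arity, conds, ops):
        # conds: [(right, i, j, d)]   meaning "right in A(args[i], args[j]) since at least d"
        # ops:   [("enter"|"delete", right, i, j)]
        self.name, self.arity, self.conds, self.ops = name, arity, conds, ops


def holds(A, clock, s, o, r, d):
    """True iff r has been in A(s, o) for at least duration d at time `clock`."""
    t = A.get((s, o), {}).get(r)
    return t is not None and clock - t >= d


def applicable(cmd, args, S, O, A, clock):
    """Parameters must be well typed (subject/object) and every condition must hold."""
    for r, i, j, d in cmd.conds:
        if args[i] not in S or args[j] not in O or not holds(A, clock, args[i], args[j], r, d):
            return False
    return all(args[i] in S and args[j] in O for _, _, i, j in cmd.ops)


def execute(cmd, args, A, clock):
    """Apply the primitive operations. Returns the new matrix and the set of rights
    leaked, i.e. entered into a cell that did not already contain them."""
    A2 = {cell: dict(rights) for cell, rights in A.items()}
    leaked = set()
    for op, r, i, j in cmd.ops:
        cell = A2.setdefault((args[i], args[j]), {})
        if op == "enter" and r not in cell:
            cell[r] = clock  # remember when the right was entered
            leaked.add(r)
        elif op == "delete":
            cell.pop(r, None)
    return A2, leaked


def freeze(A, clock):
    """Hashable snapshot of (clock, A); the clock is part of the state in the timed model."""
    return clock, frozenset((s, o, r, t) for (s, o), cell in A.items() for r, t in cell.items())


def unsafe(commands, S, O, A0, right, max_steps):
    """Breadth-first search for a plan of at most max_steps steps leaking `right`.
    Returns the plan as a list of ("wait", d) / (command_name, args) steps, or None."""
    waits = sorted({d for c in commands for (_, _, _, d) in c.conds if d > 0})
    queue, seen = deque([(0, A0, ())]), {freeze(A0, 0)}
    names = sorted(S | O)
    while queue:
        clock, A, plan = queue.popleft()
        if len(plan) >= max_steps:
            continue
        succ = [(clock + d, A, plan + (("wait", d),)) for d in waits]
        for cmd in commands:
            for args in product(names, repeat=cmd.arity):
                if not applicable(cmd, args, S, O, A, clock):
                    continue
                A2, leaked = execute(cmd, args, A, clock)
                step = plan + ((cmd.name, args),)
                if right in leaked:
                    return list(step)
                succ.append((clock, A2, step))
        for clock2, A2, plan2 in succ:
            key = freeze(A2, clock2)
            if key not in seen:
                seen.add(key)
                queue.append((clock2, A2, plan2))
    return None


def example(min_age, max_steps=3):
    """Constructed scenario: alice owns (and can read) f; `share` lets the owner of an
    object grant read to another subject once `own` has been held for min_age units."""
    S, O = {"alice", "bob"}, {"alice", "bob", "f"}
    A0 = {("alice", "f"): {"own": 0, "read": 0}}
    share = Command("share", 3, conds=[("own", 0, 2, min_age)], ops=[("enter", "read", 1, 2)])
    return unsafe([share], S, O, A0, "read", max_steps)


if __name__ == "__main__":
    print("untimed:", example(0))        # leak in one step
    print("timed d=10:", example(10))    # must wait 10 units first
    print("timed, 1 step:", example(10, max_steps=1))  # no plan within the bound
```

With `min_age = 0` the planner finds `share(alice, bob, f)` immediately; with `min_age = 10` the only plan is to advance the clock by 10 and then share, which is exactly the "wait at least $d$ units before granting access" requirement. Two points matter when checking safety of a timed system: the clock must be part of the search state (otherwise waiting looks like a no-op and the leak is missed), and because the clock is unbounded the search is complete only up to the chosen step bound.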