© 2004 Ravi Sandhu
The Extended Schematic Protection Model (ESPM)
Ravi Sandhu
Laboratory for Information Security Technology, George Mason University
Slide 2: Recap
- HRU has undecidable safety under very weak assumptions
  – bi-conditional monotonic
- Take-Grant and variations
  – efficiently decidable safety
  – unexpected aggregate policy
- Schematic protection model (SPM)
  – useful demarcation of efficiently decidable safety
    – decidable for acyclic attenuating schemes: polynomial in the size of the initial state, exponential in the number of types (for a dense cc relation); open question: acyclic non-attenuating schemes
    – undecidable for cyclic schemes
  – copy flag and demand operation turn out to be redundant
  – SPM can simulate Bell-LaPadula multilevel security
Slide 3: SPM creation
Slide 4: ESPM joint creation
Slide 5: Monotonic HRU command
Slide 6: ESPM simulation
1. Parameter list generation
   – marshal a parameter set of size J_i
2. Validating the conditional
3. Simulating the HRU command body
   – simulating creates: unconditional create with the alive right, so X/alive ∈ dom(X) is required for X to participate in any command
   – simulating enters: straightforward
Slide 7: ESPM types
- p: proxy entity type
  – P_x/r ∈ dom(P_y) for P_x, P_y of type p in the ESPM system iff r ∈ [P_y, P_x] in the HRU system
- {a_j | j = 1…J_max}: agent types
  – represent the ESPM proxy entity in the j-th parameter of an HRU command
- {v_i | i = 1…I}: validator types
  – represent a collection of J_i entities in an instance of HRU command i
  – created by joint creation with agent types as parents
- {t_k^i | k = 1…K_i, i = 1…I}: term types
  – simulate the truth value of each term in each HRU command
- {c_m^i | m = 1…M_i, i = 1…I}: create types
  – simulate creates for each HRU command
- {e_n^i | n = 1…N_i, i = 1…I}: enter types
  – simulate enters for each HRU command
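The following Python model is an added illustration, not code from the slides, of the monotonic HRU system that slides 5 to 7 simulate. Commands have a conditional, creates and enters; creation is unconditional and gives each new entity an alive self-right, which every command then requires of each of its parameters (the slide 6 device); espm_tickets applies the slide 7 correspondence between matrix cells and proxy tickets; and leaks answers a safety question by exhaustive search with a bound on the number of creations, the bound being what keeps the search finite, since unbounded monotonic HRU safety is undecidable (slide 2). All entity, right and command names (alice, f, own, friend, share_read and so on) are constructed for the example.

```python
"""Monotonic HRU (create + enter only) with the 'alive' self-right used by the
ESPM simulation, the slide-7 proxy-ticket view, and a bounded safety check.
Added illustration; entity, right and command names are constructed."""
from collections import defaultdict
from itertools import product

class MonotonicHRU:
    def __init__(self):
        self.entities = set()
        self.matrix = defaultdict(set)      # (subject, object) -> set of rights

    def create(self, x):
        # Unconditional create; x/alive in [x, x] lets commands demand that x exists.
        self.entities.add(x)
        self.matrix[(x, x)].add("alive")

    def enter(self, r, s, o):
        self.matrix[(s, o)].add(r)          # monotonic: rights are never deleted

    def has(self, r, s, o):
        return r in self.matrix.get((s, o), ())

class Command:
    """cond: [(right, i, j)] requires right in [X_i, X_j]; creates: created positions; enters: [(right, i, j)]."""
    def __init__(self, arity, cond, creates, enters):
        self.arity, self.cond, self.creates, self.enters = arity, cond, set(creates), enters

    def applicable(self, sys, args):
        for i, x in enumerate(args):
            if i in self.creates:
                if x in sys.entities: return False   # created parameters must be fresh
            elif not sys.has("alive", x, x):
                return False                         # every other parameter must be alive
        return all(sys.has(r, args[i], args[j]) for r, i, j in self.cond)

    def run(self, sys, args):
        if not self.applicable(sys, args): return False
        for i in sorted(self.creates):
            sys.create(args[i])
        for r, i, j in self.enters:
            sys.enter(r, args[i], args[j])
        return True

def espm_tickets(sys):
    """Slide 7: P_x/r in dom(P_y) iff r in [P_y, P_x]; a ticket is the pair (x, r)."""
    dom = defaultdict(set)
    for (s, o), rights in sys.matrix.items():
        dom[s].update((o, r) for r in rights)
    return dom

def snapshot(sys):
    return (frozenset(sys.entities),
            frozenset((s, o, r) for (s, o), rs in sys.matrix.items() for r in rs))

def restore(snap):
    sys = MonotonicHRU()
    sys.entities = set(snap[0])
    for s, o, r in snap[1]:
        sys.enter(r, s, o)
    return sys

def leaks(initial, commands, right, subj, obj, max_creates=1):
    """Can `right` appear in [subj, obj] using at most max_creates creations?  Exhaustive over
    existing entities; fresh entities get deterministic names, so the bounded search is finite."""
    start = (snapshot(initial), 0)
    seen, stack = {start}, [start]
    while stack:
        snap, ncreated = stack.pop()
        if (subj, obj, right) in snap[1]:
            return True
        for cmd in commands:
            if len(cmd.creates) > max_creates - ncreated:
                continue
            fresh = [f"new{ncreated + k}" for k in range(len(cmd.creates))]
            for choice in product(sorted(snap[0]), repeat=cmd.arity - len(fresh)):
                args, it_free, it_fresh = [], iter(choice), iter(fresh)
                for i in range(cmd.arity):
                    args.append(next(it_fresh) if i in cmd.creates else next(it_free))
                trial = restore(snap)
                if cmd.run(trial, args):
                    nxt = (snapshot(trial), ncreated + len(fresh))
                    if nxt not in seen:
                        seen.add(nxt); stack.append(nxt)
    return False

def sample_system():
    # Constructed initial state: alice owns f, alice trusts bob, bob trusts carol.
    sys = MonotonicHRU()
    for x in ("alice", "bob", "carol", "dave", "f"): sys.create(x)
    sys.enter("own", "alice", "f")
    sys.enter("friend", "alice", "bob")
    sys.enter("friend", "bob", "carol")
    return sys

# share_read(x, y, o): if own in [x, o] and friend in [x, y] then enter read into [y, o]
SHARE_READ = Command(3, [("own", 0, 2), ("friend", 0, 1)], [], [("read", 1, 2)])
# friend_of_friend(x, y, z): if friend in [x, y] and friend in [y, z] then enter friend into [x, z]
FRIEND_OF_FRIEND = Command(3, [("friend", 0, 1), ("friend", 1, 2)], [], [("friend", 0, 2)])
# new_file(x, o): create o; enter own into [x, o]
NEW_FILE = Command(2, [], [1], [("own", 0, 1)])
COMMANDS = [SHARE_READ, FRIEND_OF_FRIEND, NEW_FILE]
```

With this initial state, `leaks(sample_system(), COMMANDS, "read", "carol", "f")` is true (friend_of_friend gives alice a friend edge to carol, then share_read enters read), while the same question for dave is false: no command can ever enter a friend right pointing at dave, so the exhaustive bounded search finds no leak. The states explored grow with the number of entities and commands, which is the practical face of the exponential bounds on slides 2 and 12.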
Slide 8: ESPM creation
Slide 9: ESPM attenuating loops
If type(u_i) = type(v), except that one such parent can have an attenuating rule
cr_pj(u_1, u_2, …, u_N, v) = p_j/R_2^j c/R_1^j
cr_c(u_1, u_2, …, u_N, v) = p_j/R_3^j c/R_4^j
so R_1^j R_2^j and R_3^j R_2^j and R_4^j R_1^j
Slide 10: ESPM unfolded state
Slide 11: ESPM unfolded state
Slide 12: ESPM safety analysis
- exponential in types (like SPM)
- exponential in size of initial state (unlike SPM)
Slide 13: ESPM safety analysis
Slide 14: Expressive power of SPM and ESPM
- both are monotonic
- ESPM is equivalent to monotonic HRU
  – HRU can simulate ESPM
  – ESPM can simulate HRU
- ESPM with double-parent creation is equivalent to ESPM
- ESPM is at least as expressive as SPM
  – ESPM can simulate SPM trivially
- it turns out that SPM is less expressive than ESPM (and thereby less expressive than monotonic HRU)
Slide 15: Monotonic access graph model
- nodes are strongly typed
  – type of a node cannot change
- edges are strongly typed
  – type of an edge cannot change
- graph operations
  – initial state
  – node operations: multi-parent; create new edges from each parent to the child
  – edge operations: cannot create new nodes; must be monotonic (edges cannot be removed)
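As an added example (not from the slides; rule, type and node names are constructed), here is a small Python realisation of the monotonic access graph model: nodes and edges carry fixed types, a node operation can have several parents and adds an edge from each parent to the child, and edge operations only ever add edges. Because edge operations cannot create nodes, the edges reachable without further creation are the least fixpoint of the edge rules, which closure computes. The two scheme functions show the flavour of slides 17 to 20 on one instance: with a double-parent create the collab edge between a and b is reachable, while with single-parent creation and the identical initial state it is not. This is one illustration, not the general simulation argument of the slides.

```python
"""Monotonic access graph: strongly typed nodes and edges, multi-parent node
operations, monotone edge operations, and a fixpoint closure for safety questions.
Added illustration; rule, type and node names are constructed."""
from itertools import product

class AccessGraph:
    def __init__(self):
        self.node_type = {}      # node -> type; fixed once the node exists
        self.edges = set()       # (src, dst, edge_type); only ever grows

    def add_node(self, n, t):
        if n in self.node_type:
            raise ValueError(f"node {n} exists; node types cannot change")
        self.node_type[n] = t

    def add_edge(self, s, d, t):
        self.edges.add((s, d, t))

class CreateRule:
    """Node operation: parents of parent_types jointly create a child of child_type;
    an edge of the paired edge type runs from each parent to the new child."""
    def __init__(self, parent_types, child_type, edge_types):
        assert len(parent_types) == len(edge_types)
        self.parent_types, self.child_type, self.edge_types = (
            tuple(parent_types), child_type, tuple(edge_types))

    def apply(self, g, parents, child):
        if tuple(g.node_type[p] for p in parents) != self.parent_types:
            raise ValueError("parent types do not match this rule")
        g.add_node(child, self.child_type)
        for p, et in zip(parents, self.edge_types):
            g.add_edge(p, child, et)

class EdgeRule:
    """Edge operation over typed parameters: if every (edge_type, i, j) in cond holds
    between parameters i and j, add the edge add = (edge_type, i, j).  It never
    creates nodes and never removes edges."""
    def __init__(self, param_types, cond, add):
        self.param_types, self.cond, self.add = tuple(param_types), cond, add

def closure(g, rules):
    """Least fixpoint of the edge rules over the current node set.  Terminates because
    the node set is fixed and edges are only added, so an edge-safety question with no
    further creates is decided exactly."""
    nodes = sorted(g.node_type)
    changed = True
    while changed:
        changed = False
        for rule in rules:
            for params in product(nodes, repeat=len(rule.param_types)):
                if any(g.node_type[p] != t for p, t in zip(params, rule.param_types)):
                    continue
                if not all((params[i], params[j], et) in g.edges for et, i, j in rule.cond):
                    continue
                et, i, j = rule.add
                if (params[i], params[j], et) not in g.edges:
                    g.add_edge(params[i], params[j], et)
                    changed = True
    return g.edges

# Constructed scheme: two users jointly create a project (double-parent creation),
# and two members of the same project become collaborators.
JOINT_PROJECT = CreateRule(("user", "user"), "project", ("member", "member"))
SOLO_PROJECT = CreateRule(("user",), "project", ("member",))
COLLAB = EdgeRule(("user", "user", "project"),
                  cond=[("member", 0, 2), ("member", 1, 2)],
                  add=("collab", 0, 1))

def two_users():
    g = AccessGraph()
    g.add_node("a", "user")
    g.add_node("b", "user")
    return g

def scheme_a_can_collab():
    """Scheme A (double-parent creation): a and b jointly create project p."""
    g = two_users()
    JOINT_PROJECT.apply(g, ("a", "b"), "p")
    return ("a", "b", "collab") in closure(g, [COLLAB])

def scheme_b_can_collab():
    """Scheme B (single-parent creation only), identical initial state: every project
    a or b creates alone has a single member edge, and no edge rule adds member,
    so collab(a, b) is unreachable however many projects are created."""
    g = two_users()
    SOLO_PROJECT.apply(g, ("a",), "p1")
    SOLO_PROJECT.apply(g, ("b",), "p2")
    return ("a", "b", "collab") in closure(g, [COLLAB])

if __name__ == "__main__":
    print(scheme_a_can_collab(), scheme_b_can_collab())   # True False
```

The closure is the part a practitioner can reuse: once creation is exhausted (or bounded), monotonic edge rules over a fixed node set converge, and the resulting edge set answers "can this edge ever appear" for that node set exactly. What the scheme B function cannot show is the general theorem of slides 21 to 23, where scheme B is also allowed an arbitrary initial state; that argument is the slides' own.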
Slide 16: Simulation: scheme B simulates scheme A
Slide 17: Scheme A has double-parent creation
Slide 18: Double-parent creation in scheme A
Slide 19: Double-parent creation in scheme A
Slide 20: Failed simulation in scheme B with single-parent creation and identical initial state
Slide 21: Failed simulation in scheme B with single-parent creation and arbitrary initial state
Slide 22: Failed simulation in scheme B with single-parent creation and arbitrary initial state
Slide 23: Failed simulation in scheme B with single-parent creation and arbitrary initial state
Slide 24: Multi-parent creation does not add power in non-monotonic systems
Slide 25: Multi-parent creation
- adds power to monotonic models
- perhaps should be viewed as a non-monotonic binding operation