© 2004 Ravi Sandhu The Schematic Protection Model (SPM) Ravi Sandhu Laboratory for Information Security Technology George Mason University

© 2004 Ravi Sandhu 2 The Access Matrix Model, Lampson 1971 In SPM objects only have columns SPM subjects can be active or passive Subjects and objects are collectively called entities entities objects

© 2004 Ravi Sandhu 3 SPM Protection Scheme 1.A finite set of entity types T partitioned into subject types TS and object types TO. 2.A finite set of right symbols R partitioned into inert rights RI and control rights RC. Ticket types are thereby T X R 3.A finite collection of local link predicates {link i | i = 1... N}. 4.A filter function f i : TS X TS 2 T X R corresponding to each link i. 5.The demand function d: TS 2 T X R. 6.The can-create relation cc TS X T. Equivalently, cc: TS 2 T. 7.A local create-rule for each pair in cc.

© 2004 Ravi Sandhu 4 SPM links, filter functions and copy flag AB link i t(A)t(B) fifi Y/x dom(A) cannot be copied Y/xc dom(A) Y/xc or Y/x can be copied provided - some link i exists - f i authorizes flow of Y/xc or Y/x respectively principle of discretionary propagation or principle of attenuation you can propagate what you have but no more copy flag turns out to be unnecessary and circumventable

© 2004 Ravi Sandhu 5 Examples of link predicates 1.link(X, Y) Y/g dom(X) X/t dom(Y) 2.link(X, Y) X/t dom(Y) 3.link(X, Y) Y/g dom(X) 4.link(X, Y) Y/s dom(X) X/g dom(Y) 5.link(X, Y) X/b dom(X), 6.link(X, Y) Y/p dom(Y), 7.link(X, Y) X/b dom(X) Y/p dom(Y) 8.link(X, Y) true

© 2004 Ravi Sandhu 6 Examples of filter functions 1.f(a,b) = T X R 2.f(a,b) = TO X RI 3.f(a,b) = 4.f(a,b) = T X {r| r R}, i.e. no copy flag

© 2004 Ravi Sandhu 7 SPM demand operation A d(t(A)) certain types of tickets can be obtained simply by demanding them

© 2004 Ravi Sandhu 8 SPM create operation object creation cr(a.parent, b.child) {b.child/x:c | x RI} subject creation cr(a.parent,b.child) = LEFT | RIGHT LEFT {a.parent/x:c, b.child/x:c | x R} RIGHT {a.parent/x:c, b.child/x:c | x R} LEFT goes to parent RIGHT goes to child A A

© 2004 Ravi Sandhu 9 SPM create operation: attenuating loops subject creation of same type as parent cr(a.parent, a.child) = LEFT | RIGHT LEFT {a.parent/x:c, a.child/x:c | x R} RIGHT {a.parent/x:c, a.child/x:c | x R} attenuating loops requires RIGHT LEFT a.child/x:c LEFT a.parent/x:c LEFT A A

© 2004 Ravi Sandhu 10 SPM Scheme I: Basic owner-based policy 1)TS = {user}, TO = {file} 2)RI = {x:c}, RC = 3)link u (X,Y) true 4)f u (user, user) = {file/xc} 5)d(user) = 6)cc(user) = {file} 7)cr(user,file) = {file/xc}

© 2004 Ravi Sandhu 11 SPM Scheme II: Owner-based policy with owner- defined groups (1) TS = {user, group}, TO = {file} (2) RI = {x:c}, RC = {g:c} (3) link u (X, Y) true link g (X, Y) Y/g dom(X) (4) f u (user, user) = {file/xc} f u (user, group) = f u (group, user) = f u (group, group) = f g (user, user) = f g (group, group) = f g (user, group) = {file/xc, user/g} f g (group, user) = {file/x} (5)d(user) = {user/gc} (6) cc(user) = {file, group} cc(group) = (7) cr(user,file) = {file/xc} cr{user,group) = {group/g} |

© 2004 Ravi Sandhu 12 SPM Scheme VI: Basic Take-Grant Model 1.TS = {sub}, TO = {file} 2.RI= {x:c}, RC = {t:c, g:c} 3.link(X, Y) Y/g dom(X) X/t dom(Y) 4.f(sub, sub) = T X R 5.d(sub) = 6.cc(sub) = {file, sub} 7.cr(sub, file) = {file/xc} cr(sub, sub) = {sub.child/tgc} | creation is acyclic with loops but create- rule cr(sub, sub) is not attenuating

© 2004 Ravi Sandhu 13 Creation in Take-Grant subjects in initial state: may or may not have self tgc tickets created subjects without loss of generality will have self tgc tickets (in worst-case) A A A/tgc

© 2004 Ravi Sandhu 14 SPM Scheme VII: Basic Take-Grant Model, acyclic attenuating 1.TS = {isub, csub}, TO = {file} 2.RI= {x:c}, RC = {t:c, g:c} 3.link(X, Y) Y/g dom(X) X/t dom(Y) 4.f(isub, isub) = T X R f(isub, csub) = T X R f(csub, isub) = T X R f(csub, csub) = T X R 5.d(sub) = 6.cc(isub) = {file, csub} cc(csub) = {file, csub} 7.cr(isub, file) = {file/xc} cr(csub, file) = {file/xc} cr(isub, csub) = {csub.child/tgc} | cr(csub, csub) = {csub.child/tgc, csub.parent/tgc} | cr(csub, csub) is attenuating

© 2004 Ravi Sandhu 15 flow function for a given state h flow h : SUB h X SUB h 2 T X R by convention flow h (A,A) = T X R flow h can be computed in O(|T X R|*|SUB h | 3 )

© 2004 Ravi Sandhu 16 flow in take-grant initial state flow 0 (A,B) = T X R flow 0 (B,A) = derived state h flow h (A,B) = T X R flow h (B,A) = T X R A A/t B A A/tgc A/tc A/tgc

© 2004 Ravi Sandhu 17 maximal state a derived state with maximum flow between all subjects in SUB 0 flow * : SUB 0 X SUB 0 2 T X R is flow function in a maximal state because of monotonicity a maximal state is guaranteed to exist typically there will be an infinite number of maximal states

© 2004 Ravi Sandhu 18 no-creates maximal state a derived state without any create operations with maximum flow between all subjects in SUB 0 flow # : SUB 0 X SUB 0 T X R is flow function in a no-creates maximal state no-creates maximal state can be computed in O(N*|T X R|*|SUB 0 | 5 ) where N is number of link predicates

© 2004 Ravi Sandhu 19 maximal state for acyclic attenuating schemes start with initial state perform create operations to get unfolded state compute no-creates maximal state

© 2004 Ravi Sandhu 20 The unfolded state cc(a) = {a,b} cc(b) = {b}

© 2004 Ravi Sandhu 21 Safety is decidable for acyclic attenuating schemes