On the Expressive Power of the Unary Transformation Model by Ravi Sandhu Srinivas Ganta Center for Secure Information Systems George Mason University

Outline Introduction / Motivation Transformation Model Example Expressive Power Conclusion

NMT Can enforce lots of diverse policies Has simple implementation Cannot adequately express the document release example (Sandhu & Suri, Oakland 92)

Document Release Example A scientist prepares a document and can release it only after getting approval from a patent-officer.

Transformation Model (TRM) Protection state in TRM is viewed in terms of the familiar access matrix Protection state of the system is given by the tuple (OBJ, SUB, t, AM) The specification for changing the protection state is given by an authorization scheme

ACCESS MATRIX subjectssubjects objects u : s f : o r w own

Authorization Scheme A set of access rights R. Disjoint sets of subject and object types, TS and TO, respectively. A collection of three classes of state changing commands: Transformation commands, Create commands and Destroy commands

Transformation Commands Command name (S1:s1,....Sn:sn, O:o) if predicate then sequence of primitive operations enter/delete r into [S, O] end Command transfer-ownership (S1:s, S2:s, O:o) if own [S1,O] then enter own in [S2,O] deleterown from [S1,O] end Example:

Create Commands Command create (S1:s1, O:o) create object O enter own in [S1, O] end

Destroy Commands Command destroy (S1:s1, O:o) destroy object O end if own [S1,O] then

A set of rights R A set of disjoint subject and object types TS and TO respectively A set of state-changing transformation, creation and destroy commands The initial state TRM SUMMARY

Document Release Example A document cannot be released by a scientist without first obtaining approval from a patent-officer. Types = { sci, po, doc} Rights = {read, write, own, review, pat-ok, pat-reject, release}

Command create-doc (S:sci, O:doc) create object O enter own in [S,O] enter read in [S,O] enter write in [S,O] end Create Command

Document Release Example S: sci P: po O :doc own read write

command rqst-review (S:sci, P:po, O:doc) if own [S,O] then enter review in [P,O] delete write from [S,O] end write [S,O] Request Review

Get-Approval/Rejection command get-approval (S:sci, P:po, O:doc) if own [S,O] then enter pat-ok in [S,O] delete review from [P,O] end review [P,O] command get-rejection (S:sci, P:po, O:doc) if own [S,O] then enter pat-reject in [S,O] delete review from [P,O] end review [P,O]

Release / Revise Document command release-doc (S:sci, O:doc) if pat-ok [S,O] then enter release in [S,O] delete pat-ok from [S,O] end command revise-doc (S:sci, O:doc) if pat-reject [S,O] then enter write in [S,O] delete pat-reject from [S,O] end

Expressive Power TRM BTRM The document release example has commands which test for atmost two cells of the matrx. Binary Transformation Model (Sandhu & Ganta, Oakland 94)

Expressive Power UTRM TRM UTRM BTRM ? ?

requires every subject in the simulation to be of a different type. Esorics 94

UTRM BTRM if every subject cannot be of a different type

Conclusion UTRM BTRM impractical simulation in general UTRM < BTRM for all practical purposes