Outline for April 5, 2013

Reading: § 3.1–3.2
Due: Homework #1, due April 12, 2013

1. What is the safety question?
   1. An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
   2. Question: in a given arbitrary protection system, is safety decidable?
2. Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
3. General case: It is undecidable whether a given state of a given protection system is safe for a given generic right.
   1. Approach: represent Turing machine tape as access control matrix, transitions as commands
   2. Reduce halting problem to it
4. Related results
   1. The set of unsafe systems is recursively enumerable (exercise)
   2. For protection systems without the create primitives, the question of safety is complete in P-SPACE.
   3. Monotonicity: no delete or destroy primitive operations
   4. The safety question for biconditional monotonic protection systems is undecidable.
   5. The safety question for monoconditional monotonic protection systems is decidable.
   6. The safety question for monoconditional protection systems without the destroy primitive operation is decidable.
5. Take-Grant Protection Model
   1. Counterpoint to HRU result
   2. Symmetry of take and grant rights
   3. Islands (maximal subject-only tg-connected subgraphs)
   4. Bridges (as a combination of terminal and initial spans)
6. Sharing
   1. Definition: can•share(α, x, y, G₀) true iff there exists a sequence of protection graphs G₀, …, G_n such that G₀ |−^* G_n using only take, grant, create, remove rules and in G_n, there is an edge from x to y labeled α