© Ravi Sandhu www.list.gmu.edu HRU and TAM Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu [email protected]
Mar 26, 2015
© Ravi Sandhuwww.list.gmu.edu
HRU and TAM
Ravi SandhuLaboratory for Information Security Technology
George Mason [email protected]
2
© 2004 Ravi Sandhuwww.list.gmu.edu
The Access Matrix Model, Lampson 1971
3
© 2004 Ravi Sandhuwww.list.gmu.edu
The HRU (Harrison-Ruzzo-Ullman) Model, 1976
U r w
V
F
r w
G
r
4
© 2004 Ravi Sandhuwww.list.gmu.edu
The HRU (Harrison-Ruzzo-Ullman) Model, 1976
U r w
V
F
r w own
G
r
5
© 2004 Ravi Sandhuwww.list.gmu.edu
The HRU (Harrison-Ruzzo-Ullman) Model, 1976
U r w
V
F
r w own
G
r
r
6
© 2004 Ravi Sandhuwww.list.gmu.edu
HRU Commands and Operations
• command α(X1, X2 , . . ., Xk)if rl in (Xs1, Xo1) and r2 in (Xs2, Xo2) and ri in (Xsi, Xoi)
thenop1; op2; … opn
end• enter r into (Xs, Xo)
delete r from (Xs, Xo)create subject Xscreate object Xodestroy subject Xsdestroy object Xo
7
© 2004 Ravi Sandhuwww.list.gmu.edu
HRU Examples
8
© 2004 Ravi Sandhuwww.list.gmu.edu
HRU Examples
9
© 2004 Ravi Sandhuwww.list.gmu.edu
HRU Examples
10
© 2004 Ravi Sandhuwww.list.gmu.edu
HRU Examples
11
© 2004 Ravi Sandhuwww.list.gmu.edu
The Safety Problem
Given• initial state• protection scheme (HRU commands)
Can r appear in a cell that exists in the initial state and does not contain r in the initial state?
More specific question might be:can r appear in a specific cell [s,o]
12
© 2004 Ravi Sandhuwww.list.gmu.edu
The Safety Problem
Initial state: r’ in (o,o) and nowhere else
13
© 2004 Ravi Sandhuwww.list.gmu.edu
Safety is Undecidable in HRU
14
© 2004 Ravi Sandhuwww.list.gmu.edu
TAM adds types to HRU
15
© 2004 Ravi Sandhuwww.list.gmu.edu
TAM adds types to HRU
16
© 2004 Ravi Sandhuwww.list.gmu.edu
TAM commands
17
© 2004 Ravi Sandhuwww.list.gmu.edu
TAM primitive operations
18
© 2004 Ravi Sandhuwww.list.gmu.edu
TAM operations: enter and delete
19
© 2004 Ravi Sandhuwww.list.gmu.edu
TAM operations: create and destroy
20
© 2004 Ravi Sandhuwww.list.gmu.edu
TAM operations: create and destroy
21
© 2004 Ravi Sandhuwww.list.gmu.edu
The Safety Problem
• TAM has much stronger safety properties than HRU