The Community for Technology Leaders
RSS Icon
Issue No.01 - Jan.-Feb. (2013 vol.10)
pp: 28-39
Mahesh V. Tripunitara , University of Waterloo, Waterloo
Ninghui Li , Purdue University, West Lafayette
The work by Harrison, Ruzzo, and Ullman (the HRU paper) on safety in the context of the access matrix model is widely considered to be foundational work in access control. In this paper, we address two errors we have discovered in the HRU paper. To our knowledge, these errors have not been previously reported in the literature. The first error regards a proof that shows that safety analysis for mono-operational HRU systems is in {\bf NP}. The error stems from a faulty assumption that such systems are monotonic for the purpose of safety analysis. We present a corrected proof in this paper. The second error regards a mapping from one version of the safety problem to another that is presented in the HRU paper. We demonstrate that the mapping is not a reduction, and present a reduction that enables us to infer that the second version of safety introduced in the HRU paper is also undecidable for the HRU scheme. These errors lead us to ask whether the notion of safety as defined in the HRU paper is meaningful. We introduce other notions of safety that we argue have more intuitive appeal, and present the corresponding safety analysis results for the HRU scheme.
Safety, Access control, Context, Computer security, Educational institutions, Computational modeling, computational complexity, Access control, reducibility and completeness
Mahesh V. Tripunitara, Ninghui Li, "The Foundational Work of Harrison-Ruzzo-Ullman Revisited", IEEE Transactions on Dependable and Secure Computing, vol.10, no. 1, pp. 28-39, Jan.-Feb. 2013, doi:10.1109/TDSC.2012.77
[1] P. Ammann and R.S. Sandhu, "Safety Analysis for the Extended Schematic Protection Model," Proc. IEEE Symp. Security and Privacy, pp. 87-97, May 1991.
[2] P. Ammann and R.S. Sandhu, "The Extended Schematic Protection Model," J. Computer Security, vol. 1, nos. 3/4, pp. 335-383, 1992.
[3] P. Ammann and R.S. Sandhu, "One-Representative Safety Analysis in the Non-Monotonic Transform Model," Proc. IEEE Computer Security Seventh Foundations Workshop, pp. 138-149, 1994.
[4] E. Amoroso, Fundamentals of Computer Security Technology. Prentice Hall PTR, 1994.
[5] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, 2001.
[6] M. Bishop, Computer Security—Art and Science. Addison-Wesley, 2003.
[7] T. Budd, "Safety in Grammatical Protection Systems," Int'l J. Computer and Information Sciences, vol. 12, no. 6, pp. 413-430, 1983.
[8] S.A. Cook, "The Complexity of Theorem-Proving Procedures," Proc. IEEE Third Symp. Foundations of Computer Science, pp. 151-158, 1971.
[9] D. Denning, Cryptography and Data Security, first ed. Addison-Wesley Longman Publishing Co., Inc., 1982.
[10] D. Gollmann, Computer Security. John Wiley and Sons, 1999.
[11] Google, Inc., "Google Scholar," http:/, May 2005.
[12] G.S. Graham and P.J. Denning, "Protection—Principles and Practice," Proc. AFIPS Spring Joint Computer Conf., vol. 40, pp. 417-429, May 1972.
[13] M.A. Harrison and W.L. Ruzzo, "Monotonic Protection Systems," Foundations of Secure Computation, R.A. DeMillo, D.P. Dobkin, A.K. Jones, and R.J. Lipton, ed., pp. 461-471, Academic Press, Inc., 1978.
[14] M.A. Harrison, W.L. Ruzzo, and J.D. Ullman, "Protection in Operating Systems," Comm. ACM, vol. 19, no. 8, pp. 461-471, Aug. 1976.
[15] J.E. Hopcroft, R. Motwani, and J.D. Ullman, Introduction to Automata Theory, Languages, and Computation, Int'l ed., second ed. Addison-Wesley, 2003.
[16] A.K. Jones, R.J. Lipton, and L. Snyder, "A Linear Time Algorithm for Deciding Security," Proc. IEEE 17th Ann. Symp. Foundations of Computer Science (FOCS), pp. 33-41, Oct. 1976.
[17] R.M. Karp, "Reducibility among Combinatorial Problems," Complexity of Computer Computations, R.E. Miller and J.W. Thatcher, ed., pp. 85-103, Plenum Press, 1972.
[18] R.E. Ladner, N.A. Lynch, and A.L. Selman, "A Comparison Of Polynomial Time Reducibilities," Theoretical Computer Science, vol. 1, pp. 103-123, 1975.
[19] B.W. Lampson, "Protection," ACM Operating Systems Rev., vol. 8, no. 1, pp. 18-24, Jan. 1974.
[20] N. Li, J.C. Mitchell, and W.H. Winsborough, "Beyond Proof-of-Compliance: Security Analysis in Trust Management," J. ACM, vol. 52, pp. 474-514, 2004.
[21] N. Li and M.V. Tripunitara, "Security Analysis in Role-Based Access Control," Proc. Ninth ACM Symp. Access Control Models and Technologies (SACMAT '04), pp. 126-135, June 2004.
[22] N. Li, W.H. Winsborough, and J.C. Mitchell, "Beyond Proof-of-Compliance: Safety and Availability Analysis in Trust Management," Proc. IEEE Symp. Security and Privacy, pp. 123-139, May 2003.
[23] R.J. Lipton and L. Snyder, "A Linear Time Algorithm for Deciding Subject Security," J. ACM, vol. 24, no. 3, pp. 455-464, 1977.
[24] N.H. Minsky, "Selective and Locally Controlled Transport Of Privileges," ACM Trans. Programming Languages and Systems, vol. 6, no. 4, pp. 573-602, Oct. 1984.
[25] R. Motwani, R. Panigrahy, V.A. Saraswat, and S. Ventkatasubramanian, "On the Decidability of Accessibility Problems (Extended Abstract)," Proc. 32nd Ann. ACM Symp. Theory of Computing, pp. 306-315, May 2000.
[26] C.H. Papadimitriou, Computational Complexity, first ed. Addison-Wesley, 1994.
[27] C.P. Pfleeger, Security in Computing, third ed. Prentice Hall PTR, 2003.
[28] R.S. Sandhu, "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Systems," J. ACM, vol. 35, no. 2, pp. 404-432, 1988.
[29] R.S. Sandhu, "Expressive Power of the Schematic Protection Model," J. Computer Security, vol. 1, no. 1, pp. 59-98, 1992.
[30] R.S. Sandhu, "The Typed Access Matrix Model," Proc. IEEE Symp. Security and Privacy, pp. 122-136, May 1992.
[31] R.S. Sandhu, "Undecidability of the Safety Problem for the Schematic Protection Model with Cyclic Creates," J. Computer and System Sciences, vol. 44, no. 1, pp. 141-159, Feb. 1992.
[32] J.A. Solworth and R.H. Sloan, "A Layered Design of Discretionary Access Controls with Decidable Safety Properties," Proc. IEEE Symp. Research in Security and Privacy, May 2004.
[33] M. Soshi, "Safety Analysis of the Dynamic-Typed Access Matrix Model," Proc. Sixth European Symp. Research in Computer Security (ESORICS '00), pp. 106-121, Oct. 2000.
[34] M. Soshi, M. Maekawa, and E. Okamoto, "The Dynamic-Typed Access Matrix Model and Decidability of the Safety Problem," IEICE Trans. Fundamentals, vol. E87-A, no. 1, pp. 190-203, Jan. 2004.
3 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool