Access Control Systems: Security, Identity Management and Trust Models

The access-matrix model of Harrison, Ruzzo, and Ullman (HRU) that we discussed in Chapter 5 is characterized by a rich expressive capability. HRU can be applied to virtually any access policy in existence. This generality, however, has led to the undecidability of the safety question in HRU due to the unbounded states of the protection system. Even when the expressiveness of HRU is limited to only mono-conditional and monotonic transformations of protection states, safety becomes decidable, albeit intractable. The take-grant model introduced in the previous chapter is unique in that it defines an information-flow model that is completely based on two control rights, take and grant. It has limited expressive power but a solvable safety question. Furthermore, safety in the take-grant model is efficiently computable with linear time complexity. One can think of the HRU and the take-grant models as being at opposing extremes of complexity in modeling protection systems.
The schematic-protection model (SPM) introduced by Sandhu [SAND88a, SAND90, SAND91] is intended by its inventor to fill the gap between the HRU model, with its rich expressive power but intractable safety question, and the take-grant model, with its limited applicability but efficiently decidable safety. The key concept introduced in SPM is that of typed security entities. Each entity, whether subject or object, is statically associated with an invariable security type. All instances of a given security type are viewed and treated uniformly by the authorization scheme. This chapter introduces the novel concepts...