Analysis of Acyclic Attenuating Systems for the SSR Protection Model

The distribution of privileges in domains of subjects defines the protection state of a system. Operations which change this state are themselves authorized by privileges in the current state. This poses an analysis problem of characterizing states which are derivable from a given initial state. Analysis is particularly difficult if creation of new subjects is permitted. Also the need for tractable analysis conflicts with the need for generality in specifying policies. The Schematic Send-Receive (SSR) model resolves this conflict by classifying subjects and objects into protection types. The domain of each subject consists of a static type-determined part specified by an authorization scheme and a dynamic part consisting of tickets (capabilities). We analyze a restricted class of systems in SSR. Specifically, the scheme authorizes crest ion via a binary relation on types. Our major constraint is that this relation be acyclic excepting loops which authorize a subject to create subjects of its own type. Our constraints admit a large class of useful systems.