On safety in discretionary access control

An apparently prevailing myth is that safety is undecidable in discretionary access control (DAC); therefore, one needs to invent new DAC schemes in which safety analysis is decidable. In this paper we dispel this myth. We argue that DAC should not be equated with the Harrison-Ruzzo-Ullman (1976) access matrix scheme, in which safety is undecidable. We present an efficient (running time cubic in its input size) algorithm for deciding safety in the Graham-Denning (1972) DAC scheme, which subsumes the DAC schemes used in the literature on comparing DAC with other access control models. We also counter several claims made in recent work by Solworth and Sloan (2004), in which the authors present a new access control scheme based on labels and relabelling and assert that it can implement the full range of DAC models. We present a precise characterization of their access control scheme and show that it does not adequately capture a relatively simple DAC scheme.