Take-grant Protection Model

The take-grant protection model is a formal model used in the field of computer security to establish or disprove the safety of a given computer system that follows specific rules. It shows that even though the question of safety is in general undecidable, for specific systems it is decidable in linear time.

The model represents a system as directed graph, where vertices are either subjects or objects. The edges between them are labeled and the label indicates the rights that the source of the edge has over the destination. Two rights occur in every instance of the model: ''take'' and ''grant''. They play a special role in the graph rewriting rules describing admissible changes of the graph.

There are a total of four such rules:
* ''take rule'' allows a subject to take rights of another object (add an edge originating at the subject)
* ''grant rule'' allows a subject to grant own rights to another object (add an edge terminating at the subject)
* ''create rule'' allows a subject to create new objects (add a vertex and an edge from the subject to the new vertex)
* ''remove rule'' allows a subject to remove rights it has over on another object (remove an edge originating at the subject)

Preconditions for $take(o,p,r)$:
* subject ''s'' has the right Take for ''o''.
* object ''o'' has the right ''r'' on ''p''.

Preconditions for $grant(o,p,r)$:
* subject ''s'' has the right Grant for ''o''.
* ''s'' has the right ''r'' on ''p''.

Using the rules of the take-grant protection model, one can reproduce in which states a system can change, with respect to the distribution of rights. Therefore one can show if rights can leak with respect to a given safety model.

References

*
* {{cite book
, last = Bishop , first = Matt
, title = Computer security: art and science
, publisher = Addison-Wesley
, year = 2004

External links

Diagram and sample problem

Analysis

Technical Report PCS-TR90-151 (NASA)

Computer security models