Take-grant protection model

Figure: Take-grant protection model rules

Note that the take and grant rules here use $take(o,p,r)$ and $grant(o,p,r)$. For take, S1 is only able to create an edge with the right "r" due to the fact that it has the right "t" on O1, a special right that allows access to taking a right that, in this case, O1 has which S1 doesn't. For grant, S1 already has access to the right "r" via its connection with O2, but through the special right "g", it is able to connect, in this case, O1 to O2.

The take-grant protection model is a formal model used in the field of computer security to establish or disprove the safety of a given computer system that follows specific rules. It shows that even though the question of safety is in general undecidable, for specific systems it is decidable in linear time.

The model represents a system as a directed graph, where vertices are either subjects or objects. The edges between them are labeled, and the label indicates the rights that the source of the edge has over the destination. Two rights occur in every instance of the model: take and grant. They play a special role in the graph rewriting rules describing admissible changes of the graph.

There are a total of four such rules:

There are also and , which can be used to take and grant where the above rules would not allow it.

Preconditions for :

Preconditions for :

Using the rules of the take-grant protection model, one can determine which states a system can reach with respect to the distribution of rights. Therefore, one can show whether rights can leak with respect to a given safety model.
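The take and grant rewrites described in the figure caption, as an added Python example that is not part of the original page: the class, function and parameter names are assumptions, and the sample graphs are constructed from the caption's S1, O1 and O2. The `closure` function is a brute-force fixed point over take and grant only, so it shows which rights spread under those two rules; it is not the linear-time decision procedure and does not model any other rule.

```python
from itertools import permutations

class ProtectionGraph:
    """Directed graph; each edge label is the set of rights src holds over dst."""
    def __init__(self, subjects, objects, edges=()):
        self.subjects = set(subjects)
        self.nodes = self.subjects | set(objects)
        self.edges = {}  # (src, dst) -> set of rights
        for src, dst, right in edges:
            self.add(src, dst, right)

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def add(self, src, dst, right):
        """Add a right to an edge; return True if the graph changed."""
        held = self.edges.setdefault((src, dst), set())
        new = right not in held
        held.add(right)
        return new

def take(g, actor, via, target, right):
    """actor has 't' over via, via has `right` over target: actor gains `right`."""
    ok = (actor in g.subjects and "t" in g.rights(actor, via)
          and right in g.rights(via, target))
    return ok and g.add(actor, target, right)

def grant(g, actor, recipient, target, right):
    """actor has 'g' over recipient and `right` over target: recipient gains it."""
    ok = (actor in g.subjects and "g" in g.rights(actor, recipient)
          and right in g.rights(actor, target))
    return ok and g.add(recipient, target, right)

def closure(g):
    """Apply take and grant to every vertex triple until nothing new appears."""
    changed = True
    while changed:
        changed = False
        for x, y, z in permutations(g.nodes, 3):
            for r in list(g.rights(y, z)):
                changed |= take(g, x, y, z, r)
            for r in list(g.rights(x, z)):
                changed |= grant(g, x, y, z, r)
    return g

# Constructed inputs matching the figure caption (S1 is a subject, O1/O2 objects).
TAKE_CASE = [("S1", "O1", "t"), ("O1", "O2", "r")]
GRANT_CASE = [("S1", "O1", "g"), ("S1", "O2", "r")]
```

Only subjects may act: with the same edges but no vertex declared a subject, `closure` adds nothing.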
