This document summarizes research on theft and conspiracy in the take-grant protection model. It defines key concepts like take-grant definable graphs, the can-share and can-steal predicates, and introduces the idea of conspiracy graphs. The main results shown are that determining if a right can be shared requires finding a path in the conspiracy graph, and that the minimum number of conspirators needed is equal to the size of the shortest such path. The document concludes by noting open questions around algorithmically solving for the optimal number of conspirators.

1. Theft and Conspiracy in the Take-Grant Protection
Model
Lawrence Snyder
Department of Computer Sciences
Purdue University
West Lafayette. IN 47907
Presented by: Raj Kumar Ranabhat
M.E in Computer Engineering(I/I)
Kathmandu University
2/14/2017 1

2. Take-Grant Protection Model
• A specific (not generic) system
• Set of rules for state transitions
• Safety decidable, and in time linear with the size of the system
• Goal: find conditions under which rights can be transferred from one
entity to another in the system
2/14/2017 2

3. System
objects (passive entities like files, . . . )
2/14/2017 3
o
subjects (active entities like users, processes . . . )
• don’t care (either a subject or an object)⊗
set of rights
apply a sequence of rewriting rules (witness) to G to get G’
R = {t , g , . . .}
apply rewriting rule x (witness) to G to get G′G ⊢x G′
G ⊢* G′

4. Take-Grant Protection Model
Let x,y and z be distinct vertices in a protection graph G
such that x is a subject. Let there be an edge from x to y
labeled ϒ such that "t" ϵ ϒ, an edge from y to z labeled β
and α ⊆ β. Then the take rule defines a new graph G' by
adding an edge to the protection graph from x to z labeled
α. Graphically,
2/14/2017 4
Take:
The rule can be read: "x takes (α to z) from y."

5. Let x,y and z be distinct vertices in a protection graph G
such that x is a subject. Let there be an edge from x to y
labeled ϒ such that "g"ϵ ϒ, an edge from x to z labeled β,
and α ⊆ β. The grant rule defines a new graph G' by adding
an edge from y to z labeled α. Graphically,
2/14/2017 5
Grant:
The rule can be read: "x grants (α to z) to y."

6. Let x be any subject vertex in a protection graph G and let α
be a non empty subset of R. Create defines a new graph G‘
by adding a new vertex n to the graph and an edge from x to
n labeled α. Graphically,
2/14/2017 6
Create:
The rule can be read: "x creates (α to) new {subject/object}n."

7. Let x and y be any distinct vertices in a protection graph G
such that x is a subject. Let there be an edge from x to y
labeled β, and let a be any subset of rights. Then remove
defines a new graph G' by deleting the α labels from β. If β
becomes empty as a result, the edge itself is deleted.
Graphically
2/14/2017 7
Remove:
The rule can be read: "x removes (α to) y."

8. Take-Grant Definable Graphs
2/14/2017 8

9. Take-Grant Definable Graphs
2/14/2017 9
x creates (tg to) new v

10. Take-Grant Definable Graphs
2/14/2017 10
x creates (tg to) new v
x grants (g to v) to y

11. Take-Grant Definable Graphs
2/14/2017 11
x creates (tg to) new v
x grants (g to v) to y
y grants (β to z) to v

12. Take-Grant Definable Graphs
2/14/2017 12
x creates (tg to) new v
x grants (g to v) to y
y grants (β to z) to v
x takes (β to z) from v

13. Let 𝐺0 be a protection graph containing exactly one
subject vertex and no edges. Then 𝐺0 ⊢* 𝐺 if and only
if
2/14/2017 13
Theorem:
• 𝐺 is a finite, directed, loop-free, two color graph
• the edges are labeled from non empty subsets of R
• At least one subject in 𝐺 has no incoming edges.

14. Let v be the initial subject, and 𝐺0 ⊢*𝐺.
2/14/2017 14
⇐:
• 𝐺 is obviously finite
• 𝐺 is a directed graph
• 𝐺 is loop-free
• two colored with the indicated labelling
• After reviewing the rule definition, it gives:
• Limits of rules:
• since vertices cannot be destroyed, v persists in any
graph derived from 𝐺0
• edges cannot be directed to a vertex that has no in-
coming edges so none can be assigned to v

15. let G satisfy the requirements and be the final graph in the theorem
2/14/2017 15
⇐:
• Let G have vertices x1,x2 . . . , xn
• Identify v with some subject x1 with no incoming edges
Construct G′ as follows:
• Perform “v creates (α ∪ {g } to) new subject xi”
• For all (xi, xj) where xi has a right over xj, do“x1 grants (α
to xj) to xi”
• Let β be the rights xi has over xj in G ; then do“v removes
((α ∪ {g }) − β) to xi)”
Now G′ is the desired G

16. Predicates and earlier results
• tg-path: Vertices p and q of G are tg-connected if there is a path
p=xo,….xn=q and the label alpha on the edge between xi and xi+1
contains t or g
• island : An island of G is a maximal, tg-connected subject-only
subgraph of G.
• A path xo,x1,…xn is an initial span if it has an associated word in {𝑡∗ 𝑔 }
• it is a terminal span if n>0 and it has associated word in {𝑡∗}
• it is a bridge if
2/14/2017 16
1. n>1 and xo and xn are subjects
2. an associated word is in {𝑡∗, 𝑡∗, 𝑡∗ 𝑔 𝑡∗, 𝑡∗ 𝑔 𝑡∗ }
3. the xi are objects (0<i<n)

17. 2/14/2017 17
• islands: {p, u}, {w}, {y, s′}
• bridges: u, v, w; w, x, y
• initial span: p (associated word ν )
• terminal span: s′s (associated word 𝑡 )

18. can·share (α, p, q, 𝐺0 ) holds if, and only if, there is a sequence
of protection graphs 𝐺0 , . . ., 𝐺 𝑛 such that 𝐺0 ⊢* 𝐺 and in
𝐺 𝑛 there is an edge from p to q labeled α
2/14/2017 18
can·share Predicate :

19. Theft
2/14/2017 19
for two distinct vertices p and q in a protection
graph 𝐺0 , and right α, define
can·steal Predicate :
can·steal (α, p, q, 𝐺0 ) <=> ~ 𝑝
α
𝐺0
𝑞 and there exist protection
graph 𝐺1,…,𝐺 𝑛 such that
𝐺0⊢ 𝜌1
𝐺1 ⊢ 𝜌2
… ⊢ 𝜌 𝑛
𝐺 𝑛 ,
𝑝
α
𝐺 𝑛
𝑞, and
If 𝑠
α
𝐺0
𝑞 then no 𝜌𝑗 has the form
“s grants (α to q) to 𝑥𝑖” for any 𝑥𝑖 ϵ 𝐺𝑗−1, 1 ≤ 𝑗 < 𝑛.

20. Example of Stealing
2/14/2017 20
can·steal (α, s, w, 𝐺0 )

21. Example of Stealing
2/14/2017 21
can·steal (α, s, w, 𝐺0 )
• u grants (t to v) to s

22. Example of Stealing
2/14/2017 22
can·steal (α, s, w, 𝐺0 )
• u grants (t to v) to s
• s takes (t to x) from v

23. Example of Stealing
2/14/2017 23
• u grants (t to v) to s
• s takes (t to x) from v
• s takes (t to u) from x
can·steal (α, s, w, 𝐺0 )

24. Example of Stealing
2/14/2017 24
• u grants (t to v) to s
• s takes (t to x) from v
• s takes (t to u) from x
• s takes (α to w) from u
can·steal (α, s, w, 𝐺0 )

25. can·steal (α, p, q, 𝐺0 ) holds if, and only if, the
following hold simultaneously:
2/14/2017 25
can·steal Theorem :
• there is no edge from x-to-y labeled α in 𝐺0
• there is a subject x′= x or x′ initially spans to x
• there is a vertex s with an edge to y labeled α in
𝐺0
• can·share (α, p, q, 𝐺0 ) holds

26. Assume all four conditions hold
2/14/2017 26
⇒:
• If x a subject:
• x gets t rights to s (last condition); then takes α to y from
s(third condition)
• If x an object:
• can·share (t, x′, s, 𝐺0 ) holds
• If x′ has no α edge to y in 𝐺0 x′ takes (α to y) from s and
grants it to x
• If x′ has an edge to y in 𝐺0 , x′ creates surrogate x′′, gives it
(t to s) and (g to x′′); then x′′ takes (α to y) and grants it to
x

27. Assume can·steal (α, x, y, 𝐺0 ) holds
2/14/2017 27
⇐:
• First two conditions are immediate from definition of
can·share, can·steal
• Third condition is immediate from theorem of conditions for
can·share
• Fourth condition: let ρ be a minimal length sequence of rule
applications deriving 𝐺 𝑛 from 𝐺0
• Let i be the smallest index such that 𝐺𝑖−1 ⊢ 𝜌𝑖 𝐺𝑖 that adds
α from some p to y in 𝐺𝑖
• What rule is ρ𝑖 ?

28. 2/14/2017 28
• Not remove or create rule
• y exists already
• Not grant rule
• 𝐺𝑖 is the first graph in which an edge labeled α to y is added ,
so by definition of can·share, it cannot be a grant
• Therefore ρ𝑖 must be a take rule, so can·share (t, p, s, 𝐺0 )
holds
• By earlier theorem, there is a subject s′ such that s′= s or s′
terminally spans to s
• Also, sequence of islands 𝑙1,…,𝑙 𝑛 with x′∈ 𝑙1, s′∈ 𝑙 𝑛
• Now consider what s is ?

29. 2/14/2017 29
• If s object, s′≠ s
• If s′, p in same island, take p = s′; the can·share (t, x, s, 𝐺0 )
holds
• If they are not, the sequence is minimal, contradicting
assumption
• So choose s′ in same island as p

30. 2/14/2017 30
If s subject, p ∈ 𝑙 𝑛
• If p ∉ 𝐺0, there is a subject q such that can·share (t, q, s,
𝐺0) holds
• s ∈ 𝐺 𝑜and none of the rules add new lables to
incoming edges on existing vertices
• As s owns α rights to y in 𝐺0 , two cases arise:
• If s = q, replace “s grants (α to y) to q” with the
sequence:
p takes (α to y) from s
p takes (g to q) from s
p grants (α to y) to q
• If s = q, you only need the first

31. Conspiracy
2/14/2017 31
If s subject, p ∈ 𝑙 𝑛

32. Conspiracy in general graphs
2/14/2017 32
Given a protection graph G with subject vertices 𝑋1 ,….,𝑋 𝑛 , we
will define a new graph, the conspiracy graph, H, determined by
G. H has vertices 𝑌1 ,…., 𝑌𝑛 and each 𝑌𝑖 has associated with it
the access−set A(𝑋𝑖 ). There is an undirected edge between
𝑌𝑖 and 𝑌𝑗 provided δ(𝑋𝑖 , 𝑋𝑗) ≠ Ø where δ is called the deletion
operation
δ(x,x') =all elements in A(x) n A(x') except those z for which
either (a) the only reason for z ∈ A(x) is that x initially spans
to z and the only reason for z ∈ A(x') is that x‘ initially spans
to z or (b) the only reason z ∈ A(x) is x terminally spans to z
and the only reason z ∈ A(x') is x‘ terminally spans to z.
The graph thus constructed is the conspiracy graph for G.

33. 2/14/2017 33

34. 2/14/2017 34
• Lemma 7.1: Can·share(a,p,q,G) is true if and only if some
𝑌𝑢 ∈ 𝑌𝑝 is connected so some 𝑌𝑣 ∈ 𝑌𝑠
• Theorem 7.2: To produce a witness to can.share(α,p,q,G)
|s.p.| conspirators are sufficient.
• Theorem 7.3: To produce a witness to can.share(α,p,q,G)
|s.p.| conspirators are necessary.

35. Concluding Remarks
2/14/2017 35
• how sharing is accomplished in the Take-Grant Model
• there is the question of algorithmic complexity of
determining the minimum number of conspirators required
for a right to be shared
• determine for a given graph what set of conspirators.
must have participated in the sharing of a right after the fact