Tacit programming: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
category: remove irrelevant one
 
No edit summary
Line 1: Line 1:
Nice to satisfy you, my title is Araceli Oquendo but I don't like when people use my complete name. One of his favorite hobbies is taking part in crochet but he hasn't produced a dime with it. Her spouse and her chose to reside in Alabama. Bookkeeping is what I do for a living.<br><br>Also visit my web blog ... auto warranty - [http://Www.Thelamda.com/index.php?mod=users&action=view&id=3598 Suggested Site] -
The '''HRU''' security model (Harrison, Ruzzo, [[Jeffrey Ullman|Ullman]] model) is an [[operating system]] level [[computer security model]] which deals with the [[data integrity|integrity]] of [[access control|access rights]] in the system. It is an extension of the [[Graham-Denning model]], based around the idea of a [[finite set]] of [[algorithm|procedures]] being available to edit the access rights of a subject <math>s</math> on an object <math>o</math>. It is named after its three authors, Michael A. Harrison, Walter L. Ruzzo and Jeffrey D. Ullman.<ref name=HRU-paper/>
 
Along with presenting the model, Harrison, Ruzzo and Ullman also discussed the possibilities and limitations of proving the safety of systems using an [[algorithm]].<ref name=HRU-paper/>
 
== Description of the model ==
The HRU model defines a ''protection system'' consisting of a set of generic rights ''R'' and a set of commands ''C''. An instantaneous description of the system is called a ''configuration'' and is defined as a [[tuple]] <math>(S,O,P)</math> of current subjects <math>S</math>, current objects <math>O</math> and an access matrix <math>P</math>. Since the subjects are required to be part of the objects, the access matrix contains one row for each subject and one column for each subject and object. An entry for subject <math>s</math> and object <math>o</math> is a subset of the generic rights <math>R</math>.
 
The commands are composed of primitive operations and can additionally have a list of pre-conditions that require certain rights to be present for a pair <math>(s,o)</math> of subjects and objects.
 
The primitive requests can modify the access matrix by adding or removing access rights for a pair of subjects and objects and by adding or removing subjects or objects. Creation of a subject or object requires the subject or object not to exist in the current configuration, while deletion of a subject or object requires it to have existed prior to deletion. In a complex command, a sequence of operations is executed only as a whole. A failing operation in a sequence makes the whole sequence fail, a form of [[database transaction]].
 
== Discussion of safety ==
Harrison, Ruzzo and Ullman<ref name=HRU-paper/> discussed whether there is an algorithm that takes an arbitrary initial configuration and answers the following question: is there an arbitrary sequence of commands that adds a generic right into a cell of the access matrix where it has not been in the initial configuration?
 
They showed that there is no such algorithm, thus the problem is [[undecidable problem|undecidable]] in the general case. They also showed a limitation of the model to commands with only one primitive operation to render the problem decidable.
 
== See also ==
* [[EROS (microkernel)|EROS - Extremely Reliable Operating System]]
 
== References ==
{{reflist|refs=
<ref name=HRU-paper>{{cite journal | first1 = Michael A. | last1 = Harrison | first2 = Walter L. | last2 = Ruzzo | first3 = Jeffrey D. | last3 = Ullman | id = {{citeseerx|10.1.1.106.7226}} | title = Protection in Operating Systems | journal = Communications of the ACM | volume = 19 | issue = 8 | pages = 461–471 | month = August | year = 1976 }}</ref>
}}
 
[[Category:Capability systems]]
[[Category:Computer security models]]

Revision as of 14:52, 21 October 2013

The HRU security model (Harrison, Ruzzo, Ullman model) is an operating system level computer security model which deals with the integrity of access rights in the system. It is an extension of the Graham-Denning model, based around the idea of a finite set of procedures being available to edit the access rights of a subject s on an object o. It is named after its three authors, Michael A. Harrison, Walter L. Ruzzo and Jeffrey D. Ullman.[1]

Along with presenting the model, Harrison, Ruzzo and Ullman also discussed the possibilities and limitations of proving the safety of systems using an algorithm.[1]

Description of the model

The HRU model defines a protection system consisting of a set of generic rights R and a set of commands C. An instantaneous description of the system is called a configuration and is defined as a tuple (S,O,P) of current subjects S, current objects O and an access matrix P. Since the subjects are required to be part of the objects, the access matrix contains one row for each subject and one column for each subject and object. An entry for subject s and object o is a subset of the generic rights R.

The commands are composed of primitive operations and can additionally have a list of pre-conditions that require certain rights to be present for a pair (s,o) of subjects and objects.

The primitive requests can modify the access matrix by adding or removing access rights for a pair of subjects and objects and by adding or removing subjects or objects. Creation of a subject or object requires the subject or object not to exist in the current configuration, while deletion of a subject or object requires it to have existed prior to deletion. In a complex command, a sequence of operations is executed only as a whole. A failing operation in a sequence makes the whole sequence fail, a form of database transaction.

Discussion of safety

Harrison, Ruzzo and Ullman[1] discussed whether there is an algorithm that takes an arbitrary initial configuration and answers the following question: is there an arbitrary sequence of commands that adds a generic right into a cell of the access matrix where it has not been in the initial configuration?

They showed that there is no such algorithm, thus the problem is undecidable in the general case. They also showed a limitation of the model to commands with only one primitive operation to render the problem decidable.

See also

References

43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.

  1. 1.0 1.1 1.2 Cite error: Invalid <ref> tag; no text was provided for refs named HRU-paper