The DAC Controversy, from SRSP 2005, Invited Statements

Statement by Ninghui Li and Mahesh V. Tripunitara:

Our paper titled, On Safety in Discretionary Access Control (LT05) in the 2005 IEEE Symposium on Security and Privacy, has two main contributions. The first dispels an apparently prevailing myth that safety is undecidable in DAC. In their paper in 2004 IEEE Symposium on Security and Privacy, Solworth and Sloan use this myth to motivate a new access control scheme (the Solworth-Sloan scheme) and claim that the scheme captures a broad class of DAC schemes. Our second contribution is a demonstration that their claim is erroneous.

We dispel the myth that safety is undecidable in DAC by arguing that DAC should not be equated to the well-known access matrix scheme due to Harrison, Ruzzo and Ullman (for which safety is known to be undecidable). One can have access control systems based on the HRU scheme with no DAC features. Furthermore, it is unclear how certain features in DAC schemes can be achieved in the HRU scheme. Note that Harrison et al. did not equate DAC with their scheme. We also demonstrate that safety is efficiently decidable for the Graham-Denning scheme, which subsumes the DAC schemes to which the Solworth-Sloan paper refers.

On the question of whether the Solworth-Sloan scheme captures all known DAC schemes, we first provide a precise and detailed description of the Solworth-Sloan scheme, based on their informal description. We then consider Strict DAC with Change of Ownership (SDCO), one of the DAC schemes that Solworth and Sloan claim can be implemented in their scheme. We use the hints in the Solworth-Sloan paper to provide a complete construction, and observe several deficiencies in the construction. Solworth and Sloan claim that our construction is not what they intended; however, the approach they say they intended has more serious deficiencies.

Space limit precludes us from including technical details in this statement. For technical details please see our web page at http://www.cs.purdue.edu/homes/ninghui/dac_safety/

Statement by Jon Solworth and Robert Sloan:

In 1976 Harrison, Ruzzo and Ullman (HRU) presented a model that could implement many protection systems, including many DAC systems, and showed that the safety problem for their model was undecidable. In Oakland 2004, we presented a model that can implement all the kinds of DACs in Osborn, Sandhu and Munawer's 2000 paper ("OSM00"). We proved that it has a decidable safety problem and claimed that it was the first system that both had a proof that its safety property was decidable and could implement all those OSM00 DACs.

By our result, it is obvious that HRU must be able to express at least some access control scheme not in the OSM00 DACs.

In Section 5.2, LT05 (discussed above) claims that our work has "deficiencies from the standpoints of correctness" and that it "does not capture the state invariant in [its encoding of DAC with change of ownership] that in every state, there is exactly one owner for every object that exists." That claim is erroneous.

In our scheme, "Ordinary object labels are of the form <U,N> where U is a user and N ... [is a] tag. An ordinary object label[ed], <U,N> is 'owned' by the user U" (Section 3). Thus an object's ownership is determined by its label.

Change of ownership is allowed by a rule denoted
rl(<*u, *>, <*v, *>) = {*u}
(a slight variant is shown in our Figure 6 and described in the text of Section 5). This rule enables user U to perform a change of ownership, giving away an object it owns to V. This implements OSM00's change of ownership.

Section 5.2 of LT05 builds a model that claims to implement our scheme. However, this LT05 model is inconsistent with our change of ownership rule described above. It encodes object ownership by mapping a label to a group of owner(s), and changing the owner through the group mechanism; indeed this does not ensure that "there is one owner for every object". Our scheme does.