SUMMARY OF REVISIONS
The referee reports on the original manuscript are generally positive regarding the technical content but suggest major changes in the presentation. The manuscript has been substantially revised in response. Sections 1 and 2 are essentially unchanged. The construction of section 3 demonstrating redundancy of demand is now performed in two steps as follows.
1. For demand of object tickets the construction is very easy.
2. For demand of subject tickets the construction is more complicated.
The constructions are illustrated in figure 1 and intuitively motivated before presenting their formal details. In section 4 these constructions are extended to simulate amplification, which is now also called conditional demand. The extension is done in two steps corresponding to the above as follows.
1. For amplification of object tickets the extension is straightforward.
2. For amplification of subject tickets the extension works only for what we call non-peer amplification.
1 INTRODUCTION
For protection purposes computer systems are viewed as consisting of subjects and objects. Active entities such as users or processes are subjects while passive entities such as text files are objects. Protection is enforced by ensuring that subjects can execute only those operations authorized by privileges in their domains. The schematic protection model SPM [8] defines three operations by which a subject acquires new privileges: copy, create and demand. We show demand is redundant in that it can be simulated by copy and create. This is surprising because demand was intended to, and indeed appears to, confer a different kind of ability than copy or create. Redundancy of demand is an important step in understanding the minimal features needed in a protection model.

The three SPM operations of copy, create and demand were thought to capture fundamentally different ways for acquiring privileges. Copy enables a subject to obtain a privilege from some other subject. For instance the owner of a file can copy read or write privileges for that file to another user. Create introduces new privileges as the side effect of creating new subjects or objects in the system. For example when a user creates a file he is given the owner privilege for that file. Finally demand allows a subject to obtain certain privileges, literally by demanding them. For example every faculty member of a department can be authorized to demand the read privilege for every departmental document.

It might appear demand can be eliminated by giving the demandable privileges to every subject. For instance we can explicitly give every faculty member the read privilege for each departmental document. But then whenever a new departmental document gets created, the privilege to read it must somehow be explicitly distributed to every faculty member. Automatic distribution of privileges is an unrealistic task for an operating system to manage correctly, particularly in a large distributed environment.
Small and frequent incremental events such as creation of a new departmental document should not require such a sweeping impact. It moreover requires explicit representation of large numbers of privileges many of which may never be used. In practice the above problem can be, and often is, solved by performing the distribution in two steps as follows.
1. Define a departmental library as a subject which contains read privileges for all departmental documents.
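The departmental-library approach sketched above, as an added example in Python that is not from the paper: it contrasts the demand operation, the naive rule that hands every faculty member a read ticket when a document is created, and the library scheme in which the create rule places a single read ticket in the library subject and a faculty member obtains it later by a copy operation. The link predicate, the copy-flag filter and the second step itself (faculty copying from the library) are assumptions made here for illustration, not the paper's formal constructions.

```python
from collections import defaultdict

# Assumed toy model (not the paper's formal construction): tickets are
# (object, right, copy_flag); link and filter rules are illustrative choices.
class ToySPM:
    def __init__(self, faculty):
        self.faculty = set(faculty)
        self.domain = defaultdict(set)   # subject -> tickets it holds
        self.domain["library"] = set()   # step 1: the library subject
    # demand: a faculty member obtains doc/read just by asking for it
    def demand(self, subject, doc):
        if subject not in self.faculty:
            return False
        self.domain[subject].add((doc, "read", False))
        return True
    # naive replacement: the create rule hands doc/read to every faculty
    # member that exists at creation time
    def create_naive(self, doc):
        for f in self.faculty:
            self.domain[f].add((doc, "read", False))
    # library scheme: the create rule gives a single ticket, carrying the
    # copy flag, to the library; no other domain is touched at creation
    def create_library(self, doc):
        self.domain["library"].add((doc, "read", True))
    # assumed link predicate: the library is linked to every faculty member
    def link(self, src, dst):
        return src == "library" and dst in self.faculty
    # copy: src passes a ticket to dst if it holds the ticket with the copy
    # flag and a link exists; the assumed filter strips the copy flag
    def copy(self, src, ticket, dst):
        if ticket not in self.domain[src] or not ticket[2] or not self.link(src, dst):
            return False
        self.domain[dst].add((ticket[0], ticket[1], False))
        return True
    def can_read(self, subject, doc):
        return any(t[:2] == (doc, "read") for t in self.domain[subject])
    def ticket_count(self):
        return sum(len(ts) for ts in self.domain.values())

def compare(n_docs):
    naive, lib = ToySPM(["alice", "bob"]), ToySPM(["alice", "bob"])
    for i in range(n_docs):
        naive.create_naive(f"doc{i}")
        lib.create_library(f"doc{i}")
    naive.faculty.add("carol")   # carol joins after the documents exist
    lib.faculty.add("carol")
    copied = lib.copy("library", ("doc0", "read", True), "carol")
    return {"naive_tickets": naive.ticket_count(), "library_tickets": lib.ticket_count(),
            "carol_naive": naive.can_read("carol", "doc0"),
            "carol_library": copied and lib.can_read("carol", "doc0")}
```

Under the naive rule carol, who joined after the documents were created, holds nothing and cannot read, while under the library scheme she obtains the ticket on request exactly as demand would have given it.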
The Demand Operation in the Schematic Protection Model
Ravinderpal Singh Sandhu
Department of Computer and Information Science
The Ohio State University
Columbus, Ohio 43210
614-292-0394
September, 1989
These extensions are illustrated in figure 2 which is visually very closely related to figure 1. The objective is to make the ideas more intuitive. The rest of section 4 considers peer amplification. The reason why the construction of figure 2b fails for peer amplification is discussed in detail. It is then shown that peer amplification reduces to non-peer amplification provided the SPM copy flag is redundant. This unexpected connection between peer amplification and copy flag redundancy highlights the significance of the latter issue. These changes address referee 1's recommendation of providing an intuitive description in addition to the formal one. Intuitive and formal descriptions are presented in an interleaved incremental fashion. Referee 2's specific points for clarification have been addressed as follows.
1. The simulation of objects by subjects in the modified system of section 3 is now different in that such "pseudo-subjects" are passive and not required to perform any action in the simulation.
2. The issue of safety analysis is raised only for amplification in section 5 where it is pointed out amplification is achieved without introducing cycles in can-create.
3. The part on peer amplification has been completely redone.
My sincere thanks to both referees for their comments.
Abstract. We show the demand operation in the schematic protection model is redundant in that it can be simulated by copy and create operations. We also consider to what extent amplification or conditional demand can be simulated by
information systems, operating systems, protection models, security