Protection models provide a formalism for specifying control over access to information and other resources in a multi-user computer system. Useful protection models must balance expressive power with the complexity of safety analysis, i.e., the determination of whether or not a given subject can ever acquire access to a given resource. The authors argue that, in terms of expressive power, a joint creation operation is a natural candidate for inclusion in an access control model, particularly in the context of integrity considerations. They extend the Schematic Protection Model (SPM) to allow groups of subjects to jointly create other subjects and objects, and they discuss the safety properties of the resulting model, ESPM. Despite the increase in expressive power, ESPM retains tractable safety analysis for many cases of practical interest.