CSC - 5SL03 - TP pt2 Tutorial2 Take Grant TAM With - Answers


Tutorial 2 : Take Grant & TAM models

J. Leneutre

The objective of this tutorial is to have a better understanding of the Take-Grant and TAM models.

Exercise 1:
Consider an initial Take-Grant graph G0 with only one subject and no object. Is it possible to derive from
G0 a graph containing a cycle?

Exercise 2:
For the following predicates tell whether it is true or not in the graph G0 below:
a. can•share(α,v,w,G0)
b. can•steal(g,x,s,G0)
c. can•share(t,s,v,G0)
d. can•steal(t,s,v,G0)
e. can•share(α,s,w,G0)
f. can•steal(α,s,w,G0)
[Figure: the graph G0, picture from a L. Snyder presentation; not reproduced in this extract]

Exercise 3:
We recall that predicate can•steal(α,x,y,G0) is true, if there is no edge from x to y labeled α in G0, and
there exists a sequence of graphs G1, …, Gn such that :
 There is an edge from x to y labeled α in Gn.
 For all 0≤i<n, Gi → Gi+1.
 For all 1≤i<n, for all vertices v and w in Gi-1, if there is an edge from v to y in G0 labeled α, then
the rule associated with Gi-1 → Gi, is not of the form "v grants (α to y) to w".

The goal of this exercise is to prove the following theorem that gives necessary & sufficient conditions
for the can•steal predicate to hold true:

Theorem 1: The predicate can•steal(α,x,y,G0) is true if and only if the following conditions hold
simultaneously:
(i) There is no edge from x to y labeled α in G0.
(ii) There exists a subject vertex x' such that x'=x or x' initially spans to x.
(iii) There exists a vertex s with an edge labeled α to y in G0 for which can•share(t,x,s,G0)
holds.

We will assume the following theorem proved during the course:


Theorem 2: The predicate can•share(α,x,y,G0) is true iff there is an edge from x to y in G0 labeled α, or if
the following hold simultaneously:
(i) There exists a vertex v ∊ G0 with an edge to y labeled α;
(ii) There is a subject vertex s ∊ G0 such that s=x or s initially spans to x;
(iii) There is a subject vertex s’ such that s’=v or s’ terminally spans to v;
(iv) There exist islands I1, …, In such that s ∊ I1, s’ ∊ In, and for 1≤j<n there is a bridge from Ij to Ij+1.

a- Suppose that the three conditions of theorem 1 hold.

1. Suppose that x is a subject, show that can•steal(α,x,y,G0) is true.

2. Suppose x is an object, show that if the three conditions of theorem 1 hold, there exists a
vertex s with an edge labeled α to y in G0, and a subject x’ such that can•share(t,x’,s,G0) is
true.

3. Suppose that x is an object and the previous x’ does not have an edge labeled α to y in G0;
show that can•steal(α,x,y,G0) is true.

4. Suppose that x is an object and the previous x’ has an edge labeled α to y in G0; show that
can•steal(α,x,y,G0) is true.

5. Deduce that can•steal(α,x,y,G0) is true, if the three conditions of the theorem hold.

b- Suppose that can•steal(α,x,y,G0) is true.

1. Show that conditions (i) and (ii) of theorem 1 hold.

2. Show that the vertex s of condition (iii) of theorem 1 exists.

3. Let G1, …, Gn be a minimal length derivation sequence and Gi the first graph in the
sequence such that an edge labeled α to y from some vertex p is added to Gi by a rule
ri. Show that ri is a take rule.

4. Since can•share(α,x,y,G0) holds, following the second condition of theorem 2, there is a
subject vertex x’ ∊ G0 such that x’=x or x’ initially spans to x, and following the third
condition of theorem 2, there is a subject vertex s’ in G0 such that s’=s or s’ terminally
spans to s. Furthermore, according to the fourth condition of theorem 2, there exist islands I1,
…, In such that x’ ∊ I1, s’ ∊ In, and for 1≤j<n there is a bridge from Ij to Ij+1. Show that if s
is an object, then can•share(t,x,s,G0) holds (suppose that p and s’ are in the same island).

5. Show that if s is a subject, then can•share(t,x,s,G0) holds.

Exercise 4:
The ORCON (originator controlled policy) requires that the creator (i.e. originator) of a document retains
control over granting access to the information in the document. For example, let Alice be the creator of
an ORCON document D. Suppose Alice authorizes Bob to read D. The ORCON policy requires that Bob
cannot propagate the information in D to Tom; either directly by granting Tom read access to D, or
indirectly by granting Tom read access to a copy of D. The goal of this exercise is to model the ORCON
policy in TAM model.

Consider the following set of rights R={own, read, write, cread, parent}, where cread means
“confined read”, and the set of types T={s, cs, co}, with TS={s, cs}, where s means “subject”, cs
means “confined subject” and co means “confined object”.

a- Write the following TAM commands in such a manner that they satisfy the ORCON policy (i.e. S1
gives S2 read access to O but S2 will never be able to copy the content of O into another object):
 create-orcon-object(S1:s,O:co) that creates an object O of type co and gives the rights own,
read and write to S1.
 grant-cread(S1:s,S2:s,O:co) where S1 grants S2 the cread right.
 use-cread(S2:s,O:co,S3:cs), where S2 creates a confined subject S3 that is able to read O (S2 has
the right parent over S3).

b- Write commands for a revocation policy where:


 The owner of a confined object can revoke the cread right.
 The owner of a confined object can destroy this object.
 The owner of a confined object can revoke a read access to this object.
 The parent of a confined subject can destroy it.

c- For purpose of safety analysis can we ignore the commands of question b?

d- Do the commands of question a correspond to an acyclic TAM system?

Tutorial 2 : Take Grant & TAM models - Answers
J. Leneutre

Exercise 1:
Consider an initial Take-Grant graph G0 with only one subject and no object. Is it possible to derive from
G0 a graph containing a cycle?

Answer:
Yes, let s be the subject and consider the following rules:
s creates (g to new vertex) s1
s creates (g to new vertex) s2
s grants (g to s2) to s1
s grants (g to s1) to s2
The obtained graph features a cycle between s1 and s2.

Exercise 2:
For the following predicates tell whether it is true or not in the graph G0 below:
a. can•share(α,v,w,G0)
b. can•steal(g,x,s,G0)
c. can•share(t,s,v,G0)
d. can•steal(t,s,v,G0)
e. can•share(α,s,w,G0)
f. can•steal(α,s,w,G0)
[Figure: the graph G0, picture from a L. Snyder presentation; not reproduced in this extract]

Answer:
a. True
v takes (t to u) from x
v takes (α to w) from u
b. True
x takes (g to s) from u
c. True
u grants (t to v) to s
d. True
x takes (g to s) from u
x grants (t to u) to s
s takes (t to v) from u
(u, which holds t to v in G0, never grants it, so this is a theft and not merely a share.)
e. True
u grants (α to w) to s
f. True
u grants (t to v) to s
s takes (t to x) from v
s takes (t to u) from x
s takes (α to w) from u
(The share of e, "u grants (α to w) to s", is forbidden here since u holds α to w in G0; s must take it.)

Exercise 3:
We recall that predicate can•steal(α,x,y,G0) is true, if there is no edge from x to y labeled α in G0, and
there exists a sequence of graphs G1, …, Gn such that :
 There is an edge from x to y labeled α in Gn.
 For all 0≤i<n, Gi → Gi+1.
 For all 1≤i<n, for all vertices v and w in Gi-1, if there is an edge from v to y in G0 labeled α, then
the rule associated with Gi-1 → Gi, is not of the form "v grants (α to y) to w".

The goal of this exercise is to prove the following theorem that gives necessary & sufficient conditions
for the can•steal predicate to hold true:

Theorem 1: The predicate can•steal(α,x,y,G0) is true if and only if the following conditions hold
simultaneously:
(i) There is no edge from x to y labeled α in G0.
(ii) There exists a subject vertex x' such that x'=x or x' initially spans to x.
(iii) There exists a vertex s with an edge labeled α to y in G0 for which can•share(t,x,s,G0) holds.

We will assume the following theorem proved during the course:


Theorem 2: The predicate can•share(α,x,y,G0) is true iff there is an edge from x to y in G0 labeled α, or if
the following hold simultaneously:
(i) There exists a vertex v ∊ G0 with an edge to y labeled α;
(ii) There is a subject vertex s ∊ G0 such that s=x or s initially spans to x;
(iii) There is a subject vertex s’ such that s’=v or s’ terminally spans to v;
(iv) There exist islands I1, …, In such that s ∊ I1, s’ ∊ In, and for 1≤j<n there is a bridge from Ij to Ij+1.

a- Suppose that the three conditions of theorem 1 hold.

1. Suppose that x is a subject, show that can•steal(α,x,y,G0) is true.

Answer:
According to condition (iii) of theorem 1, there exists a vertex s with an edge labeled α to y in G0 for
which can•share(t,x,s,G0) holds. Thus x can obtain t rights to s and, being a subject, x can then apply the
take rule "x takes (α to y) from s" to obtain α rights to y. No grant of (α to y) is involved, so the extra
condition of the can•steal definition is respected, and together with condition (i) this gives
can•steal(α,x,y,G0).

2. Suppose x is an object, show that if the three conditions of theorem 1 hold, there exists a
vertex s with an edge labeled α to y in G0, and a subject x’ such that can•share(t,x’,s,G0) is
true.

Answer:
According to condition (iii) of theorem 1, there exists a vertex s with an edge labeled α to y in G0 such
that can•share(t,x,s,G0) is true. Since x is an object it holds no edge, so by theorem 2 there exist a
vertex v ∊ G0 with an edge to s labeled t (condition (i)), a subject vertex x’ such that x’=x or x’ initially
spans to x (condition (ii); as x is an object, x’≠x and x’ initially spans to x), a subject s’ with s’=v or s’
terminally spanning to v (condition (iii)) and islands I1, …, In with x’ ∊ I1 and s’ ∊ In connected by
bridges (condition (iv)). Applying theorem 2 to can•share(t,x’,s,G0), conditions (i), (iii) and (iv) are
witnessed by the same v, s’ and islands, and condition (ii) holds with the subject x’ itself. Hence
can•share(t,x’,s,G0) is true.

3. Suppose that x is an object and the previous x’ does not have an edge labeled α to y in G0;
show that can•steal(α,x,y,G0) is true.

Answer:
According to the previous question, can•share(t,x’,s,G0) is true, and from condition (iii) of theorem 1
there is an edge from s to y labeled α in G0; thus, using the take rule, can•share(α,x’,y,G0) is true. Then,
since x’ initially spans to x, x’ can obtain g rights to x and grant α to y to x. This grant is allowed by the
definition of can•steal because x’ does not have an edge labeled α to y in G0, so can•steal(α,x,y,G0) is true.

4. Suppose that x is an object and the previous x’ has an edge labeled α to y in G0; show that
can•steal(α,x,y,G0) is true.

Answer:
The subject x’ can no longer grant α to x directly: x’ holds an edge labeled α to y in G0, and the definition
of can•steal(α,x,y,G0) forbids the rule "x’ grants (α to y) to x". Instead x’ creates a "surrogate" subject
s’, which is not in G0 and is therefore not restricted, and gives it take rights to s and grant rights to x
(x’ can hold t to s because can•share(t,x’,s,G0) holds, and g to x because x’ initially spans to x):
 x’ creates (g to new subject) s’.
 x’ grants (t to s) to s’.
 x’ grants (g to x) to s’.
 s’ takes (α to y) from s.
 s’ grants (α to y) to x.
The last step is permitted since s’ has no edge labeled α to y in G0; hence can•steal(α,x,y,G0) is true.

5. Deduce that can•steal(α,x,y,G0) is true, if the three conditions of the theorem hold.
Answer:
This follows from questions 1, 3 and 4, which cover the three possible cases: x is a subject; x is an object
and x’ has no edge labeled α to y in G0; x is an object and x’ has such an edge.
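The derivations above (the cycle of Exercise 1, the six sequences of Exercise 2 and the surrogate construction of question a-4) can be checked mechanically. The following Python is an added example written for this page, not code from the tutorial or from Snyder's paper: a small rule engine that applies take, grant and create only when their preconditions hold and, when a sequence is replayed as a theft of (α to y), rejects any grant of (α to y) by a vertex that already held α to y in G0. The figure of Exercise 2 is not reproduced in the text, so the edges of G0 used below are an assumption reconstructed from the answer sequences; the Exercise 3 instance (x’ with g to x, t to s and α to y; s with α to y) is likewise constructed here, and the right written α in the tutorial is named r.

```python
from collections import defaultdict


class TakeGrant:
    """Minimal Take-Grant protection graph with the take, grant and create rules.

    Edges carry sets of one-letter rights: 't' (take), 'g' (grant) and 'r', which
    stands for the generic right α. Only subjects may apply rules; a rule whose
    precondition fails raises instead of silently changing the graph.
    """

    def __init__(self, subjects, objects, edges):
        self.subjects = set(subjects)
        self.vertices = set(subjects) | set(objects)
        self.edges = defaultdict(set)
        for src, dst, rights in edges:
            self.edges[(src, dst)] |= set(rights)
        # Snapshot of G0: can•steal forbids any vertex that held α to y in G0
        # from ever applying "v grants (α to y) to w".
        self.g0 = {k: set(v) for k, v in self.edges.items()}

    def has(self, src, dst, right):
        return right in self.edges[(src, dst)]

    def take(self, x, y, right, z):
        """x takes (right to z) from y: x subject, x -t-> y, y -right-> z."""
        if not (x in self.subjects and self.has(x, y, "t") and self.has(y, z, right)):
            raise ValueError(f"take not applicable: {x} takes ({right} to {z}) from {y}")
        self.edges[(x, z)].add(right)

    def grant(self, x, y, right, z, stealing=None):
        """x grants (right to z) to y: x subject, x -g-> y, x -right-> z.
        stealing=(alpha, target) enforces the extra restriction of can•steal."""
        if not (x in self.subjects and self.has(x, y, "g") and self.has(x, z, right)):
            raise ValueError(f"grant not applicable: {x} grants ({right} to {z}) to {y}")
        if stealing == (right, z) and right in self.g0.get((x, z), set()):
            raise PermissionError(f"{x} held {right} to {z} in G0: grant forbidden")
        self.edges[(y, z)].add(right)

    def create(self, x, rights, new):
        """x creates (rights to new subject) new: x subject, new must be fresh."""
        if x not in self.subjects or new in self.vertices:
            raise ValueError(f"create not applicable: {x} creates {new}")
        self.vertices.add(new)
        self.subjects.add(new)
        self.edges[(x, new)] |= set(rights)

    def apply(self, steps, stealing=None):
        """Apply (rule, args...) tuples in order; grants carry the stealing check."""
        for rule, *args in steps:
            if rule == "grant":
                self.grant(*args, stealing=stealing)
            else:
                getattr(self, rule)(*args)
        return self


def exercise1():
    """Exercise 1: a single subject derives a graph with a cycle s1 <-> s2."""
    g = TakeGrant(["s"], [], []).apply([
        ("create", "s", "g", "s1"), ("create", "s", "g", "s2"),
        ("grant", "s", "s1", "g", "s2"), ("grant", "s", "s2", "g", "s1")])
    return g.has("s1", "s2", "g") and g.has("s2", "s1", "g")


def exercise2_graph():
    # Assumed G0 of Exercise 2, reconstructed from the answer sequences.
    return TakeGrant(["s", "u", "v", "x"], ["w"],
                     [("v", "x", "t"), ("x", "u", "t"), ("u", "v", "t"),
                      ("u", "s", "g"), ("u", "w", "r")])


def exercise2():
    """Replay the six answer sequences; thefts (b, d, f) run with the restriction."""
    cases = {  # name: (steps, edge that must appear, (alpha, target) if a theft)
        "a": ([("take", "v", "x", "t", "u"), ("take", "v", "u", "r", "w")], ("v", "w", "r"), None),
        "b": ([("take", "x", "u", "g", "s")], ("x", "s", "g"), ("g", "s")),
        "c": ([("grant", "u", "s", "t", "v")], ("s", "v", "t"), None),
        "d": ([("take", "x", "u", "g", "s"), ("grant", "x", "s", "t", "u"),
               ("take", "s", "u", "t", "v")], ("s", "v", "t"), ("t", "v")),
        "e": ([("grant", "u", "s", "r", "w")], ("s", "w", "r"), None),
        "f": ([("grant", "u", "s", "t", "v"), ("take", "s", "v", "t", "x"),
               ("take", "s", "x", "t", "u"), ("take", "s", "u", "r", "w")], ("s", "w", "r"), ("r", "w")),
    }
    results = {}
    for name, (steps, (src, dst, right), stealing) in cases.items():
        g = exercise2_graph()
        absent_in_g0 = not g.has(src, dst, right)   # required only for a theft
        g.apply(steps, stealing)
        results[name] = g.has(src, dst, right) and (stealing is None or absent_in_g0)
    return results


def exercise2_f_direct_grant_rejected():
    """The share of e, "u grants (α to w) to s", is not an admissible step of the theft f."""
    try:
        exercise2_graph().grant("u", "s", "r", "w", stealing=("r", "w"))
    except PermissionError:
        return True
    return False


def exercise3_graph():
    # Constructed instance of case a-4: x' holds g to the object x, t to s, and
    # already holds α (r) to y in G0; s holds α to y.
    return TakeGrant(["x'", "s"], ["x", "y"],
                     [("x'", "x", "g"), ("x'", "s", "t"), ("s", "y", "r"), ("x'", "y", "r")])


def exercise3_surrogate():
    """The surrogate s' steals (α to y) for x, although x' itself may not grant it."""
    g = exercise3_graph().apply([
        ("create", "x'", "g", "s'"), ("grant", "x'", "s'", "t", "s"),
        ("grant", "x'", "s'", "g", "x"), ("take", "s'", "s", "r", "y"),
        ("grant", "s'", "x", "r", "y")], stealing=("r", "y"))
    return g.has("x", "y", "r")


def exercise3_direct_grant_rejected():
    """The step "x' grants (α to y) to x" violates the can•steal definition."""
    try:
        exercise3_graph().grant("x'", "x", "r", "y", stealing=("r", "y"))
    except PermissionError:
        return True
    return False
```

The engine only replays a given witness sequence; it does not decide can•share or can•steal on its own (that is what theorems 1 and 2 are for). Note that the checker accepts the corrected last step of a-4, "s’ grants (α to y) to x", and rejects "x’ grants (α to y) to x".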

b- Suppose that can•steal(α,x,y,G0) is true.

1. Show that conditions (i) and (ii) of theorem 1 hold.

2. Show that the vertex s of condition (iii) of theorem 1 exists.

3. Let G1, …, Gn be a minimal length derivation sequence and Gi the first graph in the
sequence such that an edge labeled α to y from some vertex p is added to Gi by a rule
ri. Show that ri is a take rule.

4. Since can•share(α,x,y,G0) holds, following the second condition of theorem 2, there is a
subject vertex x’ ∊ G0 such that x’=x or x’ initially spans to x, and following the third
condition of theorem 2, there is a subject vertex s’ in G0 such that s’=s or s’ terminally
spans to s. Furthermore, according to the fourth condition of theorem 2, there exist islands I1,
…, In such that x’ ∊ I1, s’ ∊ In, and for 1≤j<n there is a bridge from Ij to Ij+1. Show that if s
is an object, then can•share(t,x,s,G0) holds (suppose that p and s’ are in the same island).

5. Show that if s is a subject, then can•share(t,x,s,G0) holds.

Answers to the questions of part b are given in section 5 of the paper attached on Moodle:

Lawrence Snyder, Theft and conspiracy in the take-grant protection model, Journal of Computer and
System Sciences, Volume 23, Issue 3, pp. 333-347, 1981.

Exercise 4:
The ORCON (originator controlled policy) requires that the creator (i.e. originator) of a document retains
control over granting access to the information in the document. For example, let Alice be the creator of
an ORCON document D. Suppose Alice authorizes Bob to read D. The ORCON policy requires that Bob
cannot propagate the information in D to Tom; either directly by granting Tom read access to D, or
indirectly by granting Tom read access to a copy of D. The goal of this exercise is to model the ORCON
policy in TAM model.

Consider the following set of rights R={own, read, write, cread, parent}, where cread means
“confined read”, and the set of types T={s, cs, co}, with TS={s, cs}, where s means “subject”, cs
means “confined subject” and co means “confined object”.

a- Write the following TAM commands in such a manner that they satisfy the ORCON policy (i.e. S1
gives S2 read access to O but S2 will never be able to copy the content of O into another object):
 create-orcon-object(S1:s,O:co) that creates an object O of type co and gives the rights own,
read and write to S1.
 grant-cread(S1:s,S2:s,O:co) where S1 grants S2 the cread right.
 use-cread(S2:s,O:co,S3:cs), where S2 creates a confined subject S3 that is able to read O (S2 has
the right parent over S3).

Answer:

command create-orcon-object(S1:s,O:co)
    create_object(O:co);
    enter(own,S1,O);
    enter(read,S1,O);
    enter(write,S1,O)
end

command grant-cread(S1:s,S2:s,O:co)
    if own in M[S1,O] then
        enter(cread,S2,O)
end

command use-cread(S2:s,O:co,S3:cs)
    if cread in M[S2,O] then
        create_subject(S3:cs);
        enter(read,S3,O);
        enter(parent,S2,S3)
end

The confined subject S3 is of type cs: it appears in no command other than use-cread, and only as the
created parameter, so no command ever lets a cs subject enter a right, create an object or pass read
on. S2 itself only ever gets cread, which no command turns into read or write on O or on a copy of O.

Suppose that the initial access matrix M0 contains only the two subjects S1 and S2, of type s, with no rights:

        S1   S2
  S1    -    -
  S2    -    -

The execution of the three previous commands (create-orcon-object(S1,O), grant-cread(S1,S2,O),
use-cread(S2,O,S3)) leads to the following matrix:

        S1   S2   O                S3
  S1    -    -    own,read,write   -
  S2    -    -    cread            parent
  S3    -    -    read             -

b- Write commands for a revocation policy where:


 The owner of a confined object can revoke the cread right.
 The owner of a confined object can destroy this object.
 The owner of a confined object can revoke a read access to this object.
 The parent of a confined subject can destroy it.

Answer:

command revoke-cread(S1:s,S2:s,O:co)
    if own in M[S1,O] then
        delete(cread,S2,O)
end

command destroy-orcon-object(S1:s,O:co)
    if own in M[S1,O] then
        destroy_object(O)
end

command revoke-read(S1:s,S3:cs,O:co)
    if own in M[S1,O] and read in M[S3,O] then
        delete(read,S3,O)
end

command finish-orcon-read(S2:s,S3:cs)
    if parent in M[S2,S3] then
        destroy_subject(S3)
end

c- For the purpose of safety analysis, can we ignore the commands of question b?

Answer:
Yes. These commands only delete rights or destroy subjects and objects (non-monotonic operations).
The condition of a TAM command tests only the presence of rights, so deleting a right or destroying an
entity can never enable a command that was not already enabled: any sequence of commands that leaks
a right still leaks it once the commands of question b are removed from the sequence. The worst case
is therefore captured by the monotonic scheme of question a alone. (The commands of question b are
moreover reversible; for instance revoke-cread can be immediately undone by grant-cread.)

d- Do the commands of question a correspond to an acyclic TAM system?

Answer:
Yes. The creation graph of the scheme has an edge from each parent type to each child type of every
command that creates a subject or an object:
 in the command create-orcon-object, s is a parent type and co a child type (edge s → co);
 in the command grant-cread, there are no create_subject or create_object operations, so it adds no edge;
 in the command use-cread, s and co are parent types and cs a child type (edges s → cs and co → cs).
The graph {s → co, s → cs, co → cs} contains no cycle, so the scheme is acyclic; since question c reduces
the safety question to the monotonic commands, the scheme is an acyclic monotonic TAM system, for
which safety is decidable.
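The commands of questions a and b, the matrix walk of question a and the acyclicity check of question d can be exercised on a concrete run. The Python below is an added example written for this page, not code from the tutorial: a typed access matrix in which each command first checks the declared types of its parameters (the TAM typing rule that keeps a confined subject of type cs out of every position that expects an s), then the ORCON commands as written above, a constructed scenario with the subjects Alice, Bob and Tom from the exercise statement, and a cycle check over the type creation graph.

```python
from collections import defaultdict


class TAM:
    """Typed access matrix: every entity has a type, M[(s, e)] is a set of rights."""

    def __init__(self):
        self.types = {}            # entity -> type in T = {s, cs, co}
        self.M = defaultdict(set)  # (subject, entity) -> rights

    def check(self, *params):
        """TAM commands are typed: an existing parameter must have the declared type."""
        for name, typ in params:
            if name in self.types and self.types[name] != typ:
                raise TypeError(f"{name} has type {self.types[name]}, command expects {typ}")

    def create(self, name, typ):
        if name in self.types:
            raise ValueError(f"{name} already exists")
        self.types[name] = typ

    def destroy(self, name):
        del self.types[name]
        for key in [k for k in self.M if name in k]:
            del self.M[key]

    def rights(self, s, e):
        return self.M[(s, e)]


# Commands of question a (the monotonic part of the scheme).
def create_orcon_object(m, S1, O):
    m.check((S1, "s"), (O, "co"))
    m.create(O, "co")
    m.rights(S1, O).update({"own", "read", "write"})

def grant_cread(m, S1, S2, O):
    m.check((S1, "s"), (S2, "s"), (O, "co"))
    if "own" in m.rights(S1, O):
        m.rights(S2, O).add("cread")

def use_cread(m, S2, O, S3):
    m.check((S2, "s"), (O, "co"), (S3, "cs"))
    if "cread" in m.rights(S2, O):
        m.create(S3, "cs")           # confined subject: no command lets it share anything
        m.rights(S3, O).add("read")
        m.rights(S2, S3).add("parent")

# Commands of question b (non-monotonic revocation).
def revoke_cread(m, S1, S2, O):
    m.check((S1, "s"), (S2, "s"), (O, "co"))
    if "own" in m.rights(S1, O):
        m.rights(S2, O).discard("cread")

def destroy_orcon_object(m, S1, O):
    m.check((S1, "s"), (O, "co"))
    if "own" in m.rights(S1, O):
        m.destroy(O)

def revoke_read(m, S1, S3, O):
    m.check((S1, "s"), (S3, "cs"), (O, "co"))
    if "own" in m.rights(S1, O) and "read" in m.rights(S3, O):
        m.rights(S3, O).discard("read")

def finish_orcon_read(m, S2, S3):
    m.check((S2, "s"), (S3, "cs"))
    if "parent" in m.rights(S2, S3):
        m.destroy(S3)


def orcon_scenario():
    """Alice shares D with Bob under ORCON; Bob cannot pass D on to Tom."""
    m = TAM()
    for who in ("Alice", "Bob", "Tom"):      # constructed initial matrix: three subjects of type s
        m.create(who, "s")
    create_orcon_object(m, "Alice", "D")
    grant_cread(m, "Alice", "Bob", "D")
    use_cread(m, "Bob", "D", "BobReader")
    reader_rights = set(m.rights("BobReader", "D"))
    grant_cread(m, "Bob", "Tom", "D")        # Bob is not the owner: the condition fails, no effect
    try:                                     # a cs subject cannot stand where an s subject is expected
        grant_cread(m, "BobReader", "Tom", "D")
        type_check_bypassed = True
    except TypeError:
        type_check_bypassed = False
    revoke_cread(m, "Alice", "Bob", "D")
    finish_orcon_read(m, "Bob", "BobReader")
    return {"alice": set(m.rights("Alice", "D")), "reader_rights": reader_rights,
            "tom": set(m.rights("Tom", "D")), "bob_after_revoke": set(m.rights("Bob", "D")),
            "type_check_bypassed": type_check_bypassed, "reader_exists": "BobReader" in m.types}


# Creation graph of question d: (parent type, child type) for each creating command.
CREATION_EDGES = {"create-orcon-object": [("s", "co")], "use-cread": [("s", "cs"), ("co", "cs")]}

def is_acyclic(creation_edges):
    """A TAM scheme is acyclic iff its creation graph has no cycle (self-loops included)."""
    graph = defaultdict(set)
    for edges in creation_edges.values():
        for parent, child in edges:
            graph[parent].add(child)
    state = {}
    def visit(t):
        if state.get(t) == "active":
            return False                     # back edge: a type creates itself, directly or not
        if state.get(t) != "done":
            state[t] = "active"
            if not all(visit(c) for c in list(graph[t])):
                return False
            state[t] = "done"
        return True
    return all(visit(t) for t in list(graph))
```

Two things are worth noting in the scenario: Bob's attempt to run grant-cread is stopped by the command's condition (no own right), while the confined reader's attempt is stopped one level earlier, by the parameter types, before any condition is evaluated. That second barrier is what the type system buys over a plain access matrix, and it is also what the acyclicity check of question d reasons about.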
