Design and Analysis of Protection Schemes Based on the Send-Receive Transport Mechanism
Technical documentation   Open access
Ravinderpal Singh Sandhu
Rutgers University
1983
DOI:
https://doi.org/10.7282/T3NZ8C5G

Abstract

In a protection mechanism based on authorization, the ability of a subject (i.e., a user or a process) to operate on the system is determined by the privileges in its domain. A mechanism for the transport of privileges must accommodate a variety of policies, while permitting analysis of the privileges which a given subject might obtain. The send-receive transport mechanism was designed by Minsky with these objectives in mind. In this mechanism, a transport operation is explicitly authorized at both the source and the destination, and the authorization is selective with respect to which privileges can be transported. Here we study a restricted version of this mechanism. Under our restrictions a protected system is designed in two stages. Firstly, a protection scheme is defined by specifying the values of certain parameters, which determine the static component of every subject's domain. Secondly, an initial state is defined, specifying the dynamic component of every subject's domain. This state then evolves as permitted by the protection scheme. We formulate the flow-analysis problem, which is concerned with determining a bound on the authorization for transport of privileges, given a protection scheme and an initial state. We develop techniques for deriving and improving the desired bound. The major complication in doing so is the create operation, which permits the protection state to evolve in an unbounded manner. We investigate conditions which enable us to ignore the create operation. We also investigate conditions under which the initial authorization for transport of privileges remains invariant in every derived state. We study additional analysis issues in the context of sub-classes of our design framework. The questions raised in such detailed analysis depend on the structure of these sub-classes.
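The two ideas the abstract names, two-sided selective authorization of transport and a flow-analysis bound computed with the create operation ignored, are illustrated below in an added example. This is not code from the thesis, and its data structures are a deliberately simplified stand-in for the thesis's formalism: the subjects, privilege kinds, objects and the per-subject send/receive authorizations are constructed assumptions. It bounds the privileges each subject can obtain by transport alone, which is the analysis goal the abstract motivates.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed, simplified model of a send-receive protection scheme (an
# assumption for illustration, not the thesis's formalism). A privilege is a
# (kind, object) pair such as ("read", "f1"). The scheme is the static part:
# for each subject it fixes which privilege kinds it may send to which
# destination, and which kinds it may receive from which source. The state
# (which privileges each subject currently holds) is the dynamic part.
Privilege = Tuple[str, str]


@dataclass(frozen=True)
class Scheme:
    # can_send[s]    = {(kind, destination)} that subject s is allowed to send
    # can_receive[r] = {(kind, source)} that subject r is allowed to accept
    can_send: Dict[str, Set[Tuple[str, str]]]
    can_receive: Dict[str, Set[Tuple[str, str]]]

    def authorized(self, src: str, dst: str, kind: str) -> bool:
        """Transport is explicitly authorized at BOTH ends, and selectively by kind."""
        return ((kind, dst) in self.can_send.get(src, set())
                and (kind, src) in self.can_receive.get(dst, set()))


def flow_bound(scheme: Scheme, initial: Dict[str, Set[Privilege]]) -> Dict[str, Set[Privilege]]:
    """Upper bound on what every subject can obtain by transport alone.

    Iterates authorized transports to a least fixpoint. The subject set is
    fixed (no create operation), so the iteration terminates; with create the
    state could grow without bound, which is the complication the abstract names.
    """
    subjects = set(initial) | set(scheme.can_send) | set(scheme.can_receive)
    state: Dict[str, Set[Privilege]] = {s: set(initial.get(s, set())) for s in subjects}
    changed = True
    while changed:
        changed = False
        for src in subjects:
            for dst in subjects:
                if src == dst:
                    continue
                for kind, obj in list(state[src]):
                    if scheme.authorized(src, dst, kind) and (kind, obj) not in state[dst]:
                        state[dst].add((kind, obj))
                        changed = True
    return state


def can_obtain(scheme: Scheme, initial: Dict[str, Set[Privilege]],
               subject: str, priv: Privilege) -> bool:
    """Decide whether `subject` can ever hold `priv` under the bound (create ignored)."""
    return priv in flow_bound(scheme, initial).get(subject, set())


# Constructed example: three subjects. Transport of "read" is authorized at
# both ends along alice -> bob -> carol. alice may send "write" to carol, but
# carol's receive set does not accept "write" from alice, so that flow is
# blocked at the destination even though the source permits it.
example_scheme = Scheme(
    can_send={
        "alice": {("read", "bob"), ("write", "carol")},
        "bob": {("read", "carol")},
    },
    can_receive={
        "bob": {("read", "alice")},
        "carol": {("read", "bob")},
    },
)
example_initial: Dict[str, Set[Privilege]] = {
    "alice": {("read", "f1"), ("write", "f1")},
    "bob": set(),
    "carol": set(),
}

if __name__ == "__main__":
    for subject, privs in sorted(flow_bound(example_scheme, example_initial).items()):
        print(subject, sorted(privs))
```

In this toy model the send/receive authorizations are fixed by the scheme, so the invariance question the abstract raises (whether the initial authorization for transport survives every derived state) is trivially answered; the thesis studies the general case, where that has to be established by analysis.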
DCS-TR-130 (PDF, 3.48 MB)
Version of Record (VoR), Technical Documentation, Open Access
