Take Grant Protection Model

Question 1

What is the Take-Grant Model?

Answer 1

The TG model is a formal approach for determining the security of a given system with a specific set of rules.

Determining the security of a general system is impossible (takes to long). This is why TG is so useful is it can determine the security of a specific system in linear time (relatively quickly). It does this by determining whether a given right can be shared between two subjects securely, If any such share relationship does not satisfy this predicate, the system is deemed usafe.

Question 2

What are the main components of the Take-Grant Protection Model?

Answer 2

The TG model represents a system as a directed graph called the protection graph.

In this graph the nodes are the subjects and objects and the directed edges are the rights.

If there is an edge from the node x to the node y, then x has some right over y. Each edge is labeled with the right in question.

Question 3

What are the rights in the Take-Grant Protection Model?

Answer 3

There are four distinguished rights.

1. Take rule
2. Grant rule
3. Create rule
4. Remove rule

Question 4

What is the take rule and how does it work?

Answer 4

The take rule requires atleast three nodes, say x, y, and z. Say x has the take right over z, and z has a set of rights B over y. The take right allows x to take any right z has.

x–take–>z–B–>y

For instance, if a is a right in B, then z will have the right a over y. Then, x can get the right to y aswell. By claiming the right a over y, x will edit the protection graph by adding another edge.

———–a——->
x–take–>z–B–>y

Question 5

What is the grant rule and how does it work?

Answer 5

The grant rule requires atleast three nodes, say x, y, and z. Say z has the grant right over x, and z has a set of rights B over y. The grant right allows z to give any right it has over y to x.

x<–grant–z–B–>y

For instance, if a is a right in B, then z will have the right a over y. Then, z can give the right to x aswell. By giving the right a over y to x, the protection graph must be edited to include the new right in the ACM. Another edge from x to y is added.
<———–a———-
x<–grant–z–B–>y

Question 6

What is the create rule and how does it work?

Answer 6

The create rule simply edits the protection graph by adding a new node, for example.

x |- (x*creates) x–a–>y /a is just the right created with y

Question 7

What is the remove rule and how does it work?

Answer 7

The remove rule allows us to remove rights from the
protection graph. For instance,

x–B–>y |-(x*removes) x–(B-a)–>y

Here x initially has a set of rights B over y. When removing the right a from B the protection graph is changed

Question 8

How can we detemine whether a given right can be shared between two nodes?

Answer 8

A right can only be shared between two nodes if there exist a path between the two nodes in the protection graph. Such a path is known as a tg-path