Abstract
In a system based on authorization, the ability of a subject to operate on the system is a function of the privileges that he possesses. In this paper a mechanism, called Send-Receive, for the transport of such privileges, is introduced and studied. The control provided by this mechanism over the movement of privileges has two notable properties.

-- The control is selective, in the sense that it permits the creation of transport channels, which allow for the movement of only certain types of privileges and only between certain kinds of subjects.

-- The control is local, in the sense that every movement of privileges into and out of the domain of a given subject must be authorized by privileges already in his domain.

The proposed transport mechanism is shown to allow the imposition of a local upper bound on the power of any given subject. This bound is independent of the rest of the system and can, therefore, be viewed as an intrinsic property of the subject. The ability to impose such bounds is considered essential for effective modularization of computer systems. In addition, the locality of our control has beneficial global effects on the flow of privileges. In particular, it helps remove the undesirable symmetry of transport, exhibited by the conventional Take-Grant mechanism.
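The two properties above, selectivity and locality, can be seen in a small toy model. This is an added illustration, not the paper's formal definition: it assumes that a transport privilege names a privilege type and a class of counterpart subject, that a move from one domain to another needs a matching send privilege in the source domain and a matching receive privilege in the destination domain, and that the local upper bound is the set of privilege types a subject either holds or is able to receive.

```python
from dataclasses import dataclass, field

# Toy model (assumed semantics, not the paper's): an ordinary privilege is a
# pair (type, object); send(type, target_class) and receive(type, source_class)
# are the transport privileges that open a typed channel between subject classes.

@dataclass
class Subject:
    name: str
    cls: str                                  # kind of subject, e.g. "user", "server"
    privs: set = field(default_factory=set)   # ordinary privileges: (type, object)
    send: set = field(default_factory=set)    # (type, target_class)
    recv: set = field(default_factory=set)    # (type, source_class)

def can_transport(src: Subject, dst: Subject, priv: tuple) -> bool:
    """Locality: the move is decided only by privileges in the two domains.
    Selectivity: the channel is restricted to one type and one pair of classes."""
    ptype, _ = priv
    return (priv in src.privs                  # source must actually hold it
            and (ptype, dst.cls) in src.send   # source authorizes the outflow
            and (ptype, src.cls) in dst.recv)  # destination authorizes the inflow

def transport(src: Subject, dst: Subject, priv: tuple) -> bool:
    """Copy priv from src to dst if the typed channel exists; otherwise refuse."""
    if not can_transport(src, dst, priv):
        return False
    dst.privs.add(priv)
    return True

def upper_bound(subject: Subject) -> set:
    """Types of privilege that can ever be in this domain: what it holds now
    plus whatever its receive privileges admit. Computed from the subject's own
    domain alone, so it does not depend on the rest of the system."""
    return {t for t, _ in subject.privs} | {t for t, _ in subject.recv}

# Constructed sample system: a user who may pass read privileges to servers,
# and a server that accepts read privileges from users (and nothing else).
alice = Subject("alice", "user", privs={("read", "file1"), ("write", "file1")},
                send={("read", "server")})
bob = Subject("bob", "server", recv={("read", "user")})
```

Note that even after bob receives a privilege, nothing in bob's domain lets it flow back to alice, which is the asymmetry the abstract contrasts with Take-Grant.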