Expressive Power of the Schematic Protection Model *

In this paper we show that the Schematic Protection Model (SPM) subsumes several well-known protection models as particular instances. We show this for a diverse collection of models including the Bell-LaPadula multilevel security model, take-grant models, and grammatical protection systems. Remarkably SPM subsumes these models within its known efficiently decidable cases for safety analysis (i.e., the determination or whether or not a given privilege can possibly be acquired by a particular subject). Therefore SPM subsumes these models not only in terms of its expressive power but also in terms of safety analysis. This is in sharp contrast to the Harrison-Ruzzo-Ullman (HRU) access-matrix model. HRU does subsume all the models discussed in this paper in terms of expressive power. However, all known constructions of these models in HRU require multi-conditional commands (i.e., commands whose conditions have two or more terms), whereas safety is undecidable in HRU even for bi-conditional commands (i.e., commands whose conditions have exactly two terms).