Undecidability Of Safety For The Schematic Protection Model With Cyclic Creates

In the schematic protection model subjects and objects are classified into protection types. Creation is authorized by a can-create binary relation on types. It is shown that with arbitrary cycles in can-create safety is undecidable. Whereas it has been previously shown safety is decidable for acyclic can-create. It is also shown that safety remains undecidable even if all creates are attenuating in that tickets (capabilities) given to a subject on its creation are attenuated copies of tickets available to its parent. This contrasts with decidable safety for attenuating cycles of length one. It appears safety is decidable for the practically useful cases while undecidability results from undue laxity in authorizing creation. iii 1 INTRODUCTION The need for access controls or protection arises in any computer system in which multiple users share information and physical resources. These systems are viewed as consisting of subjects and objects. Active entities such as users are subjec..