A type system for Discretionary Access Control

Discretionary Access Control (DAC) systems provide powerful resource management mechanisms based on the selective distribution of capabilities to selected classes of principals. We study a type-based theory of DAC models for a process calculus that extends Cardelli, Ghelli and Gordon’s pi-calculus with groups (Cardelli et al., 2005). In our theory, groups play the rôle of principals, the unit of abstraction for our access control policies, and types allow the specification of fine-grained access control policies to govern the transmission of names, to bound the (iterated) re-transmission of capabilities, to predicate their use on the inability to pass them to third parties. The type system relies on subtyping to achieve a selective distribution of capabilities, based on the groups that control the communication channels. We show that the typing and subtyping relationships of the calculus are decidable. We also prove a type safety result, showing that in well-typed processes (i) all names flow according to the access control policy specified by their types, and (ii) are received at the intended sites with the intended capabilities. We illustrate the expressive power and the flexibility of the typing system on several examples.