Authorization and antichains

Access control has been an important issue in military systems for many years and is becoming increasingly important in commercial systems. There are three important access control paradigms: the Bell-LaPadula model, the protection matrix model and the role-based access control model. Each of these models has its advantages and disadvantages. Partial orders play a significant part in the role-based access control model and are also important in defining the security lattice in the Bell-LaPadula model. The main goal of this thesis is to improve the understanding and specification of access control models through a rigorous mathematical approach. We examine the mathematical foundations of the role-based access control model and conclude that antichains are a fundamental concept in the model. The analytical approach we adopt enables us to identify where improvements in the administration of role-based access control could be made. We then develop a new administrative model for role-based access control based on a novel, mathematical interpretation of encapsulated ranges. We show that this model supports discretionary access control features which have hitherto been difficult to incorporate into rolebased access control frameworks. Separation of duty is an important feature of role-based access control models that has usually been expressed in first-order logic. We present an alternative formalism for separation of duty policies based on antichains in a powerset (Sperner families), and show that it is no less expressive than existing approaches. The simplicity of the formalism enables us to analyze the complexity of implementing separation of duty policies. In the course of this analysis we establish new results about Sperner families. We also define two orderings on the set of antichains in a partially ordered set and prove that in both cases the resulting structure is a distributive lattice. This lattice provides the formal framework for a family of secure access control models which incorporate the advantages of existing paradigms without introducing many of their respective disadvantages. We present two members of this family: a new model for role-based access control, for which we give an operational semantics and prove a security theorem similar to the Basic Security Theorem for the Bell-LaPadula model; and the secure hierarchical protection matrix model which combines the strong security properties of the Bell-LaPadula model with the flexibility of the protection matrix model.