Affiliations: [a] Motorola Labs, Schaumburg, IL 60196, USA. E-mail: [email protected] | [b] Department of Computer Science and CERIAS, Purdue University, West Lafayette, IN 47907, USA. E-mail: [email protected]
Correspondence:
[*]
Corresponding author. Address: Motorola, 1301 E Algonquin Road, IL02–2712, Schaumburg, IL 60196, USA. Tel.: +1 847 576 7883.
Note: [1] A preliminary version of this paper appears in the proceedings of the 2004 ACM Conference on
Computer and Communications Security (CCS) [23].
Abstract: We present a theory for comparing the expressive power of access control models. The theory is based on simulations that preserve security properties. We perceive access control systems as state-transition systems and present two kinds of simulations, reductions and state-matching reductions. In applying the theory, we highlight four new results and discuss these results in the context of other results that can be inferred or are known. One result indicates that the access matrix scheme due to Harrison, Ruzzo and Ullman is limited in its expressive power when compared with a trust-management scheme, thereby formally establishing a conjecture from the literature. A second result is that a particular RBAC (Role-Based Access Control) scheme, ARBAC97, may be limited in its expressive power, thereby countering claims in the literature that RBAC is more expressive than DAC (Discretionary Access Control). A third result demonstrates that the ability to check for the absence of rights (in addition to the presence of rights) can cause a scheme to be more expressive. A fourth result is that a trust-management scheme is at least as expressive as RBAC with a particular administrative scheme (the URA97 component of ARBAC97).
