۱- Introduction

۲- The protection model

۳- The protection system

۴- Examples of applications

۵- Discussion

۶- Concluding remarks

References

Abstract

With reference to a distributed environment consisting of nodes connected in an arbitrary network topology, we propose the organization of a protection system in which a set of subjects, e.g. processes, generates access attempts to memory segments. One or more primary passwords are associated with each node. An access to a given segment can be successfully accomplished only if the subject attempting the access holds an access privilege, certified by possession of a valid protected pointer (p-pointer) referencing that segment. Each p-pointer includes a local password; the p-pointer is valid if the local password descends from a primary password by application of a universally known, parametric one-way generation function. A set of protection primitives makes it possible to manage the primary passwords, to reduce p-pointers to include less access rights, to allocate new segments, to delete existing segments, to read the segment contents and to overwrite these contents. The resulting protection environment is evaluated from a number of viewpoints, which include p-pointer forging and revocation, the network traffic generated by the execution of the protection primitives, the memory requirements for p-pointer storage, security, and the relation of our work to previous work. An indication of the flexibility of the p-pointer concept is given by applying p-pointers to the solution of a variety of protection problems.

Introduction

Let us consider a protection system in which a set of active entities, the subjects S0, S1, . . . , generates access attempts to a set of protected, passive entities, the objects B0, B1, . . . [23,45]. A subject can be a scheduled computation (a process), or, in an eventdriven environment, a processing activity caused by the occurrence of an event, e.g. a hardware interrupt [30]. The system associates a set of access rights with each object; each access right makes it possible to access the object in a specific mode. Thus, a subject is a unit of computation that may possess access rights, and an object is a unit to which specific access rights may be applied [26]. In a classical model, the protection system takes the form of an access matrix AM, featuring a row for each subject and a column for each object [34,37,45]. Element AMi,j of the access matrix specifies the access privilege, i.e. the set of access rights, held by subject Si on object Bj .