ACM Transactions on Computer Systems
Volume 8, Issue 3 (1990)

A formal protection model of security in centralized, parallel, and distributed systems
Pages 183-213

Glenn S. Benson, Ian F. Akyildiz and William F. Appelbe



One way to show that a system is not secure is to demonstrate that a malicious or mistake-prone user or program can break security by causing the system to reach a nonsecure state. A fundamental aspect of a security model is a proof that validates that every state reachable from a secure initial state is secure. A sequential security model assumes that every command that acts as a state transition executes sequentially, while a concurrent security model assumes that multiple commands execute concurrently. This paper presents a security model called the Centralized-Parallel-Distributed model (CPD model) that defines security for logically or physically centralized, parallel, and distributed systems. The purpose of the CPD model is to define concurrency conditions that guarantee that a concurrent system cannot reach a state in which privileges are configured in a nonsecure manner. As an example, the conditions are used to construct a representation of a distributed system.



Categories and Subject Descriptors:
Computer Systems Organization - Computer-Communication Networks - General (C.2.0): Security and protection (e.g., firewalls); Computer Systems Organization - Processor Architectures - Multiple Data Stream Architectures (Multiprocessors) (C.1.2): Parallel processors; Computer Systems Organization - Computer-Communication Networks - Distributed Systems (C.2.4); Software - Operating Systems - Process Management (D.4.1): Concurrency; Software - Operating Systems - Process Management (D.4.1): Scheduling; Theory of Computation - Logics and Meanings of Programs - Specifying and Verifying and Reasoning about Programs (F.3.1); Software - Operating Systems - Security and Protection (D.4.6): Access controls

General Terms:
Design, Security, Theory, Verification

Keywords:
access control, concurrency control, distributed system security, operating system security, protection model



From Computing Reviews
Jonathan K. Millen

The centralized-parallel-distributed (CPD) model of security differs from the Harrison-Ruzzo-Ullman model in that more than one command may be executed concurrently, interleaving their operations. The only four operations defined in the CPD model enter or delete tokens in an access matrix or test that they are present or absent. Tokens represent either privileges or locks. Operations can block until tokens are entered or deleted by operations in other concurrent commands. Operations are grouped into critical sections by virtue of entering and deleting a lock on a matrix entry.

The main result of the paper is that proving safety for a concurrent system is reducible to proving safety for a sequential system with the same commands, provided that the "proper critical section" and "least privilege" conditions are satisfied. The former condition requires that every pair of interfering operations from distinct commands have a common critical section. This condition alone guarantees serializability, but that is not enough, because it does not guarantee that all intermediate states are secure. The latter condition requires that, in each command, all delete-privilege operations precede all enter-privilege operations. The paper also gives a brief overview of the different kinds of security models and an example of a CPD model for a small distributed system.
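The "least privilege" ordering condition from the review, as an added illustration that is not the paper's own formalism or code: a toy access matrix of privilege tokens, commands built from CPD-style enter and delete operations, and a constructed safety predicate checked in the sequential model (only states between atomic commands) versus the concurrent model (every intermediate state of every interleaving). The subjects, objects and predicate are constructed; test operations, locks and the proper-critical-section condition are not modelled.

```python
def initial_matrix():
    # (subject, object) -> set of privilege tokens; constructed sample state.
    return {("alice", "ledger"): {"write"}, ("bob", "ledger"): set(),
            ("carol", "journal"): {"write"}, ("dave", "journal"): set()}

def transfer(src, dst, obj, token, delete_first=True):
    # A command moving one token; delete_first obeys "deletes precede enters".
    ops = [("delete", src, obj, token), ("enter", dst, obj, token)]
    return ops if delete_first else ops[::-1]

def apply_op(matrix, op):
    kind, subject, obj, token = op
    cell = matrix.setdefault((subject, obj), set())
    (cell.add if kind == "enter" else cell.discard)(token)

def secure(matrix):
    # Constructed safety predicate: at most one subject holds "write" per object.
    holders = {}
    for (subject, obj), tokens in matrix.items():
        if "write" in tokens:
            holders.setdefault(obj, set()).add(subject)
    return all(len(s) <= 1 for s in holders.values())

def interleavings(cmds):
    # Every interleaving of the commands' operations, each kept in program order.
    if not any(cmds):
        yield []
        return
    for i, cmd in enumerate(cmds):
        if cmd:
            for tail in interleavings(cmds[:i] + [cmd[1:]] + cmds[i + 1:]):
                yield [cmd[0]] + tail

def all_secure(steps):
    # steps: list of operation groups; the state is checked after each group.
    matrix = initial_matrix()
    for group in steps:
        for op in group:
            apply_op(matrix, op)
        if not secure(matrix):
            return False
    return True

def sequential_safe(commands):
    # Sequential model: each command is atomic, so only post-command states count.
    return all_secure(commands)
def concurrent_safe(commands):
    # Concurrent model: every intermediate state of every interleaving is visible.
    return all(all_secure([[op] for op in s]) for s in interleavings(list(commands)))
```

An enter-before-delete transfer passes the sequential check but fails the concurrent one, because another command can observe the moment when two subjects hold the token; with deletes first, every intermediate state holds a subset of the privileges of the states around it.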
