The Oakland Papers

Recently, some controversy has arisen over the result we presented at IEEE Symposium on Security and Privacy 2004 (Oakland). Our paper showed that a family of Discretionary Access Controls (DACs) could be implemented in a model with a decidable safety property.

Section 5.2 of Li and Tripunitara's paper in this year's Oakland conference claimed that our result is wrong since our model cannot represent the invariant that every object has exactly one owner under change of ownership. That claim is erroneous. The technical information that was available to Li and Tripunitara in preparing their paper was, of course, our paper and the response to 6 questions they asked about it. We discussed the error with Li and Tripunitara shortly before the 2005 Oakland conference. To date they have not withdrawn it, so we have put up this page to discuss the issue.

The reader should not infer that we are agreeing or disagreeing with any other part of that paper or any of the statements on Prof. Li's web site.

We mention here only one additional disagreement with the Li-Tripunitara paper, contained in our statement in Cipher, below. Our Oakland 2004 paper does not "assert that, in general, safety is undecidable in DAC" [LT05]. To the contrary, we reach the opposite conclusion (e.g., see the title of our paper).

We will respond more fully to the Li-Tripunitara paper in traditional scholarly channels.

We welcome your comments.

Our statement in Cipher

In 1976 Harrison, Ruzzo and Ullman (HRU) presented a model that could implement many protection systems, including many DAC systems, and showed that the safety problem for their model was undecidable. In Oakland 2004, we presented a model that can implement all the kinds of DACs in Osborn, Sandhu and Munawer's 2000 paper ("OSM00"). We proved that it has a decidable safety problem and claimed that it was the first system that both had a proof that its safety property was decidable and could implement all those OSM00 DACs.

By our result, it is obvious that HRU must be able to express at least some access control scheme not in the OSM00 DACs.

In Section 5.2, [LT05] claims that our work has "deficiencies from the standpoints of correctness" and that it "does not capture the state invariant in [its encoding of DAC with change of ownership] that in every state, there is exactly one owner for every object that exists." That claim is erroneous.

In our scheme, "Ordinary object labels are of the form < U,N > where U is a user and N ... [is a] tag. An ordinary object label[ed], < U,N > is 'owned' by the user U" ([SS04], Section 3). Thus an object's ownership is determined by its label.

Change of ownership is allowed by a rule denoted

  1. rl(<*u, *>, <*v, *>) = {*u}

(a slight variant is shown in our Figure 6 and described in the text of Section 5 [SS04]). This rule enables user U to perform a change of ownership, giving away an object it owns to V. This implements OSM00's change of ownership.

Section 5.2 of [LT05] builds a model that claims to implement our scheme. However, this [LT05] model is inconsistent with our change of ownership rule described above. It encodes object ownership by mapping a label to a group of owner(s) and changes the owner through the group mechanism; that encoding does not ensure that "there is one owner for every object". Our scheme does.
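The following is an added illustration, not code from either paper, of the distinction drawn above: ownership that is a function of the object's label <U, N> (so each object has exactly one owner by construction, and the relabel rule rl(<*u, *>, <*v, *>) = {*u} lets only the current owner u hand the object to v) versus a hypothetical group-membership encoding in which a change of ownership is two separate group operations. The `GroupOwnership` class is a simplified construction for contrast and is not a reproduction of the [LT05] encoding; object, user and tag names are made up.

```python
"""Label-based vs. group-based encodings of object ownership (constructed illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Ordinary object label <U, N>: U is the owning user, N is a tag (SS04 Section 3)."""
    user: str
    tag: str


class LabelOwnership:
    """Ownership is read off the label, so every object has exactly one owner by construction."""

    def __init__(self) -> None:
        self._labels: dict[str, Label] = {}

    def create(self, obj: str, owner: str, tag: str) -> None:
        self._labels[obj] = Label(owner, tag)

    def owners(self, obj: str) -> set[str]:
        # The owner is the U component of the label; there is never more or less than one.
        return {self._labels[obj].user}

    def change_owner(self, actor: str, obj: str, new_owner: str) -> None:
        # rl(<*u, *>, <*v, *>) = {*u}: relabeling <u, N> to <v, N> is permitted only to u.
        old = self._labels[obj]
        if actor != old.user:
            raise PermissionError(f"{actor} does not own {obj}")
        self._labels[obj] = Label(new_owner, old.tag)  # single atomic relabel

    def invariant_holds(self) -> bool:
        return all(len(self.owners(o)) == 1 for o in self._labels)


class GroupOwnership:
    """Hypothetical encoding (assumption, not [LT05]): an object's owners are the members of a
    per-object group. A change of ownership is an add followed by a remove, and the
    'exactly one owner' invariant can fail in the state between those two operations."""

    def __init__(self) -> None:
        self._groups: dict[str, set[str]] = {}

    def create(self, obj: str, owner: str) -> None:
        self._groups[obj] = {owner}

    def owners(self, obj: str) -> set[str]:
        return set(self._groups[obj])

    def add_member(self, obj: str, user: str) -> None:
        self._groups[obj].add(user)

    def remove_member(self, obj: str, user: str) -> None:
        self._groups[obj].discard(user)

    def invariant_holds(self) -> bool:
        return all(len(g) == 1 for g in self._groups.values())


def demo() -> tuple[bool, list[bool]]:
    """Run both encodings through a change of ownership alice -> bob on constructed data.

    Returns (label_encoding_ok, group_invariant_trace), where the trace records whether the
    one-owner invariant holds after each group operation."""
    lbl = LabelOwnership()
    lbl.create("doc1", "alice", "tag1")
    lbl.change_owner("alice", "doc1", "bob")
    label_ok = lbl.invariant_holds() and lbl.owners("doc1") == {"bob"}
    try:
        lbl.change_owner("alice", "doc1", "carol")  # alice no longer owns doc1
        label_ok = False
    except PermissionError:
        pass

    grp = GroupOwnership()
    grp.create("doc1", "alice")
    trace = [grp.invariant_holds()]
    grp.add_member("doc1", "bob")        # intermediate state: two owners
    trace.append(grp.invariant_holds())
    grp.remove_member("doc1", "alice")   # back to one owner
    trace.append(grp.invariant_holds())
    return label_ok, trace


if __name__ == "__main__":
    print(demo())
```

In the label encoding there is no reachable state with zero or two owners, because ownership is not separate state to be kept consistent; it is a projection of the label, and the relabel is one step. The group encoding has to be argued correct over every interleaving of its two steps, which is exactly the kind of invariant the page says the [LT05] model fails to carry.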

Source of error in Li-Tripunitara

There are apparently two separate sources of the error in the Li-Tripunitara paper:

Jon A. Solworth, and
Robert H. Sloan