Conspiracy and Information Flow in the Take-Grant Protection Model


Matt Bishop
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Appeared in Journal of Computer Security 4 (4) pp. 331-359 (1996). Page 1 of 33

ABSTRACT

The Take-Grant Protection Model is a theoretic model of access control that captures the notion of information flow throughout the modelled system. This paper analyzes the problem of sharing information in the context of paths along which information can flow, and presents the number of actors necessary and sufficient to share information, in this model. The results are applied to information flow in a network to reduce the size of the set of actors who could have participated in the theft.

1. Introduction

The nature of access control and information flow is critical to understanding the security of any system. The Take-Grant Protection Model is a formal model of access control which combines the transfer of rights and the transfer of information to present a cohesive picture of transfers throughout a system. It differs from other models such as the access control matrix model by specifying both the sequences of primitive operations making up the body of the commands and the set of tests upon which the execution of those sequences is conditioned. This model represents systems as graphs to be altered by specific operations. Developed to test the limits of the results in [7], the focus of most studies of the Take-Grant Protection Model has been on characterizing conditions necessary and sufficient for the transfer of rights and information, and on the complexity of testing for those conditions in a representation of a system. For this reason it is in some sense of more practical use than other formal systems, in that the security question is decidable and the study of the complexity of conditions allowing compromise is emphasized. Early work on the Take-Grant Protection Model [9][10] dealt with the transfer of rights assuming all active agents in the system would cooperate. Snyder extended these characterizations to include conditions under which rights could be stolen [14]; Bishop and Snyder introduced the notion of information flow and formulated necessary and sufficient conditions for information sharing [4], and Bishop extended these characterizations to include conditions under which information could be stolen [2]. This paper extends those results in the direction suggested by [14] to present a notion of conspirators in the context of information flow. We establish precise bounds on the number of actors required for information to be transferred from one vertex to another, and contrast these results with similar results for the transfer of rights.

Applications of the Take-Grant Protection Model to various systems have been explored [3][8][13][16]. This paper also tries to place its theoretical results into an applied context by exploring how these results can be used to analyze the actors moving information around a network. Further applications are of course possible, but using the new results to analyze current models of disclosure and integrity (for example, those described in [1][5][6][11][12][15]) is itself a separate paper; it is beyond the scope of the issues addressed here.

We quickly review the basic definitions and relevant results of the Take-Grant Protection Model [2]. Following that, we present bounds on the number of actors needed for information to be shared (or stolen). We then briefly compare our results to similar ones for theft of rights. To demonstrate the usefulness of the concepts, we examine an application of this model to the Internet. Finally, we suggest areas for future research.

2. Basic Definitions and Results

The Take-Grant Protection Model represents a system by a finite, directed protection graph in which labelled edges represent rights and vertices represent entities. Entities are either subjects or objects, drawn with different vertex symbols in the figures; vertices which may be either subjects or objects are drawn with a third symbol. Changes to the protection state of the system are represented by changes to the graph. The rules governing the transfer of rights are called de jure rules and are as follows:

take: Let x, y, and z be three distinct vertices in a protection graph G_0, and let x be a subject. Let there be an edge from x to y labelled γ with t γ, an edge from y to z labelled β, and α β. Then the take rule defines a new graph G_1 by adding an edge to the protection graph from x to z labelled α.

The rule is written x takes (α to z) from y.

grant: Let x, y, and z be three distinct vertices in a protection graph G_0, and let x be a subject. Let there be an edge from x to y labelled γ with g γ, an edge from x to z labelled β, and α β. Then the grant rule defines a new graph G_1 by adding an edge to the protection graph from y to z labelled α. The rule is written x grants (α to z) to y.

create: Let x be any subject in a protection graph G_0 and let α R. Create defines a new graph G_1 by adding a new vertex y to the graph and an edge from x to y labelled α. The rule is written x creates (α to new vertex) y.

remove: Let x and y be any distinct vertices in a protection graph G_0 such that x is a subject. Let there be an explicit edge from x to y labelled β, and let α R. Then remove defines a new graph G_1 by deleting the α labels from β. If β becomes empty as a result, the edge itself is deleted. The rule is written x removes (α to) y.

Definition. A tg-path is a nonempty sequence v_0, …, v_n of distinct vertices such that for all i, 0 i < n, v_i is connected to v_{i+1} by an edge (in either direction) with a label containing t or g.

Definition. Vertices are tg-connected if there is a tg-path between them.

Definition. An island is a maximal tg-connected subject-only subgraph.

With each tg-path, associate one or more words over the alphabet { t, t, g, g } in the obvious way. If the path has length 0, then the associated word is the null word ν. The notation t* means zero or more occurrences of the character t, so for example t*g represents the sequence g, tg, ttg, ….

Definition. A vertex v_0 initially spans to v_n if v_0 is a subject and there is a tg-path between v_0 and v_n with associated word in { t*g } { ν }.

Definition. A vertex v_0 terminally spans to v_n if v_0 is a subject and there is a tg-path between v_0 and v_n with associated word in { t* }.

Definition. A bridge is a tg-path with endpoints v_0 and v_n both subjects and the path's associated word in B = { t*, t*, t*g t*, t*g t* }.

Definition. The predicate can share(α, x, y, G_0) is true for a set of rights α and two vertices x and y if and only if there exist protection graphs G_1, …, G_n such that G_0 * G_n using only de jure rules, and in G_n there is an edge from x to y labelled α.

Theorem 1. [10] The predicate can share(α, x, y, G_0) is true if and only if there is an edge from x to y in G_0 labelled α, or if the following hold simultaneously: (1.1) there is a vertex s G_0 with an s-to-y edge labelled α; (1.2) there exists a subject vertex x such that x = x or x initially spans to x; (1.3) there exists a subject vertex s such that s = s or s terminally spans to s; and (1.4) there exist islands I_1, …, I_n such that x is in I_1, s is in I_n, and there is a bridge from I_j to I_{j+1} (1 j < n).

Definition. The predicate can steal(α, x, y, G_0) is true if and only if there is no edge labelled α from x to y in G_0, there exist protection graphs G_1, …, G_n such that G_0 * G_n using only de jure rules, in G_n there is an edge from x to y labelled α, and if there is an edge labelled α from s to q in G_0, then no rule in a witness has the form s grants (α to q) to z for any z G_j (1 j < n).

Theorem 2. [14] The predicate can steal(α, x, y, G_0) is true if and only if the following hold simultaneously: (2.1) there is no edge labelled α from x to y in G_0; (2.2) there exists a subject vertex x such that x = x or x initially spans to x; (2.3) there is a vertex s with an edge from s to y labelled α in G_0; (2.4) can share(t, x, s, G_0) is true.

The de facto rules represent paths along which information may flow. We cannot use explicit edges for this purpose because no change in authority occurs. Hence, we use a dashed line, labelled by r, to represent the path of a potential de facto transfer (called an implicit edge). Implicit edges cannot be manipulated by de jure rules, since the de jure rules only affect authorities recorded in the protection system, and implicit edges do not represent such authority. The following set of de facto rules was introduced in [4] to model transfers of information:

post: Let x, y, and z be three distinct vertices in a protection graph G_0, and let x and z be subjects. Let there be an edge from x to y labelled α with r α and an edge from z to y labelled β, where w β. Then the post rule defines a new graph G_1 with an implicit edge from x to z labelled r. The rule is written z posts to x through y.

pass: Let x, y, and z be three distinct vertices in a protection graph G_0, and let y be a subject. Let there be an edge from y to x labelled α with w α and an edge from y to z labelled β, where r β. Then the pass rule defines a new graph G_1 with an implicit edge from x to z labelled r. The rule is written y passes from z to x.

spy: Let x, y, and z be three distinct vertices in a protection graph G_0, and let x and y be subjects. Let there be an edge from x to y labelled α with r α and an edge from y to z labelled β, where r β. Then the spy rule defines a new graph G_1 with an implicit edge from x to z labelled r. The rule is written x spies on z using y.

find: Let x, y, and z be three distinct vertices in a protection graph G_0, and let y and z be subjects. Let there be an edge from y to x labelled α with w α and an edge from z to y labelled β, where w β. Then the find rule defines a new graph G_1 with an implicit edge from x to z labelled r. The rule is written x finds from z through y.

Whether these rules capture all ways in which information may leak is an open question; ultimately, the answer depends on how the system being modelled controls that information flow. The above rules appear to capture the most common techniques, and have been used in the past, so for consistency we shall use them here.

Definition. The predicate can know(x, y, G_0) is true if and only if there exists a sequence of protection graphs G_0, …, G_n such that G_n is derived from G_0 by rule applications, and in G_n there is an edge from x to y labelled r or an edge from y to x labelled w, and if the edge is explicit, its source is a subject.

Definition. A wtg-path is a nonempty sequence v_0, …, v_n of distinct vertices such that for all i, 0 i < n, v_i is connected to v_{i+1} by an edge (in either direction) with a label containing t, g, r, or w. With each wtg-path, associate one or more words over the alphabet { t, t, g, g, r, r, w, w } in the obvious way.

Definition. A vertex v_0 w-initially spans to v_n if v_0 is a subject and there is a wtg-path between v_0 and v_n with associated word in { t*w } { ν }.

Definition. A vertex v_0 w-terminally spans to v_n if v_0 is a subject and there is a wtg-path between v_0 and v_n with associated word in { t*r }.

Definition. A connection is a wtg-path with v_0 and v_n both subjects and the path's associated word in C = { t*, w t*, t*, w t* }.

The next result [4] characterizes the set of graphs for which can know is true:

Theorem 3. [4] The predicate can know(x, y, G_0) is true if and only if there exists a sequence of subjects u_1, …, u_n in G_0 (n 1) such that the following conditions hold: (3.1) u_1 = x or u_1 w-initially spans to x; (3.2) u_n = y or u_n w-terminally spans to y; (3.3) for all i, 1 i < n, there is a wtg-path between u_i and u_{i+1} with associated word in B C.

Lemma 4. [2] If two subjects x and y in G_0 are connected by a bridge, then can know(x, y, G_0) and can know(y, x, G_0) are true.

Lemma 5. [2] Let a subject x be connected by a bridge to another subject y. If either x or y does not act, no sequence of graph transformations can add an implicit or explicit edge from x to y.

Lemma 6. [4] If two subjects x and y in G_0 are connected by a connection, then can know(x, y, G_0) is true.

Definition. The predicate can snoop(x, y, G_0) is true if and only if can steal(r, x, y, G_0) is true or there exists a sequence of graphs and rule applications G_0 ρ_1 … ρ_n G_n for which all of the following conditions hold: (a) there is no explicit edge from x to y labelled r in G_0; (b) there is an implicit edge from x to y labelled r in G_n; and (c) neither y nor any vertex directly connected to y in G_0 is an actor in a grant rule or a de facto rule resulting in an (explicit or implicit) read edge with y as its target.

Theorem 7. [2] For distinct vertices x and y in a protection graph G_0 with explicit edges only, the predicate can snoop(x, y, G_0) is true if and only if can steal(r, x, y, G_0) is true or all of the following conditions hold: (7.1) there is no edge from x to y labelled r in G_0; (7.2) there is a subject vertex w_1 such that w_1 = x or w_1 w-initially spans to x in G_0; (7.3) there is a subject vertex w_n such that w_n y, there is no edge labelled r from w_n to y in G_0, and w_n w-terminally spans to y in G_0; and (7.4) can know(w_1, w_n, G_0) is true.

3. Conspiracy in a Single-Path Graph

Given that we can determine whether knowing (that is, the sharing of information) is possible in a Take-Grant graph, how many vertices must cooperate in the sharing? The answer to this question will give us an answer to a more interesting one involving snooping, namely how many actors are necessary to steal information. Before we tackle these questions in all their generality, let us restrict our attention for the remainder of this section to a specific type of graph.

Let G be a graph with vertices x, y, with can know(x, y, G) true, and containing only those vertices and edges needed to witness this predicate. Thus, G is composed of the vertices and edges of the path along which information is to be propagated or rights transferred. Let the set of (subject and object) vertices V = { z_i x = z_0, z_1, …, z_m, y = z_{m+1} }. Clearly each edge z_i z_{i+1}, where { z_i, z_{i+1} } V, is a wtg-path of length 1; as can know(x, y, G) holds, there are subject vertices v_i, 0 i n m, in this set. Consider the wtg-paths between these subjects; by Theorem 3, the words associated with these paths are in B C, if y is not a subject then there is a w-terminal span from a subject v_n to y, and if x is not a subject, then there is a w-initial span from v_0 to x. The following definitions capture the notion of the reach of a vertex:

Definition. A terminal access set T(y) is defined as the set containing y and all vertices to which y terminally or w-terminally spans.

Definition. An initial access set I(y) is defined as the set containing y and all vertices to which y initially or w-initially spans.

Here, T(y) is the maximal set of vertices from which y can obtain information, and I(y) is the maximal set of vertices to which y can pass rights or information. Note that these sets are not necessarily identical, because while a bridge between subjects allows the symmetrical transfer of rights, a connection allows only a one-way transfer of information. This adds significant complexity to the conspiracy problem.

Definition. A subject x is an information gate if any one of the following conditions holds: (i) x = v_0, the only word associated with the edge v_0 v_1 is g or t, and there are no other edges incident to x; (ii) x = v_i, there are exactly two edges incident upon x, and the word associated with the path v_{i-1} v_i v_{i+1} is in the set { t t, g g, t w, g w, t r, g r }; or (iii) x = v_{n+1}, the only word associated with the edge v_n v_{n+1} is g or t, and there are no other edges incident to x.

For an information gate x, T(x) = I(x) = { x }. The idea is that information can be passed into an information gate, or out of an information gate, without the gate taking any action, but in order for information to be passed through a gate (that is, both in and out), the information gate must be active in a rule application. Note that the information gate need not apply the rule; if it does not, it must then be a subject in a de facto rule, because unless the subjects shown in those rules act, information cannot flow along the implicit edge. This is a subtlety not evident when dealing with conspiracies in graphs using only de jure rule sets, and although the information gate is analogous to a sink in [14], the difference in definition is substantial and reflects the difference between information and rights transfer.

Definition. An access set cover for a protection graph G with foci v_1, …, v_n is a family of sets I(v_1), T(v_1), …, I(v_n), T(v_n) where for 2 i n, there exists a j n such that { v_{i-1}, v_i } I(v_j) T(v_j). Clearly, this family is a covering set for G. If the cover minimizes n over all possible access set covers, it is said to be a minimal cover.

Notice that the set of actors needed to implement can know generates a cover for G. In fact,

Lemma 8. A minimal set of actors v_1, …, v_n in a sequence of rule applications producing a witness to can know(x, y, G) generates an access set cover for G.

Informal Proof: If this lemma is false, there is a set of actors in a witness to can know(x, y, G) which does not produce an access set cover for G. Let v_k be one vertex not in any element of the access set cover. Then neither information nor rights is transferred through v_k, and hence it can be deleted from the set of actors, showing that set is not minimal.

Proof: Let ρ_1, …, ρ_m be a set of rules required for a minimal set of actors v_1, …, v_n to produce a witness to can know(x, y, G). Without loss of generality we may take ρ_1, …, ρ_m to be the shortest sequence of rule applications for that particular set of actors. Let the access sets I(v_1), T(v_1), …, I(v_n), T(v_n) with foci v_1, …, v_n be defined on G. Suppose z I(v_i) and z T(v_i) for all i. By Theorem 3 and the definition of T, no actor can receive information from v_i, and by definition of I, z cannot pass on information from any other actor; hence z and its incident edges may be deleted without affecting rules ρ_1, …, ρ_m. But this violates condition (3.3) of Theorem 3, as the graph is no longer connected, which in turn means that can know(x, y, G) is false. This contradicts the initial assumption that can know(x, y, G) is true. This proves the claim.

We next make formal our claim that information gates must act for information to be passed along their incident edges.

Lemma 9. If vertex v_i is an information gate, and in a witness to can know(x, y, G) an explicit or implicit edge is constructed between some vertex v_k, k < i, and another vertex v_l, i < l, then the vertex v_i must be an actor.

Informal argument: Assume the witness is the shortest witness to can know(x, y, G). The vertex v_i cannot be involved in a de jure rule, nor in a de facto rule, and hence can be deleted from the witness and the set of actors. This contradicts the assumption that the witness is the shortest one.

Proof: We demonstrate this for the case of v_i's incident edges being t and r; the proof for the other cases is similar. (The Appendix contains some useful witnesses, and proof of inability to supply other witnesses, for these proofs.) First, by condition (3.3) of Theorem 3, v_i must be a subject, for if not, can know(x, y, G) is false because the paths through that information gate are neither bridges nor connections. So, assume v_i is not an actor, and consider the effects of this on a set of rule applications ρ_1, …, ρ_m required for a minimal set of actors to produce a witness showing that can know(x, y, G) holds. Without loss of generality we take ρ_1, …, ρ_m to be the shortest sequence of rule applications for that particular set of actors. No rule is of the form z takes (α to y) from v_i for any z in G, since v_i has no edges going from it to any other v_j V, and by the nature of the de jure rules can never be assigned any. As the number m of rules applied is minimal, no rules of the form z takes (t to v_i) from y or v_{i-1} grants (t to v_i) to z for any vertex z in G are ever executed, since the t right so assigned could not be used. Hence no de jure rule involves v_i. Now consider the de facto rules. Clearly, only information passing through v_i is relevant; hence, information will never be written into v_i and not later read (because then the rule could be deleted, contradicting the minimality of m), or read before any information is written into it (which makes sense only if v_i = v_{n+1}, in which case there are two incident edges to v_{n+1}, and so it is not an information gate, contradiction). The post, pass, and find rules could not be used as v_i has no incident write edges, and the spy rule could not be used because v_i would have to act, contradicting the assumption. Hence no de facto rule involves v_i. Combining these, if v_i is not an actor, it and its incident edges can be deleted from G; but this contradicts the minimality of m. This proves the lemma.

With these two lemmata we are able to obtain a lower bound on the number of actors needed to share information.

Theorem 10. Let 2k be the number of access sets in a minimal cover of G, and let l be the number of information gates. Then k+l actors are necessary to produce a witness to can know.

Informal argument: The focus of each (initial and terminal) access set can obtain (or pass on) information or rights to those vertices in that access set. The information gates must act to pass information along. Hence the number of actors needed is the sum of the number of access set foci and the number of information gates.

Proof: Let ρ_1, …, ρ_m be a set of rules required for a minimal set of actors v_1, …, v_n to produce a witness to can know. Without loss of generality we take ρ_1, …, ρ_m to be the shortest sequence of rule applications for that particular set of actors. Let the access sets I(v_1), T(v_1), …, I(v_n), T(v_n) with foci v_1, …, v_n be defined on G. By Lemma 8, I(v_1), T(v_1), …, I(v_n), T(v_n) at least cover G. Without loss of generality, take the vertices v_1, …, v_l to be the information gates. By Lemma 9, every one of these must be an actor. Then each of I(v_1), T(v_1), …, I(v_l), T(v_l) is a singleton set, and its focus is a member of its adjacent access sets. Thus the other access sets I(v_{l+1}), T(v_{l+1}), …, I(v_{l+k}), T(v_{l+k}) (where k + l = n) constitute an access set cover for G, and their foci must also be actors. This proves the theorem.

To derive an upper bound we shall find two more results useful:

Lemma 11. Let I(v_1), T(v_1), …, I(v_n), T(v_n) be a minimal set access cover for G_0 ordered by increasing indices of v (that is, along the path from x to y). If can know(v_{i+1}, y, G) is true, then for some index m there exists a graph G_m such that can know(v_i, y, G) is true and all rules in the derivation sequence G_0 * G_m are initiated by v_i, v_{i+1}, and perhaps z = T(v_i) I(v_{i+1}).

Proof: Recall that we are assuming throughout this section that can know(x, y, G) is true. Consider the spans to z from v_i and v_{i+1}. By the series of witnesses presented in the Appendix, in all cases the vertices acting in the rule applications witnessing can know(x, y, G) are v_i, v_{i+1}, and occasionally z.

Corollary 12. For adjacent access sets, information can be transferred from v_i to v_{i+1} with no other actors unless there are consecutive edges with their only associated word in the set { t t, g g, t w, g w, t r, g r }; in this case additional actions performed by z = T(v_i) I(v_{i+1}) are sufficient.

Proof: By inspection of the witnesses to the preceding lemma.

We can now use these two results to obtain an upper bound on the number of vertices which must act to share information:

Theorem 13. Let v_1, …, v_k be foci of an access set cover of G and let G have l information gates. Then k+l actors suffice to generate an (implicit or explicit) read edge from x to y in G.

Informal argument: For v_1 to pass information to x, and v_k to obtain information from y, both v_1 and v_k must act; x and y will need to act also if they are information gates. Each focus will need to act to pass information along, as will information gates. Summing these numbers gives the desired result.

Proof: Let I(v_1), T(v_1), …, I(v_k), T(v_k) be a minimal set access cover for G_0 with vertices x I(v_1) and y T(v_k). Consider first y and v_k. Three cases arise:

v_k = y. Then can know(v_k, y, G) is trivially true.

v_k terminally spans to y. By condition (3.3) of Theorem 3, this means y is a subject, so apply Lemma 4 to get the desired result. Note that y is an information gate in this case.

v_k w-terminally spans to y. Apply the take rule repeatedly to get an explicit edge; this gives the desired result.

In all cases where can know(v_k, y, G) is true, the only actors are the focus of T(v_k) and, possibly, the vertex y; in addition, y acts only if it is an information gate. Applying Corollary 12 inductively, we have that whenever can know(v_i, y, G) is true for i = 1, …, k, the only actors are the foci of the relevant access sets and the information gates. So, we now consider how information is transferred from v_1 to x. Again, three cases arise:

v_1 = x. We are done.

v_1 initially spans to x. By condition (3.3) of Theorem 3, this means x is a subject, so apply Lemma 4 to get the desired result. Again, x is an information gate in this case.

v_1 w-initially spans to x. Apply the take rule repeatedly to get an explicit write edge; then v_1 applies the post rule to obtain the desired result.

Figure 1. Sample Take-Grant protection graph demonstrating conspiracy in a single path graph.

Again, notice the only actors are the foci of the access sets and (where present) the information gates. This proves the claim.

As one would expect, these bounds are similar to the ones on the number of conspirators necessary and sufficient to steal rights. The difference lies in the definitions of access set and information gate; these include at least as many vertices in the can snoop case as in the can steal case. However, given a specific protection graph, computing the numbers k and l is of complexity comparable to the complexity of computing them in the can steal case, since only a small number of new conditions in the definitions of access set and information gate must be tested.

At this point, let us take stock of what we have done by working a simple example. Consider the protection graph G in Figure 1. Taking u_1 = p, u_2 = x, u_3 = z, and u_4 = s, we see that the predicate can know(p, q, G) is true by Theorem 3. (Incidentally, so is can snoop(p, q, G); in the conditions to Theorem 7, take x = x′ = p, y′ = z, and y = q.) The graph is a single path graph of the variety we have been discussing, since information flows from p to q along the (sole) path between them. The following witness to can know(p, q, G) demonstrates this:
(1) z takes (r to q) from s.
(2) x grants (r to y) to p.
(3) p and z use the post rule through y to add an implicit edge from p to z.
(4) p and z use the spy rule to obtain an implicit edge from p to q through z.
In this graph, the only information gate is p (by condition (i) of the definition of information gate). The access sets of the four subjects are:
I(p) = { p }      T(p) = { p }
I(z) = { y, z }   T(z) = { q, s, z }
I(x) = { p, x }   T(x) = { x, y }
I(s) = { s }      T(s) = { q, s }
It is clear that these four access sets form a cover for G; it is equally clear that the sets I(x), T(x), I(z), and T(z) form a minimal access set cover for G. Applying Theorem 10, k = 2 and l = 1, so a minimum of 3 actors are necessary for information to flow from p to q; similarly, by Theorem 13, 3 actors are sufficient. This agrees exactly with the witness presented above, which in fact used a minimal number of actors (p, x, and z).

4. Conspiracy in a General Graph

In the previous section, we restricted our attention to graphs in which can know is true, and the only edges in the graph were those along which either rights or information were transferred. We shall now erase the latter restriction, and consider any valid Take-Grant protection graph in which the predicate can know is true. Our goal is to derive a bound on the number of actors needed to produce a witness to can know. We shall take the approach suggested by [14], again with suitable modifications.

In order to do this, we shall develop an analogue to the protection graph called an acting graph. Basically, this graph will consist of vertices corresponding to access sets in the original graph with edges corresponding to paths along which the focus of each access set can pass information by acting alone (that is, no other subject will have to act in a rule application to help the first transmit the information). In other words, this graph connects all actors with other subjects to which they can pass, or from which they can receive, information.

Given a protection graph G with subject vertices v_1, ..., v_n, we need to generate an acting graph G′ with vertices u_1, ..., u_n. Each u_i has associated with it the access sets I(v_i) and T(v_i). Consider now under what circumstances information can be passed from a member of one access set to a member of another. Let y be a vertex in an access set with focus x. There are five reasons y may be in that set: y = x; x initially spans to y; x terminally spans to y; x w-initially spans to y; or x w-terminally spans to y. Define the set (x, x′) to be all vertices in I(x) ∩ T(x′) except those vertices y which are information gates and the only reason y is in both I(x) and T(x′) is that the words associated with the paths xy and x′y are those that make y an information gate. This means the set includes only those vertices to which the foci can pass information (or from which they can receive information) with the foci being the only actors.

To complete the construction of the acting graph G′, we add a directed edge between u_i and u_j when (v_i, v_j) is nonempty. (This corresponds to a bridge or connection existing between v_i and v_j in G.) We also define two special sets; let
I_x = { u_i | v_i = x or v_i w-initially spans to x }
and
T_y = { u_i | v_i = y or v_i w-terminally spans to y }.
Since we intend to use the acting graph to derive a bound, we must first show that it accurately preserves the notion of sharing information.

Theorem 14. can know(x, y, G) is true if and only if there is a path from some vertex u_a ∈ I_x to some vertex u_b ∈ T_y.

Proof: (⇒) Let v_i be the vertex in G corresponding to the vertex u_i in G′ (for i = 1, ..., n). We must consider two cases involving any vertex z in the definition of the set (x, x′) above. First, we restrict z to being an object in T(v_i) ∩ I(v_j). Note that the subjects in G correspond to vertices in G′, and the edges between the vertices in G′ correspond to words in B ∪ C in G, along which information flows from v_i to v_j. So, applying Theorem 3, as can know(x, y, G) is true, some u_a ∈ I_x is connected to some u_b ∈ T_y. Next, assume z is a subject in T(v_i) ∩ I(v_j). Let z be associated with u_a. As z is a focus (since it is an information gate, and therefore the focus of an access set), it clearly has reason to be in I(z) and T(z); so {z} ⊆ (v_i, z) and {z} ⊆ (z, v_j). Hence, by construction of G′, there are paths between u_i and u_a, and u_a and u_j, so there is still a path between u_i and u_j (going through u_a). Hence u_i and u_j are connected.

(⇐) Assume there is a path from u_a to u_b with u_a = u_1, ..., u_n = u_b. By construction, u_{i+1} can pass information to u_i, so by induction u_a can receive information from u_b. Also, as u_b ∈ T_y, u_b can obtain information from y, and as u_a ∈ I_x, u_a can pass information to x. This means that can know(x, y, G) is true.

We may now state and prove the desired result.

Theorem 15. Let n be the number of vertices on the shortest path from an element u_a ∈ I_x to an element u_b ∈ T_y in an acting graph G′. Then n actors are both necessary and sufficient to produce a witness to can know(x, y, G).

Proof: (Necessity) Let u_a = u_1, ..., u_n = u_b be vertices along a shortest path from u_a to u_b, and let v_i be the vertex in G corresponding to the vertex u_i in G′ (for i = 1, ..., n). If there exist only rwtg-paths in G from v_i to v_{i+1} (1 ≤ i < n), the v_i are foci of an access set cover for the path. By construction of G′ there are no information gates, and if u_a is not associated with x, then the subject associated with u_a w-initially or initially spans to x. A similar argument holds for u_b and y. By Theorem 10, n actors are necessary.

Now suppose there is an (induced) path in G′ that is not in G. Even though redundant rule applications may occur, clearly duplicated vertices along a span affect the claim only if they reduce the number of required actors. We show this is not possible by contradiction. Suppose that actors u_1, ..., u_{i-1}, u_{i+1}, ..., u_n could produce a witness. Then there is a vertex z ∈ T(v_{i-1}) ∩ I(v_{i+1}). As the u_i are on the shortest path, there is no path between u_{i-1} and u_{i+1}, so z is neither v_{i-1} nor v_{i+1}, and further z ∉ (v_{i-1}, v_{i+1}). Hence if z is an object, there is no word in B ∪ C between the vertices v_{i-1} and v_{i+1}, so can know is false by Theorem 3, whence u_1, ..., u_{i-1}, u_{i+1}, ..., u_n cannot produce a witness. On the other hand, if z is a subject, it must be an information gate, in which case it must be an actor. In either case, the vertices u_1, ..., u_{i-1}, u_{i+1}, ..., u_n cannot produce a witness without another vertex being added.

(Sufficiency) First, as x and y are distinct, and all the v_i corresponding to the u_i on the shortest path distinct, all spans between these vertices allow the appropriate sequence of rule applications exhibited in the Appendix to be applied, provided the foci of the access sets differ from their common elements. By inspecting the sequences, whenever a focus and a common element do coincide the rule whose application is prevented either provides a right already possessed, a right used in the subsequent rule application to acquire a right already possessed, or an implicit edge where one already exists. In these cases the rule application is unnecessary. Noting this, we need only induct on the spans corresponding to the edges of the shortest path using Lemma 11 to obtain the result.

In this section and the previous section, we very deliberately defined terms to capture the ability of a single node to pass information, or to prevent it from being passed; we then abstracted the instantiation of these terms to an acting graph. This is a generalization of Snyder's conspiracy graph, the derivation of which is similar but does not reflect information flows [14].

Let us apply these results to a simple protection graph. In Figure 2a, there are no information gates, and the access sets of the subjects are:

Figure 2a. A sample Take-Grant protection graph to demonstrate conspiracy in a general graph.

Figure 2b. The associated acting graph. For simplicity vertices are named as in the regular graph.

I(p) = { p }         T(p) = { p, a }
I(e) = { d, e, j }   T(e) = { e, q }
I(b) = { a, b }      T(b) = { b }
I(h) = { f, h }      T(h) = { h, i }
I(c) = { b, c }      T(c) = { c, d }
I(f) = { f }         T(f) = { f, s }
I(d) = { d }         T(d) = { d }
I(s) = { s }         T(s) = { s }
From these, we can construct (x, y) for each pair of subjects x and y; the nonempty ones are:
(p, b) = { a }    (d, e) = { d }
(b, c) = { b }    (h, f) = { f }
(c, d) = { d }    (f, s) = { s }
(c, e) = { d }
The resulting acting graph is shown in Figure 2b. By Theorem 3, can know(p, q, G) is true (take n = 5, x = u_1 = p, u_2 = b, u_3 = c, u_4 = d, and u_5 = e). Also, in G′, e ∈ T_q and p ∈ I_p, so some element of I_p is connected to some element of T_q. This illustrates Theorem 14. The following sequence of rule applications is a witness to can know(p, q, G):
(1) e and c use the post rule through d to add an implicit read edge from c to e;
(2) c uses the pass rule to add an implicit read edge from b to e;
(3) b and p use the post rule through a to add an implicit read edge from p to b;
(4) p and b use the spy rule to add an implicit read edge from p to e;
(5) p and e use the spy rule to add an implicit read edge from p to q.

Four vertices (b, c, e, and p) act in this witness, and indeed the shortest path in G′ between p and e contains four vertices. This illustrates Theorem 15.

Consider now s and q. According to Theorem 14, as they are not connected in G′, can know(s, q, G) should be false. As there is no rwtg-path from h to e with associated word in B ∪ C, condition (3.3) of Theorem 3 fails, so can know(s, q, G) is indeed false.

Finally, let us consider just the top part of this graph (from p to q), which is a single-path graph of the sort discussed in the previous section. There are no information gates, and the access sets with foci p, b, c, and e provide a complete cover for the subgraph. Hence by Theorem 10 and Theorem 13, four actors are necessary and sufficient to witness can know(p, q, G), and our witness confirms this.

5. Comparison with Results for Theft of Rights

The similarity of the definitions of can steal and can snoop leads to the question of the relationship of these de jure and de facto results with the analogous de jure results in [14]; specifically, how different are the definitions, theorems and proofs, and how much more (or less) complex is it to determine bounds on the number of actors needed to steal information as opposed to steal rights?

The fundamental difference in the results presented here is the addition of extra conditions presenting more ways in which conspiracy can occur; for example, the de jure analogue to access set requires only that the focus initially or terminally span to every vertex in the set whereas here, we add those vertices to which the focus also w-initially or w-terminally spans. Most of the definitions in this work follow directly from their analogues; however, the changes add complexity to both the statements of the theorems and to the proofs. For example, the key theorem in [14] (Theorem 2 in this paper), which states necessary and sufficient conditions for rights to be stolen, requires checking for only three (simple) conditions; the analogue of that theorem for information transfer, Theorem 7, requires four (more complex) conditions to hold.

The key construct in [14], the conspiracy graph, connects foci of access sets with edges showing paths along which rights can be transferred; the acting graph augments this to include a path along which information can be transferred as well. The key difference in the conspiracy results lies in the acting graph. As rights can be transferred in either direction along a bridge, a conspiracy graph has undirected edges, because the vertices at the end of the path can share rights with one another. However, over a connection, information can be transferred in one direction only; hence an acting graph has directed edges to represent the direction along which the information can flow. Note that if the connection between two vertices in a protection graph is a bridge, the corresponding edge in the acting graph will be bidirectional, to represent that information can be transferred in either direction over a bridge.

Consider a Take-Grant protection graph G in which the predicates can steal(r, x, y, G) and can snoop(x, y, G) are true. Let A_R(y) be the set of nodes containing y and those nodes to which y initially or terminally spans, and let a tg-sink be a vertex with exactly two incident edges, both incoming and both labelled t or both labelled g. In [14], Snyder shows that a conspiracy graph can be constructed in a manner similar to the construction of an acting graph in section 4. Note that A_R(y) ⊆ I(y) ∪ T(y), and that a tg-sink is also an information gate. Hence, the conspiracy graph associated with G will be a (possibly improper) subgraph of the graph produced by replacing edges in the acting graph of G with undirected edges. So, in no case will stealing information require more conspirators than stealing rights; and if the acting graph contains a shorter path between the vertices associated with x and y than does the conspiracy graph, stealing information will require fewer conspirators.

6. Applications

We can apply our results to a realistic situation by considering the flow of information throughout a small local area network using the TCP/IP protocol suite. We focus on the use of the File Transfer Protocol, or ftp. We state the problem quite simply: a computer (subject) p has a file x containing private information. A copy of it is found on computer y. Our question is whether the file could have been transferred using a series of ftp connections, and if so, how many conspirators were necessary and sufficient?

First, we make several simplifying assumptions:
1. All ftp connections and accesses are anonymous. (This ability is a feature of the standard protocol.) Were this assumption not made, we would need to track user identities and authorities; while this is straightforward, it adds complexity which detracts from the issue under study, which is the abstraction of the network into a Take-Grant style model.
2. The network is not fully connected; again, this models real local area networks, on which many hosts choose not to provide ftp connections.

3. Only hosts directly connected to the network are involved. We will relax this assumption with the introduction of proxy servers later.

6.1. Basic Abstraction

The ftp protocol requires that objects be placed in a central area; anonymous accesses using that protocol give the remote user the ability to read (and hence download) those objects. Further, even though access may be granted, the grantor has the power to turn off all access at any time. This means all transfers of information are to be along implicit edges, which dictates the following abstract representation:
1. All hosts are represented as subject vertices, and all files as object vertices;
2. Permission for an entity on host x to retrieve files from host y via anonymous ftp is represented by an explicit edge labelled r (read) from x to y.
3. Accessibility of a file f on host x to anonymous ftp is represented by an explicit read edge from x to f.
This means that the ability to transfer file f from host x to y will be represented by an implicit edge from y to f. As in other de facto situations, this does not mean that the transfer must take place or has taken place; it merely indicates a path along which the transfer could, or could have, taken place. Hence our interest.

6.2. Basic Examples

Consider first a situation in which there are four sites offering anonymous ftp for reading only (no writing): p, q, s, and v. The file f contains proprietary data and resides on p. The hosts p, q, and s are fully connected, but v can only access s. In the course of a police investigation into industrial espionage, a copy of file f is found on host v. The question is, which hosts could have conspired to put it there? The abstraction of this situation is in Figure 3a. We wish to know the sets of conspirators who may have copied f. So, we apply the technique of the earlier section. The access sets for the subjects involved are:
I(p) = { p }   T(p) = { p, q, s }
I(s) = { s }   T(s) = { p, q, s }
I(q) = { q }   T(q) = { p, q, s }
I(v) = { v }   T(v) = { s, v }

Figure 3a. The graphical representation of the network configuration. Here, f′ is the illegitimate copy of the file f.

Figure 3b. The corresponding acting graph. For simplicity, vertices are named as in the regular graph.

From this, we construct the sets (a, b) for each pair of vertices a and b:
(p, q) = { p }   (p, s) = { p }   (p, v) = ∅
(q, p) = { q }   (q, s) = { q }   (q, v) = ∅
(s, p) = { s }   (s, q) = { s }   (s, v) = ∅
(v, p) = ∅       (v, q) = ∅       (v, s) = ∅
The acting graph is shown in Figure 3b. We note that I_f = { p } and T_{f′} = { v }. By Theorem 15, the minimum number of actors necessary and sufficient to move the information from p to v is 3. Noting also that the acting graph captures the paths along which the information is transferred, this means that p, s, and v are the conspirators for the witness to this transfer.

6.3. General Example

We now present a more sophisticated example, in which many connections are one-way, and examine how many conspirators are needed to move information. Consider the situation in Figure 4a. Note that here rights for anonymous ftp are constrained; some uploading (w rights) as well as downloading (r rights) is allowed, and not all the vertices are directly connected. As before, x is the file the contents of which is secret, but during an investigation, two copies x′ and x″ have been found on competitors' hosts. The problem is to find a lower bound on the number of hosts involved in the transfer.

Figure 4a. The graphical representation of the network configuration. Here, x′ and x″ are the illegitimate copies of the file x.

Figure 4b. The corresponding acting graph. For simplicity, vertices are named as in the regular graph.

As before, we build our access sets:
I(p) = { p }      T(p) = { x }
I(z) = { z, y }   T(z) = { z, v, x′ }
I(q) = { q, y }   T(q) = { p, q, v, y }
I(v) = { v }      T(v) = { p, v }
I(s) = { s }      T(s) = { q, s, x″ }
I(y) = { s, y }   T(y) = { s, y }
From this, we construct the sets (a, b) for each pair of vertices a and b. The non-empty sets are:
(p, q) = { p }   (p, v) = { p }   (q, s) = { q }   (q, y) = { y }
(s, y) = { s }   (z, q) = { y }   (z, y) = { y }   (v, q) = { v }
(v, z) = { v }   (y, q) = { y }   (y, s) = { s }
The acting graph is shown in Figure 4b. Consider the information flow from x to x′. In this case, I_x = { p } and T_{x′} = { z }. The path between p and z has three vertices (p, v, and z) in Figure 4b. So, by Theorem 15, the minimum number of actors necessary and sufficient to move the information from x to x′ is 3 (with p, v, and z being the three actors). Next, let us look at the information flow from x to x″. Here, I_x = { p } and T_{x″} = { s }. As before, the path between p and s has three vertices (p, q, and s) in Figure 4b. So the minimum number of actors necessary and sufficient to move information from x to x″ is also 3 (with p, q, and s being the actors).

Note that this does not mean that the particular actors must have been involved in the transfer of information; it simply means that they could have been. Specifically, information may have been transferred along any directed path in the acting graph. In this particular example, the two enumerated paths were the shortest, but longer paths may have been used. Information can flow from x to x″ along the path p v q y s; if this had occurred, 5 actors would be involved.

6.4. Proxies

A proxy is a system through which all requests for ftp access are filtered; such programs are most often found on firewalls. They act as though the files were stored on the firewall, passing commands on to the real ftp server. The remote host never sees the host behind the proxy. An example configuration is in Figure 5a. Here, vertex c is the proxy, and it has authority to access any file set up for retrieval in the local area network (here, composed of hosts represented by vertices d and e). As this authority depends only on the existence of the target file, and not on d or e passing the information to the proxy, the rights of c over d and e are represented by take edges. (An alternate situation is where d or e would need to co-operate with c to make the file available to hosts outside the local area network. In this case, the edges between c and d and c and e would be read edges. We use the take form to illustrate a situation involving de jure and de facto rules.)

As before, we build our access sets:
I(a) = { a }      T(a) = { a, c }
I(d) = { d }      T(d) = { d, f }
I(b) = { b }      T(b) = { b }
I(e) = { e }      T(e) = { e, g }
I(c) = { c, b }   T(c) = { c }
From this, we construct the sets (a, b) for each pair of vertices a and b. The non-empty sets are:
(c, a) = { c }   (c, b) = { b }
The acting graph is shown in Figure 5b. The relationships between the objects and subjects are summarized by T_f = { d, c }, T_g = { e, c }, I_h = { a }, and I_{h′} = { c }. Now consider two cases.
Figure 5a. An ftp proxy server guarding access to files on a local network. Here, d and e are on the local area network guarded by proxy c, and a and b are on other networks connected to the local area network. Note that b has writing enabled for anonymous ftp (the write edge from c to h′).

Figure 5b. The corresponding acting graph. For simplicity, vertices are named as in the regular graph.

If h′ is a copy of f, we note that c is in both T_f and I_{h′}. Hence there is a single vertex on the path between an element of T_f and an element of I_{h′}, and there are no information gates. So by Theorem 15, the minimum number of actors necessary is 1, and the following witness to can know(h′, f, G) substantiates this result:
(1) c takes (r to f) from d;
(2) c uses the pass rule to add an implicit read edge from h′ to f.
Similarly, if h is a copy of f, the shortest path between an element in T_f and an element in I_h contains 2 vertices (a and c). So we need at least two actors to witness can know(h, f, G). A witness to this is:
(1) c takes (r to f) from d;
(2) a and c use the spy rule to add an implicit read edge from a to f;
(3) a uses the pass rule to add an implicit read edge from h to f.
Clearly, a and c must act. Note that this is clear by inspection of the graph. Since there is only an incoming write edge to h, only the find or post rule can add an outgoing implicit read edge. As the write edge comes from a, and as a has no incident take or grant edges, a must act in a find or post rule. As a has no incident take or grant edges, no explicit edges can be added to a by another vertex. Further, as a has no read edges to f, by inspection of the de jure and de facto rules, at least one other vertex must be an actor to provide an implicit read edge from a to f. Hence at least two vertices must be involved. By Theorem 15, 2 vertices are also sufficient.
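The acting-graph construction of section 4 and the bound of Theorem 15, carried through on the section 6.3 access sets, as an added Python example. This is not code from the paper: the access sets are copied from the section 6.3 table (with x′ and x″ spelled x1 and x2 so they are plain strings), the gate exclusion in the definition of (a, b) is assumed never to apply because the ftp examples have no information gates, and the helper names are the author's own. The example computes (a, b) = I(a) ∩ T(b) for every ordered pair of subjects, builds the directed acting graph, finds a shortest path from I_x to T_y by breadth-first search, and, going a step beyond the text's closing remark that longer paths may have been used, enumerates every simple directed path so an investigator can list all candidate conspirator sets rather than only a minimal one.

```python
"""Conspirator bound on an acting graph (Theorem 15), applied to the
section 6.3 access sets.  Added example; not the paper's own code."""
from collections import deque

# Access sets I(.) and T(.) copied from the section 6.3 (Figure 4a) table.
# x1 and x2 stand for the copies x' and x'' of the file x.
I_SETS = {
    "p": {"p"},
    "z": {"z", "y"},
    "q": {"q", "y"},
    "v": {"v"},
    "s": {"s"},
    "y": {"s", "y"},
}
T_SETS = {
    "p": {"x"},
    "z": {"z", "v", "x1"},
    "q": {"p", "q", "v", "y"},
    "v": {"p", "v"},
    "s": {"q", "s", "x2"},
    "y": {"s", "y"},
}


def pair_sets(i_sets, t_sets):
    """(a, b) = I(a) ∩ T(b) for every ordered pair of distinct subjects,
    keeping only the non-empty ones.  Assumption: no subject is an
    information gate, so the exclusion clause of the definition never fires."""
    result = {}
    for a in i_sets:
        for b in t_sets:
            if a == b:
                continue
            common = i_sets[a] & t_sets[b]
            if common:
                result[(a, b)] = common
    return result


def acting_graph(i_sets, t_sets):
    """Directed adjacency: an edge u_a -> u_b whenever (a, b) is non-empty."""
    adj = {subject: set() for subject in i_sets}
    for a, b in pair_sets(i_sets, t_sets):
        adj[a].add(b)
    return adj


def shortest_path(adj, sources, targets):
    """Breadth-first search from any vertex of I_x (sources) to any vertex
    of T_y (targets).  Returns one shortest path as a vertex list, or None
    when the two sets are not connected (can know is then false, Theorem 14).
    Objects in I_x or T_y are ignored: only subjects are acting-graph nodes."""
    parent = {}
    queue = deque()
    for src in sources:
        if src in adj:
            parent[src] = None
            queue.append(src)
    while queue:
        cur = queue.popleft()
        if cur in targets:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in sorted(adj[cur]):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def conspirator_bound(i_sets, t_sets, sources, targets):
    """Theorem 15: the vertex count of a shortest I_x -> T_y path is the
    number of actors necessary and sufficient.  Returns (count, path)."""
    path = shortest_path(acting_graph(i_sets, t_sets), sources, targets)
    return (len(path), path) if path else (None, None)


def all_simple_paths(adj, sources, targets):
    """Every simple directed path from I_x to T_y: every set of hosts that
    could have carried the information, shortest first."""
    found = []

    def walk(cur, path):
        if cur in targets:
            found.append(tuple(path))
        for nxt in sorted(adj[cur]):
            if nxt not in path:
                walk(nxt, path + [nxt])

    for src in sorted(sources):
        if src in adj:
            walk(src, [src])
    return sorted(found, key=lambda p: (len(p), p))


if __name__ == "__main__":
    print(conspirator_bound(I_SETS, T_SETS, {"p"}, {"z"}))  # flow x -> x'
    print(conspirator_bound(I_SETS, T_SETS, {"p"}, {"s"}))  # flow x -> x''
    for route in all_simple_paths(acting_graph(I_SETS, T_SETS), {"p"}, {"s"}):
        print(" ".join(route))
```

Run as-is, the two bounds come out as 3 actors along p, v, z and 3 along p, q, s, and the enumeration of p-to-s routes includes the five-actor path p v q y s mentioned above. A pair with no path at all (for instance from s toward z here, or s and q in Figure 2) returns (None, None), which is the Theorem 14 case in which can know is false.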