the typed access matrix model (tam) and augmented tam (atam)

© 2004 Ravi Sandhuwww.list.gmu.edu

The Typed Access Matrix Model (TAM) and Augmented TAM (ATAM)

Ravi SandhuLaboratory for Information Security Technology

George Mason Universitywww.list.gmu.edusandhu@gmu.edu

2

© 2004 Ravi Sandhuwww.list.gmu.edu

Outline

• TAM: Typed Access Matrix Model• TAM adds types to HRU and preserves strong safety

results of SPM/ESPM• SO-TAM: Single Object TAM

• SO-TAM manipulates one column of the access matrix at a time and is equivalent to TAM

• ATAM: Augmented TAM• ATAM adds testing for absence of rights to TAM• ATAM is equivalent to TAM in one sense but more

expressive in another

3

© 2004 Ravi Sandhuwww.list.gmu.edu

TAM adds types to HRU

4

© 2004 Ravi Sandhuwww.list.gmu.edu

TAM adds types to HRU

5

© 2004 Ravi Sandhuwww.list.gmu.edu

TAM commands

6

© 2004 Ravi Sandhuwww.list.gmu.edu

TAM primitive operations

7

© 2004 Ravi Sandhuwww.list.gmu.edu

TAM operations: enter and delete

8

© 2004 Ravi Sandhuwww.list.gmu.edu

TAM operations: create and destroy

9

© 2004 Ravi Sandhuwww.list.gmu.edu

TAM operations: create and destroy

10

© 2004 Ravi Sandhuwww.list.gmu.edu

ORCON in TAM

11

© 2004 Ravi Sandhuwww.list.gmu.edu

ORCON in TAM

12

© 2004 Ravi Sandhuwww.list.gmu.edu

ORCON in TAM

13

© 2004 Ravi Sandhuwww.list.gmu.edu

ORCON in TAM

14

© 2004 Ravi Sandhuwww.list.gmu.edu

MTAM: Monotonic TAM

15

© 2004 Ravi Sandhuwww.list.gmu.edu

MTAM Canonical Schemes

16

© 2004 Ravi Sandhuwww.list.gmu.edu

MTAM Canonical Schemes

17

© 2004 Ravi Sandhuwww.list.gmu.edu

ORCON as a MTAM Canonical Scheme

18

© 2004 Ravi Sandhuwww.list.gmu.edu

Acyclic TAM schemes

19

© 2004 Ravi Sandhuwww.list.gmu.edu

Acyclic TAM unfolded state

20

© 2004 Ravi Sandhuwww.list.gmu.edu

Acyclic MTAM unfolded state

21

© 2004 Ravi Sandhuwww.list.gmu.edu

Acyclic MTAM safety

22

© 2004 Ravi Sandhuwww.list.gmu.edu

Ternary MTAM

23

© 2004 Ravi Sandhuwww.list.gmu.edu

Ternary MTAM

24

© 2004 Ravi Sandhuwww.list.gmu.edu

Binary and Unary MTAM

• Unary MTAM• Useless

• Binary MTAM• Single-parent creation or spontaneous double-

child creation• Less expressive than multi-parent creation

25

© 2004 Ravi Sandhuwww.list.gmu.edu

SOTAM: single object TAM

26

© 2004 Ravi Sandhuwww.list.gmu.edu

SOTAM

• SOTAM is equivalent in expressive power to TAM

27

© 2004 Ravi Sandhuwww.list.gmu.edu

ATAM: Augmented TAM

• Allow testing for absence of rights in the conditions of commands

• ATAM is equivalent in expressive power to TAM in unbounded simulation but most likely not in bounded simulation• “Most likely not” has recently been shown to be

“provably cannot”