What is "The Statement Episode" at the 2005 Oakland Conference?

In the first session of the second day of the conference, my graduate student Mahesh Tripunitara presented a paper titled "On Safety in Discretionary Access Control", coauthored by me (Ninghui Li) and Mahesh.  In the paper, we assess the validity of the motivations and claims in a paper presented at the 2004 Oakland conference by Jon Solworth and Robert Sloan, titled "A Layered Design of Discretionary Access Controls with Decidable Safety Properties".

After the presentation, a graduate student of Prof. Jon Solworth stood up and announced that he had a statement from Prof. Jon Solworth and Prof. Robert Sloan to read.  He read the statement and distributed a one-page written statement discussing this issue.  In addition, Prof. Solworth set up a webpage about this debate.  Please see that webpage for the statements from Prof. Solworth.  (The oral and the written statements have been removed from Prof. Solworth's webpage as of May 18.)

This page is our response to the oral statement, the written statement, and the webpage set up by Prof. Solworth.

A Summary of the Technical Issues in the Debate

What is the Solworth-Sloan paper about?

The paper by Profs. Solworth and Sloan begins by claiming that "all general access control models that were known to be sufficiently expressive to implement the full range of DAC models had an undecidable safety problem."  They use this to motivate a new access control scheme, which we refer to as the Solworth-Sloan scheme.  The scheme is presented without a precise and detailed specification.  They then claim that the Solworth-Sloan scheme can implement the full range of DAC models, which refers to a family of DAC models discussed in a paper by Osborn, Sandhu, and Munawer in the context of comparing DAC with RBAC.  There are then a few paragraphs discussing how these DAC schemes can be implemented in the Solworth-Sloan scheme.

What is in our paper?

We begin by observing that the assertion that safety is undecidable in DAC is a prevailing myth expressed by some security researchers and that this myth stems from equating DAC with the well-known Harrison-Ruzzo-Ullman (HRU) scheme, in which safety is known to be undecidable.  We then do the following.

What is the objection raised by Profs. Solworth and Sloan?

In their statements, Profs. Solworth and Sloan assert that our construction of SDCO in the Solworth-Sloan scheme is not what they intended in their paper.  In particular, they argue that they handle change of ownership by relabeling the object, rather than the subject.  Based on this, they asked us to withdraw our conclusion that the claim in their paper (i.e., the claim that the Solworth-Sloan scheme can implement a range of DAC schemes) is incorrect.

What are our responses?

On the other hand, Profs. Solworth and Sloan can probably point to other things in our construction and claim that they do not match their intention.  As details are not provided in their paper, their intended construction can always be a moving target. 

Towards raising the level of rigorousness in access control research

One main reason we wrote our paper was the hope of raising the level of rigorousness in access control research.  We cannot imagine that a paper presenting a new cryptographic construction without the details of the construction, a definition of security, or a proof of security would be accepted at a top cryptography conference.  A reviewer would look for these things, and would reject a paper that does not contain them.  While such a level of rigorousness may not be appropriate for all topics within access control, we feel that it is definitely needed for papers dealing with safety or other analysis issues.  We also feel that striving to raise the level of rigorousness is in general a good thing for the field.

If a paper presents a new access control scheme, especially in the context of discussing safety or other kinds of analyses, the scheme should be specified precisely using a meta-formalism.  One suitable meta-formalism is a state-transition system (also known as a state machine).  This enables one to specify precisely what information is maintained in a state and how the state may change.  Without such a precise specification, it is often impossible for a reviewer to judge the correctness of the content of a paper.  The use of state-transition systems in access control can be traced back at least to the fundamental work of Bell and LaPadula.  Personally, I consider that one of the most important contributions of Bell and LaPadula is their use of state-transition systems to formally model computer systems and their protection states.  This approach has been used in numerous later landmark works, such as the Harrison-Ruzzo-Ullman model and the non-interference and non-deducibility models.
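To make the state-transition idea concrete, here is an added example of my own, not code from either paper and not a reconstruction of the Solworth-Sloan scheme: a toy DAC scheme with ownership transfer written as a state machine, followed by an exhaustive reachability search that answers the safety question.  The command rules, the three subjects and the initial state are all assumptions made for the illustration.

```python
from collections import deque

# Constructed toy DAC scheme (an assumption for illustration, not either paper's
# scheme). A protection state is a frozenset of (subject, object, right) triples;
# the right "own" marks the single owner of an object. Assumed command rules:
# only the owner of an object can grant or revoke "read" on it or transfer
# ownership; the set of subjects is fixed, and no objects are created.
SUBJECTS = ("alice", "bob", "carol")

def owner_of(state, obj):
    """Return the unique owner of obj in this state."""
    return next(s for (s, o, r) in state if o == obj and r == "own")

def successors(state, trusted):
    """Yield every state reachable by one command under the assumed rules.
    Commands issued by a trusted subject are skipped: in the safety question,
    trusted subjects are assumed not to act."""
    for obj in {o for (_, o, _) in state}:
        own = owner_of(state, obj)
        if own in trusted:
            continue
        for s in SUBJECTS:
            if s == own:
                continue
            yield state | {(s, obj, "read")}                        # grant read
            if (s, obj, "read") in state:
                yield state - {(s, obj, "read")}                    # revoke read
            # transfer ownership: the object is relabeled with a new owner
            yield (state - {(own, obj, "own")}) | {(s, obj, "own")}

def reachable_states(initial, trusted=frozenset()):
    """Breadth-first enumeration of all reachable protection states."""
    seen, queue = {initial}, deque([initial])
    while queue:
        for nxt in successors(queue.popleft(), trusted):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def is_safe(initial, subject, obj, right, trusted=frozenset()):
    """HRU-style safety question: can `subject` ever obtain `right` on `obj`
    when only untrusted subjects issue commands? Decidable here by exhaustive
    search because the state space is finite (fixed subjects, no creation)."""
    target = (subject, obj, right)
    return all(target not in st for st in reachable_states(initial, trusted))

if __name__ == "__main__":
    start = frozenset({("alice", "doc", "own")})   # constructed initial state
    print(is_safe(start, "bob", "doc", "read", trusted={"alice"}))   # True
    print(is_safe(start, "bob", "doc", "read"))                      # False
```

With alice trusted, bob can never obtain read on doc; once alice is untrusted she may grant it directly or transfer ownership, so the search finds a violating state.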

Other related information

Some related information that is not essential to the technical debate is included in the following page. 

Thank you for reading this, and if you have comments you would like to share, please send email to ninghui@cs.purdue.edu and/or tripunit@cerias.purdue.edu.

First created on May 12, 2005.

Last updated on May 18, 2005.