On Using Object Relabelling To Change Ownership
In the Solworth-Sloan scheme, which rights a subject has over a particular
object are determined indirectly in the following three steps.
- There is a labelling function that maps each object to an object label.
An object's label may be changed by an object relabelling action; whether an
action succeeds or not is determined by a sequence of object relabelling
rules.
- There is an authorization function auth that maps each pair of
object label b and right r to a group g; members of the
group g have the right r over objects that have the label b.
When an object label b is created, auth(b,r) is
determined for each r; and auth(b,r) never changes.
- Which subjects are members of a group is determined by native group sets
(NGS's), which are complicated structures that we describe below. A
subject's group membership may change by changing tags assigned to a
subject.
In SDCO, given a subject s that owns an object o, if s
wants to give out the own right to s', one wants to make sure that all
subjects that can read the object o can still read o after the change of
ownership.
To implement change of ownership in the Solworth-Sloan scheme, one can either
relabel the object o, or relabel the subjects s and s'. The
latter approach is the one discussed in our paper. The reason that the
first one was not discussed was because it has obvious problems. When an
object's label changes from b to b', the group that has the right
r to the object o changes from auth(b,r) to
auth(b',r).