On Using Object Relabelling To Change Ownership

In the Solworth-Sloan scheme, which rights a subject has over a particular object are determined indirectly in the following three steps.

  1. There is a labelling function that maps each object to an object label.  An object's label may be changed by an object relabelling action; whether an action succeeds or not is determined by a sequence of object relabelling rules.
  2. There is an authorization function auth that maps each pair of object label b and right r to a group g; members of the group g have the right r over objects that have the label b.  When an object label b is created, auth(b,r) is determined for each r; and auth(b,r) never changes.
  3. Which subjects are members of a group is determined by native group sets (NGS's), which are complicated structures that we describe below.  A subject's group membership may change by changing tags assigned to a subject.

In SDCO, given a subject s that owns an object o, if s wants to give out the own right to s', one wants to make sure that all subjects that can read the object o can still read o after the change of ownership. 

To implement change of ownership in the Solworth-Sloan scheme, one can either relabel the object o, or relabel the subjects s and s'.  The latter approach is the one discussed in our paper.  The reason that the first one was not discussed was because it has obvious problems.  When an object's label changes from b to b', the group that has the right r to the object o changes from auth(b,r) to auth(b',r).