Algorithm for searching bridges

* and * in the protection graph for t t

Take-Grant protection model

1. Introduction Take-Grant protection model is one of the earliest and most profoundly developed discretionary access control models [1]. One of the most significant achievements of Take-Grant model can be considered the ability to analy e system security in polynomial time. There are several papers that offer different variants for checking the security of computer systems! based on a Take-Grant model ["!#]. This paper is a continuation of [$!%] &hich describe &ays of verifing the security of computer systems based on the terms set out in the classical Take-Grant model. This article describes a polynomial algorithm for searching bridges of type
* and * in t t

the protection graph. The proposed algorithm is based on a classical breadth-first search algorithm [']. 2. Initial conditions and notations (ased on the conditions formulated in the Take-Grant model! in order to investigate the possibility of access bet&een the t&o sub)ects of an arbitrary protection graph! it is necessary that in the graph &ere kno&n islands! bridges! initially and terminally spans of bridges. The islands are tg-connected subgraphs consisting only of sub)ect vertices. (ridges! initially and terminally spans of bridges are paths of a given form! running through the ob)ect vertices. *n this paper restrict the search of bridges label
* and * - paths in the graph! each arc of &hich contains a t t

or ! respectively. t t

+et there are already kno&n island in the graph! a &ay to find them is described in [%]. *t is necessary to find a bridge bet&een t&o islands I 1 and I " .

*ntroduce some notation. ,rc bet&een the vertices e i and e j ! containing the label
e , e ! denote by . *nitial verte- of the bridge &ill be denoted by s! and the t t i j

final . by f. The set of all ob)ect vertices of the original graph denote by O.
* t * . ,t first &e describe the t

3. Bridge

/onsider the search for a bridge of the type

algorithm informally. ,t the beginning the algorithm divides all set of ob)ect verteof the original graph into t&o subsets O r and Oi . To the set O r falls those vertices to &hich there is a bridge of a given type! all other vertices falls in the set Oi . ,t the beginning of the algorithm in the set O r is only one verte- . s 0initial verte-1. The algorithm looks at all the arcs of the graph &hich are associated &ith the vertices
from O r and if it detect arc of type &hich connects the top e r from O r &ith t

the top e i from Oi ! then e i is removed from the O i and entered into O r . ,fter revie&ing all the arcs there can be entered more than one verte- in the O r ! that is the cardinality of O r &ill increase! and the cardinality of O i &ill decrease by the same number. *f the verte- f falls in the set O r ! then it means that there is a path in the graph of a given form and the algorithm finishes its &ork. *n other case! the procedure is repeated for the modified O r and O i . 2o&ever! it is possible that after revie&ing all the arcs! to the O r &ill not be entered any vertices. This is possible &hen there are no arcs of the type
bet&een vertices from Or and vertices from t

O i . *n order not to to miss this situation need to check the cardinality of the sets that

&e are dealing &ith. *f the cardinality of the sets have not changed! it is necessary to finish the algorithm &ith a message that the specified type of bridge bet&een these islands do not e-ist. The formal algorithm is composed of three main steps. (efore the beginning

of the algorithm &e divide the set O into t&o subsets O r and Oi ! i.e. O =Oi O r . Step 1. 3nter the verte- s into O r ! enter all other vertices into Oi . Step 2. 4evie& all the arcs! &hich initial vertices are in O r ! if there is
e , e ! then enter e i into the O r and remove e i from the Oi . 2ere t r i

e r O r ! e i O i . 5hen all the arcs associated &ith the vertices from O r &ill be revie&ed! go to Step 3. Step 3. *f after Step 2 verte- f is in the O r ! then the algorithm finishes . the bridge of the specified type e-ists. *f after Step 2 cardinality of sets O r and
O i have not changed! the algorithm also finishes . the bridge of the specified

type bet&een these islands do not e-ist. Other&ise return to Step 2. ote. *t is possible to provide different implementations of the algorithm! depending on the task. 6or e-ample! if there is only need to sho& the presence or absence of a bridge bet&een the specified islands! then the above description &ould be enough - the algorithm reports the results of it7s &ork. (ut if there is need to identify a bridge! than it is necessary to support the sets of passed arcs and vertices. 6or e-ample! &e can construct a graph of paths after each passage of the Step 2! or &e can color passed vertices and arcs in some &ay. 3stimate the comple-ity of the algorithm. +et the original graph contains N vertices. 8ince the graph directed! the ma-imum number of arcs in it may be e9ual to N0N-11. *t is possible to limit the number of repetitions of Step 2 by the number of vertices! as in the case &here after each step in the set Or &ill be entered only one verte-! then the bridge in a graph &ill be found in N steps. *n the general case there &ill be entered more than one verte- to the set O r for each e-ecution of Step 2! that is! the bridge &ill be found for less than N steps. *f the bridge does not e-ist! than at some stage there &ill be no arc of the specified type and the algorithm does not entered in the set O r anything! ie! cardinality of the set O r &ill remain unchanged! then the algorithm &ill fail &ith appropriate message. Thus! at each Step 2 there are re9uired to revie& no more than N vertices and &ith each verte- is connected by no

more than N0N-11 arcs. That is! the comple-ity of the algorithm can be estimated as
O N # .

Theorem. The algorithm finds the bridge of type

* correctly. t

!roof. 6irst &e sho& that the algorithm finishes its &ork at all! and secondly! that the algorithm finds the right kind of bridge. 5e can sho& that the algorithm is finish it7s &ork based on the fact that the set of ob)ect vertices of the original graph is finite. The algorithm divides the set O into subsets O r and O i ! so that O =Oi O r . ,t each stage of Step 2! or any verte- is removed from the Oi and entered in O r and the cardinality of both sets! respectively! change! or there are no movement of the vertices . the cardinality of the sets do not change and the algorithm fails. +et O= M . There are three versions of events. 1. ,ll the vertices of the Oi &ill be transferred to O r ! then the algorithm is finished ne-t step! as there is impossible to change the cardinality of the sets any more. ,lgorithm &ill make a total of M:1 steps. ". ,t step k M algorithm finds the bridge. The algorithm &ill finished it7s &ork! and the number of steps it &ill make is e9ual k. #. ,t step k M algorithm detects that the cardinality of O r and Oi have not changed. The algorithm &ill finished it7s &ork! and the number of steps it &ill make is e9ual k. Thus! the algorithm is finished in any case! regardless of &hether there are bridges in the graph or not. The fact that the algorithm correctly finds the bridge! &e can sho& by induction on the length of the bridge. +et the length of the bridge is n. 5e can not choose n ; 1 as the induction basis! since this &ould mean that the initial and final vertices are connected by an arc
! and therefore belong to the same island. t

Therefore! &e choose n ; " as basis and sho& that the algorithm finds this bridge. The situation &here there is a bridge of length " in the graph! is sho&n in

6igure 1. There is at least one arc of the type

associated &ith the verte- s, t associated t

connecting vertices s and x. *n turn! there is at least one arc of the type &ith the verte- x! connecting vertices x and f.

6igure 1 . (ridge

* of length " t

The verte- s entered in the set Or in Step 1 of the algorithm. *n Step 2! &hile checking all the arcs of type associated &ith the vertices from the set Or ! t

the verte- x &ill be detected. The verte- x &ill be entered in the Or and removed from Oi ! but the bridge has not been detected yet. The bridge &ill be detected only after repeated e-ecution of Step 2! &hen the arcs of the type ! associated &ith the t

vertices from Or ! &ill be revie&ed again. This time &ill be found an arc connecting the x and f. ,s the induction hypothesis! &e choose the statement that for the length of the bridge n < l! &here l = "! the algorithm finds the bridge correctly. *nductive step> let the length of the bridge is e9ual l! the algorithm is e-ecuted l-1 stage! at this stage there &ere vertices x 1! x "! ... x m entered in the Or 0figure "1.

To each of the vertices x i bridge &as found correctly by the induction hypothesis. 8ince the length of the bridge is e9ual l! this means that bet&een at least one of the
x i and f there are arcs

x , y y , f and ! that are the lsat arcs of the j t t

re9uired bridge. 5e apply the algorithm for each of the x i . The algorithm is able to find the bridge! consisting of t&o arcs! correctly as it &as sho&n for the induction basis.

6igure " . *nductive step ". (ridge t*

Obviously! if in the Step 2 of the above described algorithm instead of the arcs of type
&e &ill search arcs of type ! than &e can use this algorithm for t t * . *n this case all of the above &ill be valid for a bridge of t

searching bridge of type type

! including the comple-ity of the algorithm &ill also be estimated as O N # . t*

#. $onclusions The search for bridges in the protection graph of Take-Grant protection model is needed to identify the channels of information leakage in a computer system. *n

order to find the channels of information leakage there are must also be &ays to find bridges of type
* * and * * ! as &ell as initially and terminally spans of t g t t g t

bridges. ?ethods of searching these structures are not considered in this paper. 2o&ever! the development of polynomial algorithms for searching these structures may form the basis for soft&are safety analysis of computer systems. The algorithm described in this paper is )ust one step to&ards creating of such soft&are. #. %eferences [1] +ipton 4.@.! 8nayder +. , linear time algorithm for deciding sub)ect security AA @ournal of ,/? 0,ddison-5esley1. B.#! 1CDD. p.$%%-$'$ ["] 6rank @.! (ishop ?.! 3-tending the Take-Grant protection system. Technical report. Eepartment of /omputer science! Fniversity of /alifornia in Eevis! 1CC'. 1$ p. [#] (ishop ?. Theft of information in the Take-Grant protection model AA /omputer security # 0$1! 1CC$. p."G#.#HC. [$] (rechka E. ,lgorithms for the analysis of computer system state security for the Take-Grant model AA ?athematical structures and modeling. B. "H! "HHC. p.1'H-1D". [%] (rechka E. ,nalysis of access in the Take-Grant model AA *n the &orld of scientific discoveries.! 8cientific *nformation /enter! 4ussia! Irasnoyarsk. "H1H. p. 11-1# ['] /ormen T. 2.J +eiserson! /. 3.! 4ivest! 4. +.! 8tein! /. 0"HHC1 [1CCH]. *ntroduction to ,lgorithms 0#rd ed.1. ?*T Kress and ?cGra&-2ill.