A State-Transition Model Of Trust Management And Access Control

We use a state-transition approach to analyze and compare the core access control mechanisms that are characteristic of a variety of trust management, access control list, and capability-based systems. The framework, which characterizes the set of rights a subject has over an object after any sequence of actions, is based on abstract system states, state transitions, and logical deduction of access control judgments. We present abstract models representing the access control portion of trust management, access control lists, and two versions of capabilities, proving various correspondence and simulation relations between these models. The main results include an equivalence between access control lists (ACLs) and capabilities viewed as rows of the Lampson access matrix and the (proper) subsumption of a form of ACLs by an "unforgeable reference" form of capabilities. The access control mechanism at the heart of distributed trust management systems is formally shown to provide a tractable compromise between unrestricted capability passing from the capability models and easy revocation provided by access control lists. The underlying simulations show how trust management compares with more established access control mechanisms, independent of features such as local name spaces and certificate authorization hierarchies.