Computer Security: Art and Science

3.5 Expressive Power and the Models

The HRU and SPM models present different aspects of the answer to the safety question. The obvious issue is the relationship between these models. For example, if SPM and HRU are equivalent, then SPM provides a more specific answer to the safety question than the HRU analysis does (that is, safety in acyclic attenuating schemes is decidable). If HRU can describe some systems that SPM cannot, then SPM's answer applies only to a limited set of systems. This bears some examination.

3.5.1 Brief Comparison of HRU and SPM

Ammann and Sandhu [19] have used SPM to represent multilevel security models, integrity models, and the Take-Grant Protection Model, so SPM subsumes those models. But the HRU model is central to safety analysis problems, and we explore its relationship to SPM in more detail.

How does SPM compare with the HRU model? If the two models are equivalent, then any safety analysis of SPM also applies to HRU and SPM offers some significant advantages over HRU for such analyses.

First, SPM is a higher-level model than HRU. This allows policies to be expressed very succinctly and at a more abstract level than in the access control matrix model. Hence, safety analyses can focus on the limits of the model and not on the details of representation. By way of contrast, safety analyses using the HRU model usually require a detailed mapping of the policy to the model, followed by an analysis.

However, the HRU model allows rights to be revoked and entities to be deleted (the delete, destroy subject, and destroy object rules). The SPM model has no revocation rule. The justification is exactly the same as for the Take-Grant Protection Model analyses that ignore that model's creation rule: what is removed can be replaced. So, in some sense, comparing HRU and SPM directly is unfair. A better comparison is one between SPM and a monotonic HRU scheme, in which there are no revocation rules, and we will use that model for further comparison.

In terms of comprehensiveness, HRU allows multiconditional commands. For example, suppose a system has a parent right, similar to the create right but requiring two subjects to have those rights over one another. Then either subject can execute a multicreate command that creates a new object and gives both subjects r rights over the new object. The multicreate command would be

command multicreate(s₀, s₁, o)
   if p in a[s₀, s₁ ] and r in a[s₁, s₀ ]
   then
      create object o
      enter r into a[s₁, o ];
      enter r into a[s₂, o ];
   end

However, SPM cannot express this command easily because the can-create function allows creators to have at most one type. If s₀ and s₁ have different types, SPM has no mechanism for creating o. This suggests that SPM is less expressive than HRU.

3.5.2 Extending SPM

Ammann and Sandhu [19, 20, 872] revisited the notion of creation in SPM. Implicit in all models discussed so far is the assumption of a single parent. This assumption is not common in nature. (Consider humans, who have two parents.) It is more common in computer science, but (as we shall see) changing paradigms often simplifies solutions.

Consider two users, Anna and Bill, who must cooperate to perform a task but who do not trust each other. This problem of mutual suspicion is one of the oldest problems in security [413] and arises in multiuser computing systems. The usual solution is for Anna to define a proxy and give it only those rights she wishes Bill to have and for Bill to define a proxy similarly. Then Anna gives Bill's proxy the privileges to invoke Anna's proxy, and Bill gives Anna's proxy similar privileges. Working indirectly, the two proxies can work together and perform the task. Multiple indirection is disallowed (or else Anna's proxy could give her rights to Bill's proxy to a third party). Hence, the way the proxies use rights must be restricted, leading to a complex set of rights and manipulations.

Multiple parenting simplifies this model. Anna and Bill jointly create a proxy. Each then gives the proxy only those rights needed to perform the task. Neither parent is allowed to copy rights from the proxy. At this point, the copy operation must embody all restrictions on the manipulation of proxy rights and abilities, which is simpler than restricting the particular application of rights (as must be done in the preceding solution).

The Extended Schematic Protection Model (or ESPM) adds multiple parenting to SPM. The joint creation operation includes the SPM creation operation as a special case. The can-create function becomes

cc TS x … x TS x T;

The create rules for the parents in a joint creation operation can allow the parents to get one anothers' rights to the child as well as their own, but this is equivalent to a creation rule in which parent rights are not copied, followed by applications of the copy rule. For simplicity, we require that each parent be given tickets only for its own rights over the new child, and not for rights of other parents.

Let X₁, …, X_n be the n subject parents, let Y be the created entity, and let R₁,_i, R₂,_i, R₄,_i R for i = 1, …, n. Each creation rule has i components, each of which provides the tickets to the ith parent and the child; for example, the ith rule is

cr_P(t(X₁), …, t(X_n), t(Y)) = Y/R₁,_i X_i/R₂,_i

The child also has a rule of the form

cr_C(t(X₁), …, t(X_n), t(Y)) = Y/R₃ X_i/R₄,₁ _… X_n/R₄,_n

These rules are analogous to the single-parent creation rules, but with one for each parent.

EXAMPLE: To expand on this concept, let's revisit Anna and Bill's situation. Anna and Bill are equals, so for modeling purposes they have the same type a. The proxy is of type p; because the proxy has delegated authority, a and p may be different. We model the rights that Anna and Bill have over the proxy by the right x in R. Thus:

cc(a, a) = p
cr_Anna(a, a, p) = cr_Bill(a, a, p) = Ø
cc_proxy(a, a, p) = Anna/x Bill/x

Then the proxy can use the right x to transfer whatever set of privileges the proxy requires.

Considering two-parent joint creation operations is sufficient for modeling purposes. To demonstrate this, we show how the two-parent joint creation operation can implement a three-parent joint creation operation.

Let P₁, P₂, and P₃ be three subjects; they will create a (child) entity C. With a three-parent joint creation operation, can-create will be

cc(t(P₁), t(P₂), t(P₃)) = Z T

and the type of the child is t(C) T. The creation rules are

cr_P₁(t(P₁), t(P₂), t(P₃)) = C/R₁,₁ P₁/R₂,₁
cr_P₂(t(P₁), t(P₂), t(P₃)) = C/R₁,₂ P₁/R₂,₂
cr_P₃(t(P₁), t(P₂), t(P₃)) = C/R₁,₃ P₁/R₂,₃
cr_C(t(P₁), t(P₂), t(P₃)) = C/R₃ P₁/R₄,₁ P₂/R₄,₂ P₃/R₄,₃

Our demonstration requires that we use the two-parent joint creation rule, not the three-parent rule. At the end of the demonstration, the parents and the child should have exactly the same tickets for one another. We will create additional entities and types, but they cannot interact with any other entities (in effect, they do not exist for the rest of the entities). Finally, if the creation fails, the parents get no new tickets.

For convenience, and to simplify the notation, we assume that the parents and child are all of different types.

Define four new entities A₁, A₂, A₃, and S; each A_i, of type a_i = t(A_i), will act as an agent for the corresponding parent P_i, and S, of type s = t(S), will act as an agent for the child. Let the type t represent parentage�that is, an entity with the ticket X/t has X as a parent. Again, without loss of generality, we assume that a₁, a₂, a₃, s, and t are all new types.

During the construction, each agent will act as a surrogate for its parent; this agent obtains tickets on behalf of the parent, and only after the child is created does the agent give the parent the ticket. That way, if the construction fails, the parent has no new tickets.

Augment the can-create rules as follows:

cc(p_i) = a₁
cc(p₂, a₁) = a₂
cc(p₃, a₂) = a₃
cc(a₃) = s
cc(s) = c

These rules enable the parents to create the agents. The final agent can create the agent for the child, which subsequently creates the child. Note that the second agent has two parents (P₂ and A₁), as does the third agent (P₃ and A₂); these rules are the two-parent joint creation operation.

On creation, the creation rules dictate the new tickets given to the parent and the child. The following rules augment the existing rules.

cr_P(p₁, a₁) = Ø
cr_C(p₁, a₁) = p₁/Rtc
cr_Pfirst(p₂, a₁, a₂) = Ø

cr_Psecond(p₃, a₂, a₃) = Ø
cr_C(p₂, a₁, a₂) = p₂/Rtc a₁/tc
cr_Pfirst(p₃, a₃, a₃) = Ø

cr_Psecond(p₃, a₃, a₃) = Ø
cr_C(p₃, a₂, a₃) = p₃/Rtc a₂/tc
cr_P(a₃, s) = Ø
cr_C(a₃, s) = a₃/tc
cr_P(s, c) = C/Rtc
cr_C(s, c) = c/R₃t

cr_P(p₁, a₁) = Ø	cr_C(p₁, a₁) = p₁/Rtc
cr_Pfirst(p₂, a₁, a₂) = Ø
cr_Psecond(p₃, a₂, a₃) = Ø	cr_C(p₂, a₁, a₂) = p₂/Rtc a₁/tc
cr_Pfirst(p₃, a₃, a₃) = Ø
cr_Psecond(p₃, a₃, a₃) = Ø	cr_C(p₃, a₂, a₃) = p₃/Rtc a₂/tc
cr_P(a₃, s) = Ø	cr_C(a₃, s) = a₃/tc
cr_P(s, c) = C/Rtc	cr_C(s, c) = c/R₃t

Here, cr_Pfirst and cr_Psecond indicate the tickets given to the first and second parents, respectively.

The link predicates indicate over which links rights can flow; essentially, no tickets can flow to the parents until the child is created. The following links restrain flow to the parents by requiring each agent to have its own "parent" right.

link₁(A₁, A₂) = A₁/t dom(A₂) A₂/t dom(A₂)
link₁(A₂, A₃) = A₂/t dom(A₃) A₃/t dom(A₃)
link₂(S, A₂) = A₃/t dom(S) C/t dom(C)
link₃(A₁, C) = C/t dom(A₁)
link₃(A₂, C) = C/t dom(A₂)
link₃(A₃, C) = C/t dom(A₃)
link₄(A₁, P₁) = P₁/t dom(A₁) A₁/t dom(A₁)
link₄(A₂, P₂) = P₂/t dom(A₂) A₂/t dom(A₂)
link₄(A₃, P₃) = P₃/t dom(A₃) A₃/t dom(A₃)

The filter functions dictate which tickets are copied from one entity to another:

f₁(a₂, a₁) = a₁/t c/Rtc
f₁(a₃, a₂) = a₂/t c/Rtc
f₂(s, a₃) = a₃/t c/Rtc
f₃(a₁, c) = p₁/R₄,₁
f₃(a₂, c) = p₂/R₄,₂
f₃(a₃, c) = p₃/R₄,₃
f₄(a₁, p₁) = c/R₁,₁ p₁/R₂,₁
f₄(a₂, p₂) = c/R₁,₂ p₂/R₂,₂
f₄(a₃, p₃) = c/R₁,₃ p₃/R₂,₃

Now we begin the construction. The creations proceed in the obvious order; after all are completed, we have

P₁ has no relevant tickets.
P₂ has no relevant tickets.
P₃ has no relevant tickets.
A₁ has P₁/Rtc.
A₂ has P₂/Rtc A₁/tc.
A₃ has P₃/Rtc A₂/tc.
S has A₃/tc C/Rtc.
C has C/R₃.

We now apply the links and filter functions to copy rights. The only link predicate that is true is link₂(S, A₃), so we apply f₂; then A₃'s set of tickets changes, as follows:

A₃ has P₃/Rtc A₂/tc A₃/t C/Rtc.

Now link₁(A₃, A₂) is true, so applying f₁ yields

A₂ has P₂/Rtc A₁/tc A₂/t C/Rtc.

Now link₁(A₂, A₁) is true, so applying f₁ again yields

A₁ has P₁/Rtc A₁/t C/Rtc.

At this point, all link₃s in this construction hold, so

C has C/R₃ P₁/R₄,₁ P₂/R₄,₂ P₃/R₄,₃.

Then the filter functions associated with link₄, all of which are also true, finish the construction:

P₁ has C/R₁,₁ P₁/R₂,₁.
P₂ has C/R₁,₂ P₂/R₂,₂.
P₃ has C/R₁,₃ P₃/R₂,₃.

This completes the construction. As required, it adds no tickets to P₁, P₂, P₃, and C except those that would be added by the three-parent joint creation operation. The intermediate entities, being of unique types, can have no effect on other entities. Finally, if the creation of C fails, no tickets can be added to P₁, P₂, and P₃ because none of the link predicates in this construction is true; hence, no filter functions apply.

Generalizing this construction to n parents leads to the following theorem.

Theorem 3�17. [19] The two-parent joint creation operation can implement an n-parent joint creation operation with a fixed number of additional types and rights, and augmentations to the link predicates and filter functions.

A logical question is the relationship between ESPM and HRU; Ammann and Sandhu show that the following theorem holds.

Theorem 3�18. [19] Monotonic ESPM and the monotonic HRU model are equivalent.

Furthermore, the safety analysis is similar to that of SPM; the only difference is in the definition of the state function s. The corresponding function s' takes the joint creation operation into account; given this, the nature of the unfolding algorithm is roughly analogous to that of SPM. This leads to the equivalent of Theorem 3�16:

Theorem 3�19. [19] For an ESPM system with an acyclic attenuating scheme, for every history H that derives h from the initial state there exists a history G without create operations that derives g from the fully unfolded state u such that
( X, Y SUB^h)[flow^h(X, Y) flow^g(s'(X), s'(Y))]

Because the proof is analogous to that of Theorem 3�16, we omit it.

What is the benefit of this alternative representation? If SPM and ESPM model the same systems, the addition of n-parent joint creation operations is not at all interesting. But if ESPM can represent systems that SPM cannot, the addition is very interesting. More generally, how can we compare different models?

3.5.3 Simulation and Expressiveness

Ammann, Sandhu, and Lipton [21] use a graph-based representation to compare different models. An abstract machine represents an access control model; as usual, that machine has a set of states and a set of transformations for moving from one state to another. A directed graph represents a state of this machine. A vertex is an entity; it has an associated type that is static. Each edge corresponds to a right and, like a vertex, has a static type determined on creation. The source of the edge has some right(s) over the target. The allowed operations are as follows.

Initial state operations, which simply create the graph in a particular state
Node creation operations, which add new vertices and edges with those vertices as targets
Edge adding operations, which add new edges between existing vertices

As an example, we simulate the three-parent joint creation operation with two-parent joint creation operations. As before, nodes P₁, P₂, and P₃ are the parents; they create a new node C of type c with edges of type e. First, P₁ creates A₁, which is of type a, and an edge from P₁ to A₁ of type e'. Both a and e' are used only in this construction.

graphics/03fig01l.gif

Then A₁ and P₂ create a new node A₂, which is of type a, and A₂ and P₃ create a new node A₃, with type a, and edges of type e' as indicated:

graphics/03fig01m.gif

Next, A₃ creates a new node S, which is of type a, which in turn creates a new node C, of type c:

graphics/03fig01n.gif

Finally, an edge adding operation depending on the presence of edges P₁A₁, A₁A₂, A₂A₃, A₃S, and SC adds an edge of type e from P₁ to C. An edge adding operation depending on the presence of edges P₂A₂, A₂A₃, A₃S, and SC adds an edge of type e from P₂ to C. A last edge adding operation depending on the presence of edges P₃A₃, A₃S, and SC adds an edge of type e from P₃ to C:

graphics/03fig01o.gif

This completes the simulation. Exercise 10 suggests a simpler simulation.

The formal definition of simulation relies on two other notions: a scheme and a correspondence between schemes.

Definition 3�22. A scheme is an abstract finite-state machine that defines finite sets of node types, edge types, initial state operations, node creation operations, and edge adding operations. A model is a set of schemes.
Definition 3�23. Let NT(X) and ET(X) be the sets of node types and edge types, respectively, in scheme X. Then scheme A and scheme B correspond if and only if the graph defining the state in scheme A is identical to the subgraph obtained by taking the state in scheme B and deleting all nodes not in NT(A) and all edges not in ET(A).

Consider the simulation of a scheme C3 with a three-parent joint creation operation by a scheme C2 with a two-parent joint creation operation, as was done earlier. After the three-parent joint creation operation, the C3 state would be as follows:

graphics/03fig01p.gif

Contrasting this with the result of the C2 construction, and the fact that the types a and e' do not exist in C3, this state in C3 clearly corresponds to the state resulting from the construction in C2.

Intuitively, scheme A simulates scheme B if every state reachable by A corresponds to a state reachable by B. Because A may have more edge types and node types than B, simulation implies that if A can enter a state a, either there is a corresponding state reachable by B or, if not, A can transition to another state a' from a and there is a state reachable by B that corresponds to a'. The last condition means that if scheme A has a halting state, then scheme B must have a corresponding halting state; otherwise, the simulation is incorrect.

Definition 3�24. Scheme A simulates scheme B if and only if both of the following are true.
For every state b reachable by scheme B, there exists some corresponding state a reachable by scheme A; and
For every state a reachable by scheme A, either the corresponding state b is reachable by scheme B or there exists a successor state a' reachable by scheme A that corresponds to a state reachable by scheme B.
Now we can contrast the expressive power of models.
Definition 3�25. If there is a scheme in model MA that no scheme in model MB can simulate, then model MB is less expressive than model MA. If every scheme in model MA can be simulated by a scheme in model MB, then model MB is as expressive as model MA. If MA is as expressive as MB and MB is as expressive as MA, the models are equivalent.

EXAMPLE: Consider a model M with one scheme A that defines three nodes called X₁, X₂, and X₃ and a two-parent joint creation operation. A has one node type and one edge type. The two-parent joint creation operation creates a new node and adds edges from both parents to the child. A has no edge adding operations. A's initial state is simply X₁, X₂, and X₃, with no edges. Now, consider a model N with one scheme B that is the same as scheme A except that scheme B has a one-parent creation operation instead of a two-parent joint creation operation. Both A and B begin at the identical initial state. Which, if either, is more expressive?

Clearly, scheme A can simulate scheme B by having the two parents be the same node. Hence model M is as expressive as model N.

How might scheme B simulate the creation operation of scheme A? Suppose X₁ and X₂ jointly create a new node Y in scheme A; then there are edges from X₁ and X₂ to Y, but no edge from X₃ to Y. Scheme B can use its single-parent creation operation to create a node Y with parent X₁. However, an edge adding operation must allow the edge from X₂ to Y to be added. Consider what this edge adding operation must allow. Because there is only one type of node, and one type of edge, the edge adding operation must allow an edge to be added between any two nodes.

Because edges can be added only by using the two-parent joint creation operation in scheme A, all nodes in scheme A have even numbers of incoming edges. But given the edge adding rule in scheme B, because we can add an edge from X₂ to Y, we can also add an edge from X₃ to Y. Thus, there is a state in scheme B containing a node with three incoming edges. Scheme A cannot enter this state. Furthermore, because there is no remove rule and only one edge type, scheme B cannot transition from this state to a state in which Y has an even number of incoming edges. Hence, scheme B has reached a state not corresponding to any state in scheme A, and from which no state corresponding to a state in scheme A can be reached. Thus, scheme B cannot simulate scheme A, and so model N is less expressive than model M.

Given these definitions, Ammann, Lipton, and Sandhu prove the following theorem.

Theorem 3�20. [21] Monotonic single-parent models are less expressive than monotonic multiparent models.
Proof Begin with scheme A in the preceding example. We show by contradiction that this scheme cannot be simulated by any monotonic scheme B with only a single-parent creation operation. (The example does not show this because we are removing the requirement that scheme B begin in the same initial state as scheme A.)
Consider a scheme B that simulates scheme A. Let nodes X₁ and X₂ in A create node Y₁ with edges from X₁ and X₂ to Y₁. Then in scheme B there is a node W that creates Y₁ with a single incoming edge from W. The simulation must also use edge adding operations to add edges from X₁ to Y₁ and from X₂ to Y₁ (assuming that W X₁ and W X₂).
Let W invoke the single-parent creation operation twice more to create nodes Y₂ and Y₃ and use the edge adding rules to add edges from X₁ to Y₁, Y₂, and Y₃ and from X₂ to Y₁, Y₂, and Y₃. The resulting state clearly corresponds to a state in scheme A.
Because scheme A has exactly one node type, Y₁, Y₂, and Y₃ are indistinguishable as far as the application of the node creation and edge adding rules is concerned. So proceed as in the example above: in scheme A, let Y₁ and Y₂ create Z. In the simulation, without loss of generality, let Y₁ create Z using a single-parent creation operation. Then scheme B uses an edge adding operation to add an edge from Y₂ to Z�but that same edge adding rule can be used to add one more edge into Z, from Y₃. Thus, there are three edges coming into Z, which (as we saw earlier) is a state that scheme A cannot reach, and from which no future state in scheme B that corresponds to a state in scheme A can be reached. Hence, scheme B does not simulate scheme A, which contradicts the hypothesis.
Thus, no such scheme B can exist.

This theorem answers the question posed earlier: because ESPM has a multiparent joint creation operation and SPM has a single-parent creation operation, ESPM is indeed more expressive than SPM.

3.5.4 Typed Access Matrix Model

The strengths of SPM and ESPM appear to derive from the notion of "types." In particular, ESPM and HRU are equivalent, but the safety properties of ESPM are considerably stronger than those of HRU. Sandhu expanded the access control matrix model by adding a notion of "type" and revisiting the HRU results. This model, called the Typed Access Matrix (TAM) Model [875], has safety properties similar to those of ESPM and supports the notion that types are critical to the safety problem's analysis.

TAM augments the definitions used in the access control matrix model by adding types.

Definition 3�26. There is a finite set of types T, containing a subset of types TS for subjects.

The type of an entity is fixed when the entity is created (or in the initial state) and remains fixed throughout the lifetime of the model. The notion of protection state is similarly augmented.

Definition 3�27. The protection state of a system is (S, O, t, A), where S is the set of subjects, O is the set of objects, A is the access control matrix, and t:OT is a type function that specifies the type of each object. If X S, then t(X) TS, and if X O, then t(X) T � TS.

The TAM primitive operations are the same as for the access control matrix model, except that the create operations are augmented with types.

Precondition: s S
Primitive command: create subject s of type ts
Postconditions: S' = S { s }, O' = O { s },
(y O)[t'(y) = t(y)], t'(s') = ts,
(y O')[a'[s, y] = Ø], (x S')[a'[x, s] = Ø],
(x S)(y O)[a'[x, y] = a[x, y]]
In other words, this primitive command creates a new subject s. Note that s must not exist as a subject or object before this command is executed.
Precondition: o O
Primitive command: create object o of type to
Postconditions: S' = S, O' = O { o },
(y O)[t'(y) = t(y)], t'(o') = to,
(x S')[a'[x, o] =,Ø], (x S')(y O)[a'[x, y] = a[x, y]]
In other words, this primitive command creates a new object o. Note that o must not exist before this command is executed.

These primitive operations are combined into commands defined as in the access control matrix model. Commands with conditions are called conditional commands; commands without conditions are called unconditional commands.

Finally, we define the models explicitly.

Definition 3�28. A TAM authorization scheme consists of a finite set of rights R, a finite set of types T, and a finite collection of commands. A TAM system is specified by a TAM scheme and an initial state.
Definition 3�29. The MTAM (Monotonic Typed Access Matrix) Model is the TAM Model without the delete, destroy subject, and destroy object primitive operations.
Definition 3�30. Let a(x₁ : t₁, …, x_k : t_k) be a creating command, where x₁, …, x_k O and t(x₁) = t₁, …, t(x_k) = t_k. Then t_i is a child type in a(x₁ : t₁, …, x_k : t_k) if any of create subject x_i of type t_i or create object x_i of type t_i occurs in the body of a(x₁ : t₁, …, x_k : t_k). Otherwise, t_i is a parent type in a(x₁ : t₁, …, x_k : t_k).
From this, we can define the notion of acyclic creations.
Definition 3�31. The creation graph of an MTAM scheme is a directed graph with vertex set V and an edge from u V to v V if and only if there is a creating command in which u is a parent type and v is a child type. If the creation graph is acyclic, the MTAM system is said to be acyclic; otherwise, the MTAM system is said to be cyclic.

As an example, consider the following command, where s and p are subjects and f is an object.

command create•havoc(s : u, p : u, f : v, q : w)
   create subject p of type u;
   create object f of type v;
   enter own into a[s,p];
   enter r into a[q,p];
   enter own into a[p,f];
   enter r into a[p,f];
   enter w into a[p,f];
end

Here, u and v are child types and u and w are parent types. Note that u is both a parent type and a child type. The creation graph corresponding to the MTAM scheme with the single command create•havoc has the edges (u, u), (u, w), (v, u), and (v, w). Thus, this MTAM scheme is cyclic. Were the create subject p of type u deleted from the command, however, u would no longer be a child type, and the resulting MTAM scheme would be acyclic.

Sandhu has shown that the following theorem is true.

Theorem 3�21. [875] Safety is decidable for systems with acyclic MTAM schemes.

The proof is similar in spirit to the proof of Theorem 3�16.

Furthermore, because MTAM subsumes monotonic mono-operational HRU systems, a complexity result follows automatically:

Theorem 3�22. [875] Safety is NP-hard for systems with acyclic MTAM schemes.

However, Sandhu [875] has also developed a surprising result. If all MTAM commands are limited to three parameters, the resulting model (called "ternary MTAM") is equivalent in expressive power to MTAM. However:

Theorem 3�23. [875] Safety for the acyclic ternary MTAM model is decidable in time polynomial in the size of the initial access control matrix.

Top