
The Graham-Denning Model

• Based on access matrices
• Focuses on access control within an operating system
• Explores various possibilities of discretionary access control
Access Matrix
• A set of subjects S
• A set of objects O
• A set of rights R
• An access control matrix
– One row for each subject
– One column for each subject/object
– Elements are the rights of a subject on another subject or object
Elements of Graham-Denning Model

• Each object has an “owner”


• Each subject has a “controller”
• A right may be transferable (with *) or not.

Kamal Nimal File 1 File 2 File 3

Kamal Control Owner Read


Read, Owner,
Nimal Control Write Read
Seven Levels of Protection / Separation
1. No sharing at all
2. Sharing copies of programs or data files
3. Sharing originals of programs or data files
4. Sharing programming systems or subsystems
5. Permitting the cooperation of mutually suspicious subsystems, e.g., debugging or proprietary subsystems
6. Providing memory-less subsystems
7. Providing “certified” subsystems
Graham-Denning Model: 8 Commands

• Creating objects and subjects


– 1. Subject x creates object o
• Add column for o
• Add (x, o, “owner”)

– 2. Subject x creates subject s


• Add row and column for s
• Add (x, s, “control”) and (x, s, “owner”)
Graham-Denning Model: 8 Commands

• Destroying objects and subjects


– 3. Subject x destroys object o
• If (x, o, “owner”) then delete column o

– 4. Subject x destroys subject s


• If (x, s, “owner”) then delete column s
Graham-Denning Model: 8 Commands

• Granting and Transferring rights


– 5. Subject x grants a right r/r* on object o to subject s
• If (x, o, “owner”) then Add (s, o, r/r*)
– 6. Subject x transfers a right r/r* on object o to subject s
• If (x, o, r*) then Add (s, o, r/r*)

r* – means a subject has the right to transfer the right r/r*


Graham-Denning Model: 8 Commands

• Deleting “own” rights


– 7. Subject x deletes right r/r* on object o from subject s
• If (x, s, “control”) or (x, o, “owner”) then Delete (s, o, r/r*)
Graham-Denning Model: 8 Commands

• Querying
– 8. Subject x checks what rights subject s has on object o
• If (x, s, “control”) or (x, o, “owner”) then return (s, o, *)
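
The guard conditions of commands 1, 2, 5, 6, 7 and 8, as added Python code that is not part of the original slides. The matrix is stored sparsely, a transferable right r* is written as a string such as "read*", and the subject Sunil and the right names are assumptions made for the scenario.

```python
class AccessMatrix:  # added illustration, not code from the slides
    def __init__(self):
        self.cells = {}  # (subject, subject-or-object) -> set of rights

    def has(self, x, target, right):
        return right in self.cells.get((x, target), set())

    def _add(self, s, target, *rights):
        self.cells.setdefault((s, target), set()).update(rights)

    def _require(self, allowed, reason):
        if not allowed:
            raise PermissionError(reason)

    def create_object(self, x, o):       # 1: creator becomes owner
        self._add(x, o, "owner")

    def create_subject(self, x, s):      # 2: creator gets control and owner
        self._add(x, s, "control", "owner")

    def grant(self, x, s, o, r):         # 5: only the owner of o may grant r or r*
        self._require(self.has(x, o, "owner"), f"{x} does not own {o}")
        self._add(s, o, r)

    def transfer(self, x, s, o, r):      # 6: x must itself hold the starred right
        starred = r.rstrip("*") + "*"
        self._require(self.has(x, o, starred), f"{x} lacks {starred} on {o}")
        self._add(s, o, r)

    def _manages(self, x, s, o):         # guard shared by commands 7 and 8
        return self.has(x, s, "control") or self.has(x, o, "owner")

    def delete(self, x, s, o, r):        # 7
        self._require(self._manages(x, s, o), f"{x} may not delete rights of {s}")
        self.cells.get((s, o), set()).discard(r)

    def query(self, x, s, o):            # 8: returns a copy of the cell (s, o)
        self._require(self._manages(x, s, o), f"{x} may not query rights of {s}")
        return set(self.cells.get((s, o), set()))

def demo():  # constructed scenario; "Sunil" and the right names are assumptions
    m = AccessMatrix()
    m.create_object("Kamal", "File 1")
    m.create_subject("Kamal", "Nimal")
    m.grant("Kamal", "Nimal", "File 1", "read")        # no star: not transferable
    try:
        m.transfer("Nimal", "Sunil", "File 1", "read")
    except PermissionError as err:
        return str(err)
```

Granting "read*" instead of "read" in demo() lets Nimal's transfer succeed, which is the only difference the star makes.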
Advantages of Graham Denning Model

• Provides a framework
• Defines a set of basic rights in terms of commands.
• Provides more granularity and direction for vendors on how to actually meet the goals outlined in earlier models
Disadvantages of Graham Denning Model

• Lack of completeness when a process changes protection environments.
Conclusion
• Most current commercial systems do not implement a complete protection mechanism.
