Date of Award


Degree Type


Degree Name

Doctor of Philosophy


This thesis presents a study of realizing commercial security, as defined in the Clark and Wilson Model (CW87), using Object-Oriented (O-O) concepts.;Role-based security is implied in the Clark and Wilson model in which specified operations are grouped to compose roles. This approach to protection is suitable for applications involving large numbers of users with overlapping user requirements and/or where there is a large number of objects. It presents a flexible (hence adaptive) means for enforcing differing ranges of security policies. It enforces the principle of least privilege, hence minimizing the risk of Trojan horse attacks.;Consequently, in part, this work focuses on role-based protection, formalizes the role concept and proposes a model for role organization and administration. This model, intended to ease access rights administration, is defined by a set of properties. Algorithms for role administration are presented. These guarantee the properties of the role organization model. Role-based protection is also studied with respect to traditional protection schemes. One aspect of this enquiry focuses on information flow analysis in role-based security systems; the other addresses the realization of mandatory access control using role-based protection. This involves the imposition of acyclic information flows and rules that ensure secrecy. It demonstrates the strength of the role-based protection approach.;A role is a named collection of responsibilities and functions which we term privileges. Execution of one or more privileges of a role facilitates access to information available via the role. Access to information is realized both via user authorization to the role and the role's privilege list. A role exists as a separate entity from the role-holder and/or the role administrator. In determining role organization, role relationships are used based on privilege sharing. This results in an acyclic role graph with roles being nodes and edges being role relationships. These relationships help us infer those privileges of a role that are implicitly defined. Analysis of this model indicates that it can simulate lattice-like models, hierarchical structures and privilege graphs.;Principles from the O-O paradigm are utilized to impose segmented access to object information. This approach uses methods to "window" an object's interface to facilitate segmented access to object data through different roles, and hence different users. By defining these methods to suit the intended functionality and associating them with specific roles, we in effect distribute the object interface to different roles and users. An object model is proposed as the basis of O-O executions. Further, in order to impose the well-formed transaction (WFTs) requirement, a transaction model is proposed that imposes transactional properties on method executions. By use of transaction scripts we can design executions to realize desirable outcomes.;Separation of duty is another major requirement in the Clark and Wilson model. It requires object history for its enforcement. Our proposal ensures that objects track their history. Moreover, every execution on an object utilizes the object history to determine access and updates the history with any attempted access. (Abstract shortened by UMI.)



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.