私密性（Security）模型

Access-control Matrix Model (访问控制矩阵)：

矩阵的行对应‘主体’（Subject），列表示‘实体’（Entity，包括主体Subject和客体Object）。

术语：

• Subject，is an active entity, such as a process or a user. 主动的实体，主体。
• Object, is a passive entity, such as a file.被动的实体，客体。
• Right, describes what a subject is allowed to do to an object; for example, the read right gives permission for a subject to read a file. 主体对客体的操作权限。
• Protection state, of a system simply refers to the rights held by all subjects on the system.系统所有主体拥有的权限。

Primitive Operations(原始操作/基本操作)：

Create subject s creates a new row and column, both labeled s

Create object o creates a new column labeled o

Enter r into A[s, o] adds the right r into the entry in row s and column o; it corresponds to giving the subject s the right r over the entity o

Delete r from A[s, o] removes the right r from the entry in row s and column o; it corresponds to deleting the subject s’s right r over the entity o

Destroy subject s removes the row and column labeled s

Destroy object o removes the column labeled o

每一个操作都能对应到一个命令（Commands），如：

command createread(p, f)
create object f
enter read into A[p, f]
enter own into A[p, f]
end.

Mono-operational command（单操作命令）:

A mono-operational command consists of a single primitive operation. 对应一个‘原始操作’ 的命令。

命令中可加入执行条件，如：

command grantexec(p, f)
if read in A[p, f] then
enter execute into A[p, f]
end.

Monoconditional command（单条件命令）：只有一个条件的命令。

Biconditional command（双条件命令）：命令执行条件是用and连接的两个子条件。如：

command copyread(p, q, f)
if read in A[p, f] and own in A[p, f] then
enter read into A[q, f]
end.

Mono-operational system（单操作系统）：所有命令都是‘单操作命令’的系统。

相似的，有Monocaonditionial system(单条件系统：所有命令都是单条件的)、Biconditional system（双条件系统：所有命令都是双条件的）。

Monotonic system（单调系统）：没有delete或destroy原始操作的系统。

monotonic policies：如：where access rights can be deleted only if the deletion is itself reversible.

系统安全的定义：A system is secure with repect to a generic right r if that right cannot be added to an entity in the access-control matrix unless that square already contains it.

如果任意权限无法加入现有的访问控制矩阵，则该系统是安全的。

Safety Question（安全问题）：Is there an algorithm to determine whether a given system with
initial state 𝜎 is secure with respect to a given right? 对于给定初态为𝜎的系统，是否存在一个算法，该算法可根据给定的某系统权限确定该系统是否是安全的？

定理1：Safety Question是不可判定的。

安全问题等价于‘停机问题’。没有一个通用的算法可确定系统是否是安全的。但对某类特定系统，安全问题是可判定的。

定理2：There is an algorithm that will determine whether mono-operational systems are secure with respect to a generic right r. 存在算法，可根据某权限r，确定‘单操作系统’是否是安全的。

定理3：The safety question for monotonic systems is undecidable. 单调系统的安全性是不可判定的。

定理4：The safety question for biconditional monotonic systems is undecidable. 双条件单调系统的安全性是不可判定的。

定理5：There is an algorithm that will determine whether monoconditional monotonic systems are secure with respect to a generic right r. 单条件单调系统的安全性是可判定的。

定理6：There is an algorithm that will determine whether monotonic systems that do not use the destroy primitive operations are secure with respect to a generic right r. 仅没有使用destroy原始操作的系统，其安全性是可判定的。

Typed Access-control Martix Model (TAM):

给访问控制矩阵中的实体增加了类型type，（而不只是主体和客体）。

定理7：There is an algorithm that will determine whether acyclic, monotonic typed matrix models are secure with respect to a generic right r. 非循环单调系统的TAM模型可用于判定系统是否是安全的。

In TAM, a rule set is acyclic非循环的 if neither an entity E nor any of its descendants can create a new entity with the same type as E.

非循环、单调，是安全性可判定的充分条件，但安全性可判定的必要条件仍是未知的。