This older model is based on the idea that there is a central managing authority, called the system administration, that is ultimately responsible for the management of computer security. This management is usually done with some form of discretionary access control, under which each user is granted (or denied) privileges and resources according to the security policy enforced on that particular system. The system administration, among other things, manages the system resources, creates and destroys user accounts, and grants and revokes user privileges. This model is typified by an operating system such as UNIX.
This model introduces several difficulties when working in a distributed computing environment. This technical report addresses two of these problem areas: resource management and access control. The solution proposed herein is a ``Distributed Compartment'' model consisting of two major components. First, ``Distributed Handles'' are a method for user identification and access control. Second, ``Distributed Compartments'' are a method for allowing users to manage resources within a distributed system across computer system administrative boundaries, without many of the restraints of the old model. A formal security model is presented that defines these concepts and further refines them into a state transition model.
The formal axiomatic model presented consists of component sets and their members. A set of binary relations is used to partially order the sets and to specify operations on them. The model defines a secure system state, and rules of operation provide secure state transitions from one secure system state to another. There is a set of secure-system-state invariants that each rule must satisfy in order to maintain a secure system state. Each rule is proven secure within the model.
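The structure just described (component sets, relations between them, invariants that define a secure state, and rules of operation that are only accepted when the successor state is again secure) can be exercised in a small executable model. This is an added Python illustration, not the report's own model: the sets (users, handles, compartments spanning administrative domains, grants), the two invariants and the rules are assumptions made for the example.

```python
import copy

class State:
    """One system state: component sets of a toy handle/compartment model (assumed, not the report's)."""
    def __init__(self):
        self.users = set()        # U: user identities
        self.handles = {}         # H: handle id -> owning user
        self.compartments = {}    # C: name -> set of (admin_domain, resource) it manages
        self.grants = set()       # G, a subset of H x C: handle may operate on compartment

# Secure-state invariants (assumed for this example) that every rule must preserve.
def inv_handles_have_owner(s):
    return all(u in s.users for u in s.handles.values())
def inv_grants_well_formed(s):
    return all(h in s.handles and c in s.compartments for h, c in s.grants)
INVARIANTS = (inv_handles_have_owner, inv_grants_well_formed)
def is_secure(s):
    return all(inv(s) for inv in INVARIANTS)

def transition(s, rule, *args):
    """Apply a rule of operation; the successor state is accepted only if it is secure."""
    assert is_secure(s), "transition attempted from an insecure state"
    nxt = rule(copy.deepcopy(s), *args)
    return (nxt, True) if is_secure(nxt) else (s, False)

# Rules of operation: each builds the candidate successor from a copy of the state.
def add_user(s, u): s.users.add(u); return s
def create_handle(s, h, u): s.handles[h] = u; return s
def create_compartment(s, c, members): s.compartments[c] = set(members); return s
def grant(s, h, c): s.grants.add((h, c)); return s
def remove_user_naive(s, u):   # leaves the user's handles dangling: violates an invariant
    s.users.discard(u); return s
def remove_user(s, u):         # revokes the user's handles and their grants first
    dead = {h for h, owner in s.handles.items() if owner == u}
    s.grants = {(h, c) for h, c in s.grants if h not in dead}
    for h in dead: del s.handles[h]
    s.users.discard(u); return s

def can_access(s, h, domain, resource):
    """Access decision: the handle holds a grant on a compartment that manages the resource."""
    return any((h, c) in s.grants and (domain, resource) in s.compartments[c] for c in s.compartments)

def demo():
    s = State()
    for rule, args in [(add_user, ("alice",)), (create_handle, ("h1", "alice")),
                       (create_compartment, ("proj", {("hostA", "/data"), ("hostB", "/data")})),
                       (grant, ("h1", "proj"))]:
        s, ok = transition(s, rule, *args); assert ok
    cross = can_access(s, "h1", "hostB", "/data")            # compartment spans two admin domains
    s, ok_naive = transition(s, remove_user_naive, "alice")  # rejected, state unchanged
    s, ok_safe = transition(s, remove_user, "alice")         # accepted
    return cross, ok_naive, ok_safe, is_secure(s)
```

The naive removal rule is rejected because its successor state breaks an invariant, while the rule that revokes the user's handles first is accepted; this is the per-rule check the report's proofs establish once and for all rather than at run time.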