Abstract
An apparently prevailing myth is that safety is undecidable in
Discretionary Access Control (DAC); therefore, one needs to invent new
DAC schemes in which safety analysis is decidable. In this paper, we
dispel this myth. We argue that DAC should not be equated with the
Harrison-Ruzzo-Ullman scheme, in which safety is undecidable. We
present an efficient (running time cubic in its input size) algorithm
for deciding safety in the Graham-Denning DAC scheme, which subsumes the
DAC schemes used in the literature on comparing DAC with other access control
models. We also refute several claims made in recent work by Solworth
and Sloan, in which the authors present a new access control
scheme based on labels and relabelling and claim that it can ``implement
the full range of DAC models''. We present a precise characterization of
their access control scheme and show that it does not adequately capture a simple DAC scheme.