Protection and security in a dataflow system
Abstract
This thesis presents a study of problems in protection and security that arise in a general-purpose computing facility. We study these problems in the context of a dataflow system. The protection mechanisms are based on attaching keys to values exchanged among different subjects (users) of the system. Subjects are modelled as dataflow resource managers. A key attached to a value does not prevent that value from being propagated to any place within the system; rather, it guarantees that the value and any information derived from that value cannot leave the system (cannot be output) unless the same key is presented. The idea of attaching a key to a value is also used to allow the origin of that value to be verified. This facility is employed to provide a basis for private/secret interprocess communication. The operations of attaching and detaching keys in the low-level system are controlled by the user via special primitives incorporated in the high-level dataflow language Id.
The capabilities of the protection system are demonstrated by giving solutions to several well-known protection problems, e.g. "The Selective Confinement Problem", "The Trojan Horse Problem", "Mutual Suspicion", "The Prison Mail System Problem", and others. Also discussed is the inherently difficult problem of "sneaky signaling" using time delays, absence of information, and the error-handling facility itself.
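As an added illustration (not code from the thesis, and not the Id primitives it describes), a small Python model of the key-attachment semantics the abstract outlines: a key travels with a value and with anything derived from it, the output gate releases a value only when every attached key is presented, and a separate origin key lets a consumer check where a value came from. The names `attach`, `derive`, `output`, `stamp`, `verify` and the keys `k_user`, `k_service`, `k_alice` are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Value:
    data: object
    keys: frozenset = frozenset()       # protection keys attached to this value
    origin: Optional[str] = None        # origin key stamped by the producing subject


class OutputDenied(Exception):
    """Raised when a value tries to leave the system without its keys presented."""


def attach(v: Value, key: str) -> Value:
    """Attach a protection key. The value may still flow anywhere inside the system."""
    return Value(v.data, v.keys | {key}, v.origin)


def derive(fn: Callable, *inputs: Value) -> Value:
    """A value computed from keyed inputs inherits the union of their keys.
    The origin stamp is dropped: the derived value was not produced by the stamper
    (an assumption of this model)."""
    keys = frozenset().union(*(i.keys for i in inputs))
    return Value(fn(*(i.data for i in inputs)), keys, None)


def output(v: Value, presented: set) -> object:
    """The only exit from the system: every attached key must be presented."""
    missing = v.keys - presented
    if missing:
        raise OutputDenied(f"missing keys: {sorted(missing)}")
    return v.data


def stamp(v: Value, origin_key: str) -> Value:
    """Attach an origin key so a consumer can verify who produced the value."""
    return Value(v.data, v.keys, origin_key)


def verify(v: Value, origin_key: str) -> bool:
    return v.origin == origin_key


def confinement_demo():
    """Selective confinement: a user's keyed value passes through an untrusted
    service (the Trojan horse), which cannot output anything derived from it
    without presenting the user's key. Sample values are constructed here."""
    salary = attach(Value(90_000), "k_user")
    bonus = Value(5_000)                           # unkeyed, service-side value
    total = derive(lambda s, b: s + b, salary, bonus)
    try:
        output(total, {"k_service"})               # service presents only its own key
        leaked = True
    except OutputDenied:
        leaked = False
    released = output(total, {"k_user", "k_service"})
    return leaked, released, sorted(total.keys)
```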