• DocumentCode
    753890
  • Title

    Unidirectional Transport of Rights and Take–Grant Control

  • Author

    Lockman, Abe ; Minsky, Naftaly

  • Author_Institution
    Department of Computer Science, Rutgers University
  • Issue
    6
  • fYear
    1982
  • Firstpage
    597
  • Lastpage
    604
  • Abstract
    One of the most critical and least understood aspects of protection is the exercise of control over the movement of rights between the subjects of a system. The conventional Take-Grant mechanism for exercising such control suffers from a puzzling and unfortunate limitation: it cannot enforce strictly unidirectional channels for the flow of rights. That is, if rights can be moved directly or indirectly from some subject p to another subject q, then one cannot prevent rights from flowing in the opposite direction, from q to p. This property limits the applicability of this mechanism and therefore that of any protection scheme utilizing it. We analyze the nature and ramifications of this limitation and demonstrate that its root cause is the fact that (under this mechanism) a right possessed by a sender suffices to authorize a movement of rights. We propose an alternative, "Take-Receive," model in which this limitation is eliminated, thus enabling the implementation of more useful protection disciplines. We prove this result by analyzing the dynamic behavior of the proposed model.
  • Keywords
    Access Control; Take-Grant model; protection; transport of rights; Access control; Computer science; Control systems; Mechanical factors; Protection; Software engineering
  • fLanguage
    English
  • Journal_Title
    Software Engineering, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    0098-5589
  • Type

    jour

  • DOI
    10.1109/TSE.1982.236020
  • Filename
    1702993