The HRU security model (Harrison, Ruzzo, Ullman model) is an operating system level computer security model which deals with the integrity of access rights in the system. It is an extension of the Graham-Denning model, based around the idea of a finite set of procedures being available to edit the access rights of a subject on an object .

The security model proposed by Harrison, Ruzzo, and Ullman (HRU) [1] is a discretionary access control model. In HRU, the current set of access rights at any given time can be represented by a matrix, with one row for each subject and one column …

2020年4月10日 · 是指在DAC的基础上提出的、能够为数据提供较高强度保护的一类安全模型。 是根据客体中信息的敏感程度和访问敏感信息的主体的安全级别，对客体的访问实行限制的一种方法。

The HRU Model uses a set of six primitive operations to manipulate access rights: create object, destroy object, create subject, destroy subject, enter right, and delete right. The model considers the security of a system by studying the possible sequences of operations that may lead to a violation of the safety property.

HRU Model – Safety of States Definition 1: “access to resources without the concurrence of the owner is impossible” [HRU76] Definition 2: “the user should be able to tell whether what he is about to do (give away a right, presumably) can lead to the further leakage of that right to truly unauthorized subjects” [HRU76]

2016年6月23日 · HRU模型是访问控制矩阵模型中的一种。 访问矩阵是以主体为行索引、以客体为列索引的矩阵的第i行第j列的矩阵元素 a[si,oj] ⊆ R a [s i, o j] ⊆ R 表示主体 si s i 对客体 oj o j 拥有的权限。 对于文件客体的r、w、a、own都比较清楚。 对于进程的读、写等在不同的系统中可能含义不同。 读：“读”进程可以接收“被读”进程发送的消息。 读：“读”进程可以读取“被读”进程的状态。 系统的保护状态可以用三元组 (S, O, A) (S, O, A) 表示。 假设P是所有的保护状态的集合，Q …

The HRU Model – States Definition. A state, i.e. an access matrix M, is said to leak the right r if there exists a command c that adds the right r into an entry in the access matrix that previously did not contain r. More formally, there exist s and o such that r …

This paper focuses on the efficient algorithmic safety analysis of HRU security models. We present the theory and practical application of a method that decomposes a model into smaller and autonomous sub-models that are more efficient to analyze.

[HRU] We say that a command α(x1,...,xk) leaks generic right r from Q if α, when run on Q, can execute a primitive operation which enters r into a cell of the access matrix which did not previously contain r.

Dorothy Denning, in her 1999 National Computer Systems Security Award: “[HRU] showed that it was theoretically undecidable whether an arbitrary access-matrix model is safe” and, “This result ... showed that there were limits to the widely-used access-matrix model.''