Gaétan Hains

Access Control in Collaborative Environments, Security of Grid and Cluster Architectures Supporting Cooperative Applications. Static checking of MAC meta-policy. Parallel processing.

Discretionary Access Control has shown its limits, as malicious hackers usually find their way to root access. The need for stronger control is clear, and Mandatory Access Control is preferred, where management is not delegated to end-users but to an independent kernel-level entity. There are many models of access control, the most generic being the Lampson access matrix model [8]. The classic Bell-La Padula model [2] implements access control in a hierarchical way: “No Read Up”, “No Write Down” to ensure the absence of downwards information flow. Such models have been heavily criticized as difficult to apply on standard operating systems.
Toinard, Blanc et al. [3], [4] have presented a novel approach where distributed nodes can locally update their MAC policies. It enables distributed nodes to update their access rights to satisfy their local policy while satisfying a common and static . This approach can serve distributed applications relying on a set of Internet nodes and on a shared parallel processing environment like the one we address here. The framework provides a meta-policy guaranteeing that distributed modifications satisfy a control policy stating who has the right to make local modifications, and for which attributes and rules. The purpose is to be able to guarantee that there is no information flow for non-permitted interactions and that all permitted interactions remain so after an arbitrary set of local changes to access rights.

We first outline the meta-policy MAC framework, explain how static checking reduces to accessibility in an infinite graph, and propose a parallel algorithm for solving decidable fragments of this problem. Finally, we estimate performance levels for this algorithm on realistic architectures.

are represented by a protection matrix similar to that of SLAT for SELinux [5]. From this protection matrix, we derive an information flow matrix describing the possibility of information flow from one entity (called “security context”) to another, or its absence. It is a square matrix, or alternatively, a graph whose edges are the security contexts. Reachability in the information flow graph provides sufficient information to detect the possible failure of usual security properties and, conversely, the assurance of required information flow, i.e. confidentiality and availability.

0-9785699-1-1/07/$25.00 ©2007 IEEE.
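The derivation described above (protection matrix, then information flow graph, then reachability checks) can be sketched for a small finite case. This is an added example, not code from the paper: the context names, the sample matrix, the two properties, and the rule that a write moves data from subject to object while a read moves it from object to subject are all assumptions made for illustration.

```python
from collections import deque

# Constructed protection matrix: (subject context, object context) -> permissions.
# Context names are SELinux-style labels chosen for illustration only.
PROTECTION = {
    ("user_t", "user_home_t"): {"read", "write"},
    ("user_t", "tmp_t"): {"read", "write"},
    ("httpd_t", "tmp_t"): {"read"},
    ("httpd_t", "web_content_t"): {"read", "write"},
    ("admin_t", "shadow_t"): {"read", "write"},
    ("admin_t", "user_home_t"): {"read"},
}
FORBIDDEN = [("shadow_t", "web_content_t")]  # confidentiality: flow must not exist
REQUIRED = [("user_t", "web_content_t")]     # availability: flow must stay possible

def flow_graph(protection):
    """Assumed rule: write moves data subject -> object, read moves it object -> subject."""
    edges = {}
    for (subj, obj), perms in protection.items():
        edges.setdefault(subj, set())
        edges.setdefault(obj, set())
        if "write" in perms:
            edges[subj].add(obj)
        if "read" in perms:
            edges[obj].add(subj)
    return edges

def reachable(edges, source):
    """Breadth-first search: every context that data from `source` can reach."""
    seen, queue = {source}, deque([source])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def check(protection, forbidden=FORBIDDEN, required=REQUIRED):
    """Return (forbidden flows that exist, required flows that are missing)."""
    edges = flow_graph(protection)
    violations = [(s, d) for s, d in forbidden if d in reachable(edges, s)]
    missing = [(s, d) for s, d in required if d not in reachable(edges, s)]
    return violations, missing

def accept_local_change(protection, change):
    """Accept a local update only if both properties still hold afterwards."""
    return check({**protection, **change}) == ([], [])

if __name__ == "__main__":
    print(check(PROTECTION))
    print(accept_local_change(PROTECTION, {("admin_t", "tmp_t"): {"write"}}))
```

Granting `admin_t` write access to `tmp_t` looks harmless as a single rule, but it is rejected because it completes an indirect path from `shadow_t` to `web_content_t`; this is why the check is done on reachability rather than on individual matrix entries.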