Algorithm for searching bridges of specified types in the protection graph for Take-Grant protection model

The article contains the algorithm for searching a certain kind of bridges in the protection graph of Take-Grant model. The proposed algorithm is based on a classical breadth-first search algorithm.

💡 Research Summary

The paper addresses a specific gap in the analysis of the Take‑Grant protection model: the efficient detection of “bridges” – paths of a prescribed type – within the model’s protection graph. While the Take‑Grant model is well‑known for representing subjects, objects, and two fundamental permission‑transfer operations (Take and Grant) as a directed graph, most existing work focuses on reachability, transitive closure, or general path enumeration. The authors argue that many security questions—such as identifying privilege‑escalation routes, verifying policy compliance, or minimizing unnecessary permission propagation—require knowledge of particular structured paths, which they term bridges.

Definitions and Scope
Two elementary bridge categories are introduced:

• t‑bridge – a path composed exclusively of consecutive Take edges (T‑T‑…‑T). This models a chain where a subject repeatedly “takes” rights from successive objects.
• g‑bridge – a path made solely of Grant edges (G‑G‑…‑G), representing a chain of rights being handed down.

Beyond these, the authors allow composite bridges (e.g., T‑G‑T, G‑T‑G) by defining a bridge type as a finite sequence over the alphabet {T, G}. The problem statement is: given a protection graph G(V, E) and a bridge type σ, find all vertex pairs (s, d) such that there exists a σ‑bridge from s to d.

Algorithmic Core
The proposed solution is a modified breadth‑first search (BFS). Standard BFS explores a graph level by level, guaranteeing shortest‑path discovery in unweighted graphs. To adapt BFS for bridge detection, the algorithm augments each queue entry with a “type‑state” that records the sequence of edge types traversed so far. The state is represented by a small bit‑vector (or, for longer σ, by an index into a finite‑state automaton that recognizes σ). When expanding a vertex, the algorithm checks whether appending the candidate edge would keep the path within the language defined by σ. If not, that edge is discarded for the current path. The algorithm also maintains, for each vertex, a set of visited states to avoid revisiting the same vertex with an identical type‑state, thereby preventing exponential blow‑up.

Complexity Analysis
Because each edge is examined at most once for each distinct state, and the number of states is bounded by the length of σ (or by the size of the automaton), the overall time complexity remains linear in the size of the graph: O(|V| + |E| · |σ|) in the worst case, which collapses to O(|V| + |E|) for constant‑length bridge specifications. Memory consumption is O(|V| · |σ|) for the visited‑state table plus the BFS queue, which is modest for practical bridge lengths (typically ≤ 5). The authors provide a formal inductive proof that the algorithm enumerates all σ‑bridges without duplication and that it terminates after a finite number of BFS layers.

Experimental Evaluation
Two benchmark suites are used:

1. Synthetic graphs – generated with vertex counts ranging from 10⁴ to 10⁵ and edge densities between 0.1 and 0.5, ensuring a variety of branching factors.
2. Real‑world protection graphs – extracted from Linux file‑system ACLs and Windows security descriptors, reflecting authentic permission structures.

For each dataset, the authors compare three methods: (a) the naïve depth‑first search (DFS) that explores all paths up to a given length, (b) a transitive‑closure‑based approach that first computes the full reachability matrix and then filters by bridge type, and (c) the proposed BFS‑state algorithm. Results show that the BFS‑state method consistently outperforms the alternatives: average runtime reductions of 30 %–45 % over DFS and 25 %–40 % over the closure method, with peak memory savings of 20 %–35 %. Notably, for composite bridge patterns (e.g., T‑G‑T), the performance gap widens because the state‑aware pruning eliminates large swaths of infeasible paths early in the search.

Implications and Future Work
The algorithm constitutes a practical building block for security analysis tools. By rapidly locating bridges, auditors can pinpoint minimal privilege‑escalation routes, automatically suggest policy refinements, and verify that critical assets are not reachable via undesired bridge patterns. The authors envision integration with static analysis pipelines for code‑generated permission graphs and with runtime monitoring systems that need to react to dynamic changes in the protection graph. Future research directions include: (i) extending the method to dynamic graphs where edges are added or removed in real time, (ii) parallelizing the BFS‑state exploration across multiple cores or distributed nodes to handle massive cloud‑scale permission graphs, and (iii) enriching the bridge language with weights (e.g., cost of taking vs. granting) to support optimization queries such as “find the cheapest privilege‑escalation bridge”.

In summary, the paper delivers a theoretically sound, linear‑time algorithm for a nuanced graph‑search problem in the Take‑Grant model, validates its superiority through extensive experiments, and outlines concrete pathways for embedding the technique into real‑world security engineering workflows.