
Algebra and logic for access control

Formal Aspects of Computing

An Erratum to this article was published on 21 April 2010

Abstract

The access control problem in computer security is fundamentally concerned with the ability of system entities to see, make use of, or alter various system resources. We provide a mathematical framework for modelling and reasoning about (distributed) systems with access control. This is based on a calculus of resources and processes together with a Hennessy–Milner-style modal logic, based on the connectives of bunched logic, for which an appropriate correspondence theorem obtains. As a consequence we get a consistent account of both operational behaviour and logical reasoning for systems with access control features. In particular, we are able to introduce a process combinator that describes, as a form of concurrent composition, the action of one agent in the role of another, and provide a logical characterization of this operator via a modality ‘says’. We give a range of examples, including analyses of co-signing, roles, and chains of trust, which illustrate the utility of our mathematical framework.




Author information


Corresponding author

Correspondence to Matthew Collinson.

Additional information

Communicated by J.V. Tucker

An erratum to this article can be found at http://dx.doi.org/10.1007/s00165-010-0155-2


About this article

Cite this article

Collinson, M., Pym, D. Algebra and logic for access control. Form Asp Comp 22, 83–104 (2010). https://doi.org/10.1007/s00165-009-0107-x


  • DOI: https://doi.org/10.1007/s00165-009-0107-x
