Abstract
Cybersecurity is a growing concern in today’s society. Security policies have been developed to ensure that data and assets remain protected for legitimate users, but there must be a mechanism to verify that these policies can be enforced. This paper addresses the verification problem of security policies in role-based access control of enterprise software. Most existing approaches employ traditional logic or procedural programming that tends to involve complex expressions or search with backtracking. These can be time-consuming and hard to understand and update, especially for large-scale security verification problems. Declarative programming paradigms such as “Answer Set” programming have been widely used to alleviate these issues by way of elegant and flexible modeling for complex search problems. However, solving problems using these paradigms can be challenging due to the nature and limitations of the declarative problem solver. This paper presents an approach to automated security policy verification using Answer Set programming. In particular, we investigate how the separation of duty security policy in role-based access control can be verified. Our contribution is a modeling approach that maps this verification problem into a graph-coloring problem to facilitate the use of generate-and-test in a declarative problem-solving paradigm. The paper describes a representation model and rules that drive the Answer Set Solver and illustrates the proposed approach to securing web application software to assist the hiring process in a company.
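An added example, not code from the paper: the abstract does not give the encoding, so this assumes tasks are graph vertices, separation-of-duty constraints are edges, and users are colours restricted by their roles. The hiring workflow, users and roles are constructed, and the generate-and-test step is written in Python rather than Answer Set syntax.

```python
from itertools import product

# Constructed sample data (hypothetical hiring workflow, not from the paper).
USER_ROLES = {
    "alice": {"recruiter"},
    "bob": {"recruiter", "manager"},
    "carol": {"manager", "hr_director"},
}
TASK_ROLE = {  # role required to perform each task
    "post_job": "recruiter",
    "screen": "recruiter",
    "interview": "manager",
    "approve_offer": "hr_director",
}
# Separation-of-duty edges: the two tasks must be done by different users.
CONFLICTS = [("screen", "interview"), ("interview", "approve_offer")]


def allowed_users(task, user_roles, task_role):
    """List colouring: the users (colours) whose roles permit this task."""
    return sorted(u for u, roles in user_roles.items()
                  if task_role[task] in roles)


def sod_assignments(user_roles, task_role, conflicts):
    """Generate every authorised task->user map, then test the SoD edges."""
    tasks = sorted(task_role)
    domains = [allowed_users(t, user_roles, task_role) for t in tasks]
    proper = []
    for combo in product(*domains):              # generate candidates
        colouring = dict(zip(tasks, combo))
        if all(colouring[a] != colouring[b] for a, b in conflicts):  # test
            proper.append(colouring)
    return proper


def verify(user_roles, task_role, conflicts):
    """The policy is enforceable iff at least one proper colouring exists."""
    return bool(sod_assignments(user_roles, task_role, conflicts))


if __name__ == "__main__":
    for assignment in sod_assignments(USER_ROLES, TASK_ROLE, CONFLICTS):
        print(assignment)
    print("enforceable:", verify(USER_ROLES, TASK_ROLE, CONFLICTS))
```

An empty result means the role assignment cannot satisfy the separation-of-duty constraints at all, which is the verification failure a policy reviewer needs to see before deployment.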
Notes
The assumption that the truth does not hold unless there is evidence that it does [21]
References
Barka E, Sandhu R (2000) Framework for role-based delegation models. In: 16th Annual Computer Security Applications Conference, 2000 (ACSAC’00), pp 168–176. IEEE
Bertino E, Ferrari E, Atluri V (1999) The specification and enforcement of authorization constraints in workflow management systems. ACM Trans Inf Syst Secur 2(1):65–104. doi:10.1145/300830.300837
Boenn G, Brain M, De Vos M, Ffitch J (2011) Automatic music composition using answer set programming. Theory and Practice of Logic Programming 11(2–3):397–427
Botha RA, Eloff JHP (2001) Separation of duties for access control enforcement in workflow environments. IBM Syst J 40(3):666–682
Brewka G, Eiter T, Truszczyński M (2011) Answer set programming at a glance. Commun ACM 54 (12):92–103
Ferraiolo D, Cugini J, Kuhn DR (1995) Role-based access control (RBAC): features and motivations. In: Proceedings of 11th Annual Computer Security Application Conference, pp 241–48
Gebser M, Guziolowski C, Ivanchev M, Schaub T, Siegel A, Thiele S, Veber P (2010) Repair and prediction (under inconsistency) in large biological networks with answer set programming. In: KR
Gelfond M, Lifschitz V (1988) The stable model semantics for logic programming. In: ICLP/SLP, vol 88, pp 1070–1080
Gelfond M, Lifschitz V (1991) Classical negation in logic programs and disjunctive databases. New Generation Computing 9(3–4):365–385
Gomes CP, Kautz H, Sabharwal A, Selman B (2008) Satisfiability solvers. Foundations of Artificial Intelligence 3:89–134
Hewett R, Kijsanayothin P (2008) Protecting role-based information infrastructures from conflict of interest. In: Proceedings of Computer Security Conference
Karp RM (1972) Reducibility among combinatorial problems. Springer
Kuhn DR (1997) Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems. In: Proceedings of the second ACM workshop on Role-based access control, pp 23–30. ACM
Leymann F, Roller D (2000) Production workflow: concepts and techniques
Li N, Tripunitara MV, Bizri Z (2007) On mutually exclusive roles and separation-of-duty. ACM Trans Inf Syst Secur (TISSEC) 10(2):5
Lifschitz V (2008) What is answer set programming? In: AAAI, vol 8, pp 1594–1597
Moore RC (1985) Semantical considerations on nonmonotonic logic. Artif Intell 25(1):75–94
Niemelä I, Simons P (1997) Smodels - an implementation of the stable model and well-founded semantics for normal logic programs. In: Logic Programming and Nonmonotonic Reasoning, pp 420–429. Springer
Nogueira M, Balduccini M, Gelfond M, Watson R, Barry M (2001) An A-Prolog decision support system for the space shuttle. In: Practical Aspects of Declarative Languages, pp 169–183. Springer
Papatheodorou I, Ziehm M, Wieser D, Alic N, Partridge L, Thornton JM (2012) Using answer set programming to integrate RNA expression with signalling pathway information to infer how mutations affect ageing
Reiter R (1978) On closed world data bases. Springer
Reiter R (1980) A logic for default reasoning. Artif Intell 13(1):81–132
Ricca F, Grasso G, Alviano M, Manna M, Lio V, Iiritano S, Leone N (2012) Team-building with answer set programming in the gioia-tauro seaport. Theory and Practice of Logic Programming 12(03):361–381
Sandhu R (1988) Transaction control expressions for separation of duties. In: Fourth Aerospace Computer Security Applications Conference, 1988, pp 282–286. IEEE
Sandhu RS, Coyne EJ, Feinstein HL, Youman CE (1996) Role-based access control models. Computer 2:38–47
Acknowledgments
This work is partially supported by NSF CNS-1359359. The last two authors are our summer REU (Research Experience Undergraduate) students.
Cite this article
Hewett, R., Kijsanayothin, P., Bak, S. et al. Cybersecurity policy verification with declarative programming. Appl Intell 45, 83–95 (2016). https://doi.org/10.1007/s10489-015-0749-8
DOI: https://doi.org/10.1007/s10489-015-0749-8