Cybersecurity policy verification with declarative programming

Applied Intelligence

Abstract

Cybersecurity is a growing concern in today’s society. Security policies have been developed to ensure that data and assets remain protected for legitimate users, but there must be a mechanism to verify that these policies can be enforced. This paper addresses the verification problem of security policies in role-based access control of enterprise software. Most existing approaches employ traditional logic or procedural programming that tends to involve complex expressions or search with backtracking. These can be time-consuming and hard to understand and update, especially for large-scale security verification problems. Declarative programming paradigms such as “Answer Set” programming have been widely used to alleviate these issues by way of elegant and flexible modeling for complex search problems. However, solving problems using these paradigms can be challenging due to the nature and limitations of the declarative problem solver. This paper presents an approach to automated security policy verification using Answer Set programming. In particular, we investigate how the separation-of-duty security policy in role-based access control can be verified. Our contribution is a modeling approach that maps this verification problem into a graph-coloring problem to facilitate the use of generate-and-test in a declarative problem-solving paradigm. The paper describes a representation model and rules that drive the Answer Set Solver and illustrates the proposed approach to securing web application software that assists the hiring process in a company.


Notes

  1. The assumption that the truth does not hold unless there is evidence that it does [21]

References

  1. Barka E, Sandhu R (2000) Framework for role-based delegation models. In: 16th Annual Computer Security Applications Conference, 2000. ACSAC’00, pp 168–176. IEEE

  2. Bertino E, Ferrari E, Atluri V (1999) The specification and enforcement of authorization constraints in workflow management systems. ACM Trans Inf Syst Secur 2(1):65–104. doi:10.1145/300830.300837

  3. Boenn G, Brain M, De Vos M, Ffitch J (2011) Automatic music composition using answer set programming. Theory and practice of logic programming 11(2-3):397–427

  4. Botha RA, Eloff JHP (2001) Separation of duties for access control enforcement in workflow environments. IBM Syst J 40(3):666–682

  5. Brewka G, Eiter T, Truszczyński M (2011) Answer set programming at a glance. Commun ACM 54(12):92–103

  6. Ferraiolo D, Cugini J, Kuhn DR (1995) Role-based access control (rbac): Features and motivations. In: Proceedings of 11th annual computer security application conference, pp 241–48

  7. Gebser M, Guziolowski C, Ivanchev M, Schaub T, Siegel A, Thiele S, Veber P (2010) Repair and prediction (under inconsistency) in large biological networks with answer set programming. In: KR

  8. Gelfond M, Lifschitz V (1988) The stable model semantics for logic programming. In: ICLP/SLP, vol 88, pp 1070–1080

  9. Gelfond M, Lifschitz V (1991) Classical negation in logic programs and disjunctive databases. New generation computing 9(3–4):365–385

  10. Gomes CP, Kautz H, Sabharwal A, Selman B (2008) Satisfiability solvers. Foundations of Artificial Intelligence 3:89–134

  11. Hewett R, Kijsanayothin P (2008) Protecting role-based information infrastructures from conflict of interest. In: Proceedings of Computer Security Conference

  12. Karp RM (1972) Reducibility among combinatorial problems. Springer

  13. Kuhn DR (1997) Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems. In: Proceedings of the second ACM workshop on Role-based access control, pp 23–30. ACM

  14. Leymann F, Roller D (2000) Production workflow: concepts and techniques

  15. Li N, Tripunitara MV, Bizri Z (2007) On mutually exclusive roles and separation-of-duty. ACM Trans Inf Syst Secur (TISSEC) 10(2):5

  16. Lifschitz V (2008) What is answer set programming? In: AAAI, vol 8, pp 1594–1597

  17. Moore RC (1985) Semantical considerations on nonmonotonic logic. Artif Intell 25(1):75–94

  18. Niemelä I, Simons P (1997) Smodels: an implementation of the stable model and well-founded semantics for normal logic programs. In: Logic Programming and Nonmonotonic Reasoning, pp 420–429. Springer

  19. Nogueira M, Balduccini M, Gelfond M, Watson R, Barry M (2001) An a-prolog decision support system for the space shuttle. In: Practical Aspects of Declarative Languages, pp 169–183. Springer

  20. Papatheodorou I, Ziehm M, Wieser D, Alic N, Partridge L, Thornton JM (2012) Using answer set programming to integrate rna expression with signalling pathway information to infer how mutations affect ageing

  21. Reiter R (1978) On closed world data bases. Springer

  22. Reiter R (1980) A logic for default reasoning. Artif Intell 13(1):81–132

  23. Ricca F, Grasso G, Alviano M, Manna M, Lio V, Iiritano S, Leone N (2012) Team-building with answer set programming in the gioia-tauro seaport. Theory and Practice of Logic Programming 12(03):361–381

  24. Sandhu R (1988) Transaction control expressions for separation of duties. In: Aerospace Computer Security Applications Conference, 1988., Fourth, pp 282–286. IEEE

  25. Sandhu RS, Coyne EJ, Feinstein HL, Youman CE (1996) Role-based access control models. Computer 2:38–47

Acknowledgments

This work is partially supported by NSF CNS-1359359. The last two authors are our summer REU (Research Experience Undergraduate) students.

Author information

Corresponding author

Correspondence to Phongphun Kijsanayothin.

About this article

Cite this article

Hewett, R., Kijsanayothin, P., Bak, S. et al. Cybersecurity policy verification with declarative programming. Appl Intell 45, 83–95 (2016). https://doi.org/10.1007/s10489-015-0749-8

  • DOI: https://doi.org/10.1007/s10489-015-0749-8
