Abstract
We describe the design and implementation of Soutei, a trust-management system and a dialect of Binder, for access control in distributed systems. Soutei policies and credentials are written in a declarative logic-based security language and thus constitute distributed logic programs. Soutei policies are modular, concise, and readable. They support policy verification and, despite the simplicity of the language, express role- and attribute-based access control lists and conditional delegation.
We describe the real-world deployment of Soutei into a publish-subscribe web service with distributed and compartmentalized administration, emphasizing the often overlooked aspect of authorizing the creation of resources and the corresponding policies.
Soutei brings Binder from a research prototype into the real world. Supporting large, truly distributed policies required non-trivial changes to Binder, in particular mode-restriction and goal-directed top-down evaluation. To improve the robustness of our evaluator, we describe a fair and terminating backtracking algorithm.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pimlott, A., Kiselyov, O. (2006). Soutei, a Logic-Based Trust-Management System. In: Hagiya, M., Wadler, P. (eds) Functional and Logic Programming. FLOPS 2006. Lecture Notes in Computer Science, vol 3945. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11737414_10
DOI: https://doi.org/10.1007/11737414_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-33438-5
Online ISBN: 978-3-540-33439-2
eBook Packages: Computer Science, Computer Science (R0)