A Framework for the Modular Specification and Orchestration of Authorization Policies

  • Conference paper
Information Security Technology for Applications (NordSec 2010)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7127)

Abstract

Many frameworks for defining authorization policies fail to make a clear distinction between policy and state. We believe this distinction to be a fundamental requirement for the construction of scalable, distributed authorization services. In this paper, we introduce a formal framework for the definition of authorization policies, which we use to construct the policy authoring language APOL. This framework makes the required distinction between policy and state, and APOL permits the specification of complex policy orchestration patterns even in the presence of policy gaps and conflicts. A novel aspect of the language is the use of a switch operator for policy orchestration, which can encode the commonly used rule- and policy-combining algorithms of existing authorization languages. We define denotational and operational semantics for APOL and then extend our framework with statically typed methods for policy orchestration, develop tools for policy analysis, and show how that analysis can improve the precision of static typing rules.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Crampton, J., Huth, M. (2012). A Framework for the Modular Specification and Orchestration of Authorization Policies. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_11

  • DOI: https://doi.org/10.1007/978-3-642-27937-9_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27936-2

  • Online ISBN: 978-3-642-27937-9

  • eBook Packages: Computer Science, Computer Science (R0)
