Abstract
Usage control is concerned with how data is used after access to it has been granted. Existing usage control enforcement frameworks assume that policies already exist; the derivation of implementation-level policies from specification-level policies has not been addressed. This work fills that gap. One challenge in deriving policies is the absence of clear semantics for high-level, domain-specific constructs such as "data" and "action". In this paper we present a model-based refinement of these constructs. Using this refinement, we translate usage control policies from the specification level to the implementation level. We also provide methodological guidance to partially automate this translation.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Kumari, P., Pretschner, A. (2013). Model-Based Usage Control Policy Derivation. In: Jürjens, J., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2013. Lecture Notes in Computer Science, vol 7781. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36563-8_5
DOI: https://doi.org/10.1007/978-3-642-36563-8_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36562-1
Online ISBN: 978-3-642-36563-8