
Model-Based Usage Control Policy Derivation

Conference paper
Engineering Secure Software and Systems (ESSoS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7781)


Abstract

Usage control is concerned with how data is used after access to it has been granted. Existing usage control enforcement frameworks assume that policies already exist; the derivation of implementation-level policies from specification-level policies has not been investigated. This work fills that gap. One challenge in deriving policies is the absence of clear semantics for high-level, domain-specific constructs such as data and action. In this paper we present a model-based refinement of these constructs. Using this refinement, we translate usage control policies from the specification level to the implementation level. We also provide methodological guidance to partially automate this translation.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kumari, P., Pretschner, A. (2013). Model-Based Usage Control Policy Derivation. In: Jürjens, J., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2013. Lecture Notes in Computer Science, vol 7781. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36563-8_5


  • DOI: https://doi.org/10.1007/978-3-642-36563-8_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36562-1

  • Online ISBN: 978-3-642-36563-8

  • eBook Packages: Computer Science, Computer Science (R0)
