A Fully Decentralized Data Usage Control Enforcement Infrastructure

  • Florian KelbertEmail author
  • Alexander Pretschner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9092)


Distributed data usage control enables data owners to constrain how their data is used by remote entities. However, many data usage policies refer to events happening within several distributed systems, e.g. “at each point in time at most two clerks might have a local copy of this contract”, or “a contract must be approved by at least two clerks before it is sent to the customer”. While such policies can intuitively be enforced using a centralized infrastructure, major drawbacks are that such solutions constitute a single point of failure and that they are expected to cause heavy communication and performance overhead. Hence, we present the first fully decentralized infrastructure for the preventive enforcement of data usage policies. We provide a thorough evaluation of our infrastructure and show in which scenarios it is superior to a centralized approach.


Policy Evaluation Communication Overhead Policy Enforcement Global Policy Expression Tree 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was supported by the DFG Priority Programme 1496 “Reliably Secure Software Systems - RS3”, grant PR-1266/3.

Supplementary material


  1. 1.
    Pretschner, P., Alexander, A., Hilty, H., Manuel, M., Basin, B., David, D.: Distributed usage control. Commun. ACM 49(9), 39–44 (2006)CrossRefGoogle Scholar
  2. 2.
    Park, J., Sandhu, R.: Towards usage control models: beyond traditional access control. In: Proceedings of the 7th ACM Symposium on Access Control Models and Technologies, pp. 57–64 (2002)Google Scholar
  3. 3.
    Park, J., Sandhu, R.: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004)CrossRefGoogle Scholar
  4. 4.
    Zhang, X., Parisi-Presicce, F., Sandhu, R., Park, J.: Formal model and policy specification of usage control. ACM Trans. Inf. Syst. Secur. 8(4), 351–387 (2005)CrossRefGoogle Scholar
  5. 5.
    Hilty, M., Pretschner, A., Basin, D., Schaefer, C., Walter, T.: A policy language for distributed usage control. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 531–546. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  6. 6.
    Basin, D., Harvan, M., Klaedtke, F., Zălinescu, E.: Monitoring data usage in distributed systems. IEEE Trans. Softw. Eng. 39(10), 1403–1426 (2013)CrossRefGoogle Scholar
  7. 7.
    Pretschner, A., Lovat, E., Büchler, M.: Representation-independent data usage control. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., de Capitani di Vimercati, S. (eds.) DPM 2011 and SETOP 2011. LNCS, vol. 7122, pp. 122–140. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  8. 8.
    Lazouski, A., Mancini, G., Martinelli, F., Mori, P.: Architecture, workflows, and prototype for stateful data usage control in cloud. In: IEEE Security and Privacy Workshops, pp. 23–30, May 2014Google Scholar
  9. 9.
    Fromm, A., Kelbert, F., Pretschner, A.: Data protection in a cloud-enabled smart grid. In: Cuellar, J. (ed.) SmartGridSec 2012. LNCS, vol. 7823, pp. 96–107. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  10. 10.
    Harvan, M., Pretschner, A.: State-based usage control enforcement with data flow tracking using system call interposition. In: 3rd International Conference on Network and System Security, pp. 373–380, October 2009Google Scholar
  11. 11.
    Kelbert, F., Pretschner, A.: Towards a policy enforcement infrastructure for distributed usage control. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, pp. 119–122, June 2012Google Scholar
  12. 12.
    Kelbert, F., Pretschner, A.: Data usage control enforcement in distributed systems. In: Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy, pp. 71–82 (2013)Google Scholar
  13. 13.
    Kelbert, F., Pretschner, A.: Decentralized distributed data usage control. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 353–369. Springer, Heidelberg (2014) Google Scholar
  14. 14.
    Basin, D., Klaedtke, F., Müller, S., Zălinescu, E.: Monitoring metric firstorder temporal properties. J. ACM 62, 15:1–15:45 (2015)CrossRefGoogle Scholar
  15. 15.
    Adobe Systems Incorporated. Adobe Content Server (2015). Accessed 02 April 2015
  16. 16.
    Janicke, H., Cau, A., Siewe, F., Zedan, H.: Concurrent enforcement of usage control policies. In: IEEE Workshop on Policies for Distributed Systems and Networks, pp. 111–118, June 2008Google Scholar
  17. 17.
    Gay, R., Mantel, H., Sprick, B.: Service automata. In: Barthe, G., Datta, A., Etalle, S. (eds.) FAST 2011. LNCS, vol. 7140, pp. 148–163. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  18. 18.
    Bauer, A., Falcone, Y.: Decentralised LTL monitoring. In: Giannakopoulou, D., Méry, D. (eds.) FM 2012. LNCS, vol. 7436, pp. 85–100. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  19. 19.
    Kumari, P., Pretschner, A.: Deriving implementation-level policies for usage control enforcement. In: Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy, pp. 83–94 (2012)Google Scholar
  20. 20.
    Lakshman, A., Malik, P.: Cassandra: a decentralized structured storage system. ACM SIGOPS Operating Syst. Rev. 44(2), 35–40 (2010)CrossRefGoogle Scholar
  21. 21.
    The Apache Software Foundation. The Apache Cassandra Project (2014). Accessed 02 April 2015
  22. 22.
    Brewer, E.A.: Towards robust distributed systems. In: Proceedings of the 19th Annual ACM Symposium on Principles of Distributed Computing. Keynote (2000)Google Scholar
  23. 23.
    Lamport, L.: The part-time parliament. ACM Trans. Comput. Syst. 16(2), 133–169 (1998)CrossRefGoogle Scholar
  24. 24.
    The Apache Software Foundation. Apache Thrift (2014). Accessed 02 April 2015
  25. 25.
    Basin, D., Caronni, G., Ereth, S., Harvan, M., Klaedtke, F., Mantel, H.: Scalable offline monitoring. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 31–47. Springer, Heidelberg (2014) Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Technische Universität MünchenMunichGermany

Personalised recommendations