AAL and Static Conflict Detection in Policy

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10052)


Security and privacy requirements in ubiquitous systems need a sophisticated policy language with features to express access restrictions and obligations. Ubiquitous systems involve multiple actors owning sensitive data concerning aspects such as location, discrete and continuous time, multiple roles that can be shared among actors or evolve over time. Policy consistency is an important problem in languages supporting these aspects. In this paper we present an abstract language (AAL) to specify most of these security and privacy features and compare it with XACML. We also classified the existing conflict detection mechanisms for XACML in dynamic, testing, or static detection. A thorough analysis of these mechanisms reveals that they have several weaknesses and they are not applicable in our context. We advocate for a classic approach using the notion of logical consistency to detect conflicts in AAL.


  1. 1.
    Adi, K., Bouzida, Y., Hattak, I., Logrippo, L., Mankovskii, S.: Typing for conflict detection in access control policies. In: Babin, G., Kropf, P., Weiss, M. (eds.) E-Technologies: Innovation in an Open World. LNBIP, vol. 26, pp. 212–226. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  2. 2.
    Armando, A., Ranise, S.: Automated and efficient analysis of role-based access control with attributes. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 25–40. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  3. 3.
    Benghabrit, W., Grall, H., Royer, J.C., Sellami, M.: Abstract accountability language: translation, compliance and application. In: APSEC, pp. 214–221. IEEE Computer Society, New Delhi (2015)Google Scholar
  4. 4.
    Degtyarev, A., Fisher, M., Konev, B.: Monodic temporal resolution. ACM Trans. Comput. Logic 7(1), 108–150 (2006)MathSciNetCrossRefMATHGoogle Scholar
  5. 5.
    Delmas, R., Polacsek, T.: Formal methods for exchange policy specification. In: Salinesi, C., Norrie, M.C., Pastor, Ó. (eds.) CAiSE 2013. LNCS, vol. 7908, pp. 288–303. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  6. 6.
    Dunlop, N., Indulska, J., Raymond, K.: Methods for conflict resolution in policy-based management systems. In: Enterprise Distributed Object Computing Conference, pp. 98–111. IEEE Computer Society (2003)Google Scholar
  7. 7.
    Fatema, K., Chadwick, D.: Resolving policy conflicts - integrating policies from multiple authors. In: Iliadis, L., Papazoglou, M., Pohl, K. (eds.) CAiSE Workshops 2014. LNBIP, vol. 178, pp. 310–321. Springer, Heidelberg (2014)Google Scholar
  8. 8.
    Halpern, J.Y., Weissman, V.: Using first-order logic to reason about policies. ACM Trans. Inf. Syst. Secur. 11(4), 1–41 (2008)CrossRefGoogle Scholar
  9. 9.
    Hu, H., Ahn, G.J., Kulkarni, K.: Discovery and resolution of anomalies in web access control policies. IEEE Trans. Dependable Sec. Comput 10(6), 341–354 (2013)CrossRefGoogle Scholar
  10. 10.
    Huang, C., Sun, J., Wang, X., Si, Y.: Inconsistency management of role based access control policy. In: International Conference on E-Business and Information System Security (2009)Google Scholar
  11. 11.
    Hughes, G., Bultan, T.: Automated verification of access control policies using a SAT solver. Int. J. Softw. Tools Technol. Transfer 10(6), 503–520 (2008)CrossRefGoogle Scholar
  12. 12.
    Hwang, J., Xie, T., Hu, V.C.: Detection of multiple-duty-related security leakage in access control policies. In: Secure Software Integration and Reliability Improvement, pp. 65–74. IEEE Computer Society (2009)Google Scholar
  13. 13.
    Li, N., Wang, Q., Qardaji, W.H., Bertino, E., Rao, P., Lobo, J., Lin, D.: Access control policy combining: theory meets practice. In: Carminati, B., Joshi, J. (eds.) Proceedings of SACMAT, pp. 135–144. ACM (2009)Google Scholar
  14. 14.
    Liu, A.X., Chen, F., Hwang, J., Xie, T.: Xengine: a fast and scalable XACML policy evaluation engine. In: Liu, Z., Misra, V., Shenoy, P.J. (eds.) Proceedings of SIGMETRICS, pp. 265–276. ACM (2008)Google Scholar
  15. 15.
    Ludwig, M., Hustadt, U.: Implementing a fair monodic temporal logic prover. AI Commun. 23(2–3), 69–96 (2010)MathSciNetMATHGoogle Scholar
  16. 16.
    Mohan, A., Blough, D.M., Kurç, T.M., Post, A.R., Saltz, J.H.: Detection of conflicts and inconsistencies in taxonomy-based authorization policies. In: Wu, F.X., Zaki, M.J., Morishita, S., Pan, Y., Wong, S., Christianson, A., Hu, X. (eds.) International Conference on Bioinformatics and Biomedicine, pp. 590–594. IEEE Computer Society (2011)Google Scholar
  17. 17.
    OASIS Standard: eXtensible Access Control Markup Language (XACML) Version 3.0, 22 January 2013. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html (2013)
  18. 18.
    Schuppan, V.: Towards a notion of unsatisfiable and unrealizable cores for LTL. Sci. Comput. Program. 77(7–8), 908–939 (2012)CrossRefMATHGoogle Scholar
  19. 19.
    Schuppan, V., Darmawan, L.: Evaluating LTL satisfiability solvers. In: Bultan, T., Hsiung, P.-A. (eds.) ATVA 2011. LNCS, vol. 6996, pp. 397–413. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  20. 20.
    Shaikh, R.A., Adi, K., Logrippo, L., Mankovski, S.: Inconsistency detection method for access control policies. In: Information Assurance and Security, pp. 204–209. IEEE Computer Society (2010)Google Scholar
  21. 21.
    St-Martin, M., Felty, A.P.: A verified algorithm for detecting conflicts in XACML access control rules. In: Avigad, J., Chlipala, A. (eds.) Proceedings of the Conference on Certified Programs and Proofs, pp. 166–175. ACM (2016)Google Scholar
  22. 22.
    Stepien, B., Matwin, S., Felty, A.P.: Strategies for reducing risks of inconsistencies in access control policies. In: Availability, Reliability, and Security, pp. 140–147. IEEE Computer Society (2010)Google Scholar
  23. 23.
    Turkmen, F., den Hartog, J., Ranise, S., Zannone, N.: Analysis of XACML policies with SMT. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 115–134. Springer, Heidelberg (2015)Google Scholar
  24. 24.
    Wool, A.: Trends in firewall configuration errors: measuring the holes in swiss cheese. IEEE Internet Comput. 14(4), 58–65 (2010)CrossRefGoogle Scholar
  25. 25.
    Xia, X.: A conflict detection approach for XACML policies on hierarchical resources. In: Proceedings of Conference on Green Computing and Communications, pp. 755–760. IEEE Computer Society (2012)Google Scholar
  26. 26.
    Xiao, Z., Nandhakumar Kathiresshan, Y.X.: A survey of accountability in computer networks and distributed systems. Security and Communication. Networks 5(10), 1083–1085 (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Jean-Claude Royer
    • 1
  • Anderson Santana De Oliveira
    • 2
  1. 1.Mines NantesNantesFrance
  2. 2.SAP Labs FranceMougins, Sophia AntipolisFrance

Personalised recommendations