Representation-Independent Data Usage Control

  • Alexander Pretschner
  • Enrico Lovat
  • Matthias Büchler
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7122)


Usage control is concerned with what happens to data after access has been granted. In the literature, usage control models have been defined on the grounds of events that, somehow, are related to data. In order to better cater to the dimension of data, we extend a usage control model by the explicit distinction between data and representation of data. A data flow model is used to track the flow of data between different representations. The usage control model is then extended so that usage control policies can address not just one single representation (e.g., delete file1.txt after thirty days) but rather all representations of the data (e.g., if file1.txt is a copy of file2.txt, also delete file2.txt). We present three proof-of-concept implementations of the model, at the operating system level, at the browser level, and at the X11 level, and also provide an ad hoc implementation for multi-layer enforcement.


  • Policy Language
  • Semantic Model
  • System Layer
  • Usage Control
  • Policy Decision Point

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Alexander Pretschner (1)
  • Enrico Lovat (1)
  • Matthias Büchler (1)

  1. Karlsruhe Institute of Technology, Germany
