Foundations of Dynamic Access Control

  • Prasad Naldurg
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7671)


New commercial operating systems e.g., Windows 7 and 8, and research operating systems such as Asbestos and Flume, include labels for integrity/confidentiality protection. Unlike the strict Bell-LaPadula mandatory access controls, these labels are allowed to change in controlled ways by users and applications. The implications of these dynamic changes need to be examined carefully, and existing formalisms cannot express or help us understand their impact on access control safety. We present a logic-programming framework to specify, analyze and automatically verify such dynamic access control models. We study the problem of reachability (equivalently safety) in these models and show that they are undecidable in the general case. We also identify an expressive fragment of this formalism that has a sound and complete decision procedure. We build a theory (and tools) for reasoning about information-flow in the general context, and show its application on real-world use-cases. We are able to highlight several important vulnerabilities in these models, as well as suggest design changes that can be provably validated.


Access Control Query Evaluation Access Control Model Constraint Logic Programming Temporal Query 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: On protection in operating systems. In: SOSP 1975: Proceedings of the Fifth ACM Symposium on Operating Systems Principles, pp. 14–24 (1975)Google Scholar
  2. 2.
    Denning, D.: Cryptography and Data Security. Addison Wesley (1982)Google Scholar
  3. 3.
    Lampson, B.W.: Protection. In: Proc. Fifth Princeton Symposium on Information Sciences and Systems (1971)Google Scholar
  4. 4.
    Jones, A.K., Lipton, R.J., Snyder, L.: A linear time algorithm for deciding security. In: Symposium on Foundations of Computer Science, pp. 33–41 (1976)Google Scholar
  5. 5.
    Bishop, M.: Theft of information in the take-grant protection model. In: CSFW, pp. 194–218 (1988)Google Scholar
  6. 6.
    Hicks, B., Rueda, S., St. Clair, L., Jaeger, T., McDaniel, P.: A logical specification and analysis for selinux mls policy. ACM Trans. Inf. Syst. Secur. 13, 26:1–26:31 (2010)Google Scholar
  7. 7.
    Mao, Z., Li, N., Chen, H., Jiang, X.: Trojan horse resistant discretionary access control. In: SACMAT, pp. 237–246 (2009)Google Scholar
  8. 8.
    Vandebogart, S., Efstathopoulos, P., Kohler, E., Krohn, M., Frey, C., Ziegler, D., Kaashoek, F., Morris, R., Mazières, D.: Labels and event processes in the asbestos operating system. ACM Trans. Comput. Syst. 25(4), 11 (2007)CrossRefGoogle Scholar
  9. 9.
    Zeldovich, N., Boyd-Wickizer, S., Kohler, E., Mazières, D.: Making information flow explicit in histar. In: OSDI 2006: Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, p. 19. USENIX Association, Berkeley (2006)Google Scholar
  10. 10.
    Bell, D.E., LaPadula, L.J.: Secure computer systems: Mathematical foundations and model. Technical Report M74-244, MITRE Corp. (1975)Google Scholar
  11. 11.
    Biba, K.J.: Integrity considerations for secure computer systems. Technical Report TR-3153, MITRE Corp. (1977)Google Scholar
  12. 12.
    Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19(5), 236–243 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  13. 13.
    Loscocco, P., Smalley, S., Muckelbauer, P., Taylor, R., Turner, J., Farrell, J.: The inevitability of failure: The flawed assumption of security in modern computing environments. Technical report, United Stated National Security Agency, NSA (1995)Google Scholar
  14. 14.
    Naldurg, P., Schwoon, S., Rajamani, S., Lambert, J.: Netra: seeing through access control. In: FMSE 2006: Proceedings of the Fourth ACM Workshop on Formal Methods in Security, pp. 55–66 (2006)Google Scholar
  15. 15.
    Ramakrishnan, R., Gehrke, J.: Database Management Systems. McGraw-Hill Science/Engineering/Math. (2002)Google Scholar
  16. 16.
    Sarna-Starosta, B., Stoller, S.D.: Policy analysis for security-enhanced linux. In: Proceedings of the 2004 Workshop on Issues in the Theory of Security, WITS, pp. 1–12 (April 2004),
  17. 17.
    Dougherty, D.J., Fisler, K., Krishnamurthi, S.: Specifying and Reasoning About Dynamic Access-Control Policies. In: Furbach, U., Shankar, N. (eds.) IJCAR 2006. LNCS (LNAI), vol. 4130, pp. 632–646. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  18. 18.
    Guttman, J., Herzog, A.: Rigorous automated network security management (2004)Google Scholar
  19. 19.
    Lampson, B.W.: Protection. ACM Operating Systems Rev. 8(1), 18–24 (1974)CrossRefGoogle Scholar
  20. 20.
    Chaudhuri, A., Naldurg, P., Rajamani, S.K., Ramalingam, G., Velaga, L.: Eon: modeling and analyzing dynamic access control systems with logic programs. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 381–390 (2008)Google Scholar
  21. 21.
    Levy, A., Mumick, I.S., Sagiv, Y., Shmueli, O.: Equivalence, query-reachability and satisfiability in Datalog extensions. In: PODS 1993: Proc. Principles of Database Systems, pp. 109–122. ACM Press (1993)Google Scholar
  22. 22.
    Halevy, A.Y., Mumick, I.S., Sagiv, Y., Shmueli, O.: Static analysis in datalog extensions. J. ACM 48(5), 971–1012 (2001)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Naldurg, P., Raghavendra, K.R.: Seal: a logic programming framework for specifying and verifying access control models. In: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, SACMAT 2011, pp. 83–92 (2011)Google Scholar
  24. 24.
    Paveza, R.: User-prompted elevation of unintended code in windows vista. World Wide Web Electronic Publication (2009)Google Scholar
  25. 25.
    Barker, S., Leuschel, M., Varea, M.: Efficient and flexible access control via jones-optimal logic program specialisation. Higher Order Symbol. Comput. 21, 5–35 (2008)zbMATHCrossRefGoogle Scholar
  26. 26.
    Barker, S., Stuckey, P.J.: Flexible access control policy specification with constraint logic programming. ACM Trans. Inf. Syst. Secur. 6, 501–546 (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Prasad Naldurg
    • 1
  1. 1.Microsoft Research IndiaBangaloreIndia

Personalised recommendations