Noninterference Analysis of Delegation Subterfuge in Distributed Authorization Systems

  • Simon N. Foley
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 401)


A principal carrying out a delegation may not be certain about the state of its delegation graph, as it may have been perturbed by an attacker. This perturbation may come about from the attacker concealing the existence of selected delegation certificates and/or injecting new delegation certificates. As a consequence of this delegation subterfuge, the principal may violate its own policy that guides delegation actions. This paper considers the verification of the absence of subterfuge in systems that accept and issue delegation certificates. It is argued that this absence of subterfuge is not a safety property, and a non-interference-style, security-property-based interpretation is proposed.
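The following is an added illustration, not the paper's formalism or code: certificates are (issuer, subject, permission) triples, an attacker (assumed here to be "Mallory") may conceal any subset of them and inject any certificate it can sign, and a hypothetical principal Alice applies a simple local policy to the graph she can see. The noninterference-style check compares Alice's decision across every attacker-reachable view instead of checking one view in isolation.

```python
# Added illustration (not the paper's formalism): delegation certificates are
# (issuer, subject, permission) triples; a view is the set of certs a principal sees.
from itertools import combinations

def holders(certs, perm, src):
    """Principals reachable from src by a chain of certs for perm."""
    reach, frontier = {src}, [src]
    while frontier:
        cur = frontier.pop()
        for issuer, subject, p in certs:
            if p == perm and issuer == cur and subject not in reach:
                reach.add(subject)
                frontier.append(subject)
    return reach

def alice_delegates(view, subject, perm, root="Root", distrusted=("Mallory",)):
    """Alice's local policy on the graph she sees: delegate perm to subject only if
    she holds perm from root and subject is not already reachable from a distrusted principal."""
    if "Alice" not in holders(view, perm, root):
        return False
    return not any(subject in holders(view, perm, d) - {d} for d in distrusted)

def perturbed_views(true_graph, attacker, principals, perm):
    """Views the attacker can present to Alice: conceal any subset of certs and/or
    inject certs the attacker can sign (issued by the attacker)."""
    certs = sorted(true_graph)
    injectable = [(attacker, s, perm) for s in principals if s != attacker]
    for k in range(len(certs) + 1):
        for hidden in combinations(certs, k):
            for j in range(len(injectable) + 1):
                for injected in combinations(injectable, j):
                    yield (true_graph - set(hidden)) | set(injected), hidden, injected

def subterfuge_witnesses(true_graph, subject, perm, attacker, principals):
    """Noninterference-style check: an attacker-controlled perturbation must not change
    Alice's decision. Returns the (hidden, injected) pairs that do change it."""
    want = alice_delegates(true_graph, subject, perm)
    return [(h, i) for v, h, i in perturbed_views(true_graph, attacker, principals, perm)
            if alice_delegates(v, subject, perm) != want]

# Constructed sample graph: Root grants read to Alice and to Mallory, and Mallory has
# already delegated read to Bob, so on the true graph Alice's policy refuses Bob.
TRUE_GRAPH = frozenset({("Root", "Alice", "read"), ("Root", "Mallory", "read"),
                        ("Mallory", "Bob", "read")})
PRINCIPALS = ("Root", "Alice", "Mallory", "Bob")

if __name__ == "__main__":
    print(alice_delegates(TRUE_GRAPH, "Bob", "read"))
    for hidden, injected in subterfuge_witnesses(TRUE_GRAPH, "Bob", "read", "Mallory", PRINCIPALS):
        print("decision flips if the attacker hides", hidden, "and injects", injected)
```

Every perturbed view is, taken on its own, consistent with Alice's policy as she evaluates it, so a predicate over a single view never flags anything; only the comparison across views exposes that concealing Mallory's certificate to Bob changes her decision.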





Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Simon N. Foley, Department of Computer Science, University College Cork, Ireland
