λ-RBAC: Programming with Role-Based Access Control

  • Radha Jagadeesan
  • Alan Jeffrey
  • Corin Pitcher
  • James Riely
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4052)


We study mechanisms that permit program components to express role constraints on clients, focusing on programmatic security mechanisms, which permit access controls to be expressed, in situ, as part of the code realizing basic functionality. In this setting, two questions immediately arise:
  • The user of a component faces the issue of safety: is a particular role sufficient to use the component?

  • The component designer faces the dual issue of protection: is a particular role demanded in all execution paths of the component?

We provide a formal calculus and static analysis to answer both questions.


Keywords: Access Control; Access Control Policy; Execution Path; Domain Transition; Access Control Mechanism
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Radha Jagadeesan (1)
  • Alan Jeffrey (2)
  • Corin Pitcher (1)
  • James Riely (1)

  1. School of CTI, DePaul University
  2. Bell Labs, Lucent Technologies
