Specifying and Reasoning About Dynamic Access-Control Policies

  • Daniel J. Dougherty
  • Kathi Fisler
  • Shriram Krishnamurthi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4130)


Access-control policies have grown from simple matrices to non- trivial specifications written in sophisticated languages. The increasing complexity of these policies demands correspondingly strong automated reasoning techniques for understanding and debugging them. The need for these techniques is even more pressing given the rich and dynamic nature of the environments in which these policies evaluate. We define a framework to represent the behavior of access-control policies in a dynamic environment. We then specify several interesting, decidable analyses using first-order temporal logic. Our work illustrates the subtle interplay between logical and state-based methods, particularly in the presence of three-valued policies. We also define a notion of policy equivalence that is especially useful for modular reasoning.


Access Control Model Check Temporal Logic Policy Context Accessible State 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abiteboul, S., Hull, R., Vianu, V.: Foundations of Databases. Addison-Wesley, Reading (1995)MATHGoogle Scholar
  2. 2.
    Abiteboul, S., Vianu, V., Fordham, B.S., Yesha, Y.: Relational transducers for electronic commerce. Journal of Computer and System Sciences 61(2), 236–269 (2000)MATHCrossRefMathSciNetGoogle Scholar
  3. 3.
    Ahmed, T., Tripathi, A.R.: Static verification of security requirements in role based CSCW systems. In: Symposium on Access Control Models and Technologies, pp. 196–203 (2003)Google Scholar
  4. 4.
    Backes, M., Karjoth, G., Bagga, W., Schunter, M.: Efficient comparison of enterprise privacy policies. In: Symposium on Applied Computing, pp. 375–382 (2004)Google Scholar
  5. 5.
    Becker, M.Y., Sewell, P.: Cassandra: Flexible trust management, applied to electronic health records. In: IEEE Computer Security Foundations Workshop (2004)Google Scholar
  6. 6.
    Bell, D., LaPadula, L.J.: Secure computer systems: Mathematical foundations and model. Technical Report M74-244, The Mitre Corporation (1976)Google Scholar
  7. 7.
    Bertino, E., Bonatti, P.A., Ferrari, E.: TRBAC: A temporal role-based access control model. ACM Transactions on Information and Systems Security 4(3), 191–233 (2001)CrossRefGoogle Scholar
  8. 8.
    Bertino, E., Samarati, P., Jajodia, S.: Authorizations in relational database management systems. In: ACM Conference on Computer and Communications Security, pp. 130–139 (1993)Google Scholar
  9. 9.
    Bonatti, P., di Vimercati, S.D.C., Samarati, P.: An algebra for composing access control policies. ACM Transactions on Information and Systems Security 5(1), 1–35 (2002)CrossRefGoogle Scholar
  10. 10.
    Cosmadakis, S., Kanellakis, P.: Functional and inclusion dependencies: A graph theoretic approach. In: Kanellakis, P., Preparata, F. (eds.) Advances in Computing Research. Theory of Databases, vol. 3, pp. 163–185. JAI Press (1986)Google Scholar
  11. 11.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: ACM Symposium on Principles of Programming Languages, pp. 238–252 (1977)Google Scholar
  12. 12.
    DeTreville, J.: Binder: a logic-based security language. In: IEEE Symposium on Security and Privacy, pp. 95–103 (2002)Google Scholar
  13. 13.
    Deutsch, A., Sui, L., Vianu, V.: Specification and verification of data-driven web services. In: ACM Symposium on Principles of Database Systems, pp. 71–82 (2004)Google Scholar
  14. 14.
    Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: International Conference on Software Engineering, pp. 196–205 (May 2005)Google Scholar
  15. 15.
    Frias, M.F., Galeotti, J.P., Pombo, C.G.L., Aguirre, N.M.: DynAlloy: upgrading Alloy with actions. In: International Conference on Software Engineering, pp. 442–451. ACM Press, New York (2005)Google Scholar
  16. 16.
    Gottlob, G., Leone, N., Scarcello, F.: The complexity of acyclic conjunctive queries. J. ACM 48(3), 431–498 (2001)CrossRefMathSciNetGoogle Scholar
  17. 17.
    Guelev, D.P., Ryan, M.D., Schobbens, P.-Y.: Model-checking access control policies. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, Springer, Heidelberg (2004)CrossRefGoogle Scholar
  18. 18.
    Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)MATHCrossRefMathSciNetGoogle Scholar
  19. 19.
    Hodkinson, I., Wolter, F., Zakharyaschev, M.: Decidable fragments of first-order temporal logics. Annals of Pure and Applied Logic 106, 85–134 (2000)MATHCrossRefMathSciNetGoogle Scholar
  20. 20.
    Hodkinson, I., Wolter, F., Zakharyaschev, M.: Decidable and undecidable fragments of first-order branching temporal logics. In: IEEE Symposium on Logic in Computer Science, pp. 393–402 (2002)Google Scholar
  21. 21.
    Hughes, G., Bultan, T.: Automated verification of access control policies. Technical Report 2004-22, University of California, Santa Barbara (2004)Google Scholar
  22. 22.
    Jackson, D.: Automating first-order relational logic. In: ACM SIGSOFT International Symposium on the Foundations of Software Engineering (November 2000)Google Scholar
  23. 23.
    Jim, T.: SD3: A trust management system with certified evaluation. In: IEEE Symposium on Security and Privacy, pp. 106–115 (2001)Google Scholar
  24. 24.
    Jones, N.D.: Space-bounded reducibility among combinatorial problems. Journal of Computer and System Sciences 11(1), 68–85 (1975)MATHCrossRefMathSciNetGoogle Scholar
  25. 25.
    Koch, M., Mancini, L.V., Parisi-Presicce, F.: Decidability of safety in graph-based models for access control. In: European Symposium on Research in Computer Security, pp. 299–243 (2002)Google Scholar
  26. 26.
    Kolaczek, G.: Specification and verification of constraints in role based access control for enterprise security system. In: International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 190–195 (2003)Google Scholar
  27. 27.
    Krishnamurthi, S.: The Continue server. In: Dahl, V., Wadler, P. (eds.) PADL 2003. LNCS, vol. 2562, pp. 2–16. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  28. 28.
    Lampson, B.W.: Protection. ACM Operating Systems Review 8(1), 18–24 (1974)CrossRefGoogle Scholar
  29. 29.
    Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: A logic-based approach to distributed authorization. ACM Transactions on Information and Systems Security 6(1), 128–171 (2003)CrossRefGoogle Scholar
  30. 30.
    Li, N., Mitchell, J.C.: Datalog with constraints: A foundation for trust management languages. In: Symposium on the Practical Aspects of Declarative Languages, pp. 58–73 (2003)Google Scholar
  31. 31.
    Li, N., Mitchell, J.C., Winsborough, W.H.: Beyond proof-of-compliance: Security analysis in trust management. Journal of the ACM 52(3), 474–514 (2005)CrossRefMathSciNetGoogle Scholar
  32. 32.
    Li, N., Tripunitara, M.V.: Security analysis in role-based access control. In: ACM Symposium on Access Control Models and Technologies (2004)Google Scholar
  33. 33.
    Moses, T.: eXtensible Access Control Markup Language (XACML) version 1.0. Technical report, OASIS (February 2003)Google Scholar
  34. 34.
    Pimlott, A., Kiselyov, O.: Soutei, a logic-based trust-management system. In: Functional and Logic Programming, pp. 130–145 (2006)Google Scholar
  35. 35.
    Sagiv, Y.: Optimizing datalog programs. In: Foundations of Deductive Databases and Logic Programming, pp. 659–698. Morgan Kaufmann, San Francisco (1988)Google Scholar
  36. 36.
    Sandhu, R.: The schematic protection model: its definition and analysis for acyclic attenuating systems. Journal of the ACM 35(2), 404–432 (1988)CrossRefGoogle Scholar
  37. 37.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)Google Scholar
  38. 38.
    Sarna-Starosta, B., Stoller, S.D.: Policy analysis for security-enhanced Linux. In: Proceedings of the 2004 Workshop on Issues in the Theory of Security, pp. 1–12 (April 2004)Google Scholar
  39. 39.
    Schaad, A., Moffett, J.D.: A lightweight approach to specification and analysis of role-based access control extensions. In: Symposium on Access Control Models and Technologies, pp. 13–22 (2002)Google Scholar
  40. 40.
    Shmueli, O.: Decidability and expressiveness aspects of logic queries. In: ACM Symposium on Principles of Database Systems, pp. 237–249 (1987)Google Scholar
  41. 41.
    Spielmann, M.: Verification of relational transducers for electronic commerce. In: ACM Symposium on Principles of Database Systems, pp. 92–103. ACM Press, New York (2000)Google Scholar
  42. 42.
    Vardi, M.Y.: The complexity of relational query languages (extended abstract). In: Symposium on the Theory of Computing, pp. 137–146. ACM Press, New York (1982)Google Scholar
  43. 43.
    Weissman, V., Halpern, J.: Using first-order logic to reason about policies. In: IEEE Computer Security Foundations Workshop, pp. 187–201 (2003)Google Scholar
  44. 44.
    Yahav, E., Reps, T., Sagiv, M., Wilhelm, R.: Verifying temporal heap properties specified via evolution logic. In: Degano, P. (ed.) ESOP 2003 and ETAPS 2003. LNCS, vol. 2618, pp. 204–222. Springer, Heidelberg (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Daniel J. Dougherty
    • 1
  • Kathi Fisler
    • 1
  • Shriram Krishnamurthi
    • 2
  1. 1.Department of Computer ScienceWPI 
  2. 2.Computer Science DepartmentBrown University 

Personalised recommendations