
Component-Based Security Policy Design with Colored Petri Nets

  • Chapter

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 5700)

Abstract

Security policies are one of the most fundamental elements of computer security. This paper uses colored Petri net processes (CPNP) to specify and verify security policies in a modular way. It defines fundamental policy properties, i.e., completeness, termination, consistency and confluence, in Petri net terminology and derives some theoretical results. Following the XACML combiners and the property-preserving Petri net process algebra (PPPA), several policy composition operators are specified, and property-preserving results are stated for verifying policy correctness.
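As an added illustration (not code from the chapter, which works with colored Petri net processes rather than plain decision functions), the following Python models component policies as functions from requests to XACML decisions, composes them with XACML-style combiners, and checks the completeness, consistency and confluence properties named in the abstract over a constructed request space. The roles, actions, labels and the three policies are hypothetical.

```python
from itertools import permutations, product

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
# Constructed request space: (role, action, data label), eight requests in total.
REQUESTS = list(product(("doctor", "nurse"), ("read", "write"), ("public", "confidential")))

# Three hypothetical component policies; each maps a request to a decision.
def doctor_full_access(req):
    role, _, _ = req
    return PERMIT if role == "doctor" else NA

def nurse_public_read_only(req):
    role, action, label = req
    if role != "nurse":
        return NA
    return PERMIT if (action, label) == ("read", "public") else DENY

def confidential_write_denied(req):
    _, action, label = req
    return DENY if (action, label) == ("write", "confidential") else NA

# XACML-style combiners: each takes an ordered list of policies and yields one policy.
def deny_overrides(policies):
    def combined(req):
        ds = [p(req) for p in policies]
        return DENY if DENY in ds else PERMIT if PERMIT in ds else NA
    return combined

def permit_overrides(policies):
    def combined(req):
        ds = [p(req) for p in policies]
        return PERMIT if PERMIT in ds else DENY if DENY in ds else NA
    return combined

def first_applicable(policies):
    def combined(req):
        return next((d for d in (p(req) for p in policies) if d != NA), NA)
    return combined

def is_complete(policy, requests=REQUESTS):
    """Completeness: every request receives a Permit or Deny decision."""
    return all(policy(r) != NA for r in requests)

def is_consistent(policies, requests=REQUESTS):
    """Consistency: no request on which two component policies return Permit and Deny."""
    return not any({p(r) for p in policies} >= {PERMIT, DENY} for r in requests)

def is_confluent(combiner, policies, requests=REQUESTS):
    """Confluence: the combined decision is independent of the composition order."""
    outcomes = {tuple(combiner(list(o))(r) for r in requests) for o in permutations(policies)}
    return len(outcomes) == 1
```

On these three policies, deny-overrides and permit-overrides compose confluently while first-applicable does not, and doctor_full_access conflicts with confidential_write_denied on confidential writes, which is exactly the kind of inconsistency a combiner must resolve.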

This work was supported in part by National Natural Science Foundation of China with Grant No. 10701030.




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Huang, H., Kirchner, H. (2009). Component-Based Security Policy Design with Colored Petri Nets. In: Palsberg, J. (eds) Semantics and Algebraic Specification. Lecture Notes in Computer Science, vol 5700. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04164-8_3


  • DOI: https://doi.org/10.1007/978-3-642-04164-8_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04163-1

  • Online ISBN: 978-3-642-04164-8

  • eBook Packages: Computer Science (R0)
