Abstract
In distributed computer systems, it is possible that the evaluation of an authorization policy may suffer unexpected failures, perhaps because a sub-policy cannot be evaluated or a sub-policy cannot be retrieved from some remote repository. Ideally, policy evaluation should be resilient to such failures and, at the very least, fail “gracefully” if no decision can be computed. We define syntax and semantics for an XACML-like policy language. The semantics are incremental and reflect different assumptions about the manner in which failures can occur. Unlike XACML, our language uses simple binary operators to combine sub-policy decisions. This enables us to characterize those few binary operators likely to be used in practice, and hence to identify a number of strategies for optimizing policy evaluation and policy representation.
Download conference paper PDF
References
Aho, A., Hopcroft, J., Ullman, J.: The Design and Analysis of Computer Algorithms. Addison-Wesley, Reading (1975)
Aireli, O., Avron, A.: The value of the four values. Artificial Intelligence 102, 97–141 (1998)
Backes, M., Dürmuth, M., Steinwandt, R.: An algebra for composing enterprise privacy policies. In: Proceedings of the 9th European Symposium on Research in Computer Security, pp. 33–52 (2004)
Bertino, E., Castano, S., Ferrari, E.: Author-\(\mathcal{X}\): A comprehensive system for securing XML documents. IEEE Internet Computing 5(3), 21–31 (2001)
Bonatti, P., Vimercati, S.D.C.D., Samarati, P.: An algebra for composing access control policies. ACM Transactions on Information and System Security 5(1), 1–35 (2002)
Bruns, G., Huth, M.: Access-control policies via Belnap logic: Effective and efficient composition and analysis. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium, pp. 163–176 (2008)
Crampton, J., Leung, W., Beznosov, K.: The secondary and approximate authorization model and its application to Bell-LaPadula policies. In: Proceedings of 11th ACM Symposium on Access Control Models and Technologies (2006)
Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: A fine-grained access control system for XML documents. ACM Transactions on Information and System Security 5(2), 169–202 (2002)
Li, N., Wang, Q., Qardaji, W., Bertino, E., Rao, P., Lobo, J., Lin, D.: Access control policy combining: Theory meets practice. In: Proceedings of 14th ACM Symposium on Access Control Models and Technologies, pp. 135–144 (2009)
Ni, Q., Bertino, E., Lobo, J.: D-algebra for composing access control policy decisions. In: Proceedings of 2009 ACM Symposium on Information, Computer and Communications Security, pp. 298–309 (2009)
Nielson, F., Nielson, H., Hankin, C.: Principles of Program Analysis. Springer, Heidelberg (1999)
OASIS: eXtensible Access Control Markup Language (XACML) Version 2.0. In: Moses, T. (ed.) OASIS Committee Specification (2005)
Wijesekera, D., Jajodia, S.: A propositional policy algebra for access control. ACM Transactions on Information and System Security 6(2), 286–235 (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Crampton, J., Huth, M. (2010). An Authorization Framework Resilient to Policy Evaluation Failures. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds) Computer Security – ESORICS 2010. ESORICS 2010. Lecture Notes in Computer Science, vol 6345. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15497-3_29
Download citation
DOI: https://doi.org/10.1007/978-3-642-15497-3_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15496-6
Online ISBN: 978-3-642-15497-3
eBook Packages: Computer ScienceComputer Science (R0)