Logical Approaches to Authorization Policies

  • Steve Barker
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7360)


We show how core concepts in access control can be represented in axiomatic terms and how multiple access control models and policies can be uniformly represented as particular logical theories in the axiom system that we introduce. Authorization policies are represented in our framework by using a form of answer set programming. We describe the motivations for our approach and we consider how properties of policies can be proven in our scheme.


Access Control Logic Programming Access Control Policy Access Control Model Logic Programming Language 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Burrows, M., Lampson, B.W., Plotkin, G.D.: A calculus for access con-trol in distributed systems. ACM Trans. Program. Lang. Syst. 15(4), 706–734 (1993)CrossRefGoogle Scholar
  2. 2.
    ANSI. RBAC, INCITS 359-2004 (2004)Google Scholar
  3. 3.
    Baral, C.: Knowledge Representation, Reasoning and Declarative Problem Solving. Cambridge University Press (2003)Google Scholar
  4. 4.
    Barker, S.: The next 700 access control models or a unifying meta-model? In: SACMAT, pp. 187–196 (2009)Google Scholar
  5. 5.
    Barker, S., Genovese, V.: Secommunity: A Framework for Distributed Access Control. In: Delgrande, J.P., Faber, W. (eds.) LPNMR 2011. LNCS, vol. 6645, pp. 297–303. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Barker, S., Sergot, M.J., Wijesekera, D.: Status-based access control. ACM Trans. Inf. Syst. Secur. 12(1) (2008)Google Scholar
  7. 7.
    Barker, S., Stuckey, P.: Flexible access control policy specification with constraint logic programming. ACM Trans. on Information and System Security 6(4), 501–546 (2003)CrossRefGoogle Scholar
  8. 8.
    Bauer, L., Schneider, M.A., Felten, E.W.: A general and flexible access-control system for the web. In: USENIX Security Symposium, pp. 93–108 (2002)Google Scholar
  9. 9.
    Becker, M.Y., Fournet, C., Gordon, A.D.: SecPAL: Design and semantics of a decentralized authorization language. Journal of Computer Security 18(4), 619–665 (2010)Google Scholar
  10. 10.
    Bell, D.E., LaPadula, L.J.: Secure computer system: Unified exposition and multics interpretation. MITRE-2997 (1976)Google Scholar
  11. 11.
    Biba, K.: Integrity considerations for secure computer systems. MITRE Report MTR-3153 (1977)Google Scholar
  12. 12.
    Brewer, D.F.C., Nash, M.J.: The Chinese Wall security policy. In: IEEE Symposium on Security and Privacy, pp. 206–214 (1989)Google Scholar
  13. 13.
    Cholak, P., Blair, H.A.: The complexity of local stratification. Fundam. Inform. 21(4), 333–344 (1994)MathSciNetzbMATHGoogle Scholar
  14. 14.
    Clark, K.: Negation as failure. In: Gallaire, H., Minker, J. (eds.) Logic and Databases, pp. 293–322. Plenum (1978)Google Scholar
  15. 15.
    Craven, R., Lobo, J., Ma, J., Russo, A., Lupu, E.C., Bandara, A.K.: Expressive policy analysis with enhanced system dynamicity. In: ASIACCS, pp. 239–250 (2009)Google Scholar
  16. 16.
    Dell’Armi, T., Faber, W., Ielpa, G., Leone, N., Pfeifer, G.: Aggregate functions in disjunctive logic programming: Semantics, complexity, and implementation in DLV. In: Proceedings of the Eighteenth International Joint Conference on Artificial Intelligence IJCAI, pp. 847–852 (2003)Google Scholar
  17. 17.
    DeTreville, J.: Binder, a logic-based security language. In: Proc. IEEE Symposium on Security and Privacy, pp. 105–113 (2002)Google Scholar
  18. 18.
    Gelfond, M., Lifschitz, V.: Classical negation in logic programs and disjunctive databases. New Generation Computing 9, 365–385 (1991)CrossRefGoogle Scholar
  19. 19.
    Gelfond, M., Lobo, J.: Authorization and Obligation Policies in Dynamic Systems. In: Garcia de la Banda, M., Pontelli, E. (eds.) ICLP 2008. LNCS, vol. 5366, pp. 22–36. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  20. 20.
    Halpern, J.Y., Weissman, V.: Using first-order logic to reason about policies. ACM Trans. Inf. Syst. Secur. 11(4) (2008)Google Scholar
  21. 21.
    Jajodia, S., Samarati, P., Sapino, M., Subrahmaninan, V.: Flexible support for mul-tiple access control policies. ACM TODS 26(2), 214–260 (2001)zbMATHCrossRefGoogle Scholar
  22. 22.
    Jim, T.: SD3: A trust management system with certified evaluation. In: IEEE Symp. Security and Privacy, pp. 106–115 (2001)Google Scholar
  23. 23.
    Jones, J.I., Sergot, M.J.: Formal Specification of Security Requirements Using the Theory of Normative Positions. In: Deswarte, Y., Quisquater, J.-J., Eizenberg, G. (eds.) ESORICS 1992. LNCS, vol. 648, pp. 103–121. Springer, Heidelberg (1992)CrossRefGoogle Scholar
  24. 24.
    Jones, A.J.I., Sergot, M.J.: A formal characterisation of institutionalised power. Logic Journal of the IGPL 4(3), 427–443 (1996)MathSciNetzbMATHCrossRefGoogle Scholar
  25. 25.
    Kowalski, R., Sergot, M.: A logic-based calculus of events. New Generation Computing 4(1), 67–95 (1986)CrossRefGoogle Scholar
  26. 26.
    Kuhn, T.: The Structure of Scientific Revolutions, 3rd edn. University of Chicago Press (1996)Google Scholar
  27. 27.
    Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: A logic-based approach to dis- tributed authorization. ACM Trans. Inf. Syst. Secur. 6(1), 128–171 (2003)CrossRefGoogle Scholar
  28. 28.
    Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust-management framework. In: IEEE Symposium on Security and Privacy, pp. 114–130 (2002)Google Scholar
  29. 29.
    Lloyd, J.: Foundations of Logic Programming. Springer, Heidelberg (1987)zbMATHCrossRefGoogle Scholar
  30. 30.
    Przymusinski, T.C.: On the declarative semantics of deductive databases and logic programs. In: Foundations of Deductive Databases and Logic Programming, pp. 193–216. Morgan Kaufmann (1988)Google Scholar
  31. 31.
    Russell, B.: The Principles of Mathematics. Cambridge University Press (1903)Google Scholar
  32. 32.
    Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  33. 33.
    Thomas, R.: Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments. In: ACM Workshop on Role-Based Access Control, pp. 13–19 (1997)Google Scholar
  34. 34.
    Wang, S., Zhang, Y.: Handling distributed authorization with delegation through answer set programming. Int. J. Inf. Sec. 6(1), 27–46 (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Steve Barker
    • 1
  1. 1.Department of InformaticsKing’s College LondonLondonUK

Personalised recommendations