TBA: A Hybrid of Logic and Extensional Access Control Systems

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7140)

Abstract

Logical policy-based access control models are greatly expressive and thus provide the flexibility for administrators to represent a wide variety of authorization policies. Extensional access control models, on the other hand, utilize simple data structures to better enable a less trained and non-administrative workforce to participate in the day-to-day operations of the system. In this paper, we formally study a hybrid approach, tag-based authorization (TBA), which combines the ease of use of extensional systems while still maintaining a meaningful degree of the expressiveness of logical systems. TBA employs an extensional data structure to represent metadata tags associated with subjects and objects, as well as a logical language for defining the access control policy in terms of those tags. We formally define TBA and introduce variants that include tag ontologies and delegation. We evaluate the resulting system by comparing to well-known extensional and logical access control models.

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hinrichs, T.L., Garrison, W.C., Lee, A.J., Saunders, S., Mitchell, J.C. (2012). TBA : A Hybrid of Logic and Extensional Access Control Systems. In: Barthe, G., Datta, A., Etalle, S. (eds) Formal Aspects of Security and Trust. FAST 2011. Lecture Notes in Computer Science, vol 7140. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29420-4_13

  • DOI: https://doi.org/10.1007/978-3-642-29420-4_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29419-8

  • Online ISBN: 978-3-642-29420-4

  • eBook Packages: Computer Science (R0)
