Abstract
Logical policy-based access control models are greatly expressive and thus provide the flexibility for administrators to represent a wide variety of authorization policies. Extensional access control models, on the other hand, utilize simple data structures to better enable a less trained and non-administrative workforce to participate in the day-to-day operations of the system. In this paper, we formally study a hybrid approach, tag-based authorization (TBA ), which combines the ease of use of extensional systems while still maintaining a meaningful degree of the expressiveness of logical systems. TBA employs an extensional data structure to represent metadata tags associated with subjects and objects, as well as a logical language for defining the access control policy in terms of those tags. We formally define TBA and introduce variants that include tag ontologies and delegation. We evaluate the resulting system by comparing to well-known extensional and logical access control models.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Becker, M.Y., Fournet, C.Y., Gordon, A.D.: SecPAL: Design and semantics of a decentralized authorization language. JCS (2009)
Bertino, E., Catania, B., Ferrari, E., Perlasca, P.: A logical framework for reasoning about access control models. ACM TISSEC 6(1), 71–127 (2003)
Bertino, E., Ferrari, E., Buccafurri, F., Rullo, P.: A logical framework for reasoning on data access control policies. In: IEEE CSFW (1999)
Bertino, E., Jajodia, S., Samarati, P.: A flexible authorization mechanism for relational data management systems. ACM TISSEC 17(2), 101–140 (1999)
Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 164–173 (1996)
Bonatti, P.A., di Vimercati, S.D., Samarati, P.: A modular approach to composing access control policies. In: ACM CCS, pp. 164–173 (2000)
Bowers, K.D., Bauer, L., Garg, D., Pfenning, F., Reiter, M.K.: Consumable credentials in logic-based access-control systems. In: NDSS, pp. 143–157 (2007)
Bruns, G., Huth, M.: Access-control policies via belnap logic: Effective and efficient composition and analysis. In: IEEE CSF (2008)
Cholvy, L., Cuppens, F.: Analyzing consistency of security policies. In: IEEE S&P (1997)
Crampton, J.: Understanding and developing role-based administrative models. In: ACM CCS, pp. 158–167 (2005)
Cuppens, F., Cholvy, L., Saurel, C., Carrere, J.: Merging security policies: analysis of a practical example. In: IEEE CSFW (1998)
Halpern, J.Y., Weissman, V.: Using first-order logic to reason about policies. In: IEEE CSFW (2003)
Hinrichs, T., Garrison, W., Lee, A., Saunders, S., Mitchell, J.: TBA: A hybrid of logic and extensional access control systems (Extended version). Technical Report TR-11-182, University of Pittsburgh (October 2011)
Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust-management framework. In: IEEE S&P (2002)
Razavi, M.N., Iverson, L.: Supporting selective information sharing with people-tagging. In: CHI Extended Abstracts, pp. 3423–3428 (2008)
Ribeiro, C., Zuquete, A., Ferreira, P., Guedes, P.: SPL: An access control language for security policies with complex constraints. In: NDSS (2001)
Tripunitara, M.V., Li, N.: A theory for comparing the expressive power of access control models. JCS 15(2), 231–272 (2007)
U.S. Air Force Scientific Advisory Board. Networking to enable coalition operations. Technical report, MITRE Corporation (2004)
Wang, Q., Jin, H., Li, N.: Usable Access Control in Collaborative Environments: Authorization Based on People-Tagging. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 268–284. Springer, Heidelberg (2009)
Wijesekera, D., Jajodia, S.: Policy algebras for access control - the predicate case. In: ACM CCS, pp. 171–180 (2001)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hinrichs, T.L., Garrison, W.C., Lee, A.J., Saunders, S., Mitchell, J.C. (2012). TBA : A Hybrid of Logic and Extensional Access Control Systems. In: Barthe, G., Datta, A., Etalle, S. (eds) Formal Aspects of Security and Trust. FAST 2011. Lecture Notes in Computer Science, vol 7140. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29420-4_13
Download citation
DOI: https://doi.org/10.1007/978-3-642-29420-4_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29419-8
Online ISBN: 978-3-642-29420-4
eBook Packages: Computer ScienceComputer Science (R0)