Abstract
Formal foundations for access control policies with both authority delegation and policy composition operators are partial and limited. Correctness guarantees cannot therefore be formally stated and verified for decentralized composite access control systems, such as those based on XACML 3. To address this problem we develop a formal policy language BelLog that can express both delegation and composition operators. We illustrate, through examples, how BelLog can be used to specify practical policies. Moreover, we present an analysis framework for reasoning about BelLog policies and we give decidability and complexity results for policy entailment and policy containment in BelLog.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.: The KeyNote Trust-Management System Version 2. RFC 2704 (Informational) (September 1999)
SNIC: SweGrid: e-Infrastructure for Computing and Storage, http://www.snic.vr.se/projects/swegrid/
Axiomatics: Policy Decision Points (September 2013)
Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., Zaharia, M.: A View of Cloud Computing. Commun. ACM 53(4), 50–58 (2010)
Ceri, S., Gottlob, G., Tanca, L.: What You Always Wanted to Know About Datalog (And Never Dared to Ask). IEEE Trans. on Knowl. and Data Eng., 146–166 (1989)
Belnap, N.D.: A Useful Four-Valued Logic. In: Modern Uses of Multiple-Valued Logic. D. Reidel (1977)
Bruns, G., Huth, M.: Access Control via Belnap Logic: Intuitive, Expressive, and Analyzable Policy Composition. ACM Trans. Inf. Syst. Secur., 1–27 (2011)
Crampton, J., Morisset, C.: PTaCL: A Language for Attribute-Based Access Control in Open Systems. In: Degano, P., Guttman, J.D. (eds.) POST 2013. LNCS, vol. 7215, pp. 390–409. Springer, Heidelberg (2012)
Ni, Q., Bertino, E., Lobo, J.: D-Algebra for Composing Access Control Policy Decisions. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS 2009, pp. 298–309. ACM (2009)
Gurevich, Y., Neeman, I.: DKAL: Distributed-Knowledge Authorization Language. Computer Security Foundations Symposium, 149–162 (2008)
Becker, M.Y., Fournet, C., Gordon, A.D.: SecPAL: Design and semantics of a decentralized authorization language. Journal of Computer Security, 619–665 (2010)
Li, N., Mitchell, J., Winsborough, W.: Design of a Role-based Trust-management Framework. In: IEEE Symposium on Security and Privacy, pp. 114–130 (2002)
Garg, D., Pfenn, F.: Non-Interference in Constructive Authorization Logic. In: Proceedings of the 19th IEEE Workshop on Computer Security Foundations, CSFW 2006, pp. 283–296. IEEE Computer Society, Washington, DC (2006)
Abadi, M.: Access Control in a Core Calculus of Dependency. Electronic Notes in Theoretical Computer Science 172, 5–31 (2007)
Fitting, M.: Bilattices in Logic Programming. In: Proceedings of the Twentieth International Symposium on Multiple-Valued Logic, pp. 238–246 (1990)
Marinovic, S., Craven, R., Ma, J., Dulay, N.: Rumpole: A Flexible Break-glass Access Control Model. In: Symposium on Access Control Models and Technologies, SACMAT 2011, pp. 73–82. ACM (2011)
Dong, C., Dulay, N.: Shinren: Non-monotonic Trust Management for Distributed Systems. In: Nishigaki, M., Jøsang, A., Murayama, Y., Marsh, S. (eds.) IFIPTM 2010, vol. 321, pp. 125–140. Springer, Heidelberg (2010)
Kolovski, V., Hendler, J., Parsia, B.: Analyzing Web Access Control Policies. In: Proceedings of the 16th International Conference on WWW, pp. 677–686. ACM (2007)
Tsankov, P., Marinovic, S., Dashti, M.T., Basin, D.: Decentralized Composite Access Control. Technical report, ETH Zurich (2014), http://dx.doi.org/10.3929/ethz-a-010045530
Apt, K.R., Blair, H.A., Walker, A.: Towards a Theory of Declarative Knowledge. In: Minker, J. (ed.) Foundations of Deductive Databases and Logic Programming, pp. 89–148. Morgan Kaufmann Publishers Inc. (1988)
Abiteboul, S., Hull, R., Vianu, V.: Foundations of Databases. Addison-Wesley (1995)
Vardi, M.Y.: The Complexity of Relational Query Languages (Extended Abstract). In: Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, STOC 1982, pp. 137–146. ACM, New York (1982)
Shmueli, O.: Decidability and Expressiveness Aspects of Logic Queries. In: Proceedings of the ACM Symposium on Principles of Database Systems. ACM (1987)
Rissanen, E.: XACML 3.0 Additional Combining Algorithms Profile Version 1.0. Technical report, Axiomatics
OASIS: eXtensible Access Control Markup Language, http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
Seitz, L., Rissanen, E., Sandholm, T., Firozabadi, B.S., Mulmo, O.: Policy Administration Control and Delegation Using XACML and Delegent. In: Proceedings of the International Workshop on Grid Computing, pp. 49–54. IEEE (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Tsankov, P., Marinovic, S., Dashti, M.T., Basin, D. (2014). Decentralized Composite Access Control. In: Abadi, M., Kremer, S. (eds) Principles of Security and Trust. POST 2014. Lecture Notes in Computer Science, vol 8414. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54792-8_14
Download citation
DOI: https://doi.org/10.1007/978-3-642-54792-8_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54791-1
Online ISBN: 978-3-642-54792-8
eBook Packages: Computer ScienceComputer Science (R0)