Abstract
Security policies, in particular access control, are fundamental elements of computer security. We address the problem of authoring and analyzing policies in a modular way using techniques developed in the field of term rewriting, focusing especially on the use of rewriting strategies. Term rewriting supports a formalization of access control with a clear declarative semantics based on equational logic and an operational semantics guided by strategies. Well-established term rewriting techniques allow us to check properties of policies such as the absence of conflicts and the property of always returning a decision. A rich language for expressing rewriting strategies is used to define a theory of modular construction of policies, in which we can better understand the preservation of properties of policies under composition. The robustness of the approach is illustrated on the composition operators of XACML.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Dougherty, D.J., Kirchner, C., Kirchner, H., Santana de Oliveira, A. (2007). Modular Access Control Via Strategic Rewriting. In: Biskup, J., López, J. (eds) Computer Security – ESORICS 2007. ESORICS 2007. Lecture Notes in Computer Science, vol 4734. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74835-9_38
DOI: https://doi.org/10.1007/978-3-540-74835-9_38
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74834-2
Online ISBN: 978-3-540-74835-9
eBook Packages: Computer Science (R0)