Abstract
In this paper we introduce a new framework for controlling compliance with discretionary access control policies [Cederquist et al. in Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), 2005; Corin et al. in Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), 2004]. The framework consists of a simple policy language that models ownership of data and administrative policies. Users can create documents and authorize others to process them. To control compliance with document policies, we define a formal audit procedure by which users may be audited and asked to justify that an action complied with a policy. In this paper we focus on the implementation of our framework. We present a formal proof system, which was only informally described in earlier work. We derive an important tractability result (a cut-elimination theorem), and we use this result to implement a proof finder, a key component of this framework. We argue that in a number of settings, such as collaborative work environments, where a small group of users create and manage documents in a decentralized way, our framework is a more flexible approach for controlling compliance with policies.
References
AC 2 proof tools at http://www.cs.ru.nl/paw
Abadi, M.: Logic in access control. In: Kolaitis, P.G. (ed.) Proceedings of the Symposium on Logic in Computer Science (LICS), pp. 228–233. IEEE Computer Society Press (2003)
Appel, A.W., Felten, E.W.: Proof-carrying authentication. In: Tsudik, G. (ed.) Proceedings of the Conference on Computer and Communications Security (CCS), pp. 52–62. ACM Press (1999)
Ashley, P., Hada, S., Karjoth, G., Schunter, M.: E-p3p privacy policies and privacy authorization. In: Samarati, P. (ed.) Proceedings of the ACM workshop on Privacy in the Electronic Society (WPES 2002), pp. 103–109. ACM Press (2002)
Bandmann, O.L., Firozabadi, B.S., Dam, M.: Constrained delegation. In: Abadi, M., Bellovin, S.M. (eds.) Proceedings of the Symposium on Security and Privacy (S&P), pp. 131–140. IEEE Computer Society Press (2002)
Becker, M.Y., Sewell, P.: Cassandra: flexible trust management, applied to electronic health records. In: Focardi, R. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 139–154. IEEE Computer Society Press (2004)
Beckert, B., Posegga, J.: leanTAP: lean tableau-based deduction. J. Autom. Reasoning 15(3), 339–358 (1995)
Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the Symposium on Security and Privacy (S&P), pp. 164–173. IEEE Computer Society Press (1996)
Cederquist, J.G., Corin, R.J., Dekker, M.A.C., Etalle, S., den Hartog, J.I.: An audit logic for accountability. In: Sahai, A., Winsborough, W.H. (eds.) Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), pp. 34–43. IEEE Computer Society Press (2005)
Chong, C.N., Peng, Z., Hartel, P.H.: Secure audit logging with tamper-resistant hardware. In: Gritzalis, D., De Capitani di Vimercati, S., Samarati, P., Katsikas, S.K. (eds.) 18th IFIP TC11 International Conference on Information Security and Privacy in the Age of Uncertainty (SEC), Athens, Greece, pp. 73–84. Kluwer Academic, Dordrecht (2003)
Corin, R., Etalle, S., den Hartog, J.I., Lenzini, G., Staicu, I.: A logic for auditing accountability in decentralized systems. In: Dimitrakos, T., Martinelli, F. (eds.) Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), vol. 173, pp. 187–202. Springer, Berlin (2004)
DeTreville, J.: Binder, a logic-based security language. In: Proceedings of the Symposium on Research in Security and Privacy (S&P), pp. 105–113. IEEE Computer Society Press (2002)
Dowek, G., Jiang, Y.: Eigenvariables, bracketing and the decidability of positive minimal intuitionistic logic. Electr. Notes Theor. Comput. Sci. 85(7) (2003)
Garg, D., Bauer, L., Bowers, K., Pfenning, F., Reiter, M.: A linear logic of authorization and knowledge. In: Proceedings of the European Symposium On Research In Computer Security (ESORICS). Springer, Berlin (2006)
Garg, D., Pfenning, F.: Non-interference in constructive authorization logic. In: Proceedings of the Computer Security Foundations Workshop (CSFW). IEEE Computer Society Press (2006)
Halpern, J.Y., van der Meyden, R.: A logic for SDSI’s linked local name spaces. In: Syverson, P. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 111–122. IEEE Computer Society Press (1999)
Halpern, J.Y., Weissman, V.: Using first-order logic to reason about policies. In: Focardi, R. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 187–201. IEEE Computer Society Press (2003)
Hu, V., Ferraiolo, D., Kuhn, D.: Assessment of access control systems—NIST interagency report. Technical report, National Institute of Standards and Technology (2006)
Jajodia, S., Gadia, S., Bhargava, G.: Logical design of audit information in relational databases. In: Information Security: An integrated Collection of Essays, pp. 585–595. IEEE Computer Society Press (1995)
Karjoth, G., Schunter, M., Waidner, M.: Platform for enterprise privacy practices: Privacy-enabled management of customer data. Privacy Enhancing Technologies (2002)
Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: a logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur. (TISSEC) 6(1), 128–171 (2003)
Li, N., Mitchell, J.: Datalog with constraints: A foundation for trust management languages. In: Dahl, V., Wadler, P. (eds.) Proceedings of the International Symposium on Practical Aspects of Declarative Languages (PADL) (2003)
Li, N., Mitchell, J., Winsborough, W.: Design of a role-based trust-management framework. In: Abadi, M., Bellovin, S.M. (eds.) Proceedings of the Symposium on Research in Security and Privacy (S&P), pp. 114–130. IEEE Computer Society Press (2002)
Longstaff, J.J., Lockyer, M.A., Thick, M.G.: A model of accountability, confidentiality and override for healthcare and other applications. In: Proceedings of the Workshop on Role-based Access Control (RBAC)
Necula, G.C.: Compiling with proofs. Ph.D. thesis, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA (1998)
OASIS Access Control TC: eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard, 1 Feb 2005 (2005)
Park, J., Sandhu, R.: Originator control in usage control. In: Lobo, J., Dulay, N. (eds.) Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), p. 60. IEEE Computer Society, Washington, DC, USA (2002)
Park, J., Sandhu, R.: Towards usage control models: beyond traditional access control. In: Bertino, E. (ed.) Proceedings of the Symposium on Access Control Models and Technologies (SACMAT), pp. 57–64. ACM Press (2002)
Pfenning, F.: Linear logic course handouts. http://www.cs.cmu.edu/~fp/courses/linear.html (2002)
Pfenning, F., Schürmann, C.: System description: Twelf—a meta-logical framework for deductive systems. In: Ganzinger, H. (ed.) Proceedings of the International Conference on Automated Deduction (CADE), pp. 202–206. Springer, Berlin (1999)
Rissanen, E., Firozabadi, B.S., Sergot, M.J.: Discretionary overriding of access control in the privilege calculus. In: Dimitrakos, T., Martinelli, F. (eds.) Proceedings of the 2nd IFIP Workshop on Formal Aspects in Security and Trust (FAST), pp. 219–232. Springer, Berlin (2004)
Sandhu, R., Park, J.: Usage control: A vision for next generation access control. In: Gorodetsky, V., Popyack, L.J., Skormin, V.A. (eds.) Proceedings of the International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security MMM-ACNS. LNCS, vol. 2776, pp. 17–31. Springer, Berlin (2003)
Sandhu, R., Samarati, P.: Access control: principles and practice. IEEE Commun. Mag. 32(9), 40–48 (1994)
Sandhu, R., Samarati, P.: Authentication, access control and audit. ACM Comput. Surv. 28(1), 241–243 (1996)
Shmatikov, V., Talcott, C.L.: Reputation-based trust management. J. Comput. Secur. 13(1), 167–190 (2005)
Szabo, E.M. (ed.): The Collected Papers of Gerhard Gentzen. North Holland, Amsterdam (1969)
The European Parliament and the Council of the European Union: EU Directive 2002/58/EC on privacy and electronic communications. Official Journal of the European Union. http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf (2002)
The US Department of Health and Human Services: Summary of the HIPAA Privacy Rule. Available on the website http://www.hhs.gov/ocr/privacysummary.pdf (2002)
Topkara, M., Topkara, U., Atallah, M.J.: Words are not enough: sentence level natural language watermarking. In: Proceedings of the International workshop on Contents Protection and Security (MCPS), pp. 37–46. ACM Press (2006)
U.S. Securities and Exchange Commission: Sarbanes-Oxley Act (2002)
Wang, X., Lao, G., De Martini, T., Reddy, H., Nguyen, M., Valenzuela, E.: XrML: eXtensible rights markup language. In: Kudo, M. (ed.) Proceedings of the Workshop on XML Security (XMLSEC), pp. 71–79. ACM Press (2002)
Whitehead, N., Abadi, M., Necula, G.C.: By reason and authority: a system for authorization of proof-carrying code. In: Focardi, R. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 236–250. IEEE Computer Society Press (2004)
Cite this article
Cederquist, J.G., Corin, R., Dekker, M.A.C. et al. Audit-based compliance control. Int. J. Inf. Secur. 6, 133–151 (2007). https://doi.org/10.1007/s10207-007-0017-y