Skip to main content
SpringerLink
Log in

EXAM: a comprehensive environment for the analysis of access control policies

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Policy integration and inter-operation is often a crucial requirement when parties with different access control policies need to participate in collaborative applications and coalitions. Such requirement is even more difficult to address for dynamic large-scale collaborations, in which the number of access control policies to analyze and compare can be quite large. An important step in policy integration and inter-operation is to analyze the similarity of policies. Policy similarity can sometimes also be a pre-condition for establishing a collaboration, in that a party may enter a collaboration with another party only if the policies enforced by the other party match or are very close to its own policies. Existing approaches to the problem of analyzing and comparing access control policies are very limited, in that they only deal with some special cases. By recognizing that a suitable approach to the policy analysis and comparison requires combining different approaches, we propose in this paper a comprehensive environment—EXAM. The environment supports various types of analysis query, which we categorize in the paper. A key component of such environment, on which we focus in the paper, is the policy analyzer able to perform several types of analysis. Specifically, our policy analyzer combines the advantages of existing MTBDD-based and SAT-solver-based techniques. Our experimental results, also reported in the paper, demonstrate the efficiency of our analyzer.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Agrawal, D., Giles, J., Lee, K.W., Lobo, J.: Policy ratification. In: Proceedings of the IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY), pp. 223–232 (2005)

  2. Ahmed, T., Tripathi, A.R.: Static verification of security requirements in role based cscw systems. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 196–203 (2003)

  3. Backes, M., Karjoth, G., Bagga, W., Schunter, M.: Efficient comparison of enterprise privacy policies. In: Proceedings of the 2004 ACM Symposium on Applied Computing (SAC), pp. 375–382 (2004)

  4. Baker, M., Kimberly, K., Sean, M.: Why traditional storage systems do not help us save stuff forever. HPL-2005-120. HP Labs 2005 Technical Reports (2005)

  5. Bertino, E., Martino, L.: A service-oriented approach to security—concepts and issues. In: Proceedings of the International Symposium on Autonomous Decentralized Systems (ISADS) and of the IEEE International Workshop on Future Trends of Distributed Computing Systems, pp. 21–23 (2007)

  6. Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.D.: The KeyNote trust-management system, version 2. IETF RFC 2704 (1999). http://www.ietf.org/rfc/rfc2704.txt

  7. Blaze, M., Feigenbaum, J., Strauss, M.: Compliance checking in the policymaker trust management system. In: Proceedings of the International Conference on Financial Cryptography, pp. 254–274 (1998)

  8. Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: Proceedings of International Conference on Software Engineering (ICSE), pp. 196–205 (2005)

  9. Fujita M., McGeer P.C., Yang J.C.Y.: Multi-terminal binary decision diagrams: an efficient datastructure for matrix representation. Form. Methods Syst. Des. 10(2–3), 149–169 (1997)

    Article  Google Scholar 

  10. Guelev, D.P., Ryan, M., Schobbens, P.: Model-checking access control policies. In: Proceedings of the Information Security Conference (ISC), pp. 219–230 (2004)

  11. Hopcroft J.E., Ullman J.D.: Introduction to Automata Theory, Languages and Computation. Addison Wesley, Reading, MA (1979)

    MATH  Google Scholar 

  12. Iso 10181-3 access control framework

  13. Koch, M., Mancini, L.V., Presicce, P.F.: On the specification and evolution of access control policies. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 121–130 (2001)

  14. Kolovski, V., Hendler, J., Parsia, B.: Analyzing web access control policies. In: Proceedings of the International World Wide Web Conference, p. 677 (2007)

  15. Lin, D., Rao, P., Bertino, E., Lobo, J.: An approach to evaluate policy similarity. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 1–10 (2007)

  16. Lupu E., Sloman M.: Conflicts in policy-based distributed systems management. IEEE Trans Softw Eng (TSE) 25(6), 852–869 (1999)

    Article  Google Scholar 

  17. Mazzoleni, P., Bertino, E., Crispo, B.: XACML policy integration algorithms. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 223–232 (2006)

  18. McDaniel P., Prakash A.: Methods and limitations of security policy reconciliation. ACM Trans. Inf. Syst. Secur. (TISSEC) 9(3), 259–291 (2006)

    Article  Google Scholar 

  19. Moffett, J.D., Sloman, M.S.: Policy conflict analysis in distributed system management. J. Org. Comput. (1993)

  20. Morr, D.: Lionshare: A federated p2p app. In: Internet2 members meeting (2007)

  21. Parthenon XACML evaluation engine

  22. Rao, P., Ghinita, G., Bertino, E., Lobo, J.: Visualization for access control policy analysis results using multi-level grids (2009)

  23. Rao, P., Lin, D., Bertino, E.: XACML function annotations. In: IEEE Workshop on Policies for Distributed Systems and Networks (2007)

  24. Rao, P., Lin, D., Bertino, E., Li, N., Lobo, J.: An algebra for fine-grained integration of xacml policies. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT) (2009)

  25. Sun’s XACML open source implementation

  26. United State Department of Health: Health insurance portability and accountability act of 1996. Available at http://www.hhs.gov/ocr/hipaa/

  27. Extensible access control markup language (XACML) version 2.0 (2005)

  28. Zhang, N., Ryan, M., Guelev, D.P.: Evaluating access control policies through model checking. In: Proceedings of the Information Security Conference (ISC), pp. 446–460 (2005)

Download references

Author information

Authors and Affiliations

  1. Missouri University of Science & Technology, Rolla, MO, USA

    Dan Lin

  2. Purdue University, West Lafayette, IN, USA

    Prathima Rao, Elisa Bertino & Ninghui Li

  3. IBM T.J. Watson Research Center, Yorktown, NY, USA

    Jorge Lobo

Authors
  1. Dan Lin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Prathima Rao
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Elisa Bertino
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ninghui Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Jorge Lobo
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Prathima Rao.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Lin, D., Rao, P., Bertino, E. et al. EXAM: a comprehensive environment for the analysis of access control policies. Int. J. Inf. Secur. 9, 253–273 (2010). https://doi.org/10.1007/s10207-010-0106-1

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-010-0106-1

Keywords

Search

Navigation