A logic-based framework for attribute based access control

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

A logic-based framework for attribute based access control

Full text

Pdf (212 KB)

Source

Workshop on Formal Methods in Security Engineering archive
Proceedings of the 2004 ACM workshop on Formal methods in security engineering table of contents

Washington DC, USA

SESSION: Security & analysis I table of contents

Pages: 45 - 55

Year of Publication: 2004

ISBN:1-58113-971-3

Authors

Lingyu Wang	George Mason University, Fairfax, VA
Duminda Wijesekera	George Mason University, Fairfax, VA
Sushil Jajodia	George Mason University, Fairfax, VA

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 27, Downloads (12 Months): 197, Citation Count: 19

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1029133.1029140 What is a DOI?

ABSTRACT

Attribute based access control (ABAC) grants accesses to services based on the attributes possessed by the requester. Thus, ABAC differs from the traditional discretionary access control model by replacing the <i>subject</i> by a set of attributes and the <i>object</i> by a set of services in the access control matrix. The former is appropriate in an identity-less system like the Internet where subjects are identified by their characteristics, such as those substantiated by certificates. These can be modeled as attribute sets. The latter is appropriate because most Internet users are not privy to method names residing on remote servers. These can be modeled as sets of service options. We present a framework that models this aspect of access control using logic programming with set constraints of a computable set theory [DPPR00]. Our framework specifies policies as stratified constraint flounder-free logic programs that admit primitive recursion. The design of the policy specification framework ensures that they are consistent and complete. Our ABAC policies can be transformed to ensure faster runtimes.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Elisa Bertino , Barbara Catania , Elena Ferrari , Paolo Perlasca, A logical framework for reasoning about access control models, ACM Transactions on Information and System Security (TISSEC), v.6 n.1, p.71-127, February 2003 [doi>10.1145/605434.605437]
	2	R. M. Burstall , John Darlington, A Transformation System for Developing Recursive Programs, Journal of the ACM (JACM), v.24 n.1, p.44-67, Jan. 1977 [doi>10.1145/321992.321996]
	3	Piero Bonatti , Pierangela Samarati, Regulating service access and information release on the Web, Proceedings of the 7th ACM conference on Computer and communications security, p.134-143, November 01-04, 2000, Athens, Greece [doi>10.1145/352600.352620]
	4	Piero A. Bonatti , Pierangela Samarati, A uniform framework for regulating service access and information release on the web, Journal of Computer Security, v.10 n.3, p.241-271, 2002
	5	Steve Barker , Peter J. Stuckey, Flexible access control policy specification with constraint logic programming, ACM Transactions on Information and System Security (TISSEC), v.6 n.4, p.501-546, November 2003 [doi>10.1145/950191.950194]
	6	David Chan. Constructive negation based on the completed databases. In R. A. Kowalski and K. A. Bowen, editors, Proc. International Conference on Logic Programming (ICLP), pages 111--125. The MIT Press, 1988.
	7	David Chan. An extension of constructive negation and its application in coroutining. In E. Lusk and R. Overbeek, editors, Proc. North-American Conference on Logic Programming, pages 477--489. The MIT Press, 1989.
	8	Agostino Dovier , Carla Piazza , Enrico Pontelli , Gianfranco Rossi, Sets and constraint logic programming, ACM Transactions on Programming Languages and Systems (TOPLAS), v.22 n.5, p.861-931, Sept. 2000 [doi>10.1145/365151.365169]
	9	Agostino Dovier , Alberto Policriti , Gianfranco Rossi, A uniform axiomatic view of lists, multisets, and sets, and the relevant unification algorithms, Fundamenta Informaticae, v.36 n.2-3, p.201-234, Nov. 1998
	10	Agostino Dovier, Carla Piazza, and Gianfranco Rossi. A uniform approach to constraint-solving for lists, multisets, compact lists, and sets. Technical Report Quaderno 235, Department of Mathematics, University of Parma, Italy, 2000.
	11	Agostino Dovier, Enrico Pontelli, and Gianfranco Rossi. Constructive negation and constraint logic programming with sets. New Generation Comput, 19(3):209--256, May 2001.
	12	Sandro Etalle , Maurizio Gabbrielli, Transformations of CLP modules, Theoretical Computer Science, v.166 n.1-2, p.101-146, Oct. 20, 1996 [doi>10.1016/0304-3975(95)00148-4]
	13	Francois Fages. Constructive negation by pruning. Journal of Logic Programming, 32(2):85--118, 1997.
	14	M. Fitting , M. Ben-Jacob, Stratified, weak stratified and three-valued semantics, Fundamenta Informaticae, v.13 n.1, p.19-33, Mar. 1990
	15	François Fages , Roberta Gori, A Hierarchy of Semantics for Normal Constraint Logic Programs, Proceedings of the 5th International Conference on Algebraic and Logic Programming, p.77-91, September 25-27, 1996
	16	Melvin C. Fitting. A kripke-kleene semantics for logic programs. Journal of Logic Programming, 2(4):295--312, 1985.
	17	Fixpoint semantics for logic programming a survey, Theoretical Computer Science, v.278 n.1-2, p.25-51, May 6, 2002 [doi>10.1016/S0304-3975(00)00330-3]
	18	J. Jaffar , J.-L. Lassez, Constraint logic programming, Proceedings of the 14th ACM SIGACT-SIGPLAN symposium on Principles of programming languages, p.111-119, January 21-23, 1987, Munich, West Germany [doi>10.1145/41625.41635]
	19	Sushil Jajodia , Pierangela Samarati , Maria Luisa Sapino , V. S. Subrahmanian, Flexible support for multiple access control policies, ACM Transactions on Database Systems (TODS), v.26 n.2, p.214-260, June 2001 [doi>10.1145/383891.383894]
	20	Dexter Kozen, Set constraints and logic programming, Information and Computation, v.142 n.1, p.2-25, April 1998 [doi>10.1006/inco.1997.2694]
	21	Kenneth J. Kunen. Set theory: an introduction to independence proofs. Elsevier North-Holland, 1980.
	22	Kenneth Kunen, Negation in logic programming, Journal of Logic Programming, v.4 n.4, p.289-308, December 1, 1987 [doi>10.1016/0743-1066(87)90007-0]
	23	Ninghui Li , John C. Mitchell , William H. Winsborough, Design of a Role-Based Trust-Management Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.114, May 12-15, 2002
	24	Ninghui Li , John C. Mitchell , William H. Winsborough, Design of a Role-Based Trust-Management Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.114, May 12-15, 2002
	25	Michael J. Maher, A transformation system for deductive database modules with perfect model semantics, Theoretical Computer Science, v.110 n.2, p.377-403, March 29, 1993 [doi>10.1016/0304-3975(93)90013-J]
	26	Alberto Petterossi and Maurizio Proietti. Transformation of Logic Programs, volume 5, chapter Handbook of Logic in Artificial Intelligence and Logic Programming, pages 697--787. Oxford University Press, 1998.
	27	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	28	Peter J. Stuckey. Constructive negation for constraint logic programming. In Logic in Computer Science, pages 328--339, 1991.
	29	Peter J. Stuckey, Negation and constraint logic programming, Information and Computation, v.118 n.1, p.12-33, April 1995 [doi>10.1006/inco.1995.1048]
	30	H. Tamaki and T. Sato. Unfold/fold transformation of logic programs. In Proceedings of the Second International Logic Programming Conference, pages 127--138, 1984.
	31	Duminda Wijesekera , Sushil Jajodia , Francesco Parisi-Presicce , Åsa Hagström, Removing permissions in the flexible authorization framework, ACM Transactions on Database Systems (TODS), v.28 n.3, p.209-229, September 2003 [doi>10.1145/937598.937599]
	32	Ting Yu , Xiaosong Ma , Marianne Winslett, PRUNES: an efficient and complete strategy for automated trust negotiation over the Internet, Proceedings of the 7th ACM conference on Computer and communications security, p.210-219, November 01-04, 2000, Athens, Greece [doi>10.1145/352600.352633]
	33	Ting Yu , Marianne Winslett , Kent E. Seamons, Interoperable strategies in automated trust negotiation, Proceedings of the 8th ACM conference on Computer and Communications Security, November 05-08, 2001, Philadelphia, PA, USA [doi>10.1145/501983.502004]
	34	Ting Yu , Marianne Winslett , Kent E. Seamons, Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation, ACM Transactions on Information and System Security (TISSEC), v.6 n.1, p.1-42, February 2003 [doi>10.1145/605434.605435]

CITED BY 19

	Saket Kaushik , Duminda Wijesekera , Paul Ammann, Policy-based dissemination of partial web-ontologies, Proceedings of the 2005 workshop on Secure web services, November 11-11, 2005, Fairfax, VA, USA
	Marianne Winslett , Charles C. Zhang , Piero A. Bonatti, PeerAccess: a logic for distributed authorization, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
	Radha Jagadeesan , Will Marrero , Corin Pitcher , Vijay Saraswat, Timed constraint programming: a declarative approach to usage control, Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming, p.164-175, July 11-13, 2005, Lisbon, Portugal
	Basit Shafiq , Elisa Bertino , Arif Ghafoor, Access control management in a distributed environment supporting dynamic collaboration, Proceedings of the 2005 workshop on Digital identity management, November 11-11, 2005, Fairfax, VA, USA
	Adam J. Lee , Marianne Winslett , Jim Basney , Von Welch, Traust: a trust negotiation-based authorization service for open systems, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
	Janice Warner , Vijayalakshmi Atluri , Ravi Mukkamala , Jaideep Vaidya, Using semantics for automatic enforcement of access control policies among dynamic coalitions, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
	Sabrina De Capitani di Vimercati , Sushil Jajodia , Stefano Paraboschi , Pierangela Samarati, Trust management services in relational databases, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
	Michael LeMay , Omid Fatemieh , Carl A. Gunter, PolicyMorph: interactive policy transformations for a logical attribute-based access control framework, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
	Agostino Dovier , Enrico Pontelli , Gianfranco Rossi, Set unification, Theory and Practice of Logic Programming, v.6 n.6, p.645-701, November 2006
	T. Finin , A. Joshi , L. Kagal , J. Niu , R. Sandhu , W. Winsborough , B. Thuraisingham, ROWLBAC: representing role based access control in OWL, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA
	Adam J. Lee , Marianne Winslett , Jim Basney , Von Welch, The Traust Authorization Service, ACM Transactions on Information and System Security (TISSEC), v.11 n.1, p.1-33, February 2008
	Joachim Biskup , Julia Hielscher , Sandra Wortmann, A Trust- and Property-based Access Control Model, Electronic Notes in Theoretical Computer Science (ENTCS), v.197 n.2, p.169-177, February, 2008
	Sabrina De Capitani Di Vimercati , Sara Foresti , Pierangela Samarati , Sushil Jajodia, Access control policies and languages, International Journal of Computational Science and Engineering, v.3 n.2, p.94-102, November 2007
	Steve Barker , Marek J. Sergot , Duminda Wijesekera, Status-Based Access Control, ACM Transactions on Information and System Security (TISSEC), v.12 n.1, p.1-47, October 2008
	Leon Pan , Chang N. Zhang, A criterion-based multilayer access control approach for multimedia applications and the implementation considerations, ACM Transactions on Multimedia Computing, Communications, and Applications (TOMCCAP), v.5 n.2, p.1-29, November 2008
	Christian Wolter , Michael Menzel , Andreas Schaad , Philip Miseldine , Christoph Meinel, Model-driven business process security requirement specification, Journal of Systems Architecture: the EUROMICRO Journal, v.55 n.4, p.211-223, April, 2009
	Romain Laborde , Michel Kamel , Samer Wazan , Francois Barrere , Abdelmalek Benzekri, A secure collaborative web-based environment for virtual organisations, International Journal of Web Based Communities, v.5 n.2, p.273-292, March 2009
	Yuqing Sun , Bin Gong , Xiangxu Meng , Zongkai Lin , Elisa Bertino, Specification and enforcement of flexible security policy for active cooperation, Information Sciences: an International Journal, v.179 n.15, p.2629-2642, July, 2009
	Adam J. Lee , Ting Yu, Towards a dynamic and composable model of trust, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy