ABSTRACT
XACML has emerged as a popular access control language on the Web, but because of its rich expressiveness, it has proved difficult to analyze in an automated fashion. In this paper, we present a formalization of XACML using description logics (DL), a decidable fragment of first-order logic. This formalization allows us to cover a more expressive subset of XACML than propositional-logic-based analysis tools, and in addition we provide a new analysis service (policy redundancy). Mapping XACML to description logics also allows us to use off-the-shelf DL reasoners for analysis tasks such as policy comparison, verification and querying. We provide an empirical evaluation of a policy analysis tool implemented on top of the open-source DL reasoner Pellet.
CITED BY 6
Ninghui Li, Qihua Wang, Wahbeh Qardaji, Elisa Bertino, Prathima Rao, Jorge Lobo, Dan Lin. Access control policy combining: theory meets practice. Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, June 3-5, 2009, Stresa, Italy.