|
 ABSTRACT
Although several access control policies can be devised for controlling access to information, all existing authorization models, and the corresponding enforcement mechanisms, are based on a specific policy (usually the closed policy). As a consequence, although different policy choices are possible in theory, in practice only a specific policy can actually be applied within a given system. In this paper, we present a unified framework that can enforce multiple access control policies within a single system. The framework is based on a language through which users can specify security policies to be enforced on specific accesses. The language allows the specification of both positive and negative authorizations and incorporates notions of authorization derivation, conflict resolution, and decision strategies. Different strategies may be applied to different users, groups, objects, or roles, based on the needs of the security policy. The overall result is a flexible and powerful, yet simple, framework that can easily capture many of the traditional access control policies as well as protection requirements that exist in real-world applications, but are seldom supported by existing systems. The major advantage of our approach is that it can be used to specify different access control policies that can all coexist in the same system and be enforced by the same security server.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
| |
1
|
|
| |
2
|
|
| |
3
|
|
| |
4
|
|
| |
5
|
|
 |
6
|
|
| |
7
|
Elisa Bertino , Pierangela Samarati , Sushil Jajodia, Authorizations in relational database management systems, Proceedings of the 1st ACM conference on Computer and communications security, p.130-139, November 03-05, 1993, Fairfax, Virginia, United States
[doi> 10.1145/168588.168605]
|
| |
8
|
BRANSTAD, M., TAJALLI, H., MAYER,F.,AND DALVA, D. 1989. Access mediation in a message passing kernel. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, Calif.). IEEE Computer Society Press, Los Alamitos, Calif., pp. 66-72.
|
| |
9
|
BREWER,D.F.C.AND NASH, M. J. 1989. The chinese wall security policy. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, Calif.). IEEE Computer Society Press, Los Alamitos, Calif., pp. 215-228.
|
| |
10
|
|
| |
11
|
|
| |
12
|
DENNING, D. E., LUNT, T., SCHELL, R., HECKMAN, M., AND SHOCKLEY, S. 1987. Secure distributed data view (Sea View) -the Sea View formal security policy model. Tech. rep. SRI International, Menlo Park, Calif.
|
| |
13
|
|
| |
14
|
GELFOND,M.AND LIFSCHITZ, V. 1988. The stable model semantics for logic programming. In Proceedings of the 5th International Conference and Symposium on Logic Programming (Seattle, Wash.). pp. 1070-1080.
|
| |
15
|
GOTTLOB, G. 1992. Complexity results for nonmonotonic logics. J. Logic Comput. 2, 3, 397-425.
|
| |
16
|
|
| |
17
|
Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian , Eliza Bertino, A unified framework for enforcing multiple access control policies, Proceedings of the 1997 ACM SIGMOD international conference on Management of data, p.474-485, May 11-15, 1997, Tucson, Arizona, United States
|
| |
18
|
|
| |
19
|
|
| |
20
|
LUNT, T. F. 1989. Access control policies for database systems. In Database Security II: Status and Prospects, C. E. Landwehr, Ed., North-Holland, Amsterdam, The Netherlands, pp. 41-52.
|
| |
21
|
|
| |
22
|
|
| |
23
|
|
| |
24
|
|
| |
25
|
REITER, R. 1980. A logic for default reasoning. Artif. Int. 13, 81-132.
|
| |
26
|
SAYDJARI,O.S.,TURNER,S.J.,PEELE, D. E., FARRELL,J.F.,LOSCOCCO, P. A., KUTZ,W.,AND BOCK,G.L. 1993. Synergy: A distributed, microkernel-based security architecture, version 1.0. Tech. rep. National Security Agency, Ft. George G. Meade, Md.
|
| |
27
|
|
| |
28
|
TARSKI, A. 1955. A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math. 5, 285-309.
|
| |
29
|
|
| |
30
|
WOO,T.Y.C.AND LAM, S. S. 1993. Authorizations in distributed systems: A new approach. Journal of Computer Security 2, 2,3.
|
CITED BY 81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sylvia Osborn , Bhavani Thuraisingham , Pierangela Samarati, Panel on XML and security, Proceedings of the fifteenth annual working conference on Database and application security, p.317-323, July 15-18, 2001, Niagara, Ontario, Canada
|
|
|
|
|
|
|
|
|
|
|
|
Xinwen Zhang , Jaehong Park , Francesco Parisi-Presicce , Ravi Sandhu, A logical specification for usage control, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Jacqueline Yang , Duminda Wijesekera , Sushil Jajodia, Subject switching algorithms for access control in federated databases, Proceedings of the fifteenth annual working conference on Database and application security, p.61-74, July 15-18, 2001, Niagara, Ontario, Canada
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Radha Jagadeesan , Will Marrero , Corin Pitcher , Vijay Saraswat, Timed constraint programming: a declarative approach to usage control, Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming, p.164-175, July 11-13, 2005, Lisbon, Portugal
|
|
|
|
|
|
Nicola Zannone , Sushil Jajodia , Fabio Massacci , Duminda Wijesekera, Maintaining privacy on derived objects, Proceedings of the 2005 ACM workshop on Privacy in the electronic society, November 07-07, 2005, Alexandria, VA, USA
|
|
|
Paul Ashley , Satoshi Hada , Günter Karjoth , Matthias Schunter, E-P3P privacy policies and privacy authorization, Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society, p.103-109, November 21-21, 2002, Washington, DC
|
|
|
|
|
|
Arjun Dasgupta , Nan Zhang , Gautam Das , Surajit Chaudhuri, Privacy preservation of aggregates in hidden databases: why and how?, Proceedings of the 35th SIGMOD international conference on Management of data, June 29-July 02, 2009, Providence, Rhode Island, USA
|
|
|
Ernesto Damiani , Sabrina De Capitani di Vimercati , Cristiano Fugazza , Pierangela Samarati, Modality conflicts in semantics aware access control, Proceedings of the 6th international conference on Web engineering, July 11-14, 2006, Palo Alto, California, USA
|
|
|
|
|
|
|
|
|
Diala Abi Haidar , Nora Cuppens-Boulahia , Frederic Cuppens , Herve Debar, An extended RBAC profile of XACML, Proceedings of the 3rd ACM workshop on Secure web services, November 03-03, 2006, Alexandria, Virginia, USA
|
|
|
|
|
|
Claudio A. Ardagna , Marco Cremonini , Ernesto Damiani , Sabrina De Capitani di Vimercati , Pierangela Samarati, Supporting location-based conditions in access control policies, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Meenakshi Balasubramanian , Abhishek Bhatnagar , Namit Chaturvedi , Atish Datta Chowdhury , Arul Ganesh, A framework for decentralized access control, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
|
|
|
|
|
|
Sabrina De Capitani di Vimercati , Sara Foresti , Sushil Jajodia , Stefano Paraboschi , Pierangela Samarati, Over-encryption: management of access control evolution on outsourced data, Proceedings of the 33rd international conference on Very large data bases, September 23-27, 2007, Vienna, Austria
|
|
|
|
|
|
Lin Qiao , Basuki Soetarman , Gene Fuh , Adarsh Pannu , Baoqiu Cui , Thomas Beavin , William Kyu, A framework for enforcing application policies in database systems, Proceedings of the 2007 ACM SIGMOD international conference on Management of data, June 11-14, 2007, Beijing, China
|
|
|
|
|
|
Rakesh Agrawal , Jerry Kiernan , Ramakrishnan Srikant , Yirong Xu, Hippocratic databases, Proceedings of the 28th international conference on Very Large Data Bases, p.143-154, August 20-23, 2002, Hong Kong, China
|
|
|
Claudio Bettini , Sushil Jajodia , X. Sean Wang , Duminda Wijesekera, Provisions and obligations in policy management and security applications, Proceedings of the 28th international conference on Very Large Data Bases, p.502-513, August 20-23, 2002, Hong Kong, China
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Glenn Bruns , Daniel S Dantas , Michael Huth, A simple and expressive semantic framework for policy composition in access control, Proceedings of the 2007 ACM workshop on Formal methods in security engineering, p.12-21, November 02-02, 2007, Fairfax, Virginia, USA
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Anderson Santana de Oliveira , Eric Ke Wang , Claude Kirchner , Helene Kirchner, Weaving rewrite-based access control policies, Proceedings of the 2007 ACM workshop on Formal methods in security engineering, p.71-80, November 02-02, 2007, Fairfax, Virginia, USA
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Robert Craven , Jorge Lobo , Jiefei Ma , Alessandra Russo , Emil Lupu , Arosha Bandara, Expressive policy analysis with enhanced system dynamicity, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
|
|
|
|
|
|
|
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
Pdf
H.2