An algebra for composing access control policies

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

An algebra for composing access control policies

Full text

Pdf (384 KB)

Source

ACM Transactions on Information and System Security (TISSEC) archive
Volume 5 , Issue 1 (February 2002) table of contents

Pages: 1 - 35

Year of Publication: 2002

ISSN:1094-9224

Authors

Piero Bonatti	Università di Milano, Crema, Italy
Sabrina De Capitani di Vimercati	Università di Brescia, Brescia, Italy
Pierangela Samarati	Università di Milano, Crema, Italy

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 10, Downloads (12 Months): 145, Citation Count: 21

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/504909.504910 What is a DOI?

ABSTRACT

Despite considerable advancements in the area of access control and authorization languages, current approaches to enforcing access control are all based on monolithic and complete specifications. This assumption is too restrictive when access control restrictions to be enforced come from the combination of different policy specifications, each possibly under the control of independent authorities, and where the specifics of some component policies may not even be known apriori. Turning individual specifications into a coherent policy to be fed into the access control system requires a nontrivial combination and translation process. This article addresses the problem of combining authorization specifications that may be independently stated, possibly in different languages and according to different policies. We propose an algebra of security policies together with its formal semantics and illustrate how to formulate complex policies in the algebra and reason about them. A translation of policy expressions into equivalent logic programs is illustrated, which provides the basis for the implementation of the algebra. The algebra's expressiveness is analyzed through a comparison with first-order logic.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Martín Abadi , Leslie Lamport, Composing specifications, ACM Transactions on Programming Languages and Systems (TOPLAS), v.15 n.1, p.73-132, Jan. 1993 [doi>10.1145/151646.151649]
	2	BANISAR, D. AND DAVIES, S. 1999. Privacy & Human Rights-An International Survey of Privacy Laws and Developments. EPIC.
	3	Elisa Bertino , Sushil Jajodia , Pierangela Samarati, A flexible authorization mechanism for relational data management systems, ACM Transactions on Information Systems (TOIS), v.17 n.2, p.101-140, April 1999 [doi>10.1145/306686.306687]
	4	Piero Bonatti , Sabrina de Capitani di Vimercati , Pierangela Samarati, A modular approach to composing access control policies, Proceedings of the 7th ACM conference on Computer and communications security, p.164-173, November 01-04, 2000, Athens, Greece [doi>10.1145/352600.352623]
	5	Ernesto Damiani , Sabrina de Capitani di Vimercati , Stefano Paraboschi , Pierangela Samarati, Design and implementation of an access control processor for XML documents, Proceedings of the 9th international World Wide Web conference on Computer networks : the international journal of computer and telecommunications netowrking, p.59-75, June 2000, Amsterdam, The Netherlands
	6	GELFOND, M. AND LIFSCHITZ, V. 1988. The stable model semantics for logic programming. In Proceedings of the International Conference on Logic Programming (ICLP'88), MITPress, Cambridge, Mass., 1070-1080.
	7	HOSMER, H. 1992. The multipolicy paradigm. In Proceedings of the Fifteenth National Computer Security Conference (Baltimore, Oct.), 409-422.
	8	Trent Jaeger, Access control in configurable systems, Secure Internet programming: security issues for mobile and distributed objects, Springer-Verlag, London, 2001
	9	Sushil Jajodia , Pierangela Samarati , Maria Luisa Sapino , V. S. Subrahmanian, Flexible support for multiple access control policies, ACM Transactions on Database Systems (TODS), v.26 n.2, p.214-260, June 2001 [doi>10.1145/383891.383894]
	10	Paris C. Kanellakis, Elements of relational database theory, Handbook of theoretical computer science (vol. B): formal models and semantics, MIT Press, Cambridge, MA, 1991
	11	Carl E. Landwehr, Formal Models for Computer Security, ACM Computing Surveys (CSUR), v.13 n.3, p.247-278, Sept. 1981 [doi>10.1145/356850.356852]
	12	Ninghui Li , Joan Feigenbaum , Benjamin N. Grosof, A Logic-based Knowledge Representation for Authorization with Delegation, Proceedings of the 1999 IEEE Computer Security Foundations Workshop, p.162, June 28-30, 1999
	13	Vladimir Lifschitz , Hudson Turner, Splitting a logic program, Proceedings of the eleventh international conference on Logic programming, p.23-37, August 1994
	14	J. W. Lloyd, Foundations of logic programming, Springer-Verlag New York, Inc., New York, NY, 1984
	15	LUNT, T. 1989. Access control policies for database systems. In Database Security II: Status and Prospects, C. Landwehr, Ed., North-Holland, Amsterdam, The Netherlands, 41-52.
	16	Fausto Rabitti , Elisa Bertino , Won Kim , Darrell Woelk, A model of authorization for next-generation database systems, ACM Transactions on Database Systems (TODS), v.16 n.1, p.88-131, March 1991 [doi>10.1145/103140.103144]
	17	SAGONAS, K., SWIFT, T., WARREN, D., FREIRE, J., AND RAO, P. 2000. The XSB programmer's manual, version 2.2. http://xsb.sourceforge.net.
	18	Ravi S. Sandhu, Lattice-Based Access Control Models, Computer, v.26 n.11, p.9-19, November 1993 [doi>10.1109/2.241422]
	19	HongHai Shen , Prasun Dewan, Access control for collaborative environments, Proceedings of the 1992 ACM conference on Computer-supported cooperative work, p.51-58, November 01-04, 1992, Toronto, Ontario, Canada [doi>10.1145/143457.143461]
	20	STERLING, L. AND SHAPIRO, E. 1997. The Art of Prolog. MIT Press, Cambridge, Mass.
	21	SUBRAHMANIAN, V., ADALI, S., BRINK, A., EMERY, R., LU, J., RAJPUT, A., ROGERS, T., ROSS, R., AND WARD, C. 1997. Hermes: Heterogeneous reasoning and mediator system. http://www.cs.umd.edu/projects/ hermes/publications/abstracts/hermes.html.
	22	WOO, T. AND LAM, S. 1993. Authorizations in distributed systems: A new approach. J. Comput. Sec. 2, 2,3, 107-136.

CITED BY 22

	Basit Shafiq , James B. D. Joshi , Elisa Bertino , Arif Ghafoor, Secure Interoperation in a Multidomain Environment Employing RBAC Policies, IEEE Transactions on Knowledge and Data Engineering, v.17 n.11, p.1557-1577, November 2005
	Ninghui Li , Qihua Wang, Beyond separation of duty: an algebra for specifying high-level security policies, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	François Siewe , Antonio Cau , Hussein Zedan, A compositional framework for access control policies enforcement, Proceedings of the 2003 ACM workshop on Formal methods in security engineering, p.32-42, October 30, 2003, Washington, D.C.
	Joachim Biskup , Sandra Wortmann, Towards a credential-based implementation of compound access control policies, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Radha Jagadeesan , Will Marrero , Corin Pitcher , Vijay Saraswat, Timed constraint programming: a declarative approach to usage control, Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming, p.164-175, July 11-13, 2005, Lisbon, Portugal
	Rafae Bhatti , Basit Shafiq , Elisa Bertino , Arif Ghafoor , James B. D. Joshi, X-gtrbac admin: A decentralized administration model for enterprise-wide access control, ACM Transactions on Information and System Security (TISSEC), v.8 n.4, p.388-423, November 2005
	M. Coetzee , Jan H. P. Eloff, Virtual enterprise access control requirements, Proceedings of the 2003 annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology, p.285-294, September 17-19, 2003
	Audun Jøsang , Dieter Gollmann , Richard Au, A method for access authorisation through delegation networks, Proceedings of the 2006 Australasian workshops on Grid computing and e-research, p.165-174, January 16-19, 2006, Hobart, Tasmania, Australia
	Ninghui Li , Qihua Wang, Beyond separation of duty: An algebra for specifying high-level security policies, Journal of the ACM (JACM), v.55 n.3, p.1-46, July 2008
	Jong P. Yoon, Presto Authorization: A Bitmap Indexing Scheme for High-Speed Access Control to XML Documents, IEEE Transactions on Knowledge and Data Engineering, v.18 n.7, p.971-987, July 2006
	Clara Bertolissi , Maribel Fernández, A rewriting framework for the composition of access control policies, Proceedings of the 10th international ACM SIGPLAN conference on Principles and practice of declarative programming, July 15-17, 2008, Valencia, Spain
	Glenn Bruns , Daniel S Dantas , Michael Huth, A simple and expressive semantic framework for policy composition in access control, Proceedings of the 2007 ACM workshop on Formal methods in security engineering, p.12-21, November 02-02, 2007, Fairfax, Virginia, USA
	Abhilasha Bhargav-Spantzel , Jan Camenisch , Thomas Gross , Dieter Sommer, User centricity: A taxonomy and open issues, Journal of Computer Security, v.15 n.5, p.493-527, October 2007
	Steve Barker , Marek J. Sergot , Duminda Wijesekera, Status-Based Access Control, ACM Transactions on Information and System Security (TISSEC), v.12 n.1, p.1-47, October 2008
	David W. Marsh , Rusty O. Baldwin , Barry E. Mullins , Robert F. Mills , Michael R. Grimaila, A security policy language for wireless sensor networks, Journal of Systems and Software, v.82 n.1, p.101-111, January, 2009
	Qun Ni , Elisa Bertino , Jorge Lobo, D-algebra for composing access control policy decisions, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
	Jay Ligatti , Lujo Bauer , David Walker, Run-Time Enforcement of Nonsafety Policies, ACM Transactions on Information and System Security (TISSEC), v.12 n.3, p.1-41, January 2009
	Prathima Rao , Dan Lin , Elisa Bertino , Ninghui Li , Jorge Lobo, An algebra for fine-grained integration of XACML policies, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy
	Xinyu Wang , Jianling Sun , Xiaohu Yang , Chao Huang , Di Wu, Security Violation Detection for RBAC Based Interoperation in Distributed Environment, IEICE - Transactions on Information and Systems, v.E91-D n.5, p.1447-1456, May 2008
	Vikhyath Rao , Trent Jaeger, Dynamic mandatory access control for multiple stakeholders, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy
	Ninghui Li , Qihua Wang , Wahbeh Qardaji , Elisa Bertino , Prathima Rao , Jorge Lobo , Dan Lin, Access control policy combining: theory meets practice, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy
	Hejiao Huang , Helene Kirchner , Songyun Liu , Weili Wu, Handling inheritance violation for secure interoperation of heterogeneous systems, International Journal of Security and Networks, v.4 n.4, p.223-233, September 2009