ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Delegation logic: A logic-based approach to distributed authorization
Full text PdfPdf (316 KB)
Source ACM Transactions on Information and System Security (TISSEC) archive
Volume 6 ,  Issue 1  (February 2003) table of contents
Pages: 128 - 171  
Year of Publication: 2003
ISSN:1094-9224
Authors
Ninghui Li  Stanford University, Stanford, CA
Benjamin N. Grosof  Massachusetts Institute of Technology, Cambridge, MA
Joan Feigenbaum  Yale University, New Haven, CT
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 18,   Downloads (12 Months): 152,   Citation Count: 34
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/605434.605438
What is a DOI?

ABSTRACT

We address the problem of authorization in large-scale, open, distributed systems. Authorization decisions are needed in electronic commerce, mobile-code execution, remote resource sharing, privacy protection, and many other applications. We adopt the trust-management approach, in which "authorization" is viewed as a "proof-of-compliance" problem: Does a set of credentials prove that a request complies with a policy?We develop a logic-based language, called Delegation Logic (DL), to represent policies, credentials, and requests in distributed authorization. In this paper, we describe D1LP, the monotonic version of DL. D1LP extends the logic-programming (LP) language Datalog with expressive delegation constructs that feature delegation depth and a wide variety of complex principals (including, but not limited to, k-out-of-n thresholds). Our approach to defining and implementing D1LP is based on tractably compiling D1LP programs into ordinary logic programs (OLPs). This compilation approach enables D1LP to be implemented modularly on top of existing technologies for OLP, for example, Prolog.As a trust-management language, D1LP provides a concept of proof-of-compliance that is founded on well-understood principles of logic programming and knowledge representation. D1LP also provides a logical framework for studying delegation.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Martín Abadi, On SDSI's linked local name spaces, Journal of Computer Security, v.6 n.1-2, p.3-21, Sept. 1998
2
Martín Abadi , Michael Burrows , Butler Lampson , Gordon Plotkin, A calculus for access control in distributed systems, ACM Transactions on Programming Languages and Systems (TOPLAS), v.15 n.4, p.706-734, Sept. 1993  [doi>10.1145/155183.155225]
 
3
T. Aura, On the Structure of Delegation Networks, Proceedings of the 11th IEEE Computer Security Foundations Workshop, p.14, June 09-11, 1998
 
4
Baral C. and Gelfond, M. 1994. Logic programming and knowledge representation. J. Logic Prog. 19/20 (May/July), 73--148.
 
5
Elisa Bertino , Elena Ferrari , Francesco Buccafurri , Pasquale Rullo, A Logical Framework for Reasoning on Data Access Control Policies, Proceedings of the 1999 IEEE Computer Security Foundations Workshop, p.175, June 28-30, 1999
 
6
Blaze, M., Feigenbaum J., Ioannidis J., and Keromytis, A. D. 1999a. The KeyNote trust-management system, version 2. IETF RFC 2704, September 1999.
 
7
Matt Blaze , Joan Feigenbaum , John Ioannidis , Angelos D. Keromytis, The role of trust management in distributed systems security, Secure Internet programming: security issues for mobile and distributed objects, Springer-Verlag, London, 2001
 
8
Matt Blaze , Joan Feigenbaum , Jack Lacy, Decentralized Trust Management, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.164, May 06-08, 1996
 
9
Matt Blaze , Joan Feigenbaum , Martin Strauss, Compliance Checking in the PolicyMaker Trust Management System, Proceedings of the Second International Conference on Financial Cryptography, p.254-274, February 23-25, 1998
 
10
CCITT. 1989. Recommendation X.509: The Directory-Authentication Framework. Consultation Committee, International Telephone and Telegraph, International Telecommunications Union, Geneva.
11
Weidong Chen , David S. Warren, Tabled evaluation with delaying for general logic programs, Journal of the ACM (JACM), v.43 n.1, p.20-74, Jan. 1996  [doi>10.1145/227595.227597]
 
12
Yang-Hua Chu , Joan Feigenbaum , Brian LaMacchia , Paul Resnick , Martin Strauss, Referee: trust management for Web applications, World Wide Web Journal, v.2 n.3, p.127-139, Summer 1997
 
13
Dwaine Clarke , Jean-Emile Elien , Carl Ellison , Matt Fredette , Alexander Morcos , Ronald L. Rivest, Certificate chain discovery in SPKI?SDSI, Journal of Computer Security, v.9 n.4, p.285-322, January 2001
 
14
John DeTreville, Binder, a Logic-Based Security Language, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.105, May 12-15, 2002
 
15
Ellison, C., Frantz, B., Lampson, B., Rivest, R. L., Thomas, B., and Ylonen, T. 1999a. SPKI certificate theory. IETF RFC 2693, September 1999.
 
16
Ellison, C., Frantz, B., Lampson, B., Rivest, R. L., Thomas, B., and Ylonen, T. 1999b. Simple public key certificates. Internet Draft (work in progress), July 1999. http://world.std.com∼cme/spki.txt.
 
17
Finney, H. 1996. Transitive trust and MLM. Post to cypherpunks mailing list, archived at http://www.inet-one.com/cypherpunks/dir.1996.05.02-1996.05.08/msg00415.html. May 1996.
 
18
Joseph Y. Halpern , Ron van der Meyden, A logic for SDSI's linked local name spaces, Journal of Computer Security, v.9 n.1-2, p.105-142, Jan. 1,2001
 
19
Amir Herzberg , Yosi Mass , Joris Michaeli , Yiftach Ravid , Dalit Naor, Access Control Meets Public Key Infrastructure, Or: Assigning Roles to Strangers, Proceedings of the 2000 IEEE Symposium on Security and Privacy, p.2, May 14-17, 2000
 
20
Jonathan R. Howell , David Kotz, Naming and sharing resources across administrative boundaries, 2000
 
21
Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian, A Logical Language for Expressing Authorizations, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.31, May 04-07, 1997
22
Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian , Eliza Bertino, A unified framework for enforcing multiple access control policies, Proceedings of the 1997 ACM SIGMOD international conference on Management of data, p.474-485, May 11-15, 1997, Tucson, Arizona, United States
 
23
Trevor Jim, SD3: A Trust Management System with Certified Evaluation, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.106, May 14-16, 2001
24
Stephen T. Kent, Internet Privacy Enhanced Mail, Communications of the ACM, v.36 n.8, p.48-60, Aug. 1993  [doi>10.1145/163381.163390]
25
Butler Lampson , Martín Abadi , Michael Burrows , Edward Wobber, Authentication in distributed systems: theory and practice, ACM Transactions on Computer Systems (TOCS), v.10 n.4, p.265-310, Nov. 1992  [doi>10.1145/138873.138874]
 
26
Langheinrich, M. 2002. A P3P Preference Exchange Language 1.0 (APPEL1.0). W3C Working Draft, April 2002.
 
27
Ninghui Li, Local Names in SPKI/SDSI, Proceedings of the 13th IEEE Computer Security Foundations Workshop (CSFW'00), p.2, July 03-05, 2000
 
28
Ninghui Li , Joan Feigenbaum , Alan Siegel, Delegation logic: a logic-based approach to distributed authorization, 2000
 
29
Li, N. 2000c. XD1LP: An implementation of D1LP in XSB. http://cs.nyu.edu/ninghui/xd1lp/.
 
30
Ninghui Li , Joan Feigenbaum , Benjamin N. Grosof, A Logic-based Knowledge Representation for Authorization with Delegation, Proceedings of the 1999 IEEE Computer Security Foundations Workshop, p.162, June 28-30, 1999
 
31
Ninghui Li , Benjamin Grosof , Joan Feigenbaum, A Practically Implementable and Tractable Delegation Logic, Proceedings of the 2000 IEEE Symposium on Security and Privacy, p.27, May 14-17, 2000
 
32
Ninghui Li , John C. Mitchell , William H. Winsborough, Design of a Role-Based Trust-Management Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.114, May 12-15, 2002
33
Ninghui Li , William H. Winsborough , John C. Mitchell, Distributed credential chain discovery in trust management: extended abstract, Proceedings of the 8th ACM conference on Computer and Communications Security, November 05-08, 2001, Philadelphia, PA, USA  [doi>10.1145/501983.502005]
 
34
J. W. Lloyd, Foundations of logic programming; (2nd extended ed.), Springer-Verlag New York, Inc., New York, NY, 1987
 
35
Marchiori, M. 2002. The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation. April.
 
36
Ueli M. Maurer, Modelling a Public-Key Infrastructure, Proceedings of the 4th European Symposium on Research in Computer Security: Computer Security, p.325-350, September 25-27, 1996
 
37
Naish, L. 1992. Types and the intended meaning of logic programs. In F. Pfenning, editor, Types in Logic Programming. The MIT Press, Cambridge, Mass., pp. 189--216.
 
38
Peter Padawitz, Computing in Horn clause theories, Springer-Verlag New York, Inc., New York, NY, 1988
 
39
Frank Pfenning, Types in logic programming, MIT Press, Cambridge, MA, 1992
 
40
Rivest, R. L. and Lampson, B. 1996. SDSI: a simple distributed security infrastructure. http://theory.lcs.mit.edu/∼rivest/sdsi11.html. October 1996.
 
41
Stephen Weeks, Understanding Trust Management Systems, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.94, May 14-16, 2001
 
42
The XSB Research Group. 2002. The XSB programming system. http://xsb.sourceforge.net/.

CITED BY  34
Joseph Y. Halpern , Vicky Weissman, A formal foundation for XrML, Journal of the ACM (JACM), v.55 n.1, p.1-42, February 2008
Trent Jaeger , Xiaolan Zhang , Fidel Cacheda, Policy management using access control spaces, ACM Transactions on Information and System Security (TISSEC), v.6 n.3, p.327-364, August 2003
Hristo Koshutanski , Fabio Massacci, An access control framework for business processes for web services, Proceedings of the 2003 ACM workshop on XML security, October 31-31, 2003, Fairfax, Virginia
Andrzej Uszok , Jeffrey M. Bradshaw , Matthew Johnson , Renia Jeffers , Austin Tate , Jeff Dalton , Stuart Aitken, KAoS Policy Management for Semantic Web Services, IEEE Intelligent Systems, v.19 n.4, p.32-41, July 2004
Ninghui Li , John C. Mitchell , William H. Winsborough, Beyond proof-of-compliance: security analysis in trust management, Journal of the ACM (JACM), v.52 n.3, p.474-514, May 2005
Victoria Ungureanu, Efficient support for enterprise delegation policies, Proceedings of the 2005 ACM symposium on Applied computing, March 13-17, 2005, Santa Fe, New Mexico
Radha Jagadeesan , Will Marrero , Corin Pitcher , Vijay Saraswat, Timed constraint programming: a declarative approach to usage control, Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming, p.164-175, July 11-13, 2005, Lisbon, Portugal
Wiebe van der Hoek , Michael Wooldridge, On the dynamics of delegation, cooperation, and control: a logical account, Proceedings of the fourth international joint conference on Autonomous agents and multiagent systems, July 25-29, 2005, The Netherlands
Sandro Etalle , William H. Winsborough, Integrity constraints in trust management, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
Gang Yin , Huai-min Wang , Dian-xi Shi , Yan Jia , Meng Teng, A rule-based framework for role-based constrained delegation, Proceedings of the 3rd international conference on Information security, November 14-16, 2004, Shanghai, China
Christian Skalka , X. Sean Wang, Trust but verify: authorization for web services, Proceedings of the 2004 workshop on Secure web service, p.47-55, October 29-29, 2004, Fairfax, Virginia
Martín Abadi , Boon Thau Loo, Towards a declarative language and system for secure networking, Proceedings of the 3rd USENIX international workshop on Networking meets databases, p.1-6, April 10, 2007, Cambridge, MA
Kevin Kane , James C. Browne, On classifying access control implementations for distributed systems, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
Jeff Polakow , Christian Skalka, Specifying distributed trust management in LolliMon, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada
William H. Winsborough , Ninghui Li, Safety in automated trust negotiation, ACM Transactions on Information and System Security (TISSEC), v.9 n.3, p.352-390, August 2006
Steve Barker, Action-status access control, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
Xinming Ou , Sudhakar Govindavajhala , Andrew W. Appel, MulVAL: a logic-based network security analyzer, Proceedings of the 14th conference on USENIX Security Symposium, p.8-8, July 31-August 05, 2005, Baltimore, MD
Sandro Etalle , William H. Winsborough, A posteriori compliance control, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
Martín Abadi, Access Control in a Core Calculus of Dependency, Electronic Notes in Theoretical Computer Science (ENTCS), 172, p.5-31, April, 2007
Martín Abadi, Access control in a core calculus of dependency, ACM SIGPLAN Notices, v.41 n.9, September 2006
Erin Cody , Raj Sharman , Raghav H. Rao , Shambhu Upadhyaya, Security in grid computing: A review and synthesis, Decision Support Systems, v.44 n.4, p.749-764, March, 2008
Javier Lopez , Isaac Agudo , Jose A. Montenegro, On the deployment of a real scalable delegation service, Information Security Tech. Report, v.12 n.3, p.139-146, January, 2007
Grigoris Antoniou , Antonis Bikakis, DR-Prolog: A System for Defeasible Reasoning with Rules and Ontologies on the Semantic Web, IEEE Transactions on Knowledge and Data Engineering, v.19 n.2, p.233-245, February 2007
Hristo Koshutanski , Fabio Massacci, Interactive access control for autonomic systems: From theory to implementation, ACM Transactions on Autonomous and Adaptive Systems (TAAS), v.3 n.3, p.1-31, August 2008
Joseph Y. Halpern , Vicky Weissman, Using First-Order Logic to Reason about Policies, ACM Transactions on Information and System Security (TISSEC), v.11 n.4, p.1-41, July 2008
Wiliam H. Winsborough , Anna C. Squicciarini , Elisa Bertino, Information carrying identity proof trees, Proceedings of the 2007 ACM workshop on Privacy in electronic society, October 29-29, 2007, Alexandria, Virginia, USA
Sabrina De Capitani Di Vimercati , Sara Foresti , Pierangela Samarati , Sushil Jajodia, Access control policies and languages, International Journal of Computational Science and Engineering, v.3 n.2, p.94-102, November 2007
Steve Barker , Marek J. Sergot , Duminda Wijesekera, Status-Based Access Control, ACM Transactions on Information and System Security (TISSEC), v.12 n.1, p.1-47, October 2008
Peter C. Chapin , Christian Skalka , X. Sean Wang, Authorization in trust management: Features and foundations, ACM Computing Surveys (CSUR), v.40 n.3, p.1-48, August 2008
Danfeng Yao , Roberto Tamassia, Compact and Anonymous Role-Based Authorization Chain, ACM Transactions on Information and System Security (TISSEC), v.12 n.3, p.1-27, January 2009
Zhengping Wu , Alfred C. Weaver, Requirements of federated trust management for service-oriented architectures, Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, October 30-November 01, 2006, Markham, Ontario, Canada
Andrew G. West , Adam J. Aviv , Jian Chang , Vinayak S. Prabhu , Matt Blaze , Sampath Kannan , Insup Lee , Jonathan M. Smith , Oleg Sokolsky, QuanTM: a quantitative trust management system, Proceedings of the Second European Workshop on System Security, p.28-35, March 31-31, 2009, Nuremburg, Germany
Chunhua Gu , Xueqin Zhang , Guoxin Song, A Delegation Logic Based Authorization Mechanism for Virtual Organizations, Proceeding of the 2005 conference on Applied Public Key Infrastructure: 4th International Workshop: IWAP 2005, p.123-136, May 09, 2005
Lujo Bauer , Limin Jia , Michael K. Reiter , David Swasey, xDomain: cross-border proofs of access, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.4 Distributed Systems

  F. Theory of Computation
  F.4 MATHEMATICAL LOGIC AND FORMAL LANGUAGES
      F.4.1 Mathematical Logic
          Subjects: Logic and constraint programming


General Terms:
Languages, Security


Keywords:
Access control, Delegation Logic, distributed system security, logic programs, trust management

Collaborative Colleagues:
Ninghui Li: colleagues
Benjamin N. Grosof: colleagues
Joan Feigenbaum: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player