Developing and Enforcing Policies for Access Control, Resource Usage, and Adaptation

– A Practical Approach –

  • Conference paper
Web Services and Formal Methods (WS-FM 2013)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 8379)

Abstract

Policy-based software architectures are nowadays widely exploited to regulate different aspects of systems’ behavior, such as access control, resource usage, and adaptation. Several languages and technologies have been proposed, e.g., the standard XACML. However, developing real-world systems using such approaches is still a tricky task, as they are complex and error-prone. To overcome such difficulties, we advocate the use of FACPL, a formal policy language inspired by, but simpler than, XACML. FACPL has an intuitive syntax, a mathematical semantics, and easy-to-use software tools supporting policy development and enforcement. We illustrate the potential and effectiveness of our approach through a case study from the Cloud computing domain.

This work has been partially sponsored by the EU project ASCENS (257414) and by the Italian MIUR project CINA, PRIN 2010–2011.

Notes

  1. The algorithm deny-biased states: if the decision is permit and all obligations are successfully discharged, then the PEP grants access, otherwise it forbids access.

  2. The algorithm permit-overrides states: if any policy among the considered ones evaluates to permit, then the decision is permit; otherwise, if all policies are found to be not-applicable, then the decision is not-applicable; in the remaining cases, the decision is deny or indeterminate according to specific error situations (see [7]).
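The two algorithms in the notes above, as an added Python sketch that is not code from the paper or from the FACPL tools. The names `Decision`, `permit_overrides` and `deny_biased_pep` and the callable representation of obligations are hypothetical; the split between deny and indeterminate in the "remaining cases" is an assumption, since the note defers that detail to [7].

```python
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not-applicable"
    INDETERMINATE = "indeterminate"


def permit_overrides(decisions):
    """Combine the decisions of several policies as described in note 2."""
    decisions = list(decisions)
    # Any single permit wins, whatever the other policies returned.
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    # No permit: if nothing applied at all, the combination does not apply.
    if all(d is Decision.NOT_APPLICABLE for d in decisions):
        return Decision.NOT_APPLICABLE
    # Remaining cases. ASSUMPTION (the note refers to [7] for the exact rule):
    # an evaluation error is surfaced rather than masked as a plain deny.
    if Decision.INDETERMINATE in decisions:
        return Decision.INDETERMINATE
    return Decision.DENY


def deny_biased_pep(decision, obligations):
    """Enforcement step of note 1: True means the PEP grants access.

    `obligations` is a list of zero-argument callables that return True when
    discharged (hypothetical representation). Only the access outcome is
    modelled, so nothing is run for non-permit decisions.
    """
    if decision is not Decision.PERMIT:
        return False  # deny, not-applicable and indeterminate all forbid
    for discharge in obligations:
        try:
            if not discharge():
                return False  # an undischarged obligation forbids access
        except Exception:
            return False  # a failing obligation handler fails closed
    return True
```

The fail-closed behaviour is the security-relevant point: a not-applicable or indeterminate decision, or a logging or notification obligation that cannot be carried out, results in access being forbidden.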

References

  1. NIST: a survey of access control models (2009). http://csrc.nist.gov/news_events/privilege-management-workshop/PvM-Model-Survey-Aug26-2009.pdf

  2. OASIS XACML TC: eXtensible Access Control Markup Language (XACML) version 3.0 - Candidate OASIS Standard, September 2012

  3. The epSOS project: a European eHealth project. http://www.epsos.eu

  4. The Nationwide Health Information Network (NHIN): an American eHealth Project (2009). http://healthit.hhs.gov/portal/server.pt

  5. OASIS: Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare v1.0 (2009)

  6. OASIS Security Services TC: assertions and protocols for the OASIS security assertion markup language (SAML) v2.02 (2005)

  7. Margheri, A., Masi, M., Pugliese, R., Tiezzi, F.: A formal software engineering approach to policy-based access control. Technical report, DiSIA, Univ. Firenze (2013). http://rap.dsi.unifi.it/facpl/research/Facpl-TR.pdf

  8. Mell, P., Grance, T.: The NIST Definition of Cloud Computing. NIST Special Publication 800-145 (2011)

  9. Verma, D.C.: Service level agreements on IP networks. Proc. IEEE 92(9), 1382–1388 (2004)

  10. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E.: The X-CREATE framework - a comparison of XACML policy testing strategies. In: WEBIST. SciTePress, pp. 155–160 (2012)

  11. Masi, M., Pugliese, R., Tiezzi, F.: Formalisation and implementation of the XACML access control mechanism. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 60–74. Springer, Heidelberg (2012)

  12. Busch, M., Koch, N., Masi, M., Pugliese, R., Tiezzi, F.: Towards model-driven development of access control policies for web applications. In: MDsec. ACM (2012)

  13. Margheri, A., Masi, M., Pugliese, R., Tiezzi, F.: On a formal and user-friendly linguistic approach to access control of electronic health data. In: HEALTHINF. SciTePress (2013)

  14. Khakpour, N., Jalili, S., Talcott, C.L., Sirjani, M., Mousavi, M.R.: Formal modeling of evolving self-adaptive systems. Sci. Comput. Program. 78(1), 3–26 (2012)

  15. IBM: autonomic computing policy language - ACPL. http://www.ibm.com/developerworks/tivoli/tutorials/ac-spl/

  16. Damianou, N., Dulay, N., Lupu, E.C., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001)

  17. Sloman, M.: Policy driven management for distributed systems. J. Netw. Syst. Manage. 2(4), 333–360 (1994)

  18. Kolovski, V., Hendler, J.A., Parsia, B.: Analyzing web access control policies. In: WWW, pp. 677–686. ACM (2007)

  19. Bryans, J.: Reasoning about XACML policies using CSP. In: SWS, pp. 28–35. ACM (2005)

  20. Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: ICSE, pp. 196–205. ACM (2005)

  21. Proctor, S.: SUN XACML (2011). http://sunxacml.sf.net

  22. The Herasaf consortium \(\rm HERAS^{AF}\). http://www.herasaf.org

  23. Axiomatics: Axiomatics Language for Authorization (ALFA). http://www.axiomatics.com/axiomatics-alfa-plugin-for-eclipse.html

Author information

Corresponding author

Correspondence to Andrea Margheri.

Appendix

We report in this appendix the complete FACPL policies in force in the Cloud IaaS scenario. Specifically, the policies in Listing 1.1 aim at concentrating the workload on hypervisor HYPER_1, considered as the primary hypervisor, and using hypervisor HYPER_2 only when the other is fully loaded. A rationale underlying this policy can be, e.g., to save energy by keeping the secondary hypervisor in stand-by mode until its use becomes necessary. The policies in Listing 1.2, instead, aim at balancing the workload between the two hypervisors.

Copyright information

© 2014 Science and Engineering Faculty

About this paper

Cite this paper

Margheri, A., Masi, M., Pugliese, R., Tiezzi, F. (2014). Developing and Enforcing Policies for Access Control, Resource Usage, and Adaptation. In: Tuosto, E., Ouyang, C. (eds) Web Services and Formal Methods. WS-FM 2013. Lecture Notes in Computer Science, vol 8379. Springer, Cham. https://doi.org/10.1007/978-3-319-08260-8_6

  • DOI: https://doi.org/10.1007/978-3-319-08260-8_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08259-2

  • Online ISBN: 978-3-319-08260-8

  • eBook Packages: Computer Science, Computer Science (R0)
