Skip to main content
SpringerLink
Log in
Book cover

International Workshop on Security and Trust Management

STM 2014: Security and Trust Management pp 33–48Cite as

Monotonicity and Completeness in Attribute-Based Access Control

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8743))

Abstract

There have been many proposals for access control models and authorization policy languages, which are used to inform the design of access control systems. Most, if not all, of these proposals impose restrictions on the implementation of access control systems, thereby limiting the type of authorization requests that can be processed or the structure of the authorization policies that can be specified. In this paper, we develop a formal characterization of the features of an access control model that imposes few restrictions of this nature. Our characterization is intended to be a generic framework for access control, from which we may derive access control models and reason about the properties of those models. In this paper, we consider the properties of monotonicity and completeness, the first being particularly important for attribute-based access control systems. XACML, an XML-based language and architecture for attribute-based access control, is neither monotonic nor complete. Using our framework, we define attribute-based access control models, in the style of XACML, that are, respectively, monotonic and complete.

This work was partially supported by the EPSRC/GCHQ funded project ChAISe (EP/K006568/1) and the project “Data-Driven Model-Based Decision-Making”, part of the NSA funded Centre on Science of Security at University of Illinois at Urbana-Champaign.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Bishop, M.: Computer Security: Art and Science. Addison-Wesley (2002)

    Google Scholar 

  2. Crampton, J., Morisset, C.: PTaCL: A language for attribute-based access control in open systems. In: Degano, P., Guttman, J.D. (eds.) Principles of Security and Trust. LNCS, vol. 7215, pp. 390–409. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  3. Griesmayer, A., Morisset, C.: Automated certification of authorisation policy resistance. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 574–591. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  4. Ferraiolo, D., Atluri, V.: A meta model for access control: why is it needed and is it even possible to achieve? In: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 153–154. ACM (2008)

    Google Scholar 

  5. eXtensible Access Control Markup Language (XACML) Version 3.0, OASIS, committee Specification 01 (2010)

    Google Scholar 

  6. Ferraiolo, D.F., Kuhn, D.R.: Role-based access control. In: Proceedings of the 15th National Computer Security Conference, pp. 554–563 (1992)

    Google Scholar 

  7. Barker, S.: The next 700 access control models or a unifying meta-model? In: Carminati, B., Joshi, J. (eds.) SACMAT, pp. 187–196. ACM (2009)

    Google Scholar 

  8. Crampton, J., Morisset, C.: Towards a generic formal framework for access control systems. CoRR, vol. abs/1204.2342 (2012)

    Google Scholar 

  9. Harrison, M., Ruzzo, W., Ullman, J.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)

    Article  MATH  MathSciNet  Google Scholar 

  10. Rao, P., Lin, D., Bertino, E., Li, N., Lobo, J.: An algebra for fine-grained integration of XACML policies. In: Carminati, B., Joshi, J. (eds.) SACMAT, pp. 63–72. ACM (2009)

    Google Scholar 

  11. Bruns, G., Huth, M.: Access control via Belnap logic: Intuitive, expressive, and analyzable policy composition. ACM Transactions on Information and System Security 14(1), 9 (2011)

    Article  Google Scholar 

  12. Tschantz, M.C., Krishnamurthi, S.: Towards reasonability properties for access-control policy languages. In: Ferraiolo, D.F., Ray, I. (eds.) SACMAT, pp. 160–169. ACM (2006)

    Google Scholar 

  13. Blamey, S.: Partial Logic. In: Handbook of Philosophical Logic, vol. 5, pp. 261–353. Kluwer Academic Publishers (2002)

    Google Scholar 

  14. Crampton, J., Huth, M.: An authorization framework resilient to policy evaluation failures. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 472–487. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  15. Woo, T.Y.C., Lam, S.S.: Authorizations in distributed systems: A new approach. Journal of Computer Security 2(2-3), 107–136 (1993)

    Google Scholar 

  16. Bertino, E., Catania, B., Ferrari, E., Perlasca, P.: A logical framework for reasoning about access control models. ACM Transactions on Information and System Security 6(1), 71–127 (2003)

    Article  Google Scholar 

  17. Bonatti, P., De Capitani Di Vimercati, S., Samarati, P.: An algebra for composing access control policies. ACM Transactions on Information and System Security 5(1), 1–35 (2002)

    Article  Google Scholar 

  18. Crampton, J., Huth, M.: A framework for the modular specification and orchestration of authorization policies. In: Aura, T., Järvinen, K., Nyberg, K. (eds.) NordSec 2010. LNCS, vol. 7127, pp. 155–170. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  19. Damianou, N., Dulay, N., Lupu, E.C., Sloman, M.: The Ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  20. Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible support for multiple access control policies. ACM Transactions on Database Systems 26(2), 214–260 (2001)

    Article  MATH  Google Scholar 

  21. Li, N., Wang, Q., Qardaji, W.H., Bertino, E., Rao, P., Lobo, J., Lin, D.: Access control policy combining: theory meets practice. In: Carminati, B., Joshi, J. (eds.) SACMAT, pp. 135–144. ACM (2009)

    Google Scholar 

  22. Ni, Q., Bertino, E., Lobo, J.: D-algebra for composing access control policy decisions. In: Li, W., Susilo, W., Tupakula, U.K., Safavi-Naini, R., Varadharajan, V. (eds.) ASIACCS, pp. 298–309. ACM (2009)

    Google Scholar 

  23. eXtensible Access Control Markup Language (XACML) Version 2.0, OASIS, committee Specification (2005)

    Google Scholar 

  24. Wijesekera, D., Jajodia, S.: A propositional policy algebra for access control. ACM Transactions on Information and System Security 6(2), 235–286 (2003)

    Article  Google Scholar 

  25. Habib, L., Jaume, M., Morisset, C.: A formal comparison of the Bell & LaPadula and RBAC models. In: Rak, M., Abraham, A., Casola, V. (eds.) IAS, pp. 3–8. IEEE Computer Society (2008)

    Google Scholar 

  26. Osborn, S., Sandhu, R., Munawer, Q.: Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security 3(2), 85–106 (2000)

    Article  Google Scholar 

  27. Tripunitara, M.V., Li, N.: A theory for comparing the expressive power of access control models. Journal of Computer Security 15(2), 231–272 (2007)

    Google Scholar 

  28. Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)

    Article  Google Scholar 

  29. Carminati, B., Joshi, J. (eds.): Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009, Stresa, Italy, June 3-5. ACM (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Royal Holloway, University of London, UK

    Jason Crampton

  2. Newcastle University, UK

    Charles Morisset

Authors
  1. Jason Crampton
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Charles Morisset
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. University of Luxembourg, FSTC, 6, rue Richard Coudenhove-Kalergi, 1359, Luxembourg, Luxembourg

    Sjouke Mauw

  2. Department of Informatics and Mathematical Modelling, Technical University of Denmark, Richard Petersens Plads, 2800, Lyngby, Denmark

    Christian Damsgaard Jensen

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Crampton, J., Morisset, C. (2014). Monotonicity and Completeness in Attribute-Based Access Control. In: Mauw, S., Jensen, C.D. (eds) Security and Trust Management. STM 2014. Lecture Notes in Computer Science, vol 8743. Springer, Cham. https://doi.org/10.1007/978-3-319-11851-2_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-11851-2_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11850-5

  • Online ISBN: 978-3-319-11851-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation