Abstract
An approach to authorization that is based on attributes of the resource requester provides flexibility and scalability that is essential in the context of large distributed systems. Logic programming provides an elegant, expressive, and well-understood framework in which to work with attribute-based authorization policy. We summarize one specific attribute-based authorization framework built on logic programming: RT, a family of Role-based Trust-management languages. RT’s logic programming foundation has facilitated the conception and specification of several extensions that greatly enhance its expressivity with respect to important security concepts such as parameterized roles, thresholds, and separation of duties. After examining language design issues, we consider the problem of assessing authorization policies with respect to vulnerability of resource owners to a variety of security risks due to delegations to other principals, risks such as undesired authorizations and unavailability of critical resources. We summarize analysis techniques for assessing such vulnerabilities.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Apt, K.R., Blair, H.A., Walker, A.: Towards a theory of declarative knowledge. In: Minker, J. (ed.) Foundations of Deductive Databases and Logic Programming, pp. 89–148. Morgan Kaufmann, Los Altos (1988)
Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.D.: The KeyNote trust-management system, version 2. IETF RFC 2704 (September 1999)
Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, May 1996, pp. 164–173. IEEE Computer Society Press, Los Alamitos (1996)
Bonatti, P., Samarati, P.: A uniform framework for regulating service access and information release on the web. Journal of Computer Security 10(3), 241–274 (2002); Extended abstract appeared in Proceedings of the 7th ACM Conference on Computer and Communications Security (November 2000)
Bray, T., Hollander, D., Layman, A.: Namespaces in XML. W3C Recommendation (January 1999)
Clark, D.D., Wilson, D.R.: A comparision of commercial and military computer security policies. In: Proceedings of the 1987 IEEE Symposium on Security and Privacy, May 1987, pp. 184–194. IEEE Computer Society Press, Los Alamitos (1987)
Clarke, D., Elien, J.-E., Ellison, C., Fredette, M., Morcos, A., Rivest, R.L.: Certificate chain discovery in SPKI/SDSI. Journal of Computer Security 9(4), 285–322 (2001)
Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: SPKI certificate theory. IETF RFC 2693 (September 1999)
Farrell, S., Housley, R.: An Internet attribute certificate profile for authorization (2001)
Scott Graham, G., Denning, P.J.: Protection – principles and practice. In: Proceedings of the AFIPS Spring Joint Computer Conference, May 16-18, vol. 40, pp. 417–429. AFIPS Press (1972)
Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)
Herzberg, A., Mass, Y., Mihaeli, J., Naor, D., Ravid, Y.: Access control meets public key infrastructure, or: Assigning roles to strangers. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, May 2000, pp. 2–14. IEEE Computer Society Press, Los Alamitos (2000)
Jim, T.: SD3: A trust management system with certified evaluation. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, May 2001, pp. 106–115. IEEE Computer Society Press, Los Alamitos (2001)
Lampson, B.W.: Protection. In: Proceedings of the 5th Princeton Conference on Information Sciences and Systems (1971); Reprinted in ACM Operating Systems Review 8(1), 18–24 (1974)
Li, N.: Delegation Logic: A Logic-based Approach to Distributed Authorization. PhD thesis, NewYork University (September 2000)
Li, N., Grosof, B.N., Feigenbaum, J.: A practically implementable and tractable Delegation Logic. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, May 2000, pp. 27–42. IEEE Computer Society Press, Los Alamitos (2000)
Li, N., Grosof, B.N., Feigenbaum, J.: Delegation Logic: A logic-based approach to distributed authorization. ACM Transaction on Information and System Security (TISSEC) 6(1), 128–171 (2003)
Li, N., Mitchell, J.C.: Datalog with constraints:Afoundation for trust management languages. In: Dahl, V., Wadler, P. (eds.) PADL 2003. LNCS, vol. 2562, pp. 58–73. Springer, Heidelberg (2002)
Li, N., Mitchell, J.C.: Understanding spki/sdsi using first-order logic. In: Proceedings of the 16th IEEE Computer Security Foundations Workshop, June 2003, pp. 89–103. IEEE Computer Society Press, Los Alamitos (2003)
Li, N., Mitchell, J.C., Qiu, Y., Winsborough, W.H., Seamons, K.E., Halcrow, M., Jacobson, J.: RTML: A Role-based Trust-management Markup Language (August 2002) (unpublished manuscript), Available at http://crypto.stanford.edu/~ninghui/papers/rtml.pdf
Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002, pp. 114–130. IEEE Computer Society Press, Los Alamitos (2002)
Li, N., Winsborough, W.H., Mitchell, J.C.: Beyond proof-of-compliance: Safety and availability analysis in trust management. In: Proceedings of IEEE Symposium on Security and Privacy, May 2003, pp. 123–139. IEEE Computer Society Press, Los Alamitos (2003)
Li, N., Winsborough, W.H., Mitchell, J.C.: Distributed credential chain discovery in trust management. Journal of Computer Security 11(1), 35–86 (2003); Extended abstract appeared in Proceedings of the Eighth ACM Conference on Computer and Communications Security (November 2001)
Lipton, R.J., Snyder, L.: A linear time algorithm for deciding subject security. Journal of ACM 24(3), 455–464 (1977)
ITU-T Rec. X.509 (revised). The Directory – Authentication Framework. International Telecommunication Union (1993)
Rivest, R.L., Lampson, B.: SDSI — a simple distributed security infrastructure (October 1996), Available at http://theory.lcs.mit.edu/~rivest/sdsi11.html
Sandhu, R.S.: The Schematic Protection Model: Its definition and analysis for acyclic attenuating systems. Journal of ACM 35(2), 404–432 (1988)
Sandhu, R.S.: The typed access matrix model. In: Proceedings of the 1992 IEEE Symposium on Security and Privacy, May 1992, pp. 122–136. IEEE Computer Society Press, Los Alamitos (1992)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)
Seamons, K.E., Winsborough, W.H., Winslet, M.: Internet credential acceptance policies. In: Proceedings of the 2nd Internationaln Workshop on on Logic Programming Tools for Internet Applications (July 1997), http://clip.dia.fi.upm.es/lpnet/proceedings97/proceedings.html
Simon, T.T., Zurko, M.E.: Separation of duty in role-based environments. In: Proceedings of The 10th Computer Security Foundations Workshop, June 1997, pp. 183–194. IEEE Computer Society Press, Los Alamitos (1997)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Winsborough, W.H. (2003). A Logic Programming View of Authorization in Distributed Systems. In: Palamidessi, C. (eds) Logic Programming. ICLP 2003. Lecture Notes in Computer Science, vol 2916. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24599-5_3
Download citation
DOI: https://doi.org/10.1007/978-3-540-24599-5_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20642-2
Online ISBN: 978-3-540-24599-5
eBook Packages: Springer Book Archive