A Logic Programming View of Authorization in Distributed Systems

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2916)

Abstract

An approach to authorization that is based on attributes of the resource requester provides flexibility and scalability that are essential in the context of large distributed systems. Logic programming provides an elegant, expressive, and well-understood framework in which to work with attribute-based authorization policy. We summarize one specific attribute-based authorization framework built on logic programming: RT, a family of Role-based Trust-management languages. RT's logic programming foundation has facilitated the conception and specification of several extensions that greatly enhance its expressivity with respect to important security concepts such as parameterized roles, thresholds, and separation of duties. After examining language design issues, we consider the problem of assessing authorization policies with respect to the vulnerability of resource owners to a variety of security risks that arise from delegations to other principals, such as undesired authorizations and unavailability of critical resources. We summarize analysis techniques for assessing such vulnerabilities.




Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Winsborough, W.H. (2003). A Logic Programming View of Authorization in Distributed Systems. In: Palamidessi, C. (eds) Logic Programming. ICLP 2003. Lecture Notes in Computer Science, vol 2916. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24599-5_3

  • DOI: https://doi.org/10.1007/978-3-540-24599-5_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-20642-2

  • Online ISBN: 978-3-540-24599-5

  • eBook Packages: Springer Book Archive
