Foundations of Dynamic Access Control

  • Conference paper
Information Systems Security (ICISS 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7671)

Abstract

New commercial operating systems, e.g., Windows 7 and 8, and research operating systems such as Asbestos and Flume, include labels for integrity/confidentiality protection. Unlike the strict Bell-LaPadula mandatory access controls, these labels may be changed, in controlled ways, by users and applications. The implications of these dynamic changes need to be examined carefully, and existing formalisms cannot express them or help us understand their impact on access control safety. We present a logic-programming framework to specify, analyze and automatically verify such dynamic access control models. We study the problem of reachability (equivalently, safety) in these models and show that it is undecidable in the general case. We also identify an expressive fragment of this formalism that has a sound and complete decision procedure. We build a theory (and tools) for reasoning about information flow in the general context, and show its application on real-world use cases. We are able to highlight several important vulnerabilities in these models, as well as suggest design changes that can be provably validated.
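The abstract describes checking reachability (equivalently safety) in models whose labels change at run time. What follows is an added illustration, not the paper's logic-programming framework and not code from it: a constructed toy system with two subjects (hi, lo), one object (doc) and three integrity levels under Windows-MIC-style rules (no write up; reads unrestricted) plus an assumed relabel rule that lets a subject set an object's label to any level it dominates. The names, the rule set and the "taint" bookkeeping for untrusted data are all assumptions of this example. In the paper's general setting reachability is undecidable; here the state space is finite, so an exhaustive breadth-first search is a complete decision procedure for this one instance, and the same search validates a candidate design change (labels may only be lowered) by showing that no unsafe state remains reachable.

```python
"""Exhaustive reachability check over a small dynamic-label model.

Constructed toy (an assumption of this example, not the paper's model):
two subjects, one object, three integrity levels, Windows-MIC-like rules
(no-write-up, reads always permitted) plus a relabel rule that lets a
subject set an object's label to any level it dominates.  The question
asked is whether untrusted data can ever end up in a High-labelled object.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterator, List, Optional, Tuple

LEVELS = {"Low": 0, "Medium": 1, "High": 2}

# Assumed initial configuration (constructed for this example).
SUBJECTS = ("hi", "lo")
OBJECTS = ("doc",)
INITIAL_LABELS = {"hi": "High", "lo": "Low", "doc": "High"}
INITIAL_TAINT = frozenset({"lo"})  # data originating from 'lo' is untrusted

Action = Tuple[str, ...]
State = Tuple[Tuple[Tuple[str, str], ...], FrozenSet[str]]


def _key(labels: Dict[str, str], taint: FrozenSet[str]) -> State:
    """Hashable, order-independent state identity for the search."""
    return (tuple(sorted(labels.items())), taint)


def successors(labels: Dict[str, str], taint: FrozenSet[str],
               allow_raise: bool) -> Iterator[Tuple[Action, Dict[str, str], FrozenSet[str]]]:
    """Enumerate enabled rules that change the state, Datalog-style
    ('conclusion if guard'), yielding (action, labels', taint')."""
    for s in SUBJECTS:
        for o in OBJECTS:
            # read: always permitted (no 'no read down'); propagates taint to the reader
            if o in taint and s not in taint:
                yield (("read", s, o), dict(labels), taint | {s})
            # write: no-write-up, the subject's label must dominate the object's
            if (LEVELS[labels[s]] >= LEVELS[labels[o]]
                    and s in taint and o not in taint):
                yield (("write", s, o), dict(labels), taint | {o})
            # relabel: subject may set the object to any label it dominates,
            # provided it also dominates the object's current label
            for new in LEVELS:
                if new == labels[o]:
                    continue
                if LEVELS[labels[s]] < max(LEVELS[labels[o]], LEVELS[new]):
                    continue
                if not allow_raise and LEVELS[new] > LEVELS[labels[o]]:
                    continue  # candidate design change: labels may only move down
                relabelled = dict(labels)
                relabelled[o] = new
                yield (("relabel", s, o, new), relabelled, taint)


def unsafe(labels: Dict[str, str], taint: FrozenSet[str]) -> bool:
    """Safety violation: a High-labelled object holds untrusted data."""
    return any(labels[o] == "High" and o in taint for o in OBJECTS)


def find_violation(allow_raise: bool) -> Optional[List[Action]]:
    """Breadth-first search over the finite state space.  Returns the
    shortest action sequence that reaches an unsafe state, or None when
    no reachable state is unsafe (the configuration is safe)."""
    start = _key(INITIAL_LABELS, INITIAL_TAINT)
    parent: Dict[State, Optional[Tuple[State, Action]]] = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        labels, taint = dict(state[0]), state[1]
        if unsafe(labels, taint):
            trace: List[Action] = []
            while parent[state] is not None:
                state, action = parent[state]
                trace.append(action)
            return trace[::-1]
        for action, new_labels, new_taint in successors(labels, taint, allow_raise):
            nxt = _key(new_labels, new_taint)
            if nxt not in parent:
                parent[nxt] = (state, action)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    # With raising allowed: hi lowers doc, lo writes it, hi raises it back to High.
    print("relabel up allowed :", find_violation(allow_raise=True))
    # With labels restricted to moving down, no unsafe state is reachable.
    print("relabel down only  :", find_violation(allow_raise=False))
```

Note that every individual step in the witness trace is permitted by the static no-write-up check; the violation exists only across the sequence of label changes, which is exactly why a static check of the label lattice alone cannot find it and a reachability analysis over the dynamic model is needed.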



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Naldurg, P. (2012). Foundations of Dynamic Access Control. In: Venkatakrishnan, V., Goswami, D. (eds) Information Systems Security. ICISS 2012. Lecture Notes in Computer Science, vol 7671. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35130-3_4

  • DOI: https://doi.org/10.1007/978-3-642-35130-3_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35129-7

  • Online ISBN: 978-3-642-35130-3
