Abstract
Role-based access control (RBAC) is one of the most promising techniques for the design and implementation of security policies, and its adoption may be furthered by the development of formal and automated methods of analysis.
This paper presents a logic for practical reasoning about role-based access control which simplifies the calculus for access control developed at Digital SRC (Abadi, Burrows, Lampson and Plotkin) and adapts it to RBAC. Besides a language and a formal semantics, a decision method based on analytic tableaux is also given. Analytic tableaux make it possible to reason about logical consequence, model generation and consistency of a formalised role-based security policy.
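The three questions the abstract names (logical consequence, model generation, consistency) can be exercised on a toy policy with an ordinary propositional analytic tableau. What follows is an added example, not the paper's calculus or any code from it: a small RBAC policy (a role hierarchy, permission assignments and a static separation-of-duty constraint) is encoded as propositional formulas over atoms `has(user,role)` and `can(user,permission)`, and each question is decided by searching for an open branch. Every user, role, permission and function name here is an assumption made for illustration.

```python
"""Propositional analytic-tableau checks over a small RBAC policy.

Added example; it does not reproduce the paper's logic or tableau rules.
Formulas are tuples: ('var', name), ('not', f), ('and', a, b),
('or', a, b), ('imp', a, b).  All names, users, roles and permissions
are constructed for illustration.
"""

def Var(n): return ('var', n)
def Not(f): return ('not', f)
def And(a, b): return ('and', a, b)
def Or(a, b): return ('or', a, b)
def Imp(a, b): return ('imp', a, b)

def classify(f):
    """Smullyan classification: a literal, an alpha (conjunctive) formula
    whose components all go on the same branch, or a beta (disjunctive)
    formula whose components open one branch each."""
    k = f[0]
    if k == 'var':
        return 'lit', f[1], True
    if k == 'and':
        return 'alpha', [f[1], f[2]]
    if k == 'or':
        return 'beta', [f[1], f[2]]
    if k == 'imp':
        return 'beta', [Not(f[1]), f[2]]
    g = f[1]                                   # k == 'not'
    if g[0] == 'var':
        return 'lit', g[1], False
    if g[0] == 'not':
        return 'alpha', [g[1]]
    if g[0] == 'and':
        return 'beta', [Not(g[1]), Not(g[2])]
    if g[0] == 'or':
        return 'alpha', [Not(g[1]), Not(g[2])]
    return 'alpha', [g[1], Not(g[2])]          # not (a -> b)

def tableau(todo, lits=None):
    """Expand one branch. Returns the literal assignment of an open branch
    (a model of the input set) or None when every branch closes."""
    todo, lits = list(todo), dict(lits or {})
    while todo:
        c = classify(todo.pop())
        if c[0] == 'lit':
            _, name, val = c
            if lits.get(name, val) != val:
                return None                    # complementary literals: branch closes
            lits[name] = val
        elif c[0] == 'alpha':
            todo.extend(c[1])
        else:
            for alt in c[1]:                   # beta rule: explore each branch in turn
                m = tableau(todo + [alt], lits)
                if m is not None:
                    return m
            return None
    return lits

def consistent(policy):
    return tableau(policy) is not None

def entails(policy, goal):
    """policy |= goal  iff  policy + {not goal} has no open branch."""
    return tableau(policy + [Not(goal)]) is None

def model(policy):
    return tableau(policy)

def holds(f, m):
    """Truth value of f under assignment m (atoms absent from m are false)."""
    k = f[0]
    if k == 'var': return m.get(f[1], False)
    if k == 'not': return not holds(f[1], m)
    if k == 'and': return holds(f[1], m) and holds(f[2], m)
    if k == 'or': return holds(f[1], m) or holds(f[2], m)
    return (not holds(f[1], m)) or holds(f[2], m)

# --- constructed RBAC policy (assumed users, roles and permissions) ---
USERS = ['alice', 'bob']
def has(u, r): return Var(f'has({u},{r})')
def can(u, p): return Var(f'can({u},{p})')

def rbac_policy():
    rules = []
    for u in USERS:
        rules.append(Imp(has(u, 'manager'), has(u, 'employee')))         # role hierarchy
        rules.append(Imp(has(u, 'employee'), can(u, 'read_report')))     # permission assignment
        rules.append(Imp(has(u, 'manager'), can(u, 'approve_payment')))
        rules.append(Imp(has(u, 'auditor'), can(u, 'audit')))
        rules.append(Not(And(has(u, 'manager'), has(u, 'auditor'))))     # static separation of duty
    return rules

FACTS = [has('alice', 'manager'), has('bob', 'auditor')]

if __name__ == '__main__':
    P = rbac_policy() + FACTS
    print('consistent:', consistent(P))
    print('alice may read_report:', entails(P, can('alice', 'read_report')))
    print('bob may approve_payment:', entails(P, can('bob', 'approve_payment')))
    print('model:', sorted(a for a, v in model(P).items() if v))
    print('bob also manager, consistent:', consistent(P + [has('bob', 'manager')]))
```

`entails` is the consequence check (a closed tableau for the policy plus the negated goal), `model` is model generation (the literals of the first open branch, which is enough to show why an access is not entailed, e.g. the branch in which bob holds no manager role), and `consistent` is the policy-level check that catches the separation-of-duty violation once bob is also made a manager. The search is exponential in the worst case, as any propositional tableau is, so this is for small policies and for illustration only.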
© 1997 Springer-Verlag Berlin Heidelberg
Cite this paper
Massacci, F. (1997). Reasoning about security: A logic and a decision method for role-based access control. In: Gabbay, D.M., Kruse, R., Nonnengart, A., Ohlbach, H.J. (eds) Qualitative and Quantitative Practical Reasoning. FAPR ECSQARU 1997. Lecture Notes in Computer Science, vol 1244. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0035639
DOI: https://doi.org/10.1007/BFb0035639
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-63095-1
Online ISBN: 978-3-540-69129-7