DOI: 10.1145/1069774.1069790

Timed constraint programming: a declarative approach to usage control

Published: 11 July 2005

ABSTRACT

This paper focuses on policy languages for (role-based) access control [14, 32], especially in their modern incarnations in the form of trust-management systems [9] and usage control [30, 31]. Any (declarative) approach to access control and trust management has to address the following issues:

  • Explicit denial, inheritance, and overriding, and

  • History-sensitive access control.

Our main contribution is a policy algebra, in the timed concurrent constraint programming paradigm, that uses a form of default constraint programming to address the first issue, and reactive computing to address the second issue. The policy algebra is declarative --- programs can be viewed as imposing temporal constraints on the evolution of the system --- and supports equational reasoning. The validity of equations is established by coinductive proofs based on an operational semantics. The design of the policy algebra supports reasoning about policies by a systematic combination of constraint reasoning and model checking techniques based on linear time temporal-logic. Our framework permits us to perform security analysis with dynamic state-dependent restrictions.

References

  1. M. Abadi and C. Fournet. Access control based on execution history. In Proc. Network and Distributed System Security Symp., 2003.
  2. M. Backes, M. Dürmuth, and R. Steinwandt. An algebra for composing enterprise privacy policies. In P. Samarati, D. Gollmann, and R. Molva, editors, ESORICS, volume 3193 of Lecture Notes in Computer Science, pages 33--52. Springer, 2004.
  3. L. Badger, D. F. Sterne, D. L. Sherman, K. M. Walker, and S. A. Haghighat. Practical domain and type enforcement for UNIX. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 66--77, May 1995.
  4. S. Barker, M. Leuschel, and M. Varea. Efficient and flexible access control via logic program specialisation. In PEPM '04: Proceedings of the 2004 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation, pages 190--199. ACM Press, 2004.
  5. S. Barker and P. J. Stuckey. Flexible access control policy specification with constraint logic programming. ACM Trans. Inf. Syst. Secur., 6(4):501--546, 2003.
  6. A. Barth, J. C. Mitchell, and J. Rosenstein. Conflict and combination in privacy policy languages. In WPES '04: Proceedings of the 2004 ACM workshop on Privacy in the electronic society, pages 45--46. ACM Press, 2004.
  7. G. Berry. Real-time programming: General purpose or special-purpose languages. In G. Ritter, editor, Information Processing 89, pages 11--17. Elsevier Science Publishers B.V. (North Holland), 1989.
  8. E. Bertino, P. A. Bonatti, and E. Ferrari. TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur., 4(3):191--233, 2001.
  9. M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. In Proc. IEEE Conf. Security and Privacy. IEEE Press, 1996.
  10. W. E. Boebert and R. Y. Kain. A practical alternative to hierarchical integrity policies. In Proceedings of the Eighth National Computer Security Conference, 1985.
  11. P. Bonatti, S. D. C. di Vimercati, and P. Samarati. An algebra for composing access control policies. ACM Trans. Inf. Syst. Secur., 5(1):1--35, 2002.
  12. D. Brewer and M. Nash. The Chinese Wall security policy. In Proceedings of 1989 IEEE Symposium on Security and Privacy, pages 206--214. IEEE Computer Society Press, 1989.
  13. A. Chander, D. Dean, and J. C. Mitchell. Reconstructing trust management. Journal of Computer Security, 12(1):131--164, 2004.
  14. D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Information System Security, 4(3):224--274, 2001.
  15. N. Halbwachs. Synchronous programming of reactive systems. The Kluwer international series in Engineering and Computer Science. Kluwer Academic publishers, 1993.
  16. J. Y. Halpern and V. Weissman. Using first-order logic to reason about policies. In CSFW '03: Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'03), pages 118--130. IEEE Computer Society, 2003.
  17. J. Y. Halpern and V. Weissman. A formal foundation for XrML. In CSFW '04: Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'04), pages 251--263. IEEE Computer Society, 2004.
  18. D. Harel and A. Pnueli. Logics and Models of Concurrent Systems, volume 13, chapter On the development of reactive systems, pages 471--498. NATO Advanced Study Institute, 1985.
  19. P. V. Hentenryck, V. A. Saraswat, and Y. Deville. Constraint processing in cc(fd). Technical report, Computer Science Department, Brown University, 1992.
  20. J. Jaffar and M. J. Maher. Constraint logic programming: A survey. J. Log. Program., 19/20:503--581, 1994.
  21. S. Jajodia, P. Samarati, M. L. Sapino, and V. S. Subrahmanian. Flexible support for multiple access control policies. ACM Trans. Database Syst., 26(2):214--260, 2001.
  22. N. Li, B. N. Grosof, and J. Feigenbaum. Delegation logic: A logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur., 6(1):128--171, 2003.
  23. N. Li and J. C. Mitchell. Datalog with constraints: A foundation for trust management languages. In PADL '03: Proceedings of the 5th International Symposium on Practical Aspects of Declarative Languages, pages 58--73. Springer-Verlag, 2003.
  24. N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a role-based trust-management framework. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 114. IEEE Computer Society, 2002.
  25. N. Li, W. H. Winsborough, and J. C. Mitchell. Beyond proof-of-compliance: Safety and availability analysis in trust management. In IEEE Symposium on Security and Privacy, pages 123--139. IEEE Computer Society, 2003.
  26. P. A. Loscocco and S. D. Smalley. Meeting critical security objectives with Security-Enhanced Linux. In Proceedings of the 2001 Ottawa Linux Symposium, 2001.
  27. P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The inevitability of failure: The flawed assumption of security in modern computing environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303--314, 1998.
  28. M. McDougall, R. Alur, and C. A. Gunter. A model-based approach to integrating security policies for embedded devices. In EMSOFT '04: Proceedings of the fourth ACM international conference on Embedded software, pages 211--219. ACM Press, 2004.
  29. M. Nielsen, C. Palamidessi, and F. D. Valencia. Temporal concurrent constraint programming: Denotation, logic and applications. Nord. J. Comput., 9(1):145--188, 2002.
  30. J. Park. Usage control: a unified framework for next generation access control. PhD thesis, 2003.
  31. J. Park and R. S. Sandhu. The UCONABC usage control model. ACM Trans. Information System Security, 7(1):128--174, February 2004.
  32. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29(2), 1996.
  33. V. A. Saraswat. The Category of Constraint Systems is Cartesian-closed. In Proc. 7th IEEE Symp. on Logic in Computer Science, Santa Cruz, 1992.
  34. V. A. Saraswat, R. Jagadeesan, and V. Gupta. Timed Default Concurrent Constraint Programming. Journal of Symbolic Computation, 22(5-6):475--520, November/December 1996.
  35. V. A. Saraswat, R. Jagadeesan, and V. Gupta. jcc: Integrating timed default concurrent constraint programming into Java. In F. Moura-Pires and S. Abreu, editors, EPIA, volume 2902 of Lecture Notes in Computer Science, pages 156--170. Springer, 2003.
  36. V. A. Saraswat, M. Rinard, and P. Panangaden. Semantic foundations of concurrent constraint programming. In Proceedings of Eighteenth ACM Symposium on Principles of Programming Languages, Orlando, pages 333--352, January 1991.
  37. F. Siewe, A. Cau, and H. Zedan. A compositional framework for access control policies enforcement. In FMSE '03: Proceedings of the 2003 ACM workshop on Formal methods in security engineering, pages 32--42. ACM Press, 2003.
  38. E. G. Sirer and K. Wang. An access control language for web services. In SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologies, pages 23--30. ACM Press, 2002.
  39. M. M. Swift, P. Brundrett, C. Van Dyke, P. Garg, A. Hopkins, S. Chan, M. Goertzel, and G. Jensenworth. Improving the granularity of access control for windows 2000. ACM Transactions on Information and System Security, 5(4), Nov 2002.
  40. V. N. Venkatakrishnan, R. Peri, and R. Sekar. Empowering mobile code using expressive security policies. In NSPW '02: Proceedings of the 2002 Workshop on New Security Paradigms, pages 61--68. ACM Press, 2002.
  41. L. Wang, D. Wijesekera, and S. Jajodia. A logic-based framework for attribute based access control. In FMSE '04: Proceedings of the 2004 ACM workshop on Formal methods in security engineering, pages 45--55. ACM Press, 2004.
  42. D. Wijesekera and S. Jajodia. Policy algebras for access control --- the predicate case. In CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, pages 171--180. ACM Press, 2002.
  43. D. Wijesekera and S. Jajodia. A propositional policy algebra for access control. ACM Trans. Inf. Syst. Secur., 6(2):286--325, 2003.
  44. X. Zhang, J. Park, F. Parisi-Presicce, and R. Sandhu. A logical specification for usage control. In SACMAT '04: Proceedings of the ninth ACM symposium on Access control models and technologies, pages 1--10. ACM Press, 2004.

Published in

PPDP '05: Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming
July 2005
260 pages
ISBN: 1595930906
DOI: 10.1145/1069774

General Chair: Pedro Barahona
Program Chair: Amy Felty

Copyright © 2005 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 230 of 486 submissions, 47%
