ABSTRACT
This paper focuses on policy languages for (role-based) access control [14, 32], especially in their modern incarnations in the form of trust-management systems [9] and usage control [30, 31]. Any (declarative) approach to access control and trust management has to address the following issues: (1) explicit denial, inheritance, and overriding, and (2) history-sensitive access control.
References
- M. Abadi and C. Fournet. Access control based on execution history. In Proc. Network and Distributed System Security Symp., 2003.
- M. Backes, M. Dürmuth, and R. Steinwandt. An algebra for composing enterprise privacy policies. In P. Samarati, D. Gollmann, and R. Molva, editors, ESORICS, volume 3193 of Lecture Notes in Computer Science, pages 33--52. Springer, 2004.
- L. Badger, D. F. Sterne, D. L. Sherman, K. M. Walker, and S. A. Haghighat. Practical domain and type enforcement for UNIX. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 66--77, May 1995.
- S. Barker, M. Leuschel, and M. Varea. Efficient and flexible access control via logic program specialisation. In PEPM '04: Proceedings of the 2004 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation, pages 190--199. ACM Press, 2004.
- S. Barker and P. J. Stuckey. Flexible access control policy specification with constraint logic programming. ACM Trans. Inf. Syst. Secur., 6(4):501--546, 2003.
- A. Barth, J. C. Mitchell, and J. Rosenstein. Conflict and combination in privacy policy languages. In WPES '04: Proceedings of the 2004 ACM workshop on Privacy in the electronic society, pages 45--46. ACM Press, 2004.
- G. Berry. Real-time programming: General purpose or special-purpose languages. In G. Ritter, editor, Information Processing 89, pages 11--17. Elsevier Science Publishers B.V. (North Holland), 1989.
- E. Bertino, P. A. Bonatti, and E. Ferrari. TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur., 4(3):191--233, 2001.
- M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. In Proc. IEEE Conf. Security and Privacy. IEEE Press, 1996.
- W. E. Boebert and R. Y. Kain. A practical alternative to hierarchical integrity policies. In Proceedings of the Eighth National Computer Security Conference, 1985.
- P. Bonatti, S. D. C. di Vimercati, and P. Samarati. An algebra for composing access control policies. ACM Trans. Inf. Syst. Secur., 5(1):1--35, 2002.
- D. Brewer and M. Nash. The Chinese Wall security policy. In Proceedings of 1989 IEEE Symposium on Security and Privacy, pages 206--214. IEEE Computer Society Press, 1989.
- A. Chander, D. Dean, and J. C. Mitchell. Reconstructing trust management. Journal of Computer Security, 12(1):131--164, 2004.
- D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Information System Security, 4(3):224--274, 2001.
- N. Halbwachs. Synchronous programming of reactive systems. The Kluwer international series in Engineering and Computer Science. Kluwer Academic publishers, 1993.
- J. Y. Halpern and V. Weissman. Using first-order logic to reason about policies. In CSFW '03: Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'03), pages 118--130. IEEE Computer Society, 2003.
- J. Y. Halpern and V. Weissman. A formal foundation for XrML. In CSFW '04: Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'04), pages 251--263. IEEE Computer Society, 2004.
- D. Harel and A. Pnueli. Logics and Models of Concurrent Systems, volume 13, chapter On the development of reactive systems, pages 471--498. NATO Advanced Study Institute, 1985.
- P. V. Hentenryck, V. A. Saraswat, and Y. Deville. Constraint processing in cc(fd). Technical report, Computer Science Department, Brown University, 1992.
- J. Jaffar and M. J. Maher. Constraint logic programming: A survey. J. Log. Program., 19/20:503--581, 1994.
- S. Jajodia, P. Samarati, M. L. Sapino, and V. S. Subrahmanian. Flexible support for multiple access control policies. ACM Trans. Database Syst., 26(2):214--260, 2001.
- N. Li, B. N. Grosof, and J. Feigenbaum. Delegation logic: A logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur., 6(1):128--171, 2003.
- N. Li and J. C. Mitchell. Datalog with constraints: A foundation for trust management languages. In PADL '03: Proceedings of the 5th International Symposium on Practical Aspects of Declarative Languages, pages 58--73. Springer-Verlag, 2003.
- N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a role-based trust-management framework. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 114. IEEE Computer Society, 2002.
- N. Li, W. H. Winsborough, and J. C. Mitchell. Beyond proof-of-compliance: Safety and availability analysis in trust management. In IEEE Symposium on Security and Privacy, pages 123--139. IEEE Computer Society, 2003.
- P. A. Loscocco and S. D. Smalley. Meeting critical security objectives with Security-Enhanced Linux. In Proceedings of the 2001 Ottawa Linux Symposium, 2001.
- P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The inevitability of failure: The flawed assumption of security in modern computing environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303--314, 1998.
- M. McDougall, R. Alur, and C. A. Gunter. A model-based approach to integrating security policies for embedded devices. In EMSOFT '04: Proceedings of the fourth ACM international conference on Embedded software, pages 211--219. ACM Press, 2004.
- M. Nielsen, C. Palamidessi, and F. D. Valencia. Temporal concurrent constraint programming: Denotation, logic and applications. Nord. J. Comput., 9(1):145--188, 2002.
- J. Park. Usage control: a unified framework for next generation access control. PhD thesis, 2003.
- J. Park and R. S. Sandhu. The UCONABC usage control model. ACM Trans. Information System Security, 7(1):128--174, February 2004.
- R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29(2), 1996.
- V. A. Saraswat. The Category of Constraint Systems is Cartesian-closed. In Proc. 7th IEEE Symp. on Logic in Computer Science, Santa Cruz, 1992.
- V. A. Saraswat, R. Jagadeesan, and V. Gupta. Timed Default Concurrent Constraint Programming. Journal of Symbolic Computation, 22(5-6):475--520, November/December 1996.
- V. A. Saraswat, R. Jagadeesan, and V. Gupta. jcc: Integrating timed default concurrent constraint programming into Java. In F. Moura-Pires and S. Abreu, editors, EPIA, volume 2902 of Lecture Notes in Computer Science, pages 156--170. Springer, 2003.
- V. A. Saraswat, M. Rinard, and P. Panangaden. Semantic foundations of concurrent constraint programming. In Proceedings of Eighteenth ACM Symposium on Principles of Programming Languages, Orlando, pages 333--352, January 1991.
- F. Siewe, A. Cau, and H. Zedan. A compositional framework for access control policies enforcement. In FMSE '03: Proceedings of the 2003 ACM workshop on Formal methods in security engineering, pages 32--42. ACM Press, 2003.
- E. G. Sirer and K. Wang. An access control language for web services. In SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologies, pages 23--30. ACM Press, 2002.
- M. M. Swift, P. Brundrett, C. Van Dyke, P. Garg, A. Hopkins, S. Chan, M. Goertzel, and G. Jensenworth. Improving the granularity of access control for windows 2000. ACM Transactions on Information and System Security, 5(4), Nov 2002.
- V. N. Venkatakrishnan, R. Peri, and R. Sekar. Empowering mobile code using expressive security policies. In NSPW '02: Proceedings of the 2002 Workshop on New Security Paradigms, pages 61--68. ACM Press, 2002.
- L. Wang, D. Wijesekera, and S. Jajodia. A logic-based framework for attribute based access control. In FMSE '04: Proceedings of the 2004 ACM workshop on Formal methods in security engineering, pages 45--55. ACM Press, 2004.
- D. Wijesekera and S. Jajodia. Policy algebras for access control --- the predicate case. In CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, pages 171--180. ACM Press, 2002.
- D. Wijesekera and S. Jajodia. A propositional policy algebra for access control. ACM Trans. Inf. Syst. Secur., 6(2):286--325, 2003.
- X. Zhang, J. Park, F. Parisi-Presicce, and R. Sandhu. A logical specification for usage control. In SACMAT '04: Proceedings of the ninth ACM symposium on Access control models and technologies, pages 1--10. ACM Press, 2004.
Index Terms
Timed constraint programming: a declarative approach to usage control