DOI: 10.1145/1069774.1069790

Timed constraint programming: a declarative approach to usage control

Published: 11 July 2005

Abstract

This paper focuses on policy languages for (role-based) access control [14, 32], especially in their modern incarnations in the form of trust-management systems [9] and usage control [30, 31]. Any (declarative) approach to access control and trust management has to address the following issues:

  • Explicit denial, inheritance, and overriding, and
  • History-sensitive access control.

Our main contribution is a policy algebra, in the timed concurrent constraint programming paradigm, that uses a form of default constraint programming to address the first issue, and reactive computing to address the second issue.

The policy algebra is declarative --- programs can be viewed as imposing temporal constraints on the evolution of the system --- and supports equational reasoning. The validity of equations is established by coinductive proofs based on an operational semantics.

The design of the policy algebra supports reasoning about policies by a systematic combination of constraint reasoning and model checking techniques based on linear time temporal-logic. Our framework permits us to perform security analysis with dynamic state-dependent restrictions.

References

[1] M. Abadi and C. Fournet. Access control based on execution history. In Proc. Network and Distributed System Security Symp., 2003.
[2] M. Backes, M. Dürmuth, and R. Steinwandt. An algebra for composing enterprise privacy policies. In P. Samarati, D. Gollmann, and R. Molva, editors, ESORICS, volume 3193 of Lecture Notes in Computer Science, pages 33--52. Springer, 2004.
[3] L. Badger, D. F. Sterne, D. L. Sherman, K. M. Walker, and S. A. Haghighat. Practical domain and type enforcement for UNIX. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 66--77, May 1995.
[4] S. Barker, M. Leuschel, and M. Varea. Efficient and flexible access control via logic program specialisation. In PEPM '04: Proceedings of the 2004 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation, pages 190--199. ACM Press, 2004.
[5] S. Barker and P. J. Stuckey. Flexible access control policy specification with constraint logic programming. ACM Trans. Inf. Syst. Secur., 6(4):501--546, 2003.
[6] A. Barth, J. C. Mitchell, and J. Rosenstein. Conflict and combination in privacy policy languages. In WPES '04: Proceedings of the 2004 ACM workshop on Privacy in the electronic society, pages 45--46. ACM Press, 2004.
[7] G. Berry. Real-time programming: General purpose or special-purpose languages. In G. Ritter, editor, Information Processing 89, pages 11--17. Elsevier Science Publishers B.V. (North Holland), 1989.
[8] E. Bertino, P. A. Bonatti, and E. Ferrari. TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur., 4(3):191--233, 2001.
[9] M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. In Proc. IEEE Conf. Security and Privacy. IEEE Press, 1996.
[10] W. E. Boebert and R. Y. Kain. A practical alternative to hierarchical integrity policies. In Proceedings of the Eighth National Computer Security Conference, 1985.
[11] P. Bonatti, S. D. C. di Vimercati, and P. Samarati. An algebra for composing access control policies. ACM Trans. Inf. Syst. Secur., 5(1):1--35, 2002.
[12] D. Brewer and M. Nash. The Chinese Wall security policy. In Proceedings of 1989 IEEE Symposium on Security and Privacy, pages 206--214. IEEE Computer Society Press, 1989.
[13] A. Chander, D. Dean, and J. C. Mitchell. Reconstructing trust management. Journal of Computer Security, 12(1):131--164, 2004.
[14] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Information System Security, 4(3):224--274, 2001.
[15] N. Halbwachs. Synchronous programming of reactive systems. The Kluwer international series in Engineering and Computer Science. Kluwer Academic publishers, 1993.
[16] J. Y. Halpern and V. Weissman. Using first-order logic to reason about policies. In CSFW '03: Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'03), pages 118--130. IEEE Computer Society, 2003.
[17] J. Y. Halpern and V. Weissman. A formal foundation for XrML. In CSFW '04: Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'04), pages 251--263. IEEE Computer Society, 2004.
[18] D. Harel and A. Pnueli. Logics and Models of Concurrent Systems, volume 13, chapter On the development of reactive systems, pages 471--498. NATO Advanced Study Institute, 1985.
[19] P. V. Hentenryck, V. A. Saraswat, and Y. Deville. Constraint processing in cc(fd). Technical report, Computer Science Department, Brown University, 1992.
[20] J. Jaffar and M. J. Maher. Constraint logic programming: A survey. J. Log. Program., 19/20:503--581, 1994.
[21] S. Jajodia, P. Samarati, M. L. Sapino, and V. S. Subrahmanian. Flexible support for multiple access control policies. ACM Trans. Database Syst., 26(2):214--260, 2001.
[22] N. Li, B. N. Grosof, and J. Feigenbaum. Delegation logic: A logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur., 6(1):128--171, 2003.
[23] N. Li and J. C. Mitchell. Datalog with constraints: A foundation for trust management languages. In PADL '03: Proceedings of the 5th International Symposium on Practical Aspects of Declarative Languages, pages 58--73. Springer-Verlag, 2003.
[24] N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a role-based trust-management framework. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 114. IEEE Computer Society, 2002.
[25] N. Li, W. H. Winsborough, and J. C. Mitchell. Beyond proof-of-compliance: Safety and availability analysis in trust management. In IEEE Symposium on Security and Privacy, pages 123--139. IEEE Computer Society, 2003.
[26] P. A. Loscocco and S. D. Smalley. Meeting critical security objectives with Security-Enhanced Linux. In Proceedings of the 2001 Ottawa Linux Symposium, 2001.
[27] P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The inevitability of failure: The flawed assumption of security in modern computing environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303--314, 1998.
[28] M. McDougall, R. Alur, and C. A. Gunter. A model-based approach to integrating security policies for embedded devices. In EMSOFT '04: Proceedings of the fourth ACM international conference on Embedded software, pages 211--219. ACM Press, 2004.
[29] M. Nielsen, C. Palamidessi, and F. D. Valencia. Temporal concurrent constraint programming: Denotation, logic and applications. Nord. J. Comput., 9(1):145--188, 2002.
[30] J. Park. Usage control: a unified framework for next generation access control. PhD thesis, 2003.
[31] J. Park and R. S. Sandhu. The UCONABC usage control model. ACM Trans. Information System Security, 7(1):128--174, February 2004.
[32] R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29(2), 1996.
[33] V. A. Saraswat. The Category of Constraint Systems is Cartesian-closed. In Proc. 7th IEEE Symp. on Logic in Computer Science, Santa Cruz, 1992.
[34] V. A. Saraswat, R. Jagadeesan, and V. Gupta. Timed Default Concurrent Constraint Programming. Journal of Symbolic Computation, 22(5-6):475--520, November/December 1996.
[35] V. A. Saraswat, R. Jagadeesan, and V. Gupta. jcc: Integrating timed default concurrent constraint programming into Java. In F. Moura-Pires and S. Abreu, editors, EPIA, volume 2902 of Lecture Notes in Computer Science, pages 156--170. Springer, 2003.
[36] V. A. Saraswat, M. Rinard, and P. Panangaden. Semantic foundations of concurrent constraint programming. In Proceedings of Eighteenth ACM Symposium on Principles of Programming Languages, Orlando, pages 333--352, January 1991.
[37] F. Siewe, A. Cau, and H. Zedan. A compositional framework for access control policies enforcement. In FMSE '03: Proceedings of the 2003 ACM workshop on Formal methods in security engineering, pages 32--42. ACM Press, 2003.
[38] E. G. Sirer and K. Wang. An access control language for web services. In SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologies, pages 23--30. ACM Press, 2002.
[39] M. M. Swift, P. Brundrett, C. Van Dyke, P. Garg, A. Hopkins, S. Chan, M. Goertzel, and G. Jensenworth. Improving the granularity of access control for windows 2000. ACM Transactions on Information and System Security, 5(4), Nov 2002.
[40] V. N. Venkatakrishnan, R. Peri, and R. Sekar. Empowering mobile code using expressive security policies. In NSPW '02: Proceedings of the 2002 Workshop on New Security Paradigms, pages 61--68. ACM Press, 2002.
[41] L. Wang, D. Wijesekera, and S. Jajodia. A logic-based framework for attribute based access control. In FMSE '04: Proceedings of the 2004 ACM workshop on Formal methods in security engineering, pages 45--55. ACM Press, 2004.
[42] D. Wijesekera and S. Jajodia. Policy algebras for access control --- the predicate case. In CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, pages 171--180. ACM Press, 2002.
[43] D. Wijesekera and S. Jajodia. A propositional policy algebra for access control. ACM Trans. Inf. Syst. Secur., 6(2):286--325, 2003.
[44] X. Zhang, J. Park, F. Parisi-Presicce, and R. Sandhu. A logical specification for usage control. In SACMAT '04: Proceedings of the ninth ACM symposium on Access control models and technologies, pages 1--10. ACM Press, 2004.

Published In

PPDP '05: Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming
July 2005
260 pages
ISBN: 1595930906
DOI: 10.1145/1069774
General Chair: Pedro Barahona
Program Chair: Amy Felty
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. constraints
  2. reactive systems
  3. role-based access control
  4. trust management
  5. usage control

Qualifiers

  • Article

Conference

PPDP05
Acceptance Rates

Overall Acceptance Rate 230 of 486 submissions, 47%

Cited By

  • (2022) A domain-specific language for the specification of UCON policies. Journal of Information Security and Applications 64:C. DOI: 10.1016/j.jisa.2021.103006. Online publication date: 1-Feb-2022
  • (2018) A concurrent constraint programming interpretation of access permissions. Theory and Practice of Logic Programming 18:2 (252-295). DOI: 10.1017/S1471068418000017. Online publication date: 10-Apr-2018
  • (2016) Analysis of access control policy updates through narrowing. Proceedings of the 18th International Symposium on Principles and Practice of Declarative Programming (62-75). DOI: 10.1145/2967973.2968605. Online publication date: 5-Sep-2016
  • (2013) Models and emerging trends of concurrent constraint programming. Constraints 18:4 (535-578). DOI: 10.1007/s10601-013-9145-3. Online publication date: 1-Oct-2013
  • (2012) A linear concurrent constraint approach for the automatic verification of access permissions. Proceedings of the 14th symposium on Principles and practice of declarative programming (207-216). DOI: 10.1145/2370776.2370802. Online publication date: 19-Sep-2012
  • (2012) On the automated analysis of safety in usage control. Proceedings of the 6th international conference on Network and System Security (15-28). DOI: 10.1007/978-3-642-34601-9_2. Online publication date: 21-Nov-2012
  • (2010) Rewrite specifications of access control policies in distributed environments. Proceedings of the 6th international conference on Security and trust management (51-67). DOI: 10.5555/2050149.2050153. Online publication date: 23-Sep-2010
  • (2010) Data protection models for service provisioning in the cloud. Proceedings of the 15th ACM symposium on Access control models and technologies (183-192). DOI: 10.1145/1809842.1809872. Online publication date: 9-Jun-2010
  • (2010) A logic for state-modifying authorization policies. ACM Transactions on Information and System Security 13:3 (1-28). DOI: 10.1145/1805974.1805976. Online publication date: 30-Jul-2010
  • (2010) A framework for the modular specification and orchestration of authorization policies. Proceedings of the 15th Nordic conference on Information Security Technology for Applications (155-170). DOI: 10.1007/978-3-642-27937-9_11. Online publication date: 27-Oct-2010
