Article DOI: 10.1145/1242572.1242664

Analyzing web access control policies

Published: 08 May 2007

Abstract

XACML has emerged as a popular access control language on the Web, but because of its rich expressiveness it has proved difficult to analyze in an automated fashion. In this paper, we present a formalization of XACML using description logics (DL), a decidable fragment of first-order logic. This formalization allows us to cover a more expressive subset of XACML than propositional-logic-based analysis tools, and in addition we provide a new analysis service (policy redundancy). Mapping XACML to description logics also allows us to use off-the-shelf DL reasoners for analysis tasks such as policy comparison, verification and querying. We provide an empirical evaluation of a policy analysis tool implemented on top of the open-source DL reasoner Pellet.
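As an added illustration of what the analysis services named in the abstract (policy comparison, querying and redundancy detection) compute, the following Python sketch evaluates a toy XACML-like policy over a small, finite attribute domain and derives each service by exhaustive enumeration. This is not code from the paper, which encodes XACML in description logics and hands the reasoning to Pellet; the policy, the attribute names and the domain values are all constructed assumptions, and Indeterminate decisions and obligations are not modelled.

```python
# Added example (not from the paper): brute-force versions of the analysis
# services the abstract lists, for a toy XACML-like policy over a constructed,
# finite attribute domain. The paper uses a DL encoding and the Pellet reasoner;
# the exhaustive enumeration here is a stand-in that only scales to tiny domains.
import copy
from itertools import product

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# Constructed attribute domain (assumption); a request is one value per attribute.
DOMAIN = {
    "role": ("admin", "doctor", "nurse"),
    "resource": ("record", "schedule"),
    "action": ("read", "write"),
}


def matches(target, request):
    """A target is {attribute: set of accepted values}; an empty target matches every request."""
    return all(request[attr] in values for attr, values in target.items())


def combine(decisions, algorithm):
    """Simplified XACML rule-combining algorithms (Indeterminate is not modelled)."""
    if algorithm == "deny-overrides":
        return DENY if DENY in decisions else PERMIT if PERMIT in decisions else NA
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in decisions else DENY if DENY in decisions else NA
    if algorithm == "first-applicable":
        return next((d for d in decisions if d != NA), NA)
    raise ValueError(f"unknown combining algorithm {algorithm!r}")


def evaluate(policy, request):
    """Decision of a single policy for one request."""
    if not matches(policy["target"], request):
        return NA
    decisions = [r["effect"] if matches(r["target"], request) else NA for r in policy["rules"]]
    return combine(decisions, policy["algorithm"])


def all_requests():
    keys = list(DOMAIN)
    for values in product(*(DOMAIN[k] for k in keys)):
        yield dict(zip(keys, values))


def same_decision(d1, d2, deny_by_default):
    # A PEP that treats NotApplicable as Deny cannot tell those two decisions apart.
    if deny_by_default:
        d1, d2 = (DENY if d == NA else d for d in (d1, d2))
    return d1 == d2


def differing_requests(p1, p2, deny_by_default=False):
    """Policy comparison: the requests on which p1 and p2 decide differently."""
    return [req for req in all_requests()
            if not same_decision(evaluate(p1, req), evaluate(p2, req), deny_by_default)]


def redundant_rules(policy, deny_by_default=False):
    """Policy redundancy: rules whose removal changes no decision."""
    redundant = []
    for i, rule in enumerate(policy["rules"]):
        without = dict(policy, rules=policy["rules"][:i] + policy["rules"][i + 1:])
        if not differing_requests(policy, without, deny_by_default):
            redundant.append(rule["id"])
    return redundant


def query(policy, decision, **fixed):
    """Policy querying: requests with the given attribute values that yield `decision`."""
    return [req for req in all_requests()
            if all(req[a] == v for a, v in fixed.items()) and evaluate(policy, req) == decision]


# Constructed example policy (assumption, not from the paper).
HOSPITAL = {
    "id": "hospital",
    "target": {},
    "algorithm": "deny-overrides",
    "rules": [
        {"id": "r1", "effect": PERMIT, "target": {"role": {"doctor", "admin"}, "resource": {"record"}}},
        {"id": "r2", "effect": DENY, "target": {"role": {"nurse"}, "action": {"write"}}},
        # r3 is strictly subsumed by r1, so it can never change a decision.
        {"id": "r3", "effect": PERMIT, "target": {"role": {"doctor"}, "resource": {"record"}, "action": {"read"}}},
        {"id": "r4", "effect": PERMIT, "target": {"role": {"nurse"}, "resource": {"schedule"}, "action": {"read"}}},
    ],
}

# A revised policy for change-impact analysis: admins lose access to records.
HOSPITAL_V2 = copy.deepcopy(HOSPITAL)
HOSPITAL_V2["rules"][0]["target"]["role"] = {"doctor"}

if __name__ == "__main__":
    print("redundant:", redundant_rules(HOSPITAL))                                   # ['r3']
    print("redundant under a deny-by-default PEP:", redundant_rules(HOSPITAL, True))  # ['r2', 'r3']
    print("decisions changed by v2:", differing_requests(HOSPITAL, HOSPITAL_V2))
    print("what nurses may do:", query(HOSPITAL, PERMIT, role="nurse"))
```

Two things the toy makes visible. First, "redundant" depends on the notion of equivalence: r2 only turns NotApplicable into Deny, so it is redundant for an enforcement point that already denies by default but not for one that distinguishes the two decisions, and an analysis tool has to be told which semantics the deployment uses. Second, enumeration is exponential in the number of attributes and needs every domain to be finite, which is exactly why the paper encodes the policies symbolically and queries a DL reasoner instead.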



Published In

WWW '07: Proceedings of the 16th international conference on World Wide Web
May 2007, 1382 pages
ISBN: 9781595936547
DOI: 10.1145/1242572

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. XACML
  2. access control
  3. description logics
  4. policy analysis

Conference

WWW'07: 16th International World Wide Web Conference
May 8 - 12, 2007, Banff, Alberta, Canada

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Article Metrics

  • Downloads (last 12 months): 26
  • Downloads (last 6 weeks): 3
Reflects downloads up to 20 Jan 2025

Cited By

  • (2024) Static and Dynamic Analysis of a Usage Control System. Proceedings of the 29th ACM Symposium on Access Control Models and Technologies, pp. 59-70. DOI: 10.1145/3649158.3657038. Online: 24 Jun 2024.
  • (2024) Addressing Privacy Concerns in Joint Communication and Sensing for 6G Networks: Challenges and Prospects. Privacy Technologies and Policy, pp. 87-111. DOI: 10.1007/978-3-031-68024-3_5. Online: 1 Aug 2024.
  • (2024) Acumen: Analysing the Impact of Organisational Change on Users' Access Entitlements. Computer Security – ESORICS 2023, pp. 410-430. DOI: 10.1007/978-3-031-51482-1_21. Online: 11 Jan 2024.
  • (2023) FLAP - A Federated Learning Framework for Attribute-based Access Control Policies. Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy, pp. 263-272. DOI: 10.1145/3577923.3583641. Online: 24 Apr 2023.
  • (2022) A Formal Validation Approach for XACML 3.0 Access Control Policy. Sensors 22(8), article 2984. DOI: 10.3390/s22082984. Online: 13 Apr 2022.
  • (2022) A Formal Approach for the Identification of Authorization Policy Conflicts within Multi-Cloud Environments. Journal of Grid Computing 20(2). DOI: 10.1007/s10723-022-09606-1. Online: 1 Jun 2022.
  • (2022) A Logic Programming Approach to Incorporate Access Control in the Internet of Things. Internet of Things. IoT through a Multi-disciplinary Perspective, pp. 106-124. DOI: 10.1007/978-3-031-18872-5_7. Online: 19 Oct 2022.
  • (2022) Process Algebra Can Save Lives: Static Analysis of XACML Access Control Policies Using mCRL2. Formal Techniques for Distributed Objects, Components, and Systems, pp. 11-30. DOI: 10.1007/978-3-031-08679-3_2. Online: 12 Jun 2022.
  • (2022) Policy Modeling and Anomaly Detection in ABAC Policies. Risks and Security of Internet and Systems, pp. 137-152. DOI: 10.1007/978-3-031-02067-4_9. Online: 9 Apr 2022.
  • (2022) Temporal Authorization Graphs: Pros, Cons and Limits. Smart Objects and Technologies for Social Good, pp. 105-120. DOI: 10.1007/978-3-030-91421-9_9. Online: 1 Jan 2022.
