DOI: 10.1145/1273920.1273950

Efficient trust management policy analysis from rules

Published: 14 July 2007

Abstract

This paper describes a systematic method for deriving efficient algorithms and precise time complexities from extended Datalog rules as it is applied to the analysis of trust management policies specified in SPKI/SDSI, a well-known trust management framework designed to facilitate the development of secure and scalable distributed computing systems. The approach of expressing policy analysis problems as extended Datalog rules is much simpler than previous techniques for analysis of SPKI/SDSI policies. Our method also derives better, more precise time complexities than before in addition to generating complete algorithms and data structures. The method is general, with many applications beyond policy analysis. It extends our previous method for Datalog to handle list constructors, external functions, and queries.


Published In

PPDP '07: Proceedings of the 9th ACM SIGPLAN international conference on Principles and practice of declarative programming
July 2007
240 pages
ISBN:9781595937698
DOI:10.1145/1273920
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. algorithm
  3. policy analysis
  4. security
  5. time complexity

Qualifiers

  • Article

Conference

PPDP07
Acceptance Rates

Overall Acceptance Rate 230 of 486 submissions, 47%

Cited By

  • (2018) Logic programming applications. Declarative Logic Programming, pages 519-548. DOI: 10.1145/3191315.3191326. Online publication date: 1-Sep-2018
  • (2018) Declarative Logic Programming. Online publication date: 1-Sep-2018
  • (2009) From datalog rules to efficient programs with time and space guarantees. ACM Transactions on Programming Languages and Systems, 31:6, pages 1-38. DOI: 10.1145/1552309.1552311. Online publication date: 26-Aug-2009
  • (2008) Generating Specialized Rules and Programs for Demand-Driven Analysis. Proceedings of the 12th international conference on Algebraic Methodology and Software Technology, pages 346-361. DOI: 10.1007/978-3-540-79980-1_26. Online publication date: 28-Jul-2008
