DOI: 10.1145/1755688.1755711

Toward practical authorization-dependent user obligation systems

Published: 13 April 2010

Abstract

Many authorization system models include some notion of obligation. Little attention has been given to user obligations that depend on and affect authorizations. However, to be usable, the system must ensure users have the authorizations they need when their obligations must be performed. Prior work in this area introduced accountability properties that ensure failure to fulfill obligations is not due to lack of required authorizations. That work presented inconclusive and purely theoretical results concerning the feasibility of maintaining accountability in practice. The results of the current paper include algorithms and performance analysis that support the thesis that maintaining accountability in a reference monitor is reasonable in many applications.

Published In

ASIACCS '10: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
April 2010
363 pages
ISBN: 9781605589367
DOI: 10.1145/1755688

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. RBAC
2. accountability
3. authorization systems
4. obligations
5. policy

Qualifiers

• Research-article

Conference

ASIA CCS '10

Acceptance Rates

ASIACCS '10 Paper Acceptance Rate: 25 of 166 submissions, 15%
Overall Acceptance Rate: 418 of 2,322 submissions, 18%

Cited By

• (2025) Managing Obligation Delegation. Security and Privacy. 10.1002/spy2.489, 8:1. Online publication date: 12-Jan-2025
• (2023) An Incentive Mechanism for Managing Obligation Delegation. Risks and Security of Internet and Systems. 10.1007/978-3-031-31108-6_15 (191-206). Online publication date: 14-May-2023
• (2016) POSTER. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 10.1145/2976749.2989068 (1802-1804). Online publication date: 24-Oct-2016
• (2016) Toward an off-line analysis of obligation with deadline policies. 2016 14th Annual Conference on Privacy, Security and Trust (PST). 10.1109/PST.2016.7906924 (178-186). Online publication date: Dec-2016
• (2012) Ensuring authorization privileges for cascading user obligations. Proceedings of the 17th ACM symposium on Access Control Models and Technologies. 10.1145/2295136.2295144 (33-44). Online publication date: 20-Jun-2012
• (2012) On practical specification and enforcement of obligations. Proceedings of the second ACM conference on Data and Application Security and Privacy. 10.1145/2133601.2133611 (71-82). Online publication date: 7-Feb-2012
• (2012) Modeling and Automating Analysis of Server Duty and Client Obligation for High Assurance. Proceedings of the 2012 32nd International Conference on Distributed Computing Systems Workshops. 10.1109/ICDCSW.2012.60 (409-416). Online publication date: 18-Jun-2012
• (2011) On the management of user obligations. Proceedings of the 16th ACM symposium on Access control models and technologies. 10.1145/1998441.1998473 (175-184). Online publication date: 15-Jun-2011
• (2010) Failure Feedback for User Obligation Systems. Proceedings of the 2010 IEEE Second International Conference on Social Computing. 10.1109/SocialCom.2010.111 (713-720). Online publication date: 20-Aug-2010
