Abstract
Access control policies define what resources can be accessed by which subjects and under which conditions. It is, however, often not possible to anticipate all subjects that should be permitted access and the conditions under which they should be permitted. For example, predicting and correctly encoding all emergency and exceptional situations is impractical. Traditional access control models simply deny all requests that are not permitted, and in doing so may cause unpredictable and unacceptable consequences. To overcome this issue, break-glass access control models permit a subject to override an access control denial if the subject accepts a set of obligatory actions and certain override conditions are met. Existing break-glass models are limited in how the override decision is specified. They either grant overrides for a predefined set of exceptional situations, or they grant unlimited overrides to selected subjects, and as such, they suffer from the difficulty of correctly encoding and predicting all override situations and permissions. To address this, we develop Rumpole, a novel break-glass language that explicitly represents and infers knowledge gaps and knowledge conflicts about the subject's attributes and the contextual conditions, such as emergencies. For example, a Rumpole policy can distinguish whether or not it is known that an emergency holds. This leads to a more informed decision for an override request, whereas current break-glass languages simply assume that there is no emergency if the evidence for it is missing. To formally define Rumpole, we construct a novel many-valued logic programming language called Beagle. It has a simple syntax similar to that of Datalog, and its semantics is an extension of Fitting's bilattice-based semantics for logic programs. Beagle is a knowledge non-monotonic language, and as such, is strictly more expressive than current many-valued logic programming languages.
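The distinction the abstract draws, between an emergency that is known not to hold and one about which nothing is known (or about which evidence conflicts), is illustrated by the following added example. It is not the paper's Beagle language or Rumpole syntax; it evaluates a hypothetical override rule over Belnap's four-valued bilattice, with the atom names (`clinician`, `emergency`) and the rule itself chosen here as assumptions, and contrasts the result with a closed-world reading that maps every gap to false.

```python
from enum import Enum
from functools import reduce

class V(Enum):
    """Belnap's four values, encoded as (evidence for, evidence against)."""
    NONE = (0, 0)   # knowledge gap: nothing known either way
    TRUE = (1, 0)
    FALSE = (0, 1)
    BOTH = (1, 1)   # knowledge conflict: evidence both for and against

def conj(a, b):
    """Truth-order meet: for-evidence is the min, against-evidence the max."""
    (f1, g1), (f2, g2) = a.value, b.value
    return V((min(f1, f2), max(g1, g2)))

def join_k(a, b):
    """Knowledge-order join: pool all evidence reported by both sources."""
    (f1, g1), (f2, g2) = a.value, b.value
    return V((max(f1, f2), max(g1, g2)))

def known(a):
    """Epistemic test 'it is known that a holds': TRUE only when a is exactly TRUE."""
    return V.TRUE if a is V.TRUE else V.FALSE

def cwa(a):
    """Closed-world reading used by conventional policies: a gap counts as false."""
    return V.FALSE if a is V.NONE else a

def merge(reports):
    """Pool the reports for one atom; an atom nobody reports on is a gap (NONE)."""
    return reduce(join_k, reports, V.NONE)

def override_decision(evidence):
    """evidence maps an atom to the list of four-valued reports about it.
    Hypothetical rule: override iff the subject is known to be a clinician
    and an emergency is known to hold. Returns (decision, reason)."""
    emergency = merge(evidence.get("emergency", []))
    clinician = merge(evidence.get("clinician", []))
    if conj(known(clinician), known(emergency)) is V.TRUE:
        return "grant", "clinician and emergency are both known to hold"
    reason = {V.NONE: "emergency status is a knowledge gap",
              V.BOTH: "conflicting evidence about the emergency",
              V.FALSE: "emergency is known not to hold",
              V.TRUE: "subject is not known to be a clinician"}[emergency]
    return "deny", reason

def conventional_decision(evidence):
    """Same rule under the closed-world reading: gaps, conflicts and known-false
    emergencies all collapse into an unexplained denial."""
    emergency = cwa(merge(evidence.get("emergency", [])))
    clinician = cwa(merge(evidence.get("clinician", [])))
    return "grant" if conj(clinician, emergency) is V.TRUE else "deny"
```

Two sources reporting `TRUE` and `FALSE` for the same atom pool to `BOTH`, so a conflict is reported as such rather than silently resolved in either direction.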
References
- R. J. Anderson. 1996. A security policy model for clinical information systems. In Proceedings of the IEEE Symposium on Security and Privacy. 30--43.
- Claudio A. Ardagna, Sabrina De Capitani di Vimercati, Sara Foresti, Tyrone W. Grandison, Sushil Jajodia, and Pierangela Samarati. 2010. Access control for smarter healthcare using policy spaces. Comput. Secur. 29 (2010), 848--858.
- Claudio Agostino Ardagna, Sabrina De Capitani di Vimercati, Tyrone Grandison, Sushil Jajodia, and Pierangela Samarati. 2008. Regulating exceptions in healthcare using policy spaces. In Proceedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Application Security (DBSec). 254--267.
- Ofer Arieli and Arnon Avron. 1998. The value of the four values. Artif. Intell. 102 (1998), 97--141.
- A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. 2006. Privacy and contextual integrity: Framework and applications. In Proceedings of the IEEE Symposium on Security and Privacy.
- N. D. Belnap. 1977. A useful four-valued logic. In Modern Uses of Multiple-Valued Logics. Springer, 8--37.
- Claudio Bettini, Sushil Jajodia, X. Sean Wang, and Duminda Wijesekera. 2002. Provisions and obligations in policy management and security applications. In Proceedings of the 28th International Conference on Very Large Data Bases. 502--513.
- Achim D. Brucker and Helmut Petritsch. 2009. Extending access control models with break-glass. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. 197--206.
- Glenn Bruns and Michael Huth. 2008. Access-control policies via Belnap logic: Effective and efficient composition and analysis. In Proceedings of the IEEE Computer Security Foundations Symposium. 163--176.
- J. G. Cederquist, Ricardo Corin, M. A. C. Dekker, Sandro Etalle, J. I. den Hartog, and Gabriele Lenzini. 2007. Audit-based compliance control. Int. J. Inf. Sec. 6, 2--3 (2007), 133--151.
- S. Ceri, G. Gottlob, and L. Tanca. 1989. What you always wanted to know about Datalog (and never dared to ask). IEEE Trans. Knowl. Data Eng. 1 (1989), 146--166.
- Omar Chowdhury, Andreas Gampe, Jianwei Niu, Jeffery von Ronne, Jared Bennatt, Anupam Datta, Limin Jia, and William H. Winsborough. 2013. Privacy promises that can be kept: A policy analysis method with application to the HIPAA privacy rule. In Proceedings of the 18th ACM Symposium on Access Control Models and Technologies. 3--14.
- Jason Crampton and Charles Morisset. 2012. PTaCL: A language for attribute-based access control in open systems. In Proceedings of the Conference on Principles of Security and Trust (POST). 390--409.
- Evgeny Dantsin, Thomas Eiter, Georg Gottlob, and Andrei Voronkov. 2001. Complexity and expressive power of logic programming. ACM Comput. Surv. 33 (2001), 374--425.
- Sandro Etalle and William H. Winsborough. 2007. A posteriori compliance control. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT). 11--20.
- A. Ferreira, D. Chadwick, P. Farinha, R. Correia, Gansen Zao, R. Chilro, and L. Antunes. 2009. How to securely break into RBAC: The BTG-RBAC model. In Proceedings of the Computer Security Applications Conference.
- Melvin Fitting. 1990. Bilattices in logic programming. In Proceedings of the 20th International Symposium on Multiple-Valued Logic. 238--246.
- Melvin Fitting. 1991. Bilattices and the semantics of logic programming. J. Log. Program. 11 (1991), 91--116.
- Matthew Ginsberg. 1988. Multivalued logics: A uniform approach to inference in artificial intelligence. Comput. Intel. 4 (1988), 265--316.
- S. K. S. Gupta, T. Mukherjee, and K. Venkatasubramanian. 2006. Criticality aware access control model for pervasive applications. In Proceedings of the 4th IEEE International Conference on Pervasive Computing and Communications (PERCOM'06). IEEE Computer Society, 251--257.
- Ragib Hasan and Marianne Winslett. 2011. Efficient audit-based compliance for relational data retention. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 238--248.
- HHS. 2003. Summary of the HIPAA Privacy Rule. United States Department of Health & Human Services (2003). http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary.
- Keith Irwin, Ting Yu, and William H. Winsborough. 2006. On the modeling and analysis of obligations. In Proceedings of the 13th ACM Conference on Computer and Communications Security. 134--143.
- Yann Le Gall, Adam J. Lee, and Apu Kapadia. 2012. PlexC: A policy language for exposure control. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies (SACMAT'12). 219--228.
- Adam J. Lee, Jodie P. Boyer, Lars E. Olson, and Carl A. Gunter. 2006. Defeasible security policy composition for Web services. In Proceedings of the 4th ACM Workshop on Formal Methods in Security. 45--54.
- Ninghui Li, Qihua Wang, Wahbeh Qardaji, Elisa Bertino, Prathima Rao, Jorge Lobo, and Dan Lin. 2009. Access control policy combining: Theory meets practice. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT'09). ACM, 135--144.
- Jim J. Longstaff, Mike A. Lockyer, and M. G. Thick. 2000. A model of accountability, confidentiality and override for healthcare and other applications. In Proceedings of the ACM Workshop on Role-Based Access Control. 71--76.
- Srdjan Marinovic, Robert Craven, Jiefei Ma, and Naranker Dulay. 2011. Rumpole: A flexible break-glass access control model. In Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT). 73--82.
- NEMA. 2004. Break-Glass: An Approach to Granting Emergency Access to Healthcare Systems. White Paper, Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC).
- Qun Ni, Elisa Bertino, and Jorge Lobo. 2008. An obligation model bridging access control policies and privacy policies. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies (SACMAT'08). ACM, New York, NY, 133--142.
- Jaehong Park and Ravi Sandhu. 2004. The UCON_ABC usage control model. ACM Trans. Inf. Syst. Secur. 7, 1 (2004), 128--174.
- Dean Povey. 2000. Optimistic security: A new access control paradigm. In Proceedings of the Workshop on New Security Paradigms (NSPW'09). ACM, New York, NY, 40--45.
- Teodor C. Przymusinski. 1988a. On the relationship between logic programming and nonmonotonic reasoning. In Proceedings of the 7th National Conference on Artificial Intelligence (AAAI). 444--448.
- Teodor C. Przymusinski. 1988b. Perfect model semantics. In Proceedings of the 5th International Conference and Symposium on Logic Programming (ICLP/SLP). 1081--1096.
- R. Reiter. 1977. On closed world data bases. Technical Report. University of British Columbia, Vancouver, BC, Canada.
- Erik Rissanen, Babak Sadighi Firozabadi, and Marek J. Sergot. 2004. Discretionary overriding of access control in the privilege calculus. In Formal Aspects in Security and Trust. 219--232.
- Paul Ruet and François Fages. 1997. Combining explicit negation and negation by failure via Belnap's logic. Theor. Comput. Sci. 171 (1997), 61--75.
- John S. Schlipf. 1995. Complexity and undecidability results for logic programming. Ann. Math. Artif. Intell. 15 (1995), 257--288.
- V. S. Subrahmanian. 1999. Nonmonotonic logic programming. IEEE Trans. Knowl. Data Eng. 11, 1 (1999), 143--152.
- Alfred Tarski. 1955. A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math. 5, 2 (1955).
- K. Twidle, E. Lupu, N. Dulay, and M. Sloman. 2008. Ponder2: A policy environment for autonomous pervasive systems. In Proceedings of the IEEE Workshop on Policies for Distributed Systems and Networks (POLICY'08). 245--246.
- Allen Van Gelder, Kenneth A. Ross, and John S. Schlipf. 1991. The well-founded semantics for general logic programs. J. ACM 38, 3 (1991), 620--650.