
Rumpole: An Introspective Break-Glass Access Control Language

Published: 15 August 2014

Abstract

Access control policies define which resources can be accessed by which subjects and under which conditions. It is, however, often not possible to anticipate all subjects that should be permitted access and the conditions under which they should be permitted; predicting and correctly encoding every emergency and exceptional situation, for example, is impractical. Traditional access control models simply deny every request that is not explicitly permitted, and in doing so may cause unpredictable and unacceptable consequences. To overcome this, break-glass access control models permit a subject to override an access control denial provided that the subject accepts a set of obligatory actions and certain override conditions are met. Existing break-glass models are limited in how the override decision can be specified: they either grant overrides for a predefined set of exceptional situations, or they grant unlimited overrides to selected subjects, and so they inherit the difficulty of correctly encoding and predicting all override situations and permissions. To address this, we develop Rumpole, a novel break-glass language that explicitly represents and infers knowledge gaps and knowledge conflicts about the subject's attributes and the contextual conditions, such as emergencies. For example, a Rumpole policy can distinguish whether or not it is known that an emergency holds. This leads to a more informed decision on an override request, whereas current break-glass languages simply assume that there is no emergency when the evidence for it is missing. To formally define Rumpole, we construct a novel many-valued logic programming language called Beagle. It has a simple syntax similar to that of Datalog, and its semantics extends Fitting's bilattice-based semantics for logic programs. Beagle is a knowledge non-monotonic language, and as such is strictly more expressive than current many-valued logic programming languages.
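The abstract's central point is that a break-glass evaluator should not collapse "no evidence of an emergency" into "no emergency". The following is an added illustration written for this page, not code from the paper and not Rumpole or Beagle syntax: it encodes Belnap's four truth values (true, false, unknown, conflict) as pairs of evidence bits, defines the truth-ordering connectives and the knowledge-ordering join used to merge evidence from several sources, and then evaluates a hypothetical override policy (permit if the requester is on the ward and an emergency holds) beside a closed-world evaluation of the same policy. The evidence sources, fact names, decisions and obligation sets are all constructed assumptions.

```python
"""Four-valued break-glass evaluation (constructed example, not Rumpole/Beagle code).

Belnap's FOUR is encoded as (evidence_for, evidence_against) bit pairs:
TRUE=(1,0), FALSE=(0,1), UNKNOWN=(0,0), CONFLICT=(1,1). The truth ordering
(f below u and c, both below t) gives AND/OR; the knowledge ordering
(u below t and f, both below c) gives the operator that merges evidence.
The override policy at the bottom is hypothetical, written for this page.
"""
from dataclasses import dataclass
from typing import List, Tuple

Four = Tuple[int, int]
TRUE: Four = (1, 0)
FALSE: Four = (0, 1)
UNKNOWN: Four = (0, 0)
CONFLICT: Four = (1, 1)
NAME = {TRUE: "true", FALSE: "false", UNKNOWN: "unknown", CONFLICT: "conflict"}


def neg(a: Four) -> Four:
    """Negation swaps evidence for and against; unknown and conflict are fixed points."""
    return (a[1], a[0])


def t_and(a: Four, b: Four) -> Four:
    """Meet in the truth ordering: supported only if both are, refuted if either is."""
    return (a[0] & b[0], a[1] | b[1])


def t_or(a: Four, b: Four) -> Four:
    """Join in the truth ordering: supported if either is, refuted only if both are."""
    return (a[0] | b[0], a[1] & b[1])


def k_join(a: Four, b: Four) -> Four:
    """Join in the knowledge ordering: union of evidence (true and false merge to conflict)."""
    return (a[0] | b[0], a[1] | b[1])


@dataclass(frozen=True)
class Evidence:
    source: str   # which system asserted the fact (constructed names)
    fact: str     # ground atom, e.g. "emergency" or "on_ward(alice)"
    value: bool   # asserted true or asserted false


def knowledge(fact: str, evidence: List[Evidence]) -> Four:
    """What is known about `fact`: silence stays UNKNOWN instead of becoming false."""
    v = UNKNOWN
    for e in evidence:
        if e.fact == fact:
            v = k_join(v, TRUE if e.value else FALSE)
    return v


def closed_world(fact: str, evidence: List[Evidence]) -> bool:
    """Two-valued baseline: a fact holds iff some source asserts it; silence and conflict both collapse."""
    return any(e.fact == fact and e.value for e in evidence)


def decide(subject: str, evidence: List[Evidence]) -> Tuple[str, str, List[str]]:
    """Hypothetical override policy: permit = on_ward(subject) AND emergency, evaluated in FOUR.

    Each of the four outcomes maps to its own decision and obligation set, so the
    policy can react to 'not known' and 'contradictory' rather than treating both
    as 'no emergency'.
    """
    permit = t_and(knowledge(f"on_ward({subject})", evidence),
                   knowledge("emergency", evidence))
    if permit == TRUE:
        return ("grant", NAME[permit], ["log the access", "notify the patient's consultant"])
    if permit == UNKNOWN:
        return ("grant", NAME[permit], ["log the access", "record a written justification",
                                        "supervisor review within 24 hours"])
    if permit == CONFLICT:
        return ("escalate", NAME[permit], ["log the request", "page the on-call supervisor"])
    return ("deny", NAME[permit], [])


def decide_closed_world(subject: str, evidence: List[Evidence]) -> str:
    """The same policy under the closed-world assumption: missing evidence means false."""
    ok = closed_world(f"on_ward({subject})", evidence) and closed_world("emergency", evidence)
    return "grant" if ok else "deny"


# Constructed evidence sets for the situations the abstract contrasts.
CLEAR_EMERGENCY = [Evidence("badge", "on_ward(alice)", True), Evidence("triage", "emergency", True)]
NO_EVIDENCE = [Evidence("badge", "on_ward(alice)", True)]  # the triage feed is silent
CONFLICTING = [Evidence("badge", "on_ward(alice)", True),
               Evidence("triage", "emergency", True), Evidence("ward_board", "emergency", False)]
OFF_WARD = [Evidence("badge", "on_ward(alice)", False), Evidence("triage", "emergency", True)]

if __name__ == "__main__":
    for label, ev in [("clear", CLEAR_EMERGENCY), ("silent", NO_EVIDENCE),
                      ("conflicting", CONFLICTING), ("off-ward", OFF_WARD)]:
        print(label, decide("alice", ev), "closed-world:", decide_closed_world("alice", ev))
```

With the triage feed silent, the four-valued policy grants the override but attaches heavier obligations, while the closed-world evaluation denies it outright; with two sources contradicting each other, the four-valued policy escalates to a human, while the closed-world evaluation grants as if the emergency were confirmed. That divergence is the "more informed decision" the abstract refers to.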

References

  1. R. J. Anderson. 1996. A security policy model for clinical information systems. In Proceedings of the IEEE Symposium on Security and Privacy. 30--43.
  2. Claudio A. Ardagna, Sabrina De Capitani di Vimercati, Sara Foresti, Tyrone W. Grandison, Sushil Jajodia, and Pierangela Samarati. 2010. Access control for smarter healthcare using policy spaces. Comput. Secur. 29 (2010), 848--858.
  3. Claudio Agostino Ardagna, Sabrina De Capitani di Vimercati, Tyrone Grandison, Sushil Jajodia, and Pierangela Samarati. 2008. Regulating exceptions in healthcare using policy spaces. In Proceedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Application Security (DBSec). 254--267.
  4. Ofer Arieli and Arnon Avron. 1998. The value of the four values. Artif. Intell. 102 (1998), 97--141.
  5. A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. 2006. Privacy and contextual integrity: Framework and applications. In Proceedings of the IEEE Symposium on Security and Privacy.
  6. N. D. Belnap. 1977. A useful four-valued logic. In Modern Uses of Multiple-Valued Logics. Springer, 8--37.
  7. Claudio Bettini, Sushil Jajodia, X. Sean Wang, and Duminda Wijesekera. 2002. Provisions and obligations in policy management and security applications. In Proceedings of the 28th International Conference on Very Large Data Bases. 502--513.
  8. Achim D. Brucker and Helmut Petritsch. 2009. Extending access control models with break-glass. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. 197--206.
  9. Glenn Bruns and Michael Huth. 2008. Access-control policies via Belnap logic: Effective and efficient composition and analysis. In Proceedings of the IEEE Computer Security Foundations Symposium. 163--176.
  10. J. G. Cederquist, Ricardo Corin, M. A. C. Dekker, Sandro Etalle, J. I. den Hartog, and Gabriele Lenzini. 2007. Audit-based compliance control. Int. J. Inf. Sec. 6, 2--3 (2007), 133--151.
  11. S. Ceri, G. Gottlob, and L. Tanca. 1989. What you always wanted to know about Datalog (and never dared to ask). IEEE Trans. Knowl. Data Eng. 1 (1989), 146--166.
  12. Omar Chowdhury, Andreas Gampe, Jianwei Niu, Jeffery von Ronne, Jared Bennatt, Anupam Datta, Limin Jia, and William H. Winsborough. 2013. Privacy promises that can be kept: A policy analysis method with application to the HIPAA privacy rule. In Proceedings of the 18th ACM Symposium on Access Control Models and Technologies. 3--14.
  13. Jason Crampton and Charles Morisset. 2012. PTaCL: A language for attribute-based access control in open systems. In Proceedings of the Conference on Principles of Security and Trust (POST). 390--409.
  14. Evgeny Dantsin, Thomas Eiter, Georg Gottlob, and Andrei Voronkov. 2001. Complexity and expressive power of logic programming. ACM Comput. Surv. 33 (2001), 374--425.
  15. Sandro Etalle and William H. Winsborough. 2007. A posteriori compliance control. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT). 11--20.
  16. A. Ferreira, D. Chadwick, P. Farinha, R. Correia, Gansen Zhao, R. Chilro, and L. Antunes. 2009. How to securely break into RBAC: The BTG-RBAC model. In Proceedings of the Computer Security Applications Conference.
  17. Melvin Fitting. 1990. Bilattices in logic programming. In Proceedings of the 20th International Symposium on Multiple-Valued Logic. 238--246.
  18. Melvin Fitting. 1991. Bilattices and the semantics of logic programming. J. Log. Program. 11 (1991), 91--116.
  19. Matthew Ginsberg. 1988. Multivalued logics: A uniform approach to inference in artificial intelligence. Comput. Intel. 4 (1988), 265--316.
  20. S. K. S. Gupta, T. Mukherjee, and K. Venkatasubramanian. 2006. Criticality aware access control model for pervasive applications. In Proceedings of the 4th IEEE International Conference on Pervasive Computing and Communications (PERCOM'06). IEEE Computer Society, 251--257.
  21. Ragib Hasan and Marianne Winslett. 2011. Efficient audit-based compliance for relational data retention. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 238--248.
  22. HHS. 2003. Summary of the HIPAA Privacy Rule. United States Department of Health & Human Services. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary.
  23. Keith Irwin, Ting Yu, and William H. Winsborough. 2006. On the modeling and analysis of obligations. In Proceedings of the 13th ACM Conference on Computer and Communications Security. 134--143.
  24. Yann Le Gall, Adam J. Lee, and Apu Kapadia. 2012. PlexC: A policy language for exposure control. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies (SACMAT'12). 219--228.
  25. Adam J. Lee, Jodie P. Boyer, Lars E. Olson, and Carl A. Gunter. 2006. Defeasible security policy composition for Web services. In Proceedings of the 4th ACM Workshop on Formal Methods in Security. 45--54.
  26. Ninghui Li, Qihua Wang, Wahbeh Qardaji, Elisa Bertino, Prathima Rao, Jorge Lobo, and Dan Lin. 2009. Access control policy combining: Theory meets practice. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT'09). ACM, 135--144.
  27. Jim J. Longstaff, Mike A. Lockyer, and M. G. Thick. 2000. A model of accountability, confidentiality and override for healthcare and other applications. In Proceedings of the ACM Workshop on Role-Based Access Control. 71--76.
  28. Srdjan Marinovic, Robert Craven, Jiefei Ma, and Naranker Dulay. 2011. Rumpole: A flexible break-glass access control model. In Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT). 73--82.
  29. NEMA. 2004. Break-Glass: An Approach to Granting Emergency Access to Healthcare Systems. White Paper, Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC).
  30. Qun Ni, Elisa Bertino, and Jorge Lobo. 2008. An obligation model bridging access control policies and privacy policies. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies (SACMAT'08). ACM, New York, NY, 133--142.
  31. Jaehong Park and Ravi Sandhu. 2004. The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7, 1 (2004), 128--174.
  32. Dean Povey. 2000. Optimistic security: A new access control paradigm. In Proceedings of the Workshop on New Security Paradigms (NSPW'99). ACM, New York, NY, 40--45.
  33. Teodor C. Przymusinski. 1988a. On the relationship between logic programming and nonmonotonic reasoning. In Proceedings of the 7th National Conference on Artificial Intelligence (AAAI). 444--448.
  34. Teodor C. Przymusinski. 1988b. Perfect model semantics. In Proceedings of the 5th International Conference and Symposium on Logic Programming (ICLP/SLP). 1081--1096.
  35. R. Reiter. 1977. On closed world data bases. Technical Report. University of British Columbia, Vancouver, BC, Canada.
  36. Erik Rissanen, Babak Sadighi Firozabadi, and Marek J. Sergot. 2004. Discretionary overriding of access control in the privilege calculus. In Formal Aspects in Security and Trust. 219--232.
  37. Paul Ruet and François Fages. 1997. Combining explicit negation and negation by failure via Belnap's logic. Theor. Comput. Sci. 171 (1997), 61--75.
  38. John S. Schlipf. 1995. Complexity and undecidability results for logic programming. Ann. Math. Artif. Intell. 15 (1995), 257--288.
  39. V. S. Subrahmanian. 1999. Nonmonotonic logic programming. IEEE Trans. Knowl. Data Eng. 11, 1 (1999), 143--152.
  40. Alfred Tarski. 1955. A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math. 5, 2 (1955).
  41. K. Twidle, E. Lupu, N. Dulay, and M. Sloman. 2008. Ponder2 - A policy environment for autonomous pervasive systems. In Proceedings of the IEEE Workshop on Policies for Distributed Systems and Networks (POLICY'08). 245--246.
  42. Allen Van Gelder, Kenneth A. Ross, and John S. Schlipf. 1991. The well-founded semantics for general logic programs. J. ACM 38, 3 (1991), 620--650.


Published in

ACM Transactions on Information and System Security, Volume 17, Issue 1 (August 2014), 118 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2660572
Editor: Gene Tsudik

    Copyright © 2014 ACM

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States

    Publication History

    • Published: 15 August 2014
    • Accepted: 1 May 2014
    • Revised: 1 February 2014
    • Received: 1 July 2013