ABSTRACT
Access policies specify which actions different actors can perform on the available resources. They are a core notion in multiuser environments, such as operating systems and distributed databases. Currently, most of these systems use general data specification languages, such as JSON, XML and YAML, to describe access policies. Yet domain-specific languages are also available for this task. One such language is Legalease, from Microsoft. This paper presents a new version of Legalease, called Hapi. Hapi replaces Legalease’s notion of a lattice with a partially ordered set (poset). We demonstrate that posets already give all the expressivity of Legalease, while simplifying its specification and the implementation of verification algorithms. Hapi is currently publicly available. The language is distributed with tools for translating programs to YAML and for visualizing access rights. Hapi provides developers with an Intermediary Representation of policies that allows the language to be easily embedded in any project. This representation generalizes the notion of actors, actions and resources to user-defined entities, and is hence more flexible than typical data-access description languages.