DOI: 10.1145/1314436.1314446

Weaving rewrite-based access control policies

Published: 02 November 2007


Access control is a central issue among the overall security goals of information systems. Despite the existence of a vast literature on the subject, it is still very hard to assure the compliance of a large system with a given dynamic access control policy. Based on our previous work on formal islands, we provide in this paper a systematic methodology to weave dynamic, formally specified policies on existing applications using aspect-oriented programming. To that end, access control policies are formalized using term rewriting systems, allowing us to have an agile, modular, and precise way to specify and to ensure their formal properties. These high-level descriptions are then woven into the existing code, such that the resulting program implements a safe reference monitor for the specified policy. For developers, this provides a systematic process to enforce dynamic policies in a modular and flexible way. Since policies are independently specified and checked to be later woven into various different applications, the level of reuse is improved. We implemented the approach on test cases with quite encouraging results.


Published In

FMSE '07: Proceedings of the 2007 ACM workshop on Formal methods in security engineering
November 2007
88 pages

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. access control
  2. aspect-oriented programming
  3. execution monitoring
  4. strategic rewriting
  5. term rewriting

