research-article

Access control policy combining: theory meets practice

Authors:

Wahbeh Qardaji,

Dan LinAuthors Info & Claims

SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies

Pages 135 - 144

https://doi.org/10.1145/1542207.1542229

Published: 03 June 2009 Publication History

Abstract

Many access control policy languages, e.g., XACML, allow a policy to contain multiple sub-policies, and the result of the policy on a request is determined by combining the results of the sub-policies according to some policy combining algorithms (PCAs). Existing access control policy languages, however, do not provide a formal language for specifying PCAs. As a result, it is difficult to extend them with new PCAs. While several formal policy combining algebras have been proposed, they did not address important practical issues such as policy evaluation errors and obligations; furthermore, they cannot express PCAs that consider all sub-policies as a whole (e.g., weak majority or strong majority). We propose a policy combining language PCL, which can succinctly and precisely express a variety of PCAs. PCL represents an advancement both in terms of theory and practice. It is based on automata theory and linear constraints, and is more expressive than existing approaches. We have implemented PCL and integrated it with SUN's XACML implementation. With PCL, a policy evaluation engine only needs to understand PCL to evaluate any PCA specified in it.

References

[1]

P. Ashley, S. Hada, G. Karjoth, C. Powers, and M. Schunter. The enterprise privacy authorization language (EPAL). http://www.w3.org/2003/p3p-ws/pp/ibm3.html.

[2]

M. Backes, M. Durmuth, and R. Steinwandt. An algebra for composing enterprise privacy policies. In ESORICS '04: Proceedings of the 2004 European Symposium on Research in Computer Security, 2004.

[3]

L. Bauer, J. Ligatti, and D. Walker. Composing security policies with polymer. In PLDI '05: ACM Conference on Programming Language Design and Implementation, 2005.

Digital Library

[4]

N. D. Belnap. A useful four-valued logic. In Modern Uses of Multiple-Valued Logic, 1977.

[5]

P. Bonatti, S. de Capitani di Vimercati, and P. Samarati. An algebra for composing access control policies. ACM Transactions on Information and System Security (TISSEC), 5(1):1--35, Feb. 2002.

Digital Library

[6]

G. Bruns, D. S. Dantas, and M. Huth. A simple and expressive semantic framework for policy composition in access control. In FMSE '07: Proceedings of the 2007 ACM Workshop on Formal methods in security engineering, pages 12--21, New York, NY, USA, 2007. ACM.

Digital Library

[7]

K. Fisler, S. Krishnamurthi, L. A. Meyerovich, and M. C. Tschantz. Verification and change-impact analysis of access-control policies. In ICSE, pages 196--205, 2005.

Digital Library

[8]

S. Hada and M. Kudo. XML access control language: Provisional authorization for XML documents. http://www.trl.ibm.com/projects/xml/xacl/xacl-spec.html.

[9]

J. Halpern and V. Weissman. Using first-order logic to reason about policies. In CSFW '03: Proceedings of the Computer Security Foundations Workshop, 2003.

[10]

V. Kolovski, J. Hendler, and B. Parsia. Analyzing web access control policies. In WWW '07: Proceedings of the 16th international conference on World Wide Web, pages 677--686, New York, NY, USA, 2007. ACM.

Digital Library

[11]

J. Ligatti, L. Bauer, and D. Walker. Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Sec., 4(1-2):2--16, 2005.

Digital Library

[12]

A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A fast and scalable XACML policy evaluation engine. In Proc.International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS 2008), pages 265--276, June 2008.

Digital Library

[13]

E. Martin and T. Xie. A fault model and mutation testing of access control policies. In Proc. 16th International Conference on World Wide Web (WWW 2007), pages 667--676, May 2007.

Digital Library

[14]

P. Mazzoleni, E. Bertino, B. Crispo, and S. Sivasubramanian. XACML policy integration algorithms: not to be confused with XACML policy combination algorithms! In SACMAT '06: Proceedings of the eleventh ACM symposium on Access control models and technologies, pages 219--227, New York, NY, USA, 2006. ACM.

Digital Library

[15]

C. Ribeiro, A. Z'laquete, P. Ferreira, and P. Guedes. SPL: An access control language for security policies with complex constraints. In NDSS '01: Network and Distributed System Security Symposium, 2001.

[16]

F. B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security (TISSEC), 3(1):30--50, 2000.

Digital Library

[17]

Sun Microsystems. Sun's XACML implementation. http://sunxacml.sourceforge.net/.

[18]

D. Wijesekera and S. Jajodia. Policy algebras for access control the predicate case. In Proc. ACM Conference on Computer and Communications Security (CCS), pages 171--180, 2002.

Digital Library

[19]

D. Wijesekera and S. Jajodia. A propositional policy algebra for access control. ACM Transactions on Information and Systems Security (TISSEC), 6(2):286--325, May 2003.

Digital Library

[20]

XACML TC. OASIS eXtensible Access Control Markup Language (XACML). http://www.oasis-open.org/committees/xacml/.

[21]

G. Audemard, P. Bertoli, A. Cimatti, A. Kornilowicz, and R. Sebastiani. A sat based approach for solving formulas over boolean and linear mathematical propositions. In CADE, pages 195--210, 2002.

Digital Library

[22]

M. Bozzano, R. Bruttomesso, A. Cimatti, T. A. Junttila, P. van Rossum, S. Schulz, and R. Sebastiani. An incremental and layered procedure for the satisfiability of linear arithmetic logic. In TACAS, pages 317--333, 2005

Digital Library

Cited By

Bamberger AFernández MGupta MAbdelsalam MPritom MAwaysheh F(2024)Automated Generation and Update of Structured ABAC PoliciesProceedings of the 2024 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems10.1145/3643650.3658608(31-40)Online publication date: 21-Jun-2024
https://dl.acm.org/doi/10.1145/3643650.3658608
Geng XWen YMo ZLiu Y(2023)An Access Control Framework for Multilayer Rail Transit Systems Based on Trust and Sensitivity AttributesApplied Sciences10.3390/app13231290413:23(12904)Online publication date: 1-Dec-2023
https://doi.org/10.3390/app132312904
Vijay MDevika RPriyangha B(2022)Anomaly Detection System and Resolution of Anomalies for Firewall PoliciesSmart Data Intelligence10.1007/978-981-19-3311-0_12(135-144)Online publication date: 18-Aug-2022
https://doi.org/10.1007/978-981-19-3311-0_12
Show More Cited By

Index Terms

Access control policy combining: theory meets practice
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

Attribute Expressions, Policy Tables and Attribute-Based Access Control
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies

Attribute-based access control (ABAC) has attracted considerable interest in recent years, prompting the development of the standardized XML-based language XACML. ABAC policies written in languages like XACML have a tree-like structure, where leaf nodes ...
Designing Fast and Scalable XACML Policy Evaluation Engines

Most prior research on policies has focused on correctness. While correctness is an important issue, the adoption of policy-based computing may be limited if the resulting systems are not implemented efficiently and thus perform poorly. To increase the ...
XACBench: a XACML policy benchmark
Abstract
XACML standard defines a declarative language to determine access control policies which are critical for deploying security solutions. It is important to evaluate the performance of policies defined by XACML, for applications such as policy ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies

June 2009

258 pages

ISBN:9781605585376

DOI:10.1145/1542207

General Chair:
Barbara Carminati
University of Insubria, Italy
,
Program Chair:
James Joshi
University of Pittsburgh, USA

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 June 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SACMAT '09

Sponsor:

SACMAT '09: 14th ACM Symposium on Access Control Models and Technologies

June 3 - 5, 2009

Stresa, Italy

Acceptance Rates

SACMAT '09 Paper Acceptance Rate 24 of 75 submissions, 32%;

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

64
Total Citations
View Citations
930
Total Downloads

Downloads (Last 12 months)21
Downloads (Last 6 weeks)6

Reflects downloads up to 06 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Bamberger AFernández MGupta MAbdelsalam MPritom MAwaysheh F(2024)Automated Generation and Update of Structured ABAC PoliciesProceedings of the 2024 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems10.1145/3643650.3658608(31-40)Online publication date: 21-Jun-2024
https://dl.acm.org/doi/10.1145/3643650.3658608
Geng XWen YMo ZLiu Y(2023)An Access Control Framework for Multilayer Rail Transit Systems Based on Trust and Sensitivity AttributesApplied Sciences10.3390/app13231290413:23(12904)Online publication date: 1-Dec-2023
https://doi.org/10.3390/app132312904
Vijay MDevika RPriyangha B(2022)Anomaly Detection System and Resolution of Anomalies for Firewall PoliciesSmart Data Intelligence10.1007/978-981-19-3311-0_12(135-144)Online publication date: 18-Aug-2022
https://doi.org/10.1007/978-981-19-3311-0_12
Davari MZulkernine M(2022)Policy Modeling and Anomaly Detection in ABAC PoliciesRisks and Security of Internet and Systems10.1007/978-3-031-02067-4_9(137-152)Online publication date: 9-Apr-2022
https://doi.org/10.1007/978-3-031-02067-4_9
Ferguson DAlbright YLomsak DHanks TOrr KLigatti J(2020)PoCoProceedings of the 2020 9th International Conference on Software and Computer Applications10.1145/3384544.3384585(331-338)Online publication date: 18-Feb-2020
https://dl.acm.org/doi/10.1145/3384544.3384585
Chehab MMourad A(2020)LP-SBA-XACML: Lightweight Semantics Based Scheme Enabling Intelligent Behavior-Aware Privacy for IoTIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2020.2999866(1-1)Online publication date: 2020
https://doi.org/10.1109/TDSC.2020.2999866
Qiu JTian ZDu CZuo QSu SFang B(2020)A Survey on Access Control in the Age of Internet of ThingsIEEE Internet of Things Journal10.1109/JIOT.2020.29693267:6(4682-4696)Online publication date: Jun-2020
https://doi.org/10.1109/JIOT.2020.2969326
Anilkumar CSubramanian S(2020)A novel predicate based access control scheme for cloud environment using open stack swift storagePeer-to-Peer Networking and Applications10.1007/s12083-020-00961-yOnline publication date: 26-Jul-2020
https://doi.org/10.1007/s12083-020-00961-y
Cheung KHuth MKirk LLundbæk LMarques RPetsche JKerschbaum FMashatan ANiu JLee A(2019)Owner-Centric Sharing of Physical Resources, Data, and Data-Driven Insights in Digital EcosystemsProceedings of the 24th ACM Symposium on Access Control Models and Technologies10.1145/3322431.3326326(73-81)Online publication date: 28-May-2019
https://dl.acm.org/doi/10.1145/3322431.3326326
Margheri AMasi MPugliese RTiezzi F(2019)A Rigorous Framework for Specification, Analysis and Enforcement of Access Control PoliciesIEEE Transactions on Software Engineering10.1109/TSE.2017.276564045:1(2-33)Online publication date: 1-Jan-2019
https://dl.acm.org/doi/10.1109/TSE.2017.2765640
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents