DOI: 10.1145/1533057.1533091

Expressive policy analysis with enhanced system dynamicity

Published: 10 March 2009

Abstract

Despite several research studies, the effective analysis of policy-based systems remains a significant challenge. Policy analysis should at least (i) be expressive, (ii) take account of obligations and authorizations, (iii) include a dynamic system model, and (iv) give useful diagnostic information. We present a logic-based policy analysis framework that satisfies these requirements, showing how many significant policy-related properties can be analysed, and we give details of a prototype implementation.

Published In

ASIACCS '09: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
March 2009
408 pages
ISBN: 9781605583945
DOI: 10.1145/1533057

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. authorization
  2. formal analysis
  3. policies
  4. security

Qualifiers

  • Research-article

Funding Sources

  • U.K. Ministry of Defence

Conference

Asia CCS 09

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
