Abstract
Despite their widespread adoption, Role-based Access Control (RBAC) models exhibit certain shortcomings that make them less than ideal for deployment in, for example, distributed access control. In the distributed case, standard RBAC assumptions (e.g., of relatively static access policies, managed by human users, with complete information available about users and job functions) do not necessarily apply. Moreover, RBAC is restricted in the sense that it is based on one type of ascribed status, an assignment of a user to a role. In this article, we introduce the status-based access control (SBAC) model for distributed access control. The SBAC model (or family of models) is based on the notion of users having an action status as well as an ascribed status. A user's action status is established, in part, from a history of events that relate to the user; this history enables changing access policy requirements to be naturally accommodated. The approach can be implemented as an autonomous agent that reasons about the events, actions, and a history (of events and actions), which relates to a requester for access to resources, in order to decide whether the requester is permitted the access sought. We define a number of algebras for composing SBAC policies, algebras that exploit the language that we introduce for SBAC policy representation: identification-based logic programs. The SBAC model is richer than RBAC models and the policies that can be represented in our approach are more expressive than the policies admitted by a number of monotonic languages that have been hitherto described for representing distributed access control requirements. Our algebras generalize existing algebras that have been defined for access policy composition. We also describe an approach for the efficient implementation of SBAC policies.