
Delegation logic: A logic-based approach to distributed authorization

Published: 01 February 2003

    Abstract

    We address the problem of authorization in large-scale, open, distributed systems. Authorization decisions are needed in electronic commerce, mobile-code execution, remote resource sharing, privacy protection, and many other applications. We adopt the trust-management approach, in which "authorization" is viewed as a "proof-of-compliance" problem: Does a set of credentials prove that a request complies with a policy?

    We develop a logic-based language, called Delegation Logic (DL), to represent policies, credentials, and requests in distributed authorization. In this paper, we describe D1LP, the monotonic version of DL. D1LP extends the logic-programming (LP) language Datalog with expressive delegation constructs that feature delegation depth and a wide variety of complex principals (including, but not limited to, k-out-of-n thresholds). Our approach to defining and implementing D1LP is based on tractably compiling D1LP programs into ordinary logic programs (OLPs). This compilation approach enables D1LP to be implemented modularly on top of existing technologies for OLP, for example, Prolog.

    As a trust-management language, D1LP provides a concept of proof-of-compliance that is founded on well-understood principles of logic programming and knowledge representation. D1LP also provides a logical framework for studying delegation.
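
An added illustration of the proof-of-compliance question from the abstract, with depth-limited delegation and a k-out-of-n threshold principal. It is not D1LP syntax and not the paper's compilation to OLPs; the credential tuples, the principal names and the reading of "depth" used here are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threshold:
    """Complex principal: at least k of the listed members must agree."""
    k: int
    members: tuple

# Constructed credentials in a hypothetical format: (issuer, fact).
STATEMENTS = {
    ("auditorA", "creditworthy(carol)"),
    ("auditorB", "creditworthy(carol)"),
    ("auditorA", "creditworthy(dave)"),
    ("auditorB", "creditworthy(erin)"),
    ("mallory", "creditworthy(erin)"),
}
# Constructed delegations: (issuer, predicate, depth, delegatee).
# Assumed meaning of depth 1: the delegatee's own statements count,
# but the delegatee may not delegate any further.
DELEGATIONS = [
    ("bank", "creditworthy", 2, "bureau"),
    ("bureau", "creditworthy", 1,
     Threshold(2, ("auditorA", "auditorB", "auditorC"))),
    ("auditorA", "creditworthy", 1, "mallory"),
]

def supports(principal, fact, budget=float("inf")):
    """True if `principal` supports `fact` with at most `budget` more delegation steps."""
    if isinstance(principal, Threshold):
        votes = sum(supports(m, fact, budget) for m in principal.members)
        return votes >= principal.k
    if (principal, fact) in STATEMENTS:
        return True
    pred = fact.split("(", 1)[0]
    for issuer, dpred, depth, delegatee in DELEGATIONS:
        if issuer != principal or dpred != pred:
            continue
        remaining = min(depth, budget)  # tightest limit along the chain wins
        if remaining >= 1 and supports(delegatee, fact, remaining - 1):
            return True
    return False

def complies(fact, policy_root="bank"):
    """Proof-of-compliance: do the credentials prove `fact` for the policy root?"""
    return supports(policy_root, fact)
```

Here `creditworthy(erin)` is supported by auditorA on its own authority (through mallory), but not for the bank: the bureau's depth-1 delegation leaves no budget for auditorA's re-delegation, so only one of the three auditors counts.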

    Published In

    ACM Transactions on Information and System Security  Volume 6, Issue 1
    February 2003
    171 pages
    ISSN:1094-9224
    EISSN:1557-7406
    DOI:10.1145/605434

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Access control
    2. Delegation Logic
    3. distributed system security
    4. logic programs
    5. trust management

    Qualifiers

    • Article
