Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis

Bruns, Glenn; Huth, Michael

doi:10.1109/csf.2008.10

Cited by 33 publications

(47 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…From a technical perspective, it is important to establish whether our language can accommodate a fourth decision value to represent conflicting decisions from sub-policies [6]. Equally important is to establish what set of binary operators would be sufficient to articulate any desired policy.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

An Authorization Framework Resilient to Policy Evaluation Failures

Crampton

Huth

2010

Computer Security – ESORICS 2010

Self Cite

View full text Add to dashboard Cite

Abstract. In distributed computer systems, it is possible that the evaluation of an authorization policy may suffer unexpected failures, perhaps because a sub-policy cannot be evaluated or a sub-policy cannot be retrieved from some remote repository. Ideally, policy evaluation should be resilient to such failures and, at the very least, fail "gracefully" if no decision can be computed. We define syntax and semantics for an XACML-like policy language. The semantics are incremental and reflect different assumptions about the manner in which failures can occur. Unlike XACML, our language uses simple binary operators to combine sub-policy decisions. This enables us to characterize those few binary operators likely to be used in practice, and hence to identify a number of strategies for optimizing policy evaluation and policy representation.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Informally, when evaluating a request q with respect to some policy p, we first determine whether p is applicable to q. The role of π in our policy language is similar to that of <Target> and <Condition> elements in XACML rules and policies [12], or of access predicates in [6]. We refer to π as the applicability predicate.…”

Section: A Simple Policy Languagementioning

confidence: 99%

An Authorization Framework Resilient to Policy Evaluation Failures

Crampton

Huth

2010

Computer Security – ESORICS 2010

Self Cite

View full text Add to dashboard Cite

show abstract

“…Although there is a substantial body of work on policy specification [1,4,5,13,17], this prior work assumes a very restricted format for access requests and targets. To the best of our knowledge, there is no previous work on a formal language for target specification and evaluation, let alone the consideration of missing attributes names.…”

Section: Related Workmentioning

confidence: 99%

“…Our main objective is to define a policy language that addresses the same problem space as XACML 3.0 [15] while retaining the formality of recent work on policy algebras [1,4,5,6,17]. XACML (eXtensible access control markup language) is a standardized language: XACML 2.0 was ratified in 2005; XACML 3.0 will add support for attribute-based access control and policy administration.…”

Section: Introductionmentioning

confidence: 99%

PTaCL: A Language for Attribute-Based Access Control in Open Systems

Crampton

Morisset

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Many languages and algebras have been proposed in recent years for the specification of authorization policies. For some proposals, such as XACML, the main motivation is to address real-world requirements, typically by providing a complex policy language with somewhat informal evaluation methods; others try to provide a greater degree of formality -particularly with respect to policy evaluation -but support far fewer features. In short, there are very few proposals that combine a rich set of language features with a well-defined semantics, and even fewer that do this for authorization policies for attribute-based access control in open environments. In this paper, we decompose the problem of policy specification into two distinct sub-languages: the policy target language (PTL) for target specification, which determines when a policy should be evaluated; and the policy composition language (PCL) for building more complex policies from existing ones. We define syntax and semantics for two such languages and demonstrate that they can be both simple and expressive. PTaCL, the language obtained by combining the features of these two sub-languages, supports the specification of a wide range of policies. However, the power of PTaCL means that it is possible to define policies that could produce unexpected results. We provide an analysis of how PTL should be restricted and how policies written in PCL should be evaluated to minimize the likelihood of undesirable results.

show abstract

“…Finally, in [9,10] the authors define a simple but powerful framework for representing and reasoning about accesscontrol policy composition. The semantics for access requests is four-valued: permit, deny, undefined, and conflict.…”

Section: Related Workmentioning

confidence: 99%

Expressive policy analysis with enhanced system dynamicity

Craven

Lobo²,

et al. 2009

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security

View full text Add to dashboard Cite

Despite several research studies, the effective analysis of policy based systems remains a significant challenge. Policy analysis should at least (i) be expressive (ii) take account of obligations and authorizations, (iii) include a dynamic system model, and (iv) give useful diagnostic information. We present a logic-based policy analysis framework which satisfies these requirements, showing how many significant policy-related properties can be analysed, and we give details of a prototype implementation.

show abstract

Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis

Cited by 33 publications

References 19 publications

An Authorization Framework Resilient to Policy Evaluation Failures

An Authorization Framework Resilient to Policy Evaluation Failures

PTaCL: A Language for Attribute-Based Access Control in Open Systems

Expressive policy analysis with enhanced system dynamicity

Contact Info

Product

Resources

About