Analysis of Rewrite-Based Access Control Policies

Kirchner, Claude; Kirchner, Hélène; Oliveira, Anderson Santana de

doi:10.1016/j.entcs.2009.02.072

Cited by 18 publications

(27 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our approach combines the use of a visual graph formalism to represent a concrete state of the system, and the use of rewrite rules to model the dynamics of the system. In [37], it is shown how narrowing can be used to solve administrator queries of the form "what if a request is made under these conditions? ", by representing a query as a pair of a term and a firstorder equational constraint.…”

Section: Related Workmentioning

confidence: 99%

“…Another related approach uses term rewrite rules to model particular access control models, relying on the power of term rewriting systems to express general dynamic access control policies [10,49,37,20,19]. Properties of policies are then checked using techniques to check confluence and termination of sets of rewrite rules.…”

Section: Related Workmentioning

confidence: 99%

“…Formal specifications of access control models and policies (see, for instance, [22,50]) have used theorem provers, purpose-built logics, and, more recently, functional and rewriting-based approaches (see, for example, [49,20]). Using standard rewriting tools, rewrite-based policies can be verified to ensure, for example, that each access request has a unique answer [19,37,21]. A rewrite-based operational semantics for CBAC policies is described in [17], where their expressive power is also demonstrated.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A graph-based framework for the analysis of access control policies

Alves¹,

Fernández²

2017

Theoretical Computer Science

View full text Add to dashboard Cite

We design a graph-based framework for the analysis of access control policies that aims at easing the specification and verification tasks for security administrators. We consider policies in the category-based access control model, which has been shown to subsume many of the most well known access control models (e.g., MAC, DAC, RBAC). Using a graphical representation of category-based policies, we show how answers to usual administrator queries can be automatically computed, and properties of access control policies checked. We show applications in the context of emergency situations, where our framework can be used to analyse the interaction between access control and emergency management.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A graph-based framework for the analysis of access control policies

Alves¹,

Fernández²

2017

Theoretical Computer Science

View full text Add to dashboard Cite

show abstract

“…In comparison, we allow a different class of constraints that we keep decidable by restricting to safe theories, and we use constraints in a rewriting context. Note that it is also possible to apply constraint narrowing to get analysis power as in [20].…”

Section: Related Workmentioning

confidence: 99%

Formal Specification and Validation of Security Policies

Bourdier

Cirstea

Jaume

et al. 2012

Foundations and Practice of Security

Self Cite

View full text Add to dashboard Cite

Abstract. We propose a formal framework for the specification and validation of security policies. To model a secured system, the evolution of security information in the system is described by transitions triggered by authorization requests and the policy is given by a set of rules describing the way the corresponding decisions are taken. Policy rules are constrained rewrite rules whose constraints are first-order formulas on finite domains, which provides enhanced expressive power compared to classical security policy specification approaches like the ones using Datalog, for example. Our specifications have an operational semantics based on transition and rewriting systems and are thus executable. This framework also provides a common formalism to define, compare and compose security systems and policies. We define transformations over secured systems in order to perform validation of classical security properties.

show abstract

“…• Verification of security policies [Kirchner et al, 2008] and cryptographic protocols . Narrowing is used to perform automated reasoning over suitable definitions, by means of rewriting rules, of 2 1.…”

Section: Resummentioning

confidence: 99%

Termination of Narrowing: Automated Proofs and Modularity Properties

López¹

View full text Add to dashboard Cite

In 1936, Alan Turing proved that the halting problem, that is, deciding whether a program terminates, is an undecidable problem for most practical programming languages. Even so, termination is so relevant that a vast number of techniques for proving the termination of programs have been researched in the recent decades. Term rewriting systems provide an abstract theoretical framework ideally suited for the study of termination. In term rewriting systems, evaluation of a term corresponds to the left-to-right, non-deterministic application of rewriting rules.Narrowing is a generalization of term rewriting that provides a mechanism for automated reasoning. For instance, given a set of rules defining addition and multiplication with natural numbers, rewriting allows to perform evaluation of arithmetic expressions, whereas narrowing allows to solve equations with variables over arithmetic expressions. This thesis constitutes an in-depth study of the termination properties of narrowing. The contributions are as follows.First, we identify classes of systems where narrowing behaves well, in the sense that it always terminates for any system belonging to these classes. Many methods of analysis, such as the semantics-based analysis of program properties by means of narrowing, benefit from this characterization.Second, we develop an automatic method to prove termination of narrowing for a given system, based on the abstract framework of dependency pairs. For the first time, such an automatic method is not restricted to specific classes of TRSs and hence is universally applicable.Third, we propose another automatic method to prove termination of narrowing from a given term, also on top of the framework of dependency pairs. Termination from a given term is relevant for many applications, including the termination analysis of programming languages. Our method generalizes the current state-of-the-art, enabling the study of termination of logic programs in terms of the termination of narrowing, something which was not possible previously.Fourth and last, the modularity properties of the termination of narrowing are considered in detail. That is, given two systems A and B where narrowing is terminating, determine whether it is still terminating in the union system. This notion of modularity has implications in many of the applications of narrowing. We develop the case of combining systems for equational unification.Furthermore, the automated approaches of the second and third contributions above have been implemented in Narradar, our tool for automatic proofs of termination of narrowing. ResumenEn 1936 Alan Turing demostró que el halting problem, esto es, el problema de decidir si un programa termina o no, es un problema indecidible para la inmensa mayoría de los lenguajes de programación. A pesar de ello, la terminación es un problema tan relevante que en lasúltimas décadas un gran número de técnicas han sido desarrolladas para demostrar la terminación de forma automática de la máxima cantidad posible de programas. Los...

show abstract

Analysis of Rewrite-Based Access Control Policies

Cited by 18 publications

References 17 publications

A graph-based framework for the analysis of access control policies

A graph-based framework for the analysis of access control policies

Formal Specification and Validation of Security Policies

Termination of Narrowing: Automated Proofs and Modularity Properties

Contact Info

Product

Resources

About