DOI: 10.1145/1266840.1266874

PolicyMorph: interactive policy transformations for a logical attribute-based access control framework

Published: 20 June 2007

Abstract

Constraint systems provide techniques for automatically analyzing the conformance of low-level access control policies to high-level business rules formalized as logical constraints. However, there are likely to be priorities for solutions that are not easy to encode formally, so administrator input is often important. This paper introduces PolicyMorph, a constraint system that supports interactive development and maintenance of access control policies that respect both formalized and un-formalized business rules and priorities. We provide a mathematical description of the system and an architecture for implementing it. We constructed a prototype that is validated using a case study in which constraints are imposed on a building automation system that controls door locks. PolicyMorph advances the state-of-the-art in constraint systems by suggesting predictable policy model modifications that will resolve specific constraint violations and then allowing policy administrators to select the appropriate modifications using knowledge that is not formally encoded in the constraint system.



        Published In
        SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies
        June 2007
        254 pages
        ISBN:9781595937452
        DOI:10.1145/1266840
        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Author Tags

        1. attribute based access control
        2. constraints
        3. policy administration
        4. separation of duty

        Qualifiers

        • Article

        Conference

        SACMAT07
        Acceptance Rates

        Overall Acceptance Rate 177 of 597 submissions, 30%


        Cited By

        • (2012) Managing Privacy and Effectiveness of Patient-Administered Authorization Policies. International Journal of Computational Models and Algorithms in Medicine, 3:2, pp. 43-62. DOI: 10.4018/jcmam.2012040103. Online publication date: 1-Apr-2012
        • (2012) Considering privacy and effectiveness of authorization policies for shared electronic health records. Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium, pp. 553-562. DOI: 10.1145/2110363.2110425. Online publication date: 28-Jan-2012
        • (2012) An Attributes-Based Access Control Architecture within Large-Scale Device Collaboration Systems Using XACML. Green Communications and Networks, pp. 1051-1059. DOI: 10.1007/978-94-007-2169-2_124. Online publication date: 4-Jan-2012
        • (2012) The Process of Policy Authoring of Patient-Controlled Privacy Preferences. Electronic Healthcare, pp. 97-104. DOI: 10.1007/978-3-642-29262-0_14. Online publication date: 2012
        • (2009) Strong and weak policy relations. Proceedings of the 10th IEEE international conference on Policies for distributed systems and networks, pp. 33-36. DOI: 10.5555/1812664.1812672. Online publication date: 20-Jul-2009
        • (2009) Strong and Weak Policy Relations. Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, pp. 33-36. DOI: 10.1109/POLICY.2009.20. Online publication date: 20-Jul-2009
        • (2009) Symmetrically Oblivious Envelope Protocol. Proceedings of the 2009 IEEE International Conference on e-Business Engineering, pp. 219-223. DOI: 10.1109/ICEBE.2009.37. Online publication date: 21-Oct-2009
