Timed constraint programming: a declarative approach to usage control

This paper focuses on policy languages for (role-based) access control [14, 32], especially in their modern incarnations in the form of trust-management systems [9] and usage control [30, 31]. Any (declarative) approach to access control and trust management has to address the following issues: (1) explicit denial, inheritance, and overriding, and (2) history-sensitive access control. Our main contribution is a policy algebra, in the timed concurrent constraint programming paradigm, that uses a form of default constraint programming to address the first issue, and reactive computing to address the second. The policy algebra is declarative --- programs can be viewed as imposing temporal constraints on the evolution of the system --- and supports equational reasoning. The validity of equations is established by coinductive proofs based on an operational semantics. The design of the policy algebra supports reasoning about policies by a systematic combination of constraint reasoning and model checking techniques based on linear-time temporal logic. Our framework permits us to perform security analysis with dynamic, state-dependent restrictions.

[1] Ke Wang et al., An access control language for web services, 2002, SACMAT '02.

[2] Jaehong Park et al., A logical specification for usage control, 2004, SACMAT '04.

[3] Prakash Panangaden et al., The semantic foundations of concurrent constraint programming, 1991, POPL '91.

[4] James P. Titus et al., Security and Privacy, 1967, 2022 IEEE Future Networks World Forum (FNWF).

[5] Jaehong Park et al., The UCONABC usage control model, 2004, TSEC.

[6] Nicolas Halbwachs et al., Synchronous Programming of Reactive Systems, 1992, CAV.

[7] Michael Leuschel et al., Efficient and flexible access control via logic program specialisation, 2004, PEPM '04.

[8] Joseph Y. Halpern et al., A formal foundation for XrML, 2004, Proceedings, 17th IEEE Computer Security Foundations Workshop, 2004.

[9] Frank D. Valencia et al., Temporal Concurrent Constraint Programming: Denotation, Logic and Applications, 2002, Nord. J. Comput.

[10] Sushil Jajodia et al., A logic-based framework for attribute based access control, 2004, FMSE '04.

[11] Michael M. Swift et al., Improving the granularity of access control for Windows 2000, 2002, TSEC.

[12] Pascal Van Hentenryck et al., Constraint processing in cc(fd), 1992.

[13] Krzysztof R. Apt et al., Logics and Models of Concurrent Systems, 1989, NATO ASI Series.

[14] Hussein Zedan et al., A compositional framework for access control policies enforcement, 2003, FMSE '03.

[15] Jaehong Park et al., Usage control: a unified framework for next generation access control, 2003.

[16] Michael J. Maher et al., Constraint Logic Programming: A Survey, 1994, J. Log. Program.

[17] Joan Feigenbaum et al., Delegation logic: A logic-based approach to distributed authorization, 2003, TSEC.

[18] Michael J. Nash et al., The Chinese Wall security policy, 1989, Proceedings, 1989 IEEE Symposium on Security and Privacy.

[19] Elisa Bertino et al., TRBAC, 2001, ACM Trans. Inf. Syst. Secur.

[20] Sushil Jajodia et al., Policy algebras for access control: the predicate case, 2002, CCS '02.

[21] Amir Pnueli et al., On the Development of Reactive Systems, 1989, Logics and Models of Concurrent Systems.

[22] V. N. Venkatakrishnan et al., Empowering mobile code using expressive security policies, 2002, NSPW '02.

[23] Ravi S. Sandhu et al., Role-Based Access Control Models, 1996, Computer.

[24] Stephen Smalley et al., The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, 2000.

[25] Ninghui Li et al., Design of a role-based trust-management framework, 2002, Proceedings, 2002 IEEE Symposium on Security and Privacy.

[26] Sabrina De Capitani di Vimercati et al., An algebra for composing access control policies, 2002, TSEC.

[27] Joan Feigenbaum et al., Decentralized trust management, 1996, Proceedings, 1996 IEEE Symposium on Security and Privacy.

[28] Peter Loscocco et al., Meeting Critical Security Objectives with Security-Enhanced Linux, 2001.

[29] Sushil Jajodia et al., Flexible support for multiple access control policies, 2001, TODS.

[30] Radha Jagadeesan et al., jcc: Integrating Timed Default Concurrent Constraint Programming into Java, 2003, EPIA.

[31] Ninghui Li et al., DATALOG with Constraints: A Foundation for Trust Management Languages, 2003, PADL.

[32] Radha Jagadeesan et al., Timed Default Concurrent Constraint Programming, 1996, J. Symb. Comput.

[33] Michael Backes et al., An Algebra for Composing Enterprise Privacy Policies, 2004, ESORICS.

[34] Sushil Jajodia et al., A propositional policy algebra for access control, 2003, TSEC.

[35] Vijay A. Saraswat, The category of constraint systems is Cartesian-closed, 1992, Proceedings of the Seventh Annual IEEE Symposium on Logic in Computer Science.

[36] Martín Abadi et al., Access Control Based on Execution History, 2003, NDSS.

[37] Ramaswamy Chandramouli et al., The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms, 2001, ACM Trans. Inf. Syst. Secur.

[38] Daniel F. Sterne et al., Practical Domain and Type Enforcement for UNIX, 1995, Proceedings, 1995 IEEE Symposium on Security and Privacy.

[39] Rajeev Alur et al., A model-based approach to integrating security policies for embedded devices, 2004, EMSOFT '04.

[40] Ajay Chander et al., Reconstructing Trust Management, 2004, J. Comput. Secur.

[41] Ninghui Li et al., Beyond proof-of-compliance: safety and availability analysis in trust management, 2003, Proceedings, 2003 IEEE Symposium on Security and Privacy.

[42] Peter J. Stuckey et al., Flexible access control policy specification with constraint logic programming, 2003, TSEC.

[43] John C. Mitchell et al., Conflict and combination in privacy policy languages, 2004, WPES '04.