A Nonmonotonic Delegation Logic with Prioritized Conflict Handling

We extend previous work on Delegation Logic (DL) [11, 12], a tractable and practically implementable logic-based language for authorization in large-scale, open, distributed systems. We expressively generalize the previous version of DL (called D1LP) to have nonmonotonic expressive features, including negation-as-failure, classical negation, and prioritized conflict handling. The resulting formalism is called D2LP. We discuss the motivations and usefulness of prioritized conflict handling and some subtleties and challenges in extending DL to have it. Partly because of these subtleties, in this paper we restrict D2LP by prohibiting queries about delegation statements. Our technical approach to defining D2LP is based on tractably compiling a D2LP into a Generalized Courteous LP (GCLP) [7, 8], which is in turn tractably compiled into an Ordinary LP (OLP). We show that D2LP is thus tractable and practically implementable on top of existing technologies for OLP, e.g., Prolog, SQL databases, and other rule-based systems.

[1]  Elisa Bertino,et al.  A logical framework for reasoning on data access control policies , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[2]  Simon S. Lam,et al.  Authorizations in Distributed Systems: A New Approach , 1993, J. Comput. Secur..

[3]  Emil C. Lupu,et al.  Conflicts in Policy-Based Distributed Systems Management , 1999, IEEE Trans. Software Eng..

[4]  Tatyana Ryutov,et al.  Representation and evaluation of security policies for distributed system services , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[5]  Benjamin N. Grosof DIPLOMAT: Compiling Prioritized Default Rules into Ordinary Logic Programs, for E-Commerce Applications , 1999, AAAI/IAAI.

[6]  Sushil Jajodia,et al.  A logical language for expressing authorizations , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[7]  Simon S. Lam,et al.  Designing a distributed authorization service , 1998, Proceedings. IEEE INFOCOM '98, the Conference on Computer Communications. Seventeenth Annual Joint Conference of the IEEE Computer and Communications Societies. Gateway to the 21st Century (Cat. No.98.

[8]  Victor W. Marek,et al.  Nonmonotonic logic - context-dependent reasoning , 1997, Artificial intelligence.

[9]  Lee Naish,et al.  Types and the Intended Meaning of Logic Programs , 1992, Types in Logic Programming.

[10]  Frank Pfenning,et al.  Types in Logic Programming , 1992, ICLP.

[11]  Joan Feigenbaum,et al.  A logic-based knowledge representation for authorization with delegation , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[12]  BertinoElisa,et al.  A flexible authorization mechanism for relational data management systems , 1999 .

[13]  Benjamin N. Grosof Prioritized Conflict Handling for Logic Programs , 1997, ILPS.

[14]  J. Lloyd Foundations of Logic Programming , 1984, Symbolic Computation.

[15]  Elisa Bertino,et al.  A flexible authorization mechanism for relational data management systems , 1999, TOIS.

[16]  Benjamin N. Grosof Compiling Prioritized Default Rules into Ordinary Logic Programs , 1999 .

[17]  Joan Feigenbaum,et al.  The Role of Trust Management in Distributed Systems Security , 2001, Secure Internet Programming.

[18]  Elisa Bertino,et al.  A unified framework for enforcing multiple access control policies , 1997, SIGMOD '97.

[19]  Joan Feigenbaum,et al.  A practically implementable and tractable delegation logic , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.