Relationship-based access control: its expression and enforcement through hybrid logic

Access control policy is typically defined in terms of attributes, but in many applications it is more natural to define permissions in terms of relationships that resources, systems, and contexts may enjoy. The paradigm of relationship-based access control has been proposed to address this issue, and modal logic has been used as a technical foundation. We argue here that hybrid logic -- a natural and well-established extension of modal logic -- addresses limitations in the ability of modal logic to express certain relationships. We identify a fragment of hybrid logic to be used for expressing relationship-based access-control policies, show that this fragment supports important policy idioms, and demonstrate that it removes an exponential penalty in existing attempts of specifying complex relationships such as "at least three friends". We also capture the previously studied notion of relational policies in a static type system.

[1]  Martín Abadi,et al.  A calculus for access control in distributed systems , 1991, TOPL.

[2]  Philip W. L. Fong Relationship-based access control: protection model and policy language , 2011, CODASPY '11.

[3]  Philip W. L. Fong,et al.  Relationship-based access control policies and their policy languages , 2011, SACMAT '11.

[4]  Philip W. L. Fong,et al.  An Access Control Model for Facebook-Style Social Network Systems , 2010 .

[5]  Henry DeYoung A Logic for Reasoning About Time-Dependent Access Control Policies , 2008 .

[6]  Carlos Areces,et al.  Logic Engineering. The Case of Description and Hybrid Logics , 2000 .

[7]  Thomas P. Minka,et al.  Gates , 2008, NIPS.

[8]  Philip W. L. Fong Preventing Sybil Attacks by Privilege Attenuation: A Design Principle for Social Network Systems , 2011, 2011 IEEE Symposium on Security and Privacy.

[9]  Philip W. L. Fong,et al.  A Privacy Preservation Model for Facebook-Style Social Network Systems , 2009, ESORICS.

[10]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[11]  Balder ten Cate,et al.  Hybrid logics , 2007, Handbook of Modal Logic.

[12]  Michael Huth,et al.  Access control via belnap logic: Intuitive, expressive, and analyzable policy composition , 2011, TSEC.

[13]  Martín Abadi,et al.  A Modal Deconstruction of Access Control Logics , 2008, FoSSaCS.

[14]  M. de Rijke,et al.  Model checking hybrid logics (with an application to semistructured data) , 2006, J. Appl. Log..