DATALOG with Constraints: A Foundation for Trust Management Languages

Trust management (TM) is a promising approach for authorization and access control in distributed systems, based on signed distributed policy statements expressed in a policy language. Although several TM languages are semantically equivalent to subsets of Datalog, Datalog is not sufficiently expressive for fine-grained control of structured resources. We define the class of linearly decomposable unary constraint domains, prove that DATALOG extended with constraints in any combination of such constraint domains is tractable, and show that permissions associated with structured resources fall into this class. We also present a concrete declarative TM language, RT1C, based on constraint DATALOG, and use constraint DATALOG to analyze another TM system, KeyNote, which turns out to be less expressive than RT1C in significant respects, yet less tractable in the worst case. Although constraint DATALOG has been studied in the context of constraint databases, TM applications involve different kinds of constraint domains and have different computational complexity requirements.
