A logic-based framework for attribute based access control

Attribute based access control (ABAC) grants accesses to services based on the attributes possessed by the requester. Thus, ABAC differs from the traditional discretionary access control model by replacing the <i>subject</i> by a set of attributes and the <i>object</i> by a set of services in the access control matrix. The former is appropriate in an identity-less system like the Internet where subjects are identified by their characteristics, such as those substantiated by certificates. These can be modeled as attribute sets. The latter is appropriate because most Internet users are not privy to method names residing on remote servers. These can be modeled as sets of service options. We present a framework that models this aspect of access control using logic programming with set constraints of a computable set theory [DPPR00]. Our framework specifies policies as stratified constraint flounder-free logic programs that admit primitive recursion. The design of the policy specification framework ensures that they are consistent and complete. Our ABAC policies can be transformed to ensure faster runtimes.

[1]  Sandro Etalle,et al.  Transformations of CLP Modules , 1996, Theor. Comput. Sci..

[2]  Alberto Pettorossi,et al.  Transformation of Logic Programs , 1994 .

[3]  Pierangela Samarati,et al.  Regulating service access and information release on the Web , 2000, CCS.

[4]  Michael J. Maher A Transformation System for Deductive Database Modules with Perfect Model Semantics , 1989, FSTTCS.

[5]  Marianne Winslett,et al.  PRUNES: an efficient and complete strategy for automated trust negotiation over the Internet , 2000, CCS.

[6]  David Chan,et al.  An Extension of Constructive Negation and its Application in Coroutining , 1989, NACLP.

[7]  François Fages,et al.  A Hierarchy of Semantics for Normal Constraint Logic Programs , 1996, ALP.

[8]  Melvin Fitting,et al.  Fixpoint Semantics for Logic Programming a Survey , 2001, Theor. Comput. Sci..

[9]  Peter J. Stuckey,et al.  Negation and Constraint Logic Programming , 1995, Inf. Comput..

[10]  Hisao Tamaki,et al.  Unfold/Fold Transformation of Logic Programs , 1984, ICLP.

[11]  Sushil Jajodia,et al.  Flexible support for multiple access control policies , 2001, TODS.

[12]  Kenneth Kunen,et al.  Set Theory: An Introduction to Independence Proofs , 2010 .

[13]  Ninghui Li,et al.  Design of a role-based trust-management framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[14]  Melvin Fitting,et al.  A Kripke-Kleene Semantics for Logic Programs , 1985, J. Log. Program..

[15]  Joxan Jaffar,et al.  Constraint logic programming , 1987, POPL '87.

[16]  Marianne Winslett,et al.  Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation , 2003, TSEC.

[17]  Agostino Dovier,et al.  Sets and constraint logic programming , 2000, TOPL.

[18]  François Fages,et al.  Constructive Negation by Pruning , 1997, J. Log. Program..

[19]  Melvin Fitting,et al.  Fixedpoint semantics for logic programming , 2002 .

[20]  Pierangela Samarati,et al.  A Uniform Framework for Regulating Service Access and Information Release on the Web , 2002, J. Comput. Secur..

[21]  John Darlington,et al.  A Transformation System for Developing Recursive Programs , 1977, J. ACM.

[22]  Dexter Kozen Set Constraints and Logic Programming , 1994, CCL.

[23]  Peter J. Stuckey,et al.  Constructive negation for constraint logic programming , 1991, [1991] Proceedings Sixth Annual IEEE Symposium on Logic in Computer Science.

[24]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[25]  M. Fitting,et al.  Stratified, weak stratified and three-valued semantics , 1990 .

[26]  Kenneth Kunen,et al.  Negation in Logic Programming , 1987, J. Log. Program..

[27]  Sushil Jajodia,et al.  Removing permissions in the flexible authorization framework , 2003, TODS.

[28]  Agostino Dovier,et al.  A Uniform Axiomatic View of Lists, Multisets, and Sets, and the Relevant Unification Algorithms , 1998, Fundam. Informaticae.

[29]  Peter J. Stuckey,et al.  Flexible access control policy specification with constraint logic programming , 2003, TSEC.

[30]  David Chan,et al.  Constructive Negation Based on the Completed Database , 1988, ICLP/SLP.

[31]  Marianne Winslett,et al.  Interoperable strategies in automated trust negotiation , 2001, CCS '01.