Logic-based policy engineering in distributed authorization

This dissertation work started with the desire to solve the distributed authorization problems of open and large computer networks. During the initial investigation, we learned that authorization localization can be achieved by using certificate technologies. However, research on these technologies has focused mostly on delegation algorithms. More fundamental issues, such as authorization policy generation, need to be explored, and systematic approaches need to be incorporated into the current technologies in order to establish a complete prevention mechanism. During our further research, we noticed that logic programming is a useful tool for implementing authorization policies. The logic system can play a dual role: knowledge representation as well as high-level specification of a secure authorization system. Although logic programming and knowledge representation have been developed for more than twenty years, their logics and languages still cannot fully support our authorization representation and reasoning. Therefore we developed an authorization logic model, based on the division of the authorization domain, to explain the behavior of authorization policies. In addition, by extending the general software engineering approach, including formal specification, verification, testing, and measurement, we established a policy engineering approach suitable for generating authorization policies with a logic programming system. Finally, we built CBASS as a test bed to experiment with policy separation and integration issues. Solutions for associating authorization policies and credentials with each program or file, and techniques for building interfaces in the programs to connect the separated policy systems with application or system software, were developed.
The theory and experiments that have been presented and demonstrated may be used to direct the development of distributed authorization systems, particularly their policies, which are the core of the distributed and networked computer systems of the future.