A propositional policy algebra for access control

Security-sensitive environments protect their information resources against unauthorized use by enforcing access control mechanisms driven by access control policies. Because such protected information resources need to be compared, contrasted, and composed, the access control policies regulating their manipulation must also be compared, contrasted, and composed. An algebra for manipulating such access control policies at a higher (propositional) level, where the operations of the algebra are abstracted from their specification details, is the subject of this paper. This algebra is applicable to policies that have controlled nondeterminism and all-or-nothing assignments of access privileges in their specification. These requirements reflect current practices in discretionary and role-based access control models. Therefore, the proposed algebra can be used to reason about role-based access control policies combined with other forms of discretionary policies. We show how to use algebraic identities to reason about consistency, completeness, and determinacy of composed policies using similar properties of their constituents.
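
As an added illustration (not the paper's algebra, whose operators and definitions do not appear on this page), the following Python model makes the abstract's last claim concrete: policies with controlled nondeterminism and all-or-nothing privilege grants are combined by three assumed operators (choice, conjunction, override), and candidate identities of the form "property of the constituents implies property of the composition" are checked exhaustively over a small finite request space. The request space, outcome universe, operator names and property definitions are all constructed assumptions.

```python
from itertools import combinations, product

# Constructed finite model, not the paper's own algebra. A request is a (subject,
# object) pair; an outcome is the frozenset of privileges granted for it, in full
# or not at all (the empty frozenset is a denial). A policy maps every request to
# the SET of outcomes it may produce: empty = silent, size > 1 = nondeterministic.
REQUESTS = [("alice", "ledger"), ("bob", "ledger")]
DENY, R, RW = frozenset(), frozenset({"read"}), frozenset({"read", "write"})
OUTCOMES = [DENY, R, RW]

def complete(p):       # every request receives at least one outcome
    return all(p[r] for r in REQUESTS)
def deterministic(p):  # no request receives more than one outcome
    return all(len(p[r]) <= 1 for r in REQUESTS)
def consistent(p):     # no request can be both denied and granted privileges
    return all(not (DENY in p[r] and len(p[r]) > 1) for r in REQUESTS)

# Composition operators (names assumed here): nondeterministic choice,
# conjunction, and precedence of the first constituent over the second.
def choice(p, q):
    return {r: p[r] | q[r] for r in REQUESTS}
def both(p, q):
    return {r: p[r] & q[r] for r in REQUESTS}
def override(p, q):
    return {r: p[r] or q[r] for r in REQUESTS}

def all_policies():
    """Every policy over REQUESTS with outcomes drawn from OUTCOMES (8**2 = 64)."""
    subsets = [set(c) for n in range(len(OUTCOMES) + 1) for c in combinations(OUTCOMES, n)]
    return [dict(zip(REQUESTS, o)) for o in product(subsets, repeat=len(REQUESTS))]

def law_holds(law):
    """True iff law(p, q) holds for every pair of policies in the finite model."""
    return all(law(p, q) for p in all_policies() for q in all_policies())

# Candidate identities, written as implications "premise -> conclusion": a property
# of the composition should follow from properties of the constituents alone.
CANDIDATES = {
    "override keeps determinism": lambda p, q: not (deterministic(p) and deterministic(q)) or deterministic(override(p, q)),
    "override complete if q is":  lambda p, q: not complete(q) or complete(override(p, q)),
    "conjunction keeps p's consistency": lambda p, q: not consistent(p) or consistent(both(p, q)),
    "choice complete if p is":    lambda p, q: not complete(p) or complete(choice(p, q)),
    # Fails: choice may pair a grant from one constituent with a denial from the other.
    "choice keeps consistency":   lambda p, q: not (consistent(p) and consistent(q)) or consistent(choice(p, q)),
}

def verified():
    """Exhaustively check every candidate; returns {name: holds_in_model}."""
    return {name: law_holds(law) for name, law in CANDIDATES.items()}
```

Calling `verified()` reports which candidates are genuine identities of this model (the first four) and which are not (choice does not preserve consistency), so a composed policy's consistency must be re-established rather than inherited under that operator.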
