论文信息 - Towards reasonability properties for access-control policy languages

Towards reasonability properties for access-control policy languages

The growing importance of access control has led to the definition of numerous languages for specifying policies. Since these languages are based on different foundations, language users and designers would benefit from formal means to compare them. We present a set of properties that examine the behavior of policies under enlarged requests, policy growth, and policy decomposition. They therefore suggest whether policies written in these languages are easier or harder to reason about under various circumstances. We then evaluate multiple policy languages, including XACML and Lithium, using these properties.

Michael Carl Tschantz | Shriram Krishnamurthi | S. Krishnamurthi

[1] John C. Mitchell. On Abstraction and the Expressive Power of Programming Languages , 1991, Sci. Comput. Program..

[2] Kathi Fisler,et al. Verification and change-impact analysis of access-control policies , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[3] Elisa Bertino,et al. Authorizations in relational database management systems , 1993, CCS '93.

[4] Matthias Felleisen,et al. On the Expressive Power of Programming Languages , 1990, European Symposium on Programming.

[5] L. Meyerovich,et al. The Soundness and Completeness of Margrave with Respect to a Subset of XACML , 2005 .

[6] Ravi S. Sandhu,et al. Role-Based Access Control Models , 1996, Computer.

[7] Mark Evered,et al. A Case Study in Access Control Requirements for a Health Information System , 2004, ACSW.

[8] Joseph Y. Halpern,et al. Using First-Order Logic to Reason about Policies , 2008, TSEC.

[9] Sushil Jajodia,et al. Policies, Models, and Languages for Access Control , 2005, DNIS.

[10] James A. Malcolm,et al. Brevity and clarity in command languages , 1981, SIGP.

[11] Peter Sewell,et al. Cassandra: flexible trust management, applied to electronic health records , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[12] Elisa Bertino,et al. A unified framework for enforcing multiple access control policies , 1997, SIGMOD '97.