A logical framework for history-based access control and reputation systems

Reputation systems are meta systems that record, aggregate and distribute information about principals' behaviour in distributed applications. Similarly, history-based access control systems make decisions based on programs' past security-sensitive actions. While the applications are distinct, the two types of systems are fundamentally making decisions based on information about the past behaviour of an entity. A logical policy-centric framework for such behaviour-based decision-making is presented. In the framework, principals specify policies which state precise requirements on the past behaviour of other principals that must be fulfilled in order for interaction to take place. The framework consists of a formal model of behaviour, based on event structures; a declarative logical language for specifying properties of past behaviour; and efficient dynamic algorithms for checking whether a particular behaviour satisfies a property from the language. It is shown how the framework can be extended in several ways, most notably to encompass parameterized events and quantification over parameters. In an extended application, it is illustrated how the framework can be applied for dynamic history-based access control for safe execution of unknown and untrusted programs.
