A security policy of an information system is a set of security requirements that correspond to permissions, prohibitions and obligations to execute some actions when some contextual conditions are satisfied. Traditional approaches consider that the information system enforces its associated security policy if and only if the actions executed in this system are permitted by the policy (if the policy is closed) or not prohibited (if the policy is open), and every obligatory action is actually executed in the system (no violation of obligations). In this paper, we investigate a more sophisticated approach in which an information system specification is compliant with its security policy even though some security requirements may be violated. Our proposal is to consider that this is acceptable when the security policy specifies additional requirements that apply in case of violation of other security requirements. In this case, we formally define conditions to be satisfied by an information system to comply with its security policy. We then present a proof-based approach to check whether these conditions are enforced.