Specification and Enforcement of Static Separation-of-Duty Policies in Usage Control

  • Authors:
  • Jianfeng Lu;Ruixuan Li;Zhengding Lu;Jinwei Hu;Xiaopu Ma

  • Affiliations:
  • Intelligent and Distributed Computing Lab, College of Computer Sci. and Tech., Huazhong University of Sci. and Tech., Wuhan, P.R. China 430074 (all authors)

  • Venue:
  • ISC '09 Proceedings of the 12th International Conference on Information Security
  • Year:
  • 2009

Abstract

Separation-of-Duty (SoD) policy is a fundamental security principle for the prevention of fraud and errors in computer security. Static SoD (SSoD) policy in the recently presented usage control (UCON) model has not yet been explored. Consequently, this paper attempts to address two important issues: the specification and the enforcement of SSoD in UCON. We give a set-based specification scheme, which is simpler and more general than existing approaches. As for enforcement, we study the problem of determining whether an SSoD policy is enforceable, and show that directly enforcing an SSoD policy is a coNP-complete problem. For indirect enforcement, we generate the least restrictive static mutually exclusive attribute (SMEA) constraints to enforce SSoD policies, using the attribute-level SSoD requirement as an intermediate step. The results are fundamental to understanding the effectiveness of using constraints to enforce SSoD policies in UCON.