Ensuring authorization privileges for cascading user obligations

Authors:
Omar Chowdhury;Murillo Pontual;William H. Winsborough;Ting Yu;Keith Irwin;Jianwei Niu
Affiliations:
The University of Texas at San Antonio, San Antonio, TX, USA;The University of Texas at San Antonio, San Antonio, TX, USA;The University of Texas at San Antonio, San Antonio, TX, USA;North Carolina State University, Raleigh, NC, USA;Winston-Salem State University, Winston-Salem, NC, USA;The University of Texas at San Antonio, San Antonio, TX, USA
Venue:
Proceedings of the 17th ACM symposium on Access Control Models and Technologies
Year:
2012

Citing 22
Cited 2

On the relationship between permission and obligation

ICAIL '87 Proceedings of the 1st international conference on Artificial intelligence and law
The ARBAC97 model for role-based administration of roles

ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
Ensuring integrity by adding obligations to privileges

ICSE '85 Proceedings of the 8th international conference on Software engineering
Proposed NIST standard for role-based access control

ACM Transactions on Information and System Security (TISSEC)
The Ponder Policy Specification Language

POLICY '01 Proceedings of the International Workshop on Policies for Distributed Systems and Networks
KAoS Policy and Domain Services: Toward a Description-Logic Approach to Policy Representation, Deconfliction, and Enforcement

POLICY '03 Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks
Provisions and Obligations in Policy Rule Management

Journal of Network and Systems Management
Obligation Policies: An Enforcement Platform

POLICY '05 Proceedings of the Sixth IEEE International Workshop on Policies for Distributed Systems and Networks
Privacy and Contextual Integrity: Framework and Applications

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies

CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
Policy Analysis for Administrative Role Based Access Control

CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
On the modeling and analysis of obligations

Proceedings of the 13th ACM conference on Computer and communications security
Privacy-aware role based access control

Proceedings of the 12th ACM symposium on Access control models and technologies
Efficient policy analysis for administrative role based access control

Proceedings of the 14th ACM conference on Computer and communications security
An obligation model bridging access control policies and privacy policies

Proceedings of the 13th ACM symposium on Access control models and technologies
Permissions and obligations

IJCAI'83 Proceedings of the Eighth international joint conference on Artificial intelligence - Volume 1
Toward practical authorization-dependent user obligation systems

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
On the management of user obligations

Proceedings of the 16th ACM symposium on Access control models and technologies
Formal enforcement and management of obligation policies

Data & Knowledge Engineering
On practical specification and enforcement of obligations

Proceedings of the second ACM conference on Data and Application Security and Privacy
Obligation language and framework to enable privacy-aware SOA

DPM'09/SETOP'09 Proceedings of the 4th international workshop, and Second international conference on Data Privacy Management and Autonomous Spontaneous Security
Obligations and their interaction with programs

ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security

Beyond accountability: using obligations to reduce risk exposure and deter insider attacks

Proceedings of the 18th ACM symposium on Access control models and technologies
Privacy promises that can be kept: a policy analysis method with application to the HIPAA privacy rule

Proceedings of the 18th ACM symposium on Access control models and technologies

Quantified Score

Hi-index	0.00

Visualization

Abstract

User obligations are actions that the human users are required to perform in some future time. These are common in many practical access control and privacy and can depend on and affect the authorization state. Consequently, a user can incur an obligation that she is not authorized to perform which may hamper the usability of a system. To mitigate this problem, previous work introduced a property of the authorization state, accountability, which requires that all the obligatory actions to be authorized when they are attempted. Although, existing work provides a specific and tractable decision procedure for a variation of the accountability property, it makes a simplified assumption that no cascading obligations may happen, i.e., obligatory actions cannot further incur obligations. This is a strong assumption which reduces the expressive power of past models, and thus cannot support many obligation scenarios in practical security and privacy policies. In this work, we precisely specify the strong accountability property in the presence of cascading obligations and prove that deciding it is NP-hard. We provide for several special yet practical cases of cascading obligations (i.e., repetitive, finite cascading, etc.) a tractable decision procedure for accountability. Our experimental results illustrate that supporting such special cases is feasible in practice.