A framework for the modular specification and orchestration of authorization policies

Authors:
Jason Crampton;Michael Huth
Affiliations:
Information Security Group, Royal Holloway, University of London, United Kingdom;Department of Computing, Imperial College London, United Kingdom
Venue:
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Year:
2010

Citing 16
Cited 0

The value of the four values

Artificial Intelligence
Inside Java 2 platform security architecture, API design, and implementation

Inside Java 2 platform security architecture, API design, and implementation
Protection in operating systems

Communications of the ACM
An algebra for composing access control policies

ACM Transactions on Information and System Security (TISSEC)
A fine-grained access control system for XML documents

ACM Transactions on Information and System Security (TISSEC)
Securing XML Documents with Author-X

IEEE Internet Computing
Applying "Design by Contract"

Computer
A propositional policy algebra for access control

ACM Transactions on Information and System Security (TISSEC)
Binder, a Logic-Based Security Language

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Ternary Decision Diagrams: Survey

ISMVL '97 Proceedings of the 27th International Symposium on Multiple-Valued Logic
Cassandra: Distributed Access Control Policies with Tunable Expressiveness

POLICY '04 Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks
Timed constraint programming: a declarative approach to usage control

PPDP '05 Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming
A simple and expressive semantic framework for policy composition in access control

Proceedings of the 2007 ACM workshop on Formal methods in security engineering
Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis

CSF '08 Proceedings of the 2008 21st IEEE Computer Security Foundations Symposium
D-algebra for composing access control policy decisions

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Specifying and reasoning about dynamic access-control policies

IJCAR'06 Proceedings of the Third international joint conference on Automated Reasoning

Quantified Score

Hi-index	0.00

Visualization

Abstract

Many frameworks for defining authorization policies fail to make a clear distinction between policy and state. We believe this distinction to be a fundamental requirement for the construction of scalable, distributed authorization services. In this paper, we introduce a formal framework for the definition of authorization policies, which we use to construct the policy authoring language APOL. This framework makes the required distinction between policy and state, and APOL permits the specification of complex policy orchestration patterns even in the presence of policy gaps and conflicts. A novel aspect of the language is the use of a switch operator for policy orchestration, which can encode the commonly used rule- and policy-combining algorithms of existing authorization languages. We define denotational and operational semantics for APOL and then extend our framework with statically typed methods for policy orchestration, develop tools for policy analysis, and show how that analysis can improve the precision of static typing rules.