In policy composition frameworks, such as XACML, composite policies can be formed by the application of policy composition algorithms (PCAs), which combine authorization decisions of component policies. Understanding the behaviour of composite policies is a non-trivial endeavour, but instrumental in the engineering of correct access control policies. Existing policy analyses take a black-box approach, in which the global behaviour of the composite policy is assessed. A black-box approach is useful for detecting the presence of erroneous behaviour, but not particularly useful for locating the source of the error. In this work, we propose a white-box policy analysis, known as Decision in Context (DIC), that assesses the behaviour of component policies situated in a composite policy. We show that the DIC query can be applied to facilitate policy change impact analysis, break-glass reduction analysis, dead policy identification, as well as the pruning of redundant subpolicies. For generality, the DIC query is defined in an XACML-style policy composition framework that is agnostic of the underlying access control model. The DIC query is implemented via a reduction to either propositional satisfiability (SAT) or pseudo-Boolean satisfiability (PBS) instances, after which standard solvers can be invoked to complete the evaluation. Empirical analyses have been conducted to compare the relative efficiency of the SAT and PBS encodings. The latter is found to be a more effective encoding, especially for composite policies containing majority-voting PCAs.
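
To illustrate the white-box question of whether a component policy matters inside a composite, here is an added example (not the paper's DIC query or its SAT/PBS encoding) that enumerates every request over a small constructed policy tree. It assumes a simplified notion of "dead": forcing the component to NotApplicable never changes the composite decision. The policy names and attributes are constructed, and the exponential enumeration is exactly the cost a solver-based reduction avoids.

```python
from itertools import product

P, D, NA = "Permit", "Deny", "NotApplicable"

# XACML-style policy composition algorithms (PCAs) over child decisions.
def deny_overrides(ds):
    return D if D in ds else P if P in ds else NA

def first_applicable(ds):
    return next((d for d in ds if d != NA), NA)

def majority(ds):  # majority-voting PCA; a tie yields NotApplicable here
    p, d = ds.count(P), ds.count(D)
    return P if p > d else D if d > p else NA

def leaf(name, effect, cond):
    return ("leaf", name, lambda req: effect if cond(req) else NA)

def evaluate(node, req, muted=None):
    """Evaluate a policy tree; the leaf named `muted` is forced to NA."""
    if node[0] == "leaf":
        return NA if node[1] == muted else node[2](req)
    _, pca, children = node
    return pca([evaluate(c, req, muted) for c in children])

def witnesses(root, name, attrs):
    """Requests on which muting leaf `name` changes the composite decision."""
    reqs = (dict(zip(attrs, bits))
            for bits in product([False, True], repeat=len(attrs)))
    return [r for r in reqs if evaluate(root, r) != evaluate(root, r, name)]

def dead_leaves(root, names, attrs):
    """Leaves that never influence the composite (assumed 'dead' notion)."""
    return [n for n in names if not witnesses(root, n, attrs)]

# Constructed composite policy: the second permit is shadowed by the first.
ATTRS = ["doctor", "on_duty", "suspended", "emergency"]
NAMES = ["deny_suspended", "permit_doctor",
         "permit_on_duty_doctor", "permit_emergency"]
ROOT = ("comp", deny_overrides, [
    leaf("deny_suspended", D, lambda r: r["suspended"]),
    ("comp", first_applicable, [
        leaf("permit_doctor", P, lambda r: r["doctor"]),
        leaf("permit_on_duty_doctor", P, lambda r: r["doctor"] and r["on_duty"]),
    ]),
    leaf("permit_emergency", P, lambda r: r["emergency"]),
])

if __name__ == "__main__":
    print("dead:", dead_leaves(ROOT, NAMES, ATTRS))
```

A black-box check of `ROOT` alone would show correct decisions everywhere; only the per-component query reveals that `permit_on_duty_doctor` can be pruned.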