Distributed systems: methods and tools for specification. An advanced course
Safety and liveness from a methodological point of view
Information Processing Letters
Specifying real-time properties with metric temporal logic
Real-Time Systems
Handbook of theoretical computer science (vol. B)
Techniques for automatic verification of real-time systems
POPL '95 Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Temporal verification of reactive systems: safety
IEEE Transactions on Software Engineering - Special issue on formal methods in software practice
The declarative past and imperative future
The imperative future
Proving Liveness Properties of Concurrent Programs
ACM Transactions on Programming Languages and Systems (TOPLAS)
Protection in operating systems
Communications of the ACM
Proposed NIST standard for role-based access control
ACM Transactions on Information and System Security (TISSEC)
Synthesizing Monitors for Safety Properties
TACAS '02 Proceedings of the 8th International Conference on Tools and Algorithms for the Construction and Analysis of Systems
The Ponder Policy Specification Language
POLICY '01 Proceedings of the International Workshop on Policies for Distributed Systems and Networks
The anchored version of the temporal framework
Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, School/Workshop
Logics and Models of Real Time: A Survey
Proceedings of the Real-Time: Theory in Practice, REX Workshop
Synthesizing Dynamic Programming Algorithms from Linear Temporal Logic Formulae
Efficient monitoring of safety properties
International Journal on Software Tools for Technology Transfer (STTT) - Special section on tools and algorithms for the construction and analysis of systems
Privacy and Contextual Integrity: Framework and Applications
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies
CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
On the modeling and analysis of obligations
Proceedings of the 13th ACM conference on Computer and communications security
Privacy-aware role based access control
Proceedings of the 12th ACM symposium on Access control models and technologies
Privacy and Utility in Business Processes
CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Proving the Correctness of Multiprocess Programs
IEEE Transactions on Software Engineering
Analyzing Regulatory Rules for Privacy and Security Requirements
IEEE Transactions on Software Engineering
A logical framework for history-based access control and reputation systems
Journal of Computer Security
The temporal logic of programs
SFCS '77 Proceedings of the 18th Annual Symposium on Foundations of Computer Science
Checking Traces for Regulatory Conformance
Runtime Verification
A Formalization of HIPAA for a Medical Messaging System
TrustBus '09 Proceedings of the 6th International Conference on Trust, Privacy and Security in Digital Business
Monitoring security policies with metric first-order temporal logic
Proceedings of the 15th ACM symposium on Access control models and technologies
Experiences in the logical specification of the HIPAA and GLBA privacy laws
Proceedings of the 9th annual ACM workshop on Privacy in the electronic society
Büchi store: an open repository of Büchi automata
TACAS'11/ETAPS'11 Proceedings of the 17th international conference on Tools and algorithms for the construction and analysis of systems: part of the joint European conferences on theory and practice of software
On the management of user obligations
Proceedings of the 16th ACM symposium on Access control models and technologies
Policy auditing over incomplete logs: theory, implementation and applications
Proceedings of the 18th ACM conference on Computer and communications security
Declarative privacy policy: finite models and attribute-based encryption
Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium
Journal of Computer and System Sciences
Ensuring authorization privileges for cascading user obligations
Proceedings of the 17th ACM symposium on Access Control Models and Technologies
On XACML's adequacy to specify and to enforce HIPAA
HealthSec'12 Proceedings of the 3rd USENIX conference on Health Security and Privacy
Obligations and their interaction with programs
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
Organizations collect personal information from individuals to carry out their business functions. Federal privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), mandate how this collected information can be shared by the organizations. It is thus incumbent upon the organizations to have means to check compliance with the applicable regulations. Prior work by Barth et al. introduces two notions of compliance, weak compliance (WC) and strong compliance (SC). WC ensures that the present requirements of the policy can be met, whereas SC additionally ensures that the obligations incurred can be met. An action is compliant with a privacy policy if it is both weakly and strongly compliant. However, their definitions of compliance are restricted to propositional linear temporal logic (pLTL), which cannot feasibly specify HIPAA. To this end, we present a policy specification language based on a restricted subset of first-order temporal logic (FOTL) which can capture the privacy requirements of HIPAA. We then formally specify WC and SC for policies of our form. We prove that checking WC is feasible, whereas checking SC is undecidable. We then formally specify the property "WC entails SC", denoted by Δ, which requires that each weakly compliant action is also strongly compliant. To check whether an action is compliant with such a policy, it is sufficient to check only whether the action is weakly compliant with that policy. We also prove that when a policy ℘ has the Δ-property, the present requirements of the policy reduce to the safety requirements imposed by ℘. We then develop a sound, semi-automated technique for checking whether practical policies have the Δ-property. We finally use HIPAA as a case study to demonstrate the efficacy of our policy analysis technique.
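To make the distinction between weak and strong compliance, and the Δ-property, concrete, the following toy model is an added example and not the paper's formalism or code. It replaces the paper's FOTL semantics with plain Python predicates: a rule has a trigger, a present requirement evaluated against the history, and an optional obligation (a predicate on future actions plus a deadline in steps). Weak compliance checks only the present requirement; the toy strong-compliance check additionally searches for some continuation, drawn from a finite alphabet of actions the organization can take, that discharges every obligation in time. The rule, action types and field names (disclose, authorize, notify, patient) are constructed for illustration. The finite-sample Δ check at the end is evidence only, not the sound analysis the paper develops.

```python
from itertools import product

# Constructed toy model (added example, not the paper's formalism).
# An action is a dict with a "type" and parameters; a policy is a list of rules.
# rule["applies"](action)            -> does the rule govern this action?
# rule["present"](history, action)   -> present requirement (checked by WC)
# rule["obligation"](action)         -> (predicate on a future action, deadline in steps),
#                                       or None if the rule incurs no obligation


def applies_to_phi_disclosure(action):
    # Hypothetical trigger: disclosures of protected health information.
    return action["type"] == "disclose" and action.get("data") == "phi"


def patient_authorized(history, action):
    # Present requirement: an authorization from this patient must already be on record.
    return any(h["type"] == "authorize" and h.get("patient") == action["patient"]
               for h in history)


def notice_sent_to(patient):
    # Obligation predicate: a future action that notifies the given patient.
    return lambda future: future["type"] == "notify" and future.get("patient") == patient


POLICY = [
    {
        "name": "phi-disclosure",
        "applies": applies_to_phi_disclosure,
        "present": patient_authorized,
        # Obligation incurred by the disclosure: notify the patient within 2 steps.
        "obligation": lambda action: (notice_sent_to(action["patient"]), 2),
    },
]


def weakly_compliant(policy, history, action):
    """WC in the toy model: every rule governing the action has its present
    requirement satisfied by the history. No reasoning about the future."""
    return all(rule["present"](history, action)
               for rule in policy if rule["applies"](action))


def strongly_compliant(policy, history, action, alphabet):
    """Toy SC: WC plus the existence of some continuation, built from the finite
    action alphabet, that discharges each incurred obligation before its deadline.
    This is a brute-force search over futures of bounded length; it only works
    because the toy alphabet and deadlines are finite (the paper shows SC is
    undecidable for its policy language in general)."""
    if not weakly_compliant(policy, history, action):
        return False
    obligations = [rule["obligation"](action) for rule in policy
                   if rule["applies"](action) and rule.get("obligation") is not None]
    if not obligations:
        return True
    horizon = max(deadline for _, deadline in obligations)
    for future in product(alphabet, repeat=horizon):
        if all(any(pred(a) for a in future[:deadline]) for pred, deadline in obligations):
            return True
    return False


def delta_counterexample(policy, scenarios, alphabet):
    """Finite-sample check of the Δ-property (WC entails SC): returns the first
    (history, action) that is weakly but not strongly compliant, or None if the
    sample gives no counterexample. None is evidence, not a proof."""
    for history, action in scenarios:
        if (weakly_compliant(policy, history, action)
                and not strongly_compliant(policy, history, action, alphabet)):
            return (history, action)
    return None


if __name__ == "__main__":
    # Constructed scenario: an authorized PHI disclosure that incurs a notification obligation.
    history = [{"type": "authorize", "patient": "alice"}]
    disclosure = {"type": "disclose", "data": "phi", "patient": "alice", "recipient": "insurer"}
    can_notify = [{"type": "notify", "patient": "alice"}, {"type": "log"}]
    cannot_notify = [{"type": "log"}]  # no channel to reach the patient
    print("WC:", weakly_compliant(POLICY, history, disclosure))
    print("SC (notification possible):", strongly_compliant(POLICY, history, disclosure, can_notify))
    print("SC (notification impossible):", strongly_compliant(POLICY, history, disclosure, cannot_notify))
    print("Δ counterexample:", delta_counterexample(POLICY, [(history, disclosure)], cannot_notify))
```

The point of the two alphabets is that the same action is weakly compliant in both worlds, but strongly compliant only where the obligation can actually be discharged; that is exactly the gap the Δ-property closes, and why a policy with the Δ-property lets an enforcement point stop at the cheap WC check.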