
Specification and Enforcement of Static Separation-of-Duty Policies in Usage Control

  • Conference paper
Information Security (ISC 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5735)

Abstract

Separation-of-Duty (SoD) policy is a fundamental security principle for the prevention of fraud and errors in computer security. Static SoD (SSoD) policy in the recently presented usage control (UCON) model has not yet been explored. Consequently, this paper attempts to address two important issues: the specification and enforcement of SSoD in UCON. We give a set-based specification scheme, which is simpler and more general than existing approaches. As for enforcement, we study the problem of determining whether an SSoD policy is enforceable, and show that directly enforcing an SSoD policy is a coNP-complete problem. For indirect enforcement, we generate the least restrictive static mutually exclusive attribute (SMEA) constraints to enforce SSoD policies, using the attribute-level SSoD requirement as an intermediate step. The results are fundamental to understanding the effectiveness of using constraints to enforce SSoD policies in UCON.

This work is supported by the National Natural Science Foundation of China under Grants 60873225, 60773191 and 60403027, and the National High Technology Research and Development Program of China under Grant 2007AA01Z403.




© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lu, J., Li, R., Lu, Z., Hu, J., Ma, X. (2009). Specification and Enforcement of Static Separation-of-Duty Policies in Usage Control. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_32


  • DOI: https://doi.org/10.1007/978-3-642-04474-8_32

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04473-1

  • Online ISBN: 978-3-642-04474-8

  • eBook Packages: Computer Science, Computer Science (R0)
