Skip to main content
SpringerLink
Log in
Book cover

International Workshop on Security and Trust Management

STM 2012: Security and Trust Management pp 97–112Cite as

Analysis of Communicating Authorization Policies

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7783))

Abstract

We present a formal language for specifying distributed authorization policies that communicate through insecure asynchronous media. The language allows us to write declarative authorization policies; the interface between policy decisions and communication events can be specified using guards and policy updates. The attacker, who controls the communication media, is modeled as a message deduction engine. We give trace semantics to communicating authorization policies, and formulate a generic reachability problem. We show that the reachability problem is decidable for a large class of practically-relevant policies specified in our formal language.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Abadi, M., Burrows, M., Lampson, B., Plotkin, G.: A calculus for access control in distributed systems. ACM Trans. Program. Lang. Syst. 15(4), 706–734 (1993)

    Article  Google Scholar 

  2. Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: IEEE Symposium on Security and Privacy, pp. 164–173. IEEE CS (1996)

    Google Scholar 

  3. DeTreville, J.: Binder, a logic-based security language. In: IEEE S&P, p. 105 (2002)

    Google Scholar 

  4. Becker, M., Fournet, C., Gordon, A.: Design and semantics of a decentralized authorization language. In: CSF 2007, pp. 3–15. IEEE Computer Society (2007)

    Google Scholar 

  5. Gurevich, Y., Neeman, I.: DKAL: Distributed-knowledge authorization language. In: CSF 2008, pp. 149–162. IEEE Computer Society (2008)

    Google Scholar 

  6. Hammer, E., et al.: The OAuth 2.0 authorization framework (2012); IETF

    Google Scholar 

  7. Frau, S., Torabi Dashti, M.: Integrated specification and verification of security protocols and policies. In: CSF, pp. 18–32. IEEE CS (2011)

    Google Scholar 

  8. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. on Information Theory IT-29(2), 198–208 (1983)

    Google Scholar 

  9. Frau, S.: Analysis of Reachability Properties in Communicating Authorization Policies. PhD Thesis, ETH Zürich (November 2012)

    Google Scholar 

  10. Krishnan, R., Niu, J., Sandhu, R.S., Winsborough, W.H.: Stale-safe security properties for group-based secure information sharing. In: FMSE 2008, pp. 53–62 (2008)

    Google Scholar 

  11. Bertino, E., Samarati, P., Jajodia, S.: An extended authorization model for relational databases. IEEE Trans. Knowl. Data Eng. 9(1), 85–101 (1997)

    Article  Google Scholar 

  12. Armando, A., Arsac, W., Avanesov, T., Barletta, M., Calvi, A., Cappai, A., Carbone, R., Chevalier, Y., Compagna, L., Cuéllar, J., Erzse, G., Frau, S., Minea, M., Mödersheim, S., von Oheimb, D., Pellegrino, G., Ponta, S.E., Rocchetto, M., Rusinowitch, M., Torabi Dashti, M., Turuani, M., Viganò, L.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  13. Griffiths, P., Wade, B.: An authorization mechanism for a relational database system. ACM Trans. Database Syst. 1(3), 242–255 (1976)

    Article  Google Scholar 

  14. Rusinowitch, M., Turuani, M.: Protocol insecurity with finite number of sessions is NP-complete. In: CSFW 2001, p. 174. IEEE CS (2001)

    Google Scholar 

  15. Chaudhuri, A., Naldurg, P., Rajamani, S., Ramalingam, G., Velaga, L.: EON: modeling and analyzing dynamic access control systems with logic programs. In: ACM CCS 2008, pp. 381–390. ACM (2008)

    Google Scholar 

  16. Dougherty, D., Fisler, K., Krishnamurthi, S.: Specifying and reasoning about dynamic access-control policies. In: Furbach, U., Shankar, N. (eds.) IJCAR 2006. LNCS (LNAI), vol. 4130, pp. 632–646. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  17. Garg, D., Pfenning, F.: Stateful authorization logic: In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 210–225. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  18. Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM Trans. Inf. Syst. Secur. 9(4), 391–420 (2006)

    Article  Google Scholar 

  19. Becker, M., Nanz, S.: A logic for state-modifying authorization policies. ACM Trans. Inf. Syst. Secur. 13(3) (2010)

    Google Scholar 

  20. Becker, M.Y.: Specification and analysis of dynamic authorisation policies. In: CSF, pp. 203–217. IEEE Computer Society (2009)

    Google Scholar 

  21. Guttman, J.D., Thayer, F.J., Carlson, J.A., Herzog, J.C., Ramsdell, J.D., Sniffen, B.T.: Trust management in strand spaces: A rely-guarantee method. In: Schmidt, D. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 325–339. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  22. Fournet, C., Gordon, A., Maffeis, S.: A type discipline for authorization policies. ACM Trans. Program. Lang. Syst. 29(5) (2007)

    Google Scholar 

  23. Barletta, M., Ranise, S., Viganò, L.: A declarative two-level framework to specify and verify workflow and authorization policies in service-oriented architectures. Service Oriented Computing and Applications 5(2), 105–137 (2011)

    Article  Google Scholar 

  24. Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis (2012); to appear in CSF 2012

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Institute of Information Security, ETH Zürich, Switzerland

    Simone Frau & Mohammad Torabi Dashti

Authors
  1. Simone Frau
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mohammad Torabi Dashti
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Informatics, University of Oslo, P.O.Box 1080, 0316, Blindern, Oslo, Norway

    Audun Jøsang

  2. Dipartimento di Informatica, Università degli Studi di Milano, Via Bramante, 65, 26013, Crema, CR, Italy

    Pierangela Samarati

  3. National Research Center(CNR), Institute of Informatics and Telematics(IIT), Via G. Moruzzi, 1, 56124, Pisa, Italy

    Marinella Petrocchi

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Frau, S., Torabi Dashti, M. (2013). Analysis of Communicating Authorization Policies. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds) Security and Trust Management. STM 2012. Lecture Notes in Computer Science, vol 7783. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38004-4_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-38004-4_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38003-7

  • Online ISBN: 978-3-642-38004-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation