Abstract
This paper describes an advanced authorization mechanism based on a logic formalism. The model supports both positive and negative authorizations. It also supports derivation rules by which an authorization can be granted on the basis of the presence or absence of other authorizations. Subjects, objects and authorization types are organized into hierarchies, supporting a more adequate representation of their semantics. From the authorizations explicitly specified, additional authorizations are automatically derived by the system based on those hierarchies. The combination of all the above features results in a powerful yet flexible access control mechanism.
The specification language of the system is an extension of Ordered Logic with ordered domains. This is an elegant yet powerful formalism whereby the basic concepts of the authorization model can be naturally formalized. Its semantics is based on the notion of stable model and assigns, to a given set of authorization rules, a multiplicity of (stable) models, each representing a possible way of assigning access authorizations. This form of non-determinism entails an innovative approach to enforce access control: when an access request is issued, the appropriate model is chosen on the basis of the accesses currently under execution in the system.
Chapter PDF
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Abadi, M., Burrows, M., Lampson, B.W., Plotkin, G. A Calculus for Access Control in Distributed Systems. ACM Trans. on Programming Languages and Systems, 15(4):706–734, 1993.
Bertino, E., Bettini, C., Ferrari, E., Samarati, P. A Temporal Access Control Mechanism for Database Systems. IEEE TKDE, 8(1):67–80, 1996.
Bertino, E., Bettini, C., Ferrari, E., Samarati, P. An Access Control Mechanism Supporting Periodicity Constraints and Temporal Reasoning. ACM TODS, to appear.
Bertino, E., Jajodia, S., Samarati, P. Supporting Multiple Access Control Policies in Database Systems. Proc. of the IEEE Symposium on Research in Security and Privacy, Oakland (CA), 1996.
Buccafurri, F., Leone, N., Rullo, P. Stable Models and their Computation for Logic Programming with Inheritance and True Negation. Journal of Logic Programming, 27(1):5–43, 1996.
Buccafurri, F., Leone, N., Scarcello, F. On the Expressive Power of Ordered Logic. AI Communications, 9:14–13, 1996.
W. Chen, D.S. Warren. Computing of Stable Models and its Integration with Logical Query Processing. IEEE TKDE, 17:279–300, 1995.
Eiter, T., Leone, N., Mateis, C., Pfeifer, G., Scarcello, F., A Deductive System for Nonmonotonic Reasoning, Proc. of the 4th Int. Conf. on Logic Programming and Nonmonotonic Reasoning (LPNMR ’97), LNAI 1265, Berlin, 1997.
E. Fernandez, E.B. Gudes and H. Song. A Model for Evaluation and Administration of Security in Object-Oriented Databases. IEEE TKDE, 6:275–292, 1994.
Gelfond, M., Lifschitz, V. The Stable Model Semantics for Logic Programming. Proc. 5th Int. Conf. on Logic Programming, pp. 1070–1080, 1988.
Jajodia, S., Samarati, P., Subrahmanian, V.S., Bertino, E. A Unified Framework for Enforcing Multiple Access Control Policies. Proc. of ACM-SIGMOD, 1997.
Jajodia, S., Samarati, P. Subrahmanian, V.S. A Logical Language for Expressing Authorizations. Proc. IEEE Symposium on Research in Security and Privacy, Oakland (CA), pp. 31–42, 1997.
Laenens, E., Saccá, D., Vermeir, D. Extending Logic Programming. In Proc. of ACM-SIGMOD, 1990.
Lifschitz, V. On the Declarative Semantics of Logic Programs with Negation. Foundation of Deductive Database and Logic Programming, pp. 89–148, 1997.
Lloyd, J. W. Foundations of Logic Programming, Springer-Verlag, 1987.
Marek, W., Truszczyński, M., Computing Intersection of Autoepistemic expansions, Proc. of the 1st Int. Workshop on Logic Programming and Non Monotonic Reasoning, pp. 37–50, 191.
NiemelÄ, I., Simons, P., Efficient Implementation of the Well-founded and Stable Model Semantics. Proc. of the 1996 Joint Int. Conf. and Symposium on Logic Programming, pp. 289–303, Bonn, Germany, 1996.
Oracle Corporation. Oracle8 Server Concepts, 1997.
Rabitti, F., Bertino, E., Kim, E., Woelk, D. A Model of Authorization for Next-Generation Database Systems. ACM TODS, 16(1):88–131, 1991.
Subrahmanian, V.S., Nau, D. and Vago, C. WFS + Branch and Bound = Stable Models. IEEE TKDE, 7(3):362–377, 1995.
Ullman, J.D. Principles of Database and Knowledge-Base Systems, Vol. 1 and 2, Computer Science Press, 1989.
Woo, T.Y.C., Lam, S.S. Authorizations in Distributed Systems: A New Approach. Journal of Computer Security, 2(2 & 3):107–136, 1993.
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 1998 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bertino, E., Buccafurri, F., Ferrari, E., Rullo, P. (1998). An authorization model and its formal semantics. In: Quisquater, JJ., Deswarte, Y., Meadows, C., Gollmann, D. (eds) Computer Security — ESORICS 98. ESORICS 1998. Lecture Notes in Computer Science, vol 1485. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0055860
Download citation
DOI: https://doi.org/10.1007/BFb0055860
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-65004-1
Online ISBN: 978-3-540-49784-4
eBook Packages: Springer Book Archive