Skip to main content
SpringerLink
Log in
Book cover

International Conference on Cryptology and Network Security

CANS 2016: Cryptology and Network Security pp 367–382Cite as

AAL and Static Conflict Detection in Policy

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10052))

Abstract

Security and privacy requirements in ubiquitous systems need a sophisticated policy language with features to express access restrictions and obligations. Ubiquitous systems involve multiple actors owning sensitive data concerning aspects such as location, discrete and continuous time, multiple roles that can be shared among actors or evolve over time. Policy consistency is an important problem in languages supporting these aspects. In this paper we present an abstract language (AAL) to specify most of these security and privacy features and compare it with XACML. We also classified the existing conflict detection mechanisms for XACML in dynamic, testing, or static detection. A thorough analysis of these mechanisms reveals that they have several weaknesses and they are not applicable in our context. We advocate for a classic approach using the notion of logical consistency to detect conflicts in AAL.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    AccLab tool http://web.emn.fr/x-info/acclab/.

  2. 2.

    http://cs.brown.edu/research/plt/software/margrave/versions/01-01/examples/.

  3. 3.

    http://www.a4cloud.eu/.

References

  1. Adi, K., Bouzida, Y., Hattak, I., Logrippo, L., Mankovskii, S.: Typing for conflict detection in access control policies. In: Babin, G., Kropf, P., Weiss, M. (eds.) E-Technologies: Innovation in an Open World. LNBIP, vol. 26, pp. 212–226. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  2. Armando, A., Ranise, S.: Automated and efficient analysis of role-based access control with attributes. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 25–40. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  3. Benghabrit, W., Grall, H., Royer, J.C., Sellami, M.: Abstract accountability language: translation, compliance and application. In: APSEC, pp. 214–221. IEEE Computer Society, New Delhi (2015)

    Google Scholar 

  4. Degtyarev, A., Fisher, M., Konev, B.: Monodic temporal resolution. ACM Trans. Comput. Logic 7(1), 108–150 (2006)

    Article  MathSciNet  MATH  Google Scholar 

  5. Delmas, R., Polacsek, T.: Formal methods for exchange policy specification. In: Salinesi, C., Norrie, M.C., Pastor, Ó. (eds.) CAiSE 2013. LNCS, vol. 7908, pp. 288–303. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  6. Dunlop, N., Indulska, J., Raymond, K.: Methods for conflict resolution in policy-based management systems. In: Enterprise Distributed Object Computing Conference, pp. 98–111. IEEE Computer Society (2003)

    Google Scholar 

  7. Fatema, K., Chadwick, D.: Resolving policy conflicts - integrating policies from multiple authors. In: Iliadis, L., Papazoglou, M., Pohl, K. (eds.) CAiSE Workshops 2014. LNBIP, vol. 178, pp. 310–321. Springer, Heidelberg (2014)

    Google Scholar 

  8. Halpern, J.Y., Weissman, V.: Using first-order logic to reason about policies. ACM Trans. Inf. Syst. Secur. 11(4), 1–41 (2008)

    Article  Google Scholar 

  9. Hu, H., Ahn, G.J., Kulkarni, K.: Discovery and resolution of anomalies in web access control policies. IEEE Trans. Dependable Sec. Comput 10(6), 341–354 (2013)

    Article  Google Scholar 

  10. Huang, C., Sun, J., Wang, X., Si, Y.: Inconsistency management of role based access control policy. In: International Conference on E-Business and Information System Security (2009)

    Google Scholar 

  11. Hughes, G., Bultan, T.: Automated verification of access control policies using a SAT solver. Int. J. Softw. Tools Technol. Transfer 10(6), 503–520 (2008)

    Article  Google Scholar 

  12. Hwang, J., Xie, T., Hu, V.C.: Detection of multiple-duty-related security leakage in access control policies. In: Secure Software Integration and Reliability Improvement, pp. 65–74. IEEE Computer Society (2009)

    Google Scholar 

  13. Li, N., Wang, Q., Qardaji, W.H., Bertino, E., Rao, P., Lobo, J., Lin, D.: Access control policy combining: theory meets practice. In: Carminati, B., Joshi, J. (eds.) Proceedings of SACMAT, pp. 135–144. ACM (2009)

    Google Scholar 

  14. Liu, A.X., Chen, F., Hwang, J., Xie, T.: Xengine: a fast and scalable XACML policy evaluation engine. In: Liu, Z., Misra, V., Shenoy, P.J. (eds.) Proceedings of SIGMETRICS, pp. 265–276. ACM (2008)

    Google Scholar 

  15. Ludwig, M., Hustadt, U.: Implementing a fair monodic temporal logic prover. AI Commun. 23(2–3), 69–96 (2010)

    MathSciNet  MATH  Google Scholar 

  16. Mohan, A., Blough, D.M., Kurç, T.M., Post, A.R., Saltz, J.H.: Detection of conflicts and inconsistencies in taxonomy-based authorization policies. In: Wu, F.X., Zaki, M.J., Morishita, S., Pan, Y., Wong, S., Christianson, A., Hu, X. (eds.) International Conference on Bioinformatics and Biomedicine, pp. 590–594. IEEE Computer Society (2011)

    Google Scholar 

  17. OASIS Standard: eXtensible Access Control Markup Language (XACML) Version 3.0, 22 January 2013. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html (2013)

  18. Schuppan, V.: Towards a notion of unsatisfiable and unrealizable cores for LTL. Sci. Comput. Program. 77(7–8), 908–939 (2012)

    Article  MATH  Google Scholar 

  19. Schuppan, V., Darmawan, L.: Evaluating LTL satisfiability solvers. In: Bultan, T., Hsiung, P.-A. (eds.) ATVA 2011. LNCS, vol. 6996, pp. 397–413. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  20. Shaikh, R.A., Adi, K., Logrippo, L., Mankovski, S.: Inconsistency detection method for access control policies. In: Information Assurance and Security, pp. 204–209. IEEE Computer Society (2010)

    Google Scholar 

  21. St-Martin, M., Felty, A.P.: A verified algorithm for detecting conflicts in XACML access control rules. In: Avigad, J., Chlipala, A. (eds.) Proceedings of the Conference on Certified Programs and Proofs, pp. 166–175. ACM (2016)

    Google Scholar 

  22. Stepien, B., Matwin, S., Felty, A.P.: Strategies for reducing risks of inconsistencies in access control policies. In: Availability, Reliability, and Security, pp. 140–147. IEEE Computer Society (2010)

    Google Scholar 

  23. Turkmen, F., den Hartog, J., Ranise, S., Zannone, N.: Analysis of XACML policies with SMT. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 115–134. Springer, Heidelberg (2015)

    Google Scholar 

  24. Wool, A.: Trends in firewall configuration errors: measuring the holes in swiss cheese. IEEE Internet Comput. 14(4), 58–65 (2010)

    Article  Google Scholar 

  25. Xia, X.: A conflict detection approach for XACML policies on hierarchical resources. In: Proceedings of Conference on Green Computing and Communications, pp. 755–760. IEEE Computer Society (2012)

    Google Scholar 

  26. Xiao, Z., Nandhakumar Kathiresshan, Y.X.: A survey of accountability in computer networks and distributed systems. Security and Communication. Networks 5(10), 1083–1085 (2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Mines Nantes, 4 rue A. Kastler, 44307, Nantes, France

    Jean-Claude Royer

  2. SAP Labs France, 805 Avenue du Dr Donat Font de l’Orme, 06250, Mougins, Sophia Antipolis, France

    Anderson Santana De Oliveira

Authors
  1. Jean-Claude Royer
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Anderson Santana De Oliveira
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jean-Claude Royer .

Editor information

Editors and Affiliations

  1. Università degli Studi di Milano, Crema, Italy

    Sara Foresti

  2. Università degli Studi di Salerno, Fisciano, Italy

    Giuseppe Persiano

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Royer, JC., Santana De Oliveira, A. (2016). AAL and Static Conflict Detection in Policy. In: Foresti, S., Persiano, G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science(), vol 10052. Springer, Cham. https://doi.org/10.1007/978-3-319-48965-0_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-48965-0_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-48964-3

  • Online ISBN: 978-3-319-48965-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation