A formal modeling and analysis approach for access control rules, policies, and their combinations

Bibliographic Details
Published in: International Journal of Information Security, Vol. 16, no. 1, pp. 43-74
Main Authors: Karimi, Vahid R.; Alencar, Paulo S. C.; Cowan, Donald D.
Format: Journal Article
Language: English
Published: Berlin/Heidelberg: Springer Berlin Heidelberg (Springer Nature B.V.), 01.02.2017

Summary: Approaches to access control (AC) policy languages, such as eXtensible access control markup language, do not provide a formal representation for specifying rule- and policy-combining algorithms or for verifying properties of AC policies. Some authors propose formal representations for these combining algorithms. However, the proposed models are not expressive enough to formally represent history-based classes of these algorithms, such as ordered-permit-overrides. In addition, some other authors propose a formal representation but do not present automated support for formal verification of properties of AC policies that use these algorithms. This paper demonstrates a new representation that can express all existing AC rule and policy combinations of which the authors are aware. This representation can also be used to automate the formal verification of properties of AC policies related to these algorithms. A new modeling representation for rule- and policy-combining algorithms based on state machines is used to specify rule- and policy-combining algorithms. Examples of these algorithms are programmed in the language of the SPIN model checker, and the programs are then used to support the automated formal verification of properties of AC policies. We present our approach and then use the AC policies and properties of CONTINUE, a conference management system, to compare it with prior work. Our first contribution is a new modeling representation for combining algorithms based on state machines. The second contribution is the formal verification of AC properties under certain combining algorithms that are beyond the capability of other approaches.
ISSN: 1615-5262; 1615-5270
DOI: 10.1007/s10207-016-0314-4