A logical framework for reasoning on data access control policies

Bertino, Elisa; Buccafurri, Francesco; Ferrari, Elena; Rullo, Pasquale

doi:10.1109/csfw.1999.779772

Cited by 40 publications

(34 citation statements)

References 19 publications

(25 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Conflicts between policy modules entered by different administrators can be detected by automated methods [44,7,36] that can be built into policy management tools. At the same time, because FSL policies are used by real systems [14,26,52], any conflicts that are not resolved by administrative tools must be resolved automatically at enforcement time [53,36,12,10,24,27,48,11]. Unlike prior languages, FSL conflict resolution is complicated by the fact that policies can reference external sources [48,13,41], which can change independent of the policy.…”

Section: Related Workmentioning

confidence: 99%

“…Because disagreements naturally arise among administrators, FSL was designed so that those disagreements would manifest as conflicts in policies [53,36,12,10,24,27,48,11,7]. Conflicts between policy modules entered by different administrators can be detected by automated methods [44,7,36] that can be built into policy management tools.…”

Section: Related Workmentioning

confidence: 99%

“…Sometimes the conflict-resolution scheme for a language is built-in [48,24,11], but sometimes it is defined by the user [10,53,27]. Sometimes, conflicts are only detected but not resolved [7], and other times conflicts are handled by a combination of detection and user-defined resolution [36].…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Evolution of the Ethane Architecture

Casado¹,

Shenker²

2009

View full text Add to dashboard Cite

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Evolution of the Ethane Architecture

Casado¹,

Shenker²

2009

View full text Add to dashboard Cite

show abstract

“…A variety of policy languages and models have been proposed. Some of them are generic [1,14,25,26,37] while others are designed for specific applications [7,11,36,38] or data models [8,9,19,29].…”

Section: Related Workmentioning

confidence: 99%

Defining and Measuring Policy Coverage in Testing Access Control Policies

Martin

Xie

2006

Information and Communications Security

View full text Add to dashboard Cite

Abstract. To facilitate managing access control in a system, security officers increasingly write access control policies in specification languages such as XACML, and use a dedicated software component called a Policy Decision Point (PDP). To increase confidence on written policies, certain types of policy testing (often in an ad hoc way) are usually conducted, which probe the PDP with some typical requests and check PDP's responses against expected ones. This paper develops a first step toward systematic policy testing by defining and measuring policy coverage when testing policies. We have developed a coverage-measurement tool to measure policy coverage given a set of XACML policies and a set of requests. We have developed a tool for request generation, which randomly generates requests for a given set of policies, and a tool for request reduction, which greedily selects a nearly minimal set of requests for achieving the same coverage as the originally generated requests. To evaluate coverage-based request reduction and its effect on fault detection, we have conducted an experiment with mutation testing on a set of real policies. Our experimental results show that the coverage-based test reduction can substantially reduce the size of generated requests and incur only relatively low loss on fault detection. We also conduct a study on the policy coverage achieved by manually generated requests.

show abstract

“…Some authors regard multiple models as an opportunity to write nondeterministic specifications where each model is an acceptable policy and the system makes an automatic choice between the available alternatives [34]. For instance, the models of a policy may correspond to all possible ways of assigning permissions that preserve a Chinese Wall policy [35].…”

Section: Rule-based Policy Representationmentioning

confidence: 99%

Rule-Based Policy Representation and Reasoning for the Semantic Web

Bonatti

Olmedilla

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Summary. The Semantic Web aims at enabling sophisticated and autonomic machine to machine interactions without human intervention, by providing machines not only with data but also with its meaning (semantics). In this setting, traditional security mechanisms are not suitable anymore. For example, identity-based access control assumes that parties are known in advance. Then, a machine first determines the identity of the requester in order to either grant or deny access, depending on its associated information (e.g., by looking up its set of permissions). In the Semantic Web, any two strangers can interact with each other automatically and therefore this assumption does not hold. Hence, a semantically enriched process is required in order to regulate an automatic access to sensitive information. Policy-based access control provides sophisticated means in order to support protecting sensitive resources and information disclosure.

show abstract

A logical framework for reasoning on data access control policies

Cited by 40 publications

References 19 publications

Evolution of the Ethane Architecture

Evolution of the Ethane Architecture

Defining and Measuring Policy Coverage in Testing Access Control Policies

Rule-Based Policy Representation and Reasoning for the Semantic Web

Contact Info

Product

Resources

About