AAL and Static Conflict Detection in Policy

Royer, Jean‐Claude; Oliveira, Anderson Santana de

doi:10.1007/978-3-319-48965-0_22

Cited by 2 publications

(6 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As we can see this property assumes that the input system is satisfiable, and it is different from many approaches looking for logical inconsistencies in a system, for instance [9,10,20].…”

Section: Definition 4 (Safety Of Rule-based System)mentioning

confidence: 94%

“…We describe here the case of the CONTINUE A policy already used in [27,20] and dedicated to conference management. This policy 5 is specified in 25 XACML files containing 44 rules.…”

Section: The Continue Examplementioning

confidence: 99%

“…[7,8,19,16]. A few studies rely on checking satisfiability as in [20], but it is too weak since satisfiability is always a system requirement. Other formal methods and verification, for instance [9,10,11,12], use manual proof or derivation tools and are able to prove expected properties of the system (e.g., an access is never both permitted and denied).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Efficiently Characterizing the Undefined Requests of a Rule-Based System

Cheng

Royer

Tisi

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Rule-based systems are used to define complex policies in several contexts, because of the flexibility and modularity they provide. This is especially critical for security systems, which may require to compose evolving policies for privacy, accountability, access control, etc. The inclusion of conflicting rules in complex policies, results in the inability of the system to unambiguously answer to certain requests, with possibly unpredictable effects. The static identification of these undefined requests is particularly challenging for unconstrained rule-based systems, including quantifiers, computations and chaining of rules. In this paper we introduce a static method to precisely characterize the set of all undefined requests for a given unconstrained rule-based system, providing the user with a global view of the rule conflicts. We propose an enumerative approach, made usable in practice by two key performance optimizations: a finer classification of the rules and the resort of the topological sorting. We demonstrate its application on a well-known policy with more than fifty rules.

show abstract

“…As we can see this property assumes that the input system is satisfiable, and it is different from many approaches looking for logical inconsistencies in a system, for instance [9,10,20].…”

Section: Definition 4 (Safety Of Rule-based System)mentioning

confidence: 94%

“…We describe here the case of the CONTINUE A policy already used in [27,20] and dedicated to conference management. This policy 5 is specified in 25 XACML files containing 44 rules.…”

Section: The Continue Examplementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficiently Characterizing the Undefined Requests of a Rule-Based System

Cheng

Royer

Tisi

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Taking the ABAC policy specified by the XACML [11] as an example, there exist conflict problems among the rules. Several concepts such as attribute expression, policy rule, access request, and conflict are taken into account in this study, which are described as follows:…”

Section: Conflict Problems In Abacmentioning

confidence: 99%

“…erefore, how to detect the conflicts among policies has become an urgent problem to be resolved. Royer and De Oliveira [11] separated the existing conflict detection mechanisms for the eXtensible Access Control Markup Language (XACML) into three different types. e dynamic and testing detections depend on access requests, while the static detection was based on the rule set without generating requests.…”

Section: Introductionmentioning

confidence: 99%

Attribute-Based Policy Evaluation Using Constraints Specification Language and Conflict Detections

Sun

2022

Mobile Information Systems

View full text Add to dashboard Cite

Attribute-based access control (ABAC) has attracted widespread interest and has become an ideal mechanism due to its flexibility characteristic and the powerful expressiveness for various security policies, such as the separation-of-duty constraint and cardinality constraint. The formulation of appropriate ABAC policies is critical for ensuring system security and robustness. However, conflicts occur frequently in existing state-of-the-art systems. Most conventional detection methods either lack the evaluation of the policy quality or consider no constraint. To resolve these problems, a novel method for the ABAC policy evaluation is proposed in this study. First, to meet diverse organizational requirements, we use the attribute-based constraints specification language to uniformly formulate and specify the conflict relations among attributes and present the satisfiability of conflict relations. Second, to comprehensively detect the conflict problems, we present the evaluation criteria for conflicts on attributes and rules and propose a novel algorithm for detecting conflicts. Last, we validate the effectiveness and efficiency of the proposal through experiments, which demonstrate that it not only improves the policy quality but also reduces the conflicting number and conflicting probability.

show abstract

AAL and Static Conflict Detection in Policy

Cited by 2 publications

References 25 publications

Efficiently Characterizing the Undefined Requests of a Rule-Based System

Efficiently Characterizing the Undefined Requests of a Rule-Based System

Attribute-Based Policy Evaluation Using Constraints Specification Language and Conflict Detections

Contact Info

Product

Resources

About