Dynamics in Delegation and Revocation Schemes: A Logical Approach

Barker, Steve; Boella, Guido; Genovese, Valerio; Torre, Leendert van der

doi:10.1007/978-3-642-22348-8_9

Cited by 6 publications

(23 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1 As many of these problems amount to a principal having access right in a situation where the intended meaning of the used revocation scheme implies that the principal should not have access right, these problems can pose security risks.…”

Section: Problems With Hagström Et Al's Frameworkmentioning

confidence: 99%

“…Depending on the reasons for the revocation, different ways to treat the delegation chain can be desirable [11,1,7]. For example, if one is revoking a permission given to an employee because he is moving to another position in the company, it makes sense to keep in place the permissions she previously granted; but if one is revoking a permission from a user who has abused his rights and is hence distrusted, it makes sense to delete the permissions she previously issued.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Postulates for Revocation Schemes

Cramer¹,

Casini²

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In access control frameworks with the possibility of delegating permissions and administrative rights, delegation chains can form. There are different ways to treat these delegation chains when revoking rights, which give rise to different revocation schemes. Hagström et al. [11] proposed a framework for classifying revocation schemes, in which the different revocation schemes are defined graph-theoretically. At the outset, we identify multiple problems with Hagström et al.'s definitions of the revocation schemes, which can pose security risks. This paper is centered around the question how one can systematically ensure that improved definitions of the revocation schemes do not lead to similar problems. For this we propose to apply the axiomatic method originating in social choice theory to revocation schemes. Our use of the axiomatic method resembles its use in belief revision theory. This means that we define postulates that describe the desirable behaviour of revocation schemes, study which existing revocation frameworks satisfy which postulates, and show how all defined postulates can be satisfied by defining the revocation schemes in a novel way.

show abstract

Section: Problems With Hagström Et Al's Frameworkmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Postulates for Revocation Schemes

Cramer¹,

Casini²

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The behaviour of weak negative authorizations is clear and does not pose any of the problems discussed below. So in our discussion, we will focus on revocation schemes that are called strong by Hagström et al [10] and Aucher et al [1] and called predecessor-takes-precedence (p-t-p) by Cramer et al [6]. The problems discussed below apply equally to global and local revocation schemes; for the sake of simplicity, we will concentrate on global revocation schemes in this paper.…”

Section: Revocation Via Negative Authorizationmentioning

confidence: 99%

“…So for the rest of the paper, the only revocation scheme we consider is what Hagström et al [10] and Aucher et al [1] call a Strong Global Negative revocation, and what Cramer et al [6] call a P-t-p Global Resilient revocation.…”

Section: Revocation Via Negative Authorizationmentioning

confidence: 99%

See 1 more Smart Citation

Resilient Delegation Revocation with Precedence for Predecessors Is NP-Complete

Cramer

Hertum

Lapauw

et al. 2016

2016 IEEE 29th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Abstract-In ownership-based access control frameworks with the possibility of delegating permissions and administrative rights, chains of delegated accesses will form. There are different ways to treat these delegation chains when revoking rights, which give rise to different revocation schemes. One possibility studied in the literature is to revoke rights by issuing negative authorizations, meant to ensure that the revocation is resilient to a later reissuing of the rights, and to resolve conflicts between principals by giving precedence to predecessors, i.e. principals that come earlier in the delegation chain. However, the effects of negative authorizations have been defined differently by different authors. Having identified three definitions of this effect from the literature, the first contribution of this paper is to point out that two of these three definitions pose a security threat. However, avoiding this security threat comes at a price: We prove that with the safe definition of the effect of negative authorizations, deciding whether a principal does have access to a resource is an NP-complete decision problem. We discuss two limitations that can be imposed on an access-control system in order to reduce the complexity of the problem back to a polynomial complexity: Limiting the length of delegation chains to an integer m reduces the runtime complexity of determining access to O(n m ), and requiring that principals form a hierarchy that graph-theoretically forms a rooted tree makes this decision problem solvable in quadratic runtime. Finally we discuss an approach that can mitigate the complexity problem in practice without fully getting rid of NP-completeness.

show abstract