Reasoning about XACML policies using CSP

Bryans, Jeremy

doi:10.1145/1103022.1103028

Cited by 39 publications

(26 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our prototype contains an implementation of · SCL which compiles security constraints as well as the decision function ∆ described in Sec. 4.…”

Section: Experimental Evaluationmentioning

confidence: 99%

“…However, XACML is quite a complex policy language with informal evaluation semantics, so the development of tools complementing testing with formal verification of XACML is difficult. To tackle this issue, different formal semantics have been given to core concepts of XACML using for instance process algebra [4], description logics [5], answer set programming [6], specific algebraic variety [7] or ad hoc compositional semantics [8].…”

Section: Related Workmentioning

confidence: 99%

“…which is not a URL according to Definition 2. We can then write v ∈ u ↓ ⇒ v |v| = * leading, according to (4), to the following conclusion:…”

Section: Proof (Proposition 2)mentioning

confidence: 99%

See 2 more Smart Citations

Access Control Configuration for J2EE Web Applications: A Formal Perspective

Casalino

Thion

Hacid

2012

Trust, Privacy and Security in Digital Business

View full text Add to dashboard Cite

Abstract. Business services are increasingly dependent upon Web applications. Whereas URL-based access control is one of the most prominent and pervasive security mechanism in use, failure to restrict URL accesses is still a major security risk. We argue that this risk can be mitigated by providing formal analysis tools to evaluate access control policies as well as the impact of changes on configurations. In order to tackle this issue, this paper gives a formal semantics for access control constraints standardized in the J2EE Java Servlet Specification, arguably one of the most common framework for web applications. Two different analysis tools are developed on top of this formal building block: a decision engine and a comparison algorithm for change impact of access control configurations. The formal semantics is compared against two major web application containers. The experiments reveal non-compliant access control decisions of these containers and validate our approach.

show abstract

“…Our prototype contains an implementation of · SCL which compiles security constraints as well as the decision function ∆ described in Sec. 4.…”

Section: Experimental Evaluationmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Access Control Configuration for J2EE Web Applications: A Formal Perspective

Casalino

Thion

Hacid

2012

Trust, Privacy and Security in Digital Business

View full text Add to dashboard Cite

show abstract

“…Regarding works on XACML's formalization, a largely followed approach is based on 'transformational' semantics (see, e.g., [10,4,3]). The target formalisms have in their turn their own semantics.…”

Section: Related Workmentioning

confidence: 99%

Towards model-driven development of access control policies for web applications

Busch

Koch

Masi³

et al. 2012

Proceedings of the Workshop on Model-Driven Security

View full text Add to dashboard Cite

show abstract

“…A largely followed approach is based on 'transformational' semantics, where XACML policies are translated into terms of some formalism. For example, [11] uses description logic expressions as target formalism, [12] exploits the process algebra CSP [13], and [14] the model-oriented specification language VDM++ [15]. The main advantage of this approach is the possibility of analysing policies by means of off-the-shelf reasoning tools that may be already available for the considered formalisms.…”

Section: Introductionmentioning

confidence: 99%

Formalisation and Implementation of the XACML Access Control Mechanism

Masi¹,

Pugliese

Tiezzi

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development.

show abstract

Reasoning about XACML policies using CSP

Cited by 39 publications

References 7 publications

Access Control Configuration for J2EE Web Applications: A Formal Perspective

Access Control Configuration for J2EE Web Applications: A Formal Perspective

Towards model-driven development of access control policies for web applications

Formalisation and Implementation of the XACML Access Control Mechanism

Contact Info

Product

Resources

About