Published in: Journal of Intelligent Information Systems 1/2012

01-02-2012

A relational database integrity framework for access control policies

Authors: Romuald Thion, Stéphane Coulondre


Abstract

Access control is one of the most common and versatile mechanisms used to enforce information systems security. An access control model formally describes how to decide whether an access request should be granted or denied. Since the role-based access control initiative was proposed in the 1990s, several access control models have been studied in the literature. An access control policy is an instance of a model: it defines the set of basic facts used in the decision process. Policies must satisfy a set of constraints defined in the model, which reflect high-level organizational requirements. First-order logic has been advocated for some time as a suitable framework for access control models. Many frameworks have been proposed, focusing mainly on expressing complex access control models. However, although formally expressed, their constraints are not defined in a unified language that could lead to well-founded and generic enforcement procedures. We therefore make a clear distinction by proposing a logical framework that focuses primarily on constraints, while keeping, as far as possible, a unified way of expressing constraints, policies, models, and reference monitors. This framework is closely tied to relational database integrity models. We then show how to use well-founded procedures to enforce and check constraints. Without requiring any rewriting prior to the inference process, these procedures provide clean and intuitive debugging traces for administrators. This approach is a step toward bridging the gap between general but hard-to-maintain formalisms and effective but insufficiently general ones.
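As an added illustration of the abstract's central idea (this is not the paper's formalism or code), the following Python/SQLite script stores a small RBAC policy as relations and writes a static separation-of-duty constraint as a denial constraint, i.e. a query that must return no rows; the rows it does return are the administrator's debugging trace, and the same query is re-run to enforce the constraint at assignment time. Table names, the role hierarchy, and the sample users and roles are constructed.

```python
import sqlite3

# Constructed sample policy: an RBAC instance kept as plain relations.
POLICY_SQL = """
CREATE TABLE ua  (usr TEXT NOT NULL, role TEXT NOT NULL, PRIMARY KEY (usr, role));
CREATE TABLE rh  (senior TEXT NOT NULL, junior TEXT NOT NULL);  -- senior inherits junior
CREATE TABLE smer(r1 TEXT NOT NULL, r2 TEXT NOT NULL);          -- mutually exclusive roles
INSERT INTO ua   VALUES ('alice', 'clerk'), ('bob', 'auditor'), ('carol', 'manager');
INSERT INTO rh   VALUES ('manager', 'clerk');
INSERT INTO smer VALUES ('clerk', 'auditor');
"""

# Static separation of duty as a denial constraint: no user may hold, directly
# or through the role hierarchy, two roles declared mutually exclusive.
# The recursive CTE closes the hierarchy so inherited roles are counted.
SSOD_VIOLATIONS = """
WITH RECURSIVE holds(usr, role) AS (
    SELECT usr, role FROM ua
    UNION
    SELECT h.usr, rh.junior FROM holds h JOIN rh ON rh.senior = h.role
)
SELECT a.usr, a.role, b.role
FROM holds a JOIN holds b ON a.usr = b.usr
JOIN smer ON smer.r1 = a.role AND smer.r2 = b.role
ORDER BY a.usr;
"""

def load_policy():
    con = sqlite3.connect(":memory:")
    con.executescript(POLICY_SQL)
    return con

def check_ssod(con):
    """Check the constraint: an empty list means the policy satisfies it;
    otherwise each (user, role, role) row explains one violation."""
    return con.execute(SSOD_VIOLATIONS).fetchall()

def explain(violations):
    """Render the violating tuples as a readable trace for the administrator."""
    return [f"{u} holds mutually exclusive roles {r1} and {r2}" for u, r1, r2 in violations]

def assign(con, usr, role):
    """Enforce the constraint on update: insert, re-check, and roll back
    the insert if the denial query now returns rows."""
    con.execute("INSERT INTO ua VALUES (?, ?)", (usr, role))
    bad = check_ssod(con)
    if bad:
        con.rollback()
        return False, explain(bad)
    con.commit()
    return True, []

if __name__ == "__main__":
    con = load_policy()
    print(assign(con, "alice", "manager"))   # accepted
    print(assign(con, "carol", "auditor"))   # rejected: carol inherits clerk via manager
```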

Metadata
Title
A relational database integrity framework for access control policies
Authors
Romuald Thion
Stéphane Coulondre
Publication date
01-02-2012
Publisher
Springer US
Published in
Journal of Intelligent Information Systems / Issue 1/2012
Print ISSN: 0925-9902
Electronic ISSN: 1573-7675
DOI
https://doi.org/10.1007/s10844-010-0146-z
