ABSTRACT
XACML has emerged as a popular access control language on the Web, but because of its rich expressiveness, it has proved difficult to analyze in an automated fashion. In this paper, we present a formalization of XACML using description logics (DL), which are a decidable fragment of first-order logic. This formalization allows us to cover a more expressive subset of XACML than propositional logic-based analysis tools, and in addition we provide a new analysis service (policy redundancy). Also, mapping XACML to description logics allows us to use off-the-shelf DL reasoners for analysis tasks such as policy comparison, verification and querying. We provide an empirical evaluation of a policy analysis tool that was implemented on top of the open-source DL reasoner Pellet.
Index Terms
- Analyzing web access control policies