Article

Analyzing web access control policies

Authors:
Vladimir Kolovski

University of Maryland

University of Maryland
View Profile

,
James Hendler

University of Maryland

University of Maryland
View Profile

,
Bijan Parsia

University of Manchester

University of Manchester
View Profile

WWW '07: Proceedings of the 16th international conference on World Wide WebMay 2007Pages 677–686https://doi.org/10.1145/1242572.1242664

Published:08 May 2007Publication History

WWW '07: Proceedings of the 16th international conference on World Wide Web

Pages 677–686

ABSTRACT

XACML has emerged as a popular access control language on the Web, but because of its rich expressiveness, it has proved difficult to analyze in an automated fashion. In this paper, we present a formalization of XACML using description logics (DL), which are a decidable fragment of First-Order logic. This formalization allows us to cover a more expressive subset of XACML than propositional logic-based analysis tools, and in addition we provide a new analysis service (policy redundancy). Also, mapping XACML to description logics allows us to use off-the-shelf DL reasoners for analysis tasks such as policy comparison, verification and querying. We provide empirical evaluation of a policy analysis tool that was implemented on top of open source DL reasoner Pellet.

References

Continue access control policy example., 2005. http://www.cs.brown.edu/research/plt/software/margrave/versions/01-01/examples/continue/.Google Scholar
Xacml references, v1.65. http://docs.oasisopen.org/xacml/references/xacmlrefsv1.65.html, 2006.Google Scholar
A. Anderson. Core and hierarchical role based access control (rbac) profile of xacml v2.0, February 2005.Google Scholar
J. Bryans. Reasoning about xacml policies using csp. In SWS '05: Proceedings of the 2005 workshop on Secure web services, pages 28--35, New York, NY, USA, 2005. ACM Press. Google ScholarDigital Library
M. Dean and G. Schreiber. Owl web ontology language reference w3c recommendation., feb 2004.Google Scholar
K. Fisler, S. Krishnamurthi, L. A. Meyerovich, and M. C. Tschantz. Verification and change-impact analysis of access-control policies. In ICSE '05: Proceedings of the 27th international conference on Software engineering, pages 196--205, 2005. Google ScholarDigital Library
S. Godik and T. Moses. Oasis extensible access control markup language (xacml) version 1.1. oasis committee specification, July 2003.Google Scholar
B. C. Grau, I. Horrocks, B. Parsia, P. Patel-Schneider, and U. Sattler. Next steps for owl. In OWL Experienced and Directions, 2006.Google Scholar
D. P. Guelev, M. Ryan, and P. -Y. Schobbens. Model-checking access control policies. In ISC, pages 219--230, 2004.Google ScholarCross Ref
I. Horrocks and U. Sattler. A tableaux decision procedure for SHOIQ. In Proc. of the 19th Int. Joint Conf. on Artificial Intelligence (IJCAI 2005). Morgan Kaufman, 2005. Google ScholarDigital Library
G. Hughes and T. Bultan. Automated verification of access control policies (technical report). Technical Report 2004-22, Department of Computer Science, University of California, Santa Barbara, September 2004.Google Scholar
D. Jackson. Alloy: a lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol., 11(2):256--290, 2002. Google ScholarDigital Library
V. Kolovski. Formalizing XACML Using Defeasible Description Logics. Technical Report TR-233-11, University of Maryland - College Park, 2006.Google Scholar
F. Massacci. Reasoning about security: A logic and a decision method for role-based access control. In ECSQARU-FAPR, pages 421--435, 1997. Google ScholarDigital Library
B. Parsia and E. Sirin. Pellet: An OWL DL reasoner. In Third International Semantic Web Conference - Poster, 2004.Google Scholar
K. Wang, D. Billington, J. Blee, and G. Antoniou. Combining description logic and defeasible logic for the semantic web. In RuleML, pages 170--181, 2004.Google ScholarCross Ref
WS-Policy. Web services policy framework (ws-policy). http://www-106.ibm.com/developerworks/library/specification/wspolfram/.Google Scholar
N. Zhang, M. D. Ryan, and D. Guelev. Evaluating access control policies through model checking. In Eighth Information Security Conference (ISC05), 2005. Google ScholarDigital Library
C. Zhao, N. Heilili, S. Liu, and Z. Lin. Representation and reasoning on rbac: A description logic approach. In ICTAC, pages 381--393, 2005. Google ScholarDigital Library

Index Terms

Analyzing web access control policies

Recommendations

Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis
CSF '08: Proceedings of the 2008 21st IEEE Computer Security Foundations Symposium

It is difficult to develop and manage large, multi-author access control policies without a means to compose larger policies from smaller ones. Ideally, an access-control policy language will have a small set of simple policy combinators that allow for ...
Read More
Sophisticated Access Control via SMT and Logical Frameworks

We introduce a new methodology for formulating, analyzing, and applying access-control policies. Policies are expressed as formal theories in the SMT (satisfiability-modulo-theories) subset of typed first-order logic, and represented in a programmable ...
Read More
Semantics-based approach for detecting flaws, conflicts and redundancies in XACML policies

Display Omitted We provide policy analysis scheme to detect access contradictions among web services.We propose semantic-based policy analysis through deductive logic and inference rules.We present flaw, conflict and redundancy detection algorithms for ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
WWW '07: Proceedings of the 16th international conference on World Wide Web
May 2007
1382 pages
ISBN:9781595936547
DOI:10.1145/1242572
General Chairs:
Carey Williamson
University of Calgary, Canada
,
Mary Ellen Zurko
IBM, USA
,
Program Chairs:
Peter Patel-Schneider
Bell Labs Research, USA
,
Prashant Shenoy
University of Massachusetts at Amherst, USA
Copyright © 2007 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 8 May 2007
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
XACML
access control
description logics
policy analysis
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate1,899of8,196submissions,23%
Upcoming Conference
WWW '24

Sponsor:

sigweb

The ACM Web Conference 2024

May 13 - 17, 2024

Singapore , Singapore
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 143
  Total Citations
  View Citations
- 1,441
  Total Downloads
- Downloads (Last 12 months)26
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Analyzing web access control policies

WWW '07: Proceedings of the 16th international conference on World Wide Web

ABSTRACT

References

Cited By

Index Terms

Recommendations

Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis

Sophisticated Access Control via SMT and Logical Frameworks

Semantics-based approach for detecting flaws, conflicts and redundancies in XACML policies