Sophisticated Access Control via SMT and Logical Frameworks

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2014-04-01 DOI:10.1145/2595222

Konstantine Arkoudas, R. Chadha, C. Chiang

{"title":"Sophisticated Access Control via SMT and Logical Frameworks","authors":"Konstantine Arkoudas, R. Chadha, C. Chiang","doi":"10.1145/2595222","DOIUrl":null,"url":null,"abstract":"We introduce a new methodology for formulating, analyzing, and applying access-control policies. Policies are expressed as formal theories in the SMT (satisfiability-modulo-theories) subset of typed first-order logic, and represented in a programmable logical framework, with each theory extending a core ontology of access control. We reduce both request evaluation and policy analysis to SMT solving, and provide experimental results demonstrating the practicality of these reductions. We also introduce a class of canonical requests and prove that such requests can be evaluated in linear time. In many application domains, access requests are either naturally canonical or can easily be put into canonical form. The resulting policy framework is more expressive than XACML and languages in the Datalog family, without compromising efficiency. Using the computational logic facilities of the framework, a wide range of sophisticated policy analyses (including consistency, coverage, observational equivalence, and change impact) receive succinct formulations whose correctness can be straightforwardly verified. The use of SMT solving allows us to efficiently analyze policies with complicated numeric (integer and real) constraints, a weak point of previous policy analysis systems. Further, by leveraging the programmability of the underlying logical framework, our system provides exceptionally flexible ways of resolving conflicts and composing policies. Specifically, we show that our system subsumes FIA (Fine-grained Integration Algebra), an algebra recently developed for the purpose of integrating complex policies.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2014-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"23","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2595222","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 23

Abstract

We introduce a new methodology for formulating, analyzing, and applying access-control policies. Policies are expressed as formal theories in the SMT (satisfiability-modulo-theories) subset of typed first-order logic, and represented in a programmable logical framework, with each theory extending a core ontology of access control. We reduce both request evaluation and policy analysis to SMT solving, and provide experimental results demonstrating the practicality of these reductions. We also introduce a class of canonical requests and prove that such requests can be evaluated in linear time. In many application domains, access requests are either naturally canonical or can easily be put into canonical form. The resulting policy framework is more expressive than XACML and languages in the Datalog family, without compromising efficiency. Using the computational logic facilities of the framework, a wide range of sophisticated policy analyses (including consistency, coverage, observational equivalence, and change impact) receive succinct formulations whose correctness can be straightforwardly verified. The use of SMT solving allows us to efficiently analyze policies with complicated numeric (integer and real) constraints, a weak point of previous policy analysis systems. Further, by leveraging the programmability of the underlying logical framework, our system provides exceptionally flexible ways of resolving conflicts and composing policies. Specifically, we show that our system subsumes FIA (Fine-grained Integration Algebra), an algebra recently developed for the purpose of integrating complex policies.

查看原文本刊更多论文

通过SMT和逻辑框架的复杂访问控制

我们介绍了一种用于制定、分析和应用访问控制策略的新方法。策略被表示为类型化一阶逻辑的SMT(可满足性-模理论)子集中的形式化理论，并在可编程逻辑框架中表示，每个理论都扩展了访问控制的核心本体。我们将请求评估和政策分析都简化为SMT解决，并提供实验结果来证明这些简化的实用性。我们还引入了一类正则请求，并证明了这类请求可以在线性时间内求值。在许多应用程序领域中，访问请求要么是自然规范的，要么可以很容易地采用规范形式。生成的策略框架比Datalog家族中的XACML和语言更具表现力，而且不会影响效率。使用该框架的计算逻辑功能，广泛的复杂策略分析(包括一致性、覆盖范围、观察等效性和变化影响)可以得到简洁的公式，其正确性可以直接验证。SMT求解的使用使我们能够有效地分析具有复杂数值(整数和实数)约束的策略，这是以前的策略分析系统的一个弱点。此外，通过利用底层逻辑框架的可编程性，我们的系统提供了解决冲突和组合策略的非常灵活的方法。具体来说，我们展示了我们的系统包含FIA(细粒度集成代数)，这是最近为集成复杂策略而开发的代数。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.