Information Technology Reference
In-Depth Information
•
The fifth axiom defines a notion of authorization conflict: the user requested the
assignment for the second of two contradictory roles:
(
AC5
)
Happens
(
conflictEvent, t
);
Initiates
(
AuthorizeConflict
(
r,r0
),
conflictEvent
,
t
) ←
HoldsAt
(
Authorized
(
u, r0
),
t
) &
Happens
(
AuthorizeRequest
(
r, u
),
t
) &
ContradictoryRoles
(
r,
r0, a, t
) .
4 Conclusions
This paper describes the architecture and implementation of security checker intended
for consistency verification in policy-based security framework. We have
implemented two verification modules: (1) the model checking module implemented
using SPIN; (2) the theorem prover that uses Event Calculus and implemented in Jess
[5]. The example of authorization conflict detection based on event calculus-based
module was presented. In the future evolution of security checker we plan to improve
the possibilities of Event Calculus and model checking modules for detection and
resolution of security policy conflicts.
Acknowledgement
This research is being partly supported by grant of Russian Foundation of Basic
Research (№ 04-01-00167), grant of the Department for Informational Technologies
and Computation Systems of the Russian Academy of Sciences (contract №3.2/03)
and funded by the EC as part of the POSITIF project (contract IST-2002-002314).
References
1.
Basile, C., Lioy, A.: Towards an algebraic approach to solve policy conflicts. Proceedings
of FCS'04 Workshop on Foundations of Computer Security (2004) 331-338.
2.
IETF
Policy
Framework
(policy)
Working
Group.
http://www.ietf.org/html.
charters/policy-charter.html
3.
Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V. S.: Flexible support for multiple
access control policies. ACM Trans. Database Systems, Vol. 26, No.2 (2001) 214-260
4.
Jajodia, S., Samarati, P., Subrahmanian, V.S.: A Logical Language for Expressing
Authorizations. IEEE Symposium on Security and Privacy (1997)
5.
Jess, the Rule Engine for the Java
TM
Platform. http://herzberg.ca.sandia.gov/jess/
index.shtml
6.
Kowalski, R.A., Sergot, M.J.: A Logic-Based Calculus of Events. New Generation
Computing, 4 (1986) 67-95
7.
Lymberopoulos, L., Lupu, E., Sloman. M.: Ponder Policy Implementation and Validation
in a CIM and Differentiated Services Framework. IFIP/IEEE Network Operations and
Management Symposium (NOMS 2004), Seoul, Korea (2004)
8.
OASIS: eXtensible Access Control Markup Language (XACML). http://www.oasis-
open.org/committees/tc_home.php?wg_abbrev=xacml
9.
Ponder: A Policy Language for Distributed Systems Management. Department of
Computing, Imperial College. http://www-dse.doc.ic.ac.uk/Research/policies/ponder.shtml
10.
POSITIF Project leaflet, June 2004. http://www.positif.org/idissemination.html (2004)
