your policies, but I will reject the clause if I cannot statically verify that the
arguments of those function and relation symbols will be constant by a certain
stage in the evaluation of the clause body.
Cassandra's designers, Becker and Sewell [5], discuss a design option similar
to the one taken by Clarke et al. with SPKI/SDSI, which precomputes
answers to all authorization queries, enabling the results to be cached and
reused to make authorization decisions until new credentials are issued or old
credentials expire or are revoked. They elect not to take this approach because
the policy set is changed every time a role is activated or deactivated.
Instead, Cassandra uses Toman's top-down CLP evaluation algorithm [61]
based on SLG resolution, which focuses computational effort on one query at
a time in the interest of efficiency, as well as using a memoization strategy to
avoid inefficiency and non-termination problems suffered by simpler top-down
methods.
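The contrast between plain top-down evaluation and top-down evaluation with memoization can be seen on a small cyclic policy. The following is an added example, not Cassandra's code and not Toman's algorithm: it is a simplified tabling scheme over plain role-containment credentials (no constraints), and the role names, principals and function names are constructed for illustration.

```python
# Constructed credentials (head role, body): body is a principal, or a
# role "Issuer.name" whose members the head role inherits.
CREDS = [
    ("Tickets.discount", "StateU.student"),
    ("StateU.student", "Registrar.enrolled"),
    ("Registrar.enrolled", "StateU.student"),  # mutual delegation: a cycle
    ("Registrar.enrolled", "alice"),
    ("StateU.student", "bob"),
    ("Payroll.staff", "carol"),                # unrelated to the query below
]

def is_role(term):
    return "." in term

def naive_members(role, creds):
    """Plain top-down evaluation: re-derives every subgoal, loops on cycles."""
    found = set()
    for head, body in creds:
        if head == role:
            found |= naive_members(body, creds) if is_role(body) else {body}
    return found

def tabled_members(role, creds):
    """Top-down evaluation with an answer table, repeated to a fixpoint."""
    table = {}                      # subgoal (role) -> answers found so far

    def solve(goal, seen):
        if goal in seen:            # already visited in this pass:
            return table[goal]      # reuse its tabled answers, do not recurse
        seen.add(goal)
        answers = table.setdefault(goal, set())
        for head, body in creds:
            if head == goal:
                answers |= solve(body, seen) if is_role(body) else {body}
        return answers

    size = -1
    while size != sum(len(a) for a in table.values()):
        size = sum(len(a) for a in table.values())
        solve(role, set())          # another pass until no table grows
    return table[role], table

if __name__ == "__main__":
    members, table = tabled_members("Tickets.discount", CREDS)
    print(sorted(members), sorted(table))
    try:
        naive_members("Tickets.discount", CREDS)
    except RecursionError:
        print("naive evaluation did not terminate on the cyclic policy")
```

The table only ever contains roles reachable from the query, which is the sense in which effort is focused on one query at a time; the repeated passes are needed because an answer reused from a subgoal still in progress may be incomplete.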
Higher-order logic has also been used to specify policies and credentials.
LolliMon [53] is proposed as a typed higher-order linear logic programming
language to specify security statements, which is proven to be more expressive
and efficient than Datalog or Prolog, especially in dealing with integration of
authorization checking and credential retrieval for the certificate chain
discovery problem. The evaluation process combines bottom-up proof search and
top-down proof search. Every evaluation execution starts and ends in the
bottom-up search mode, in which there are switches to and back from top-down mode.
Therefore, although the top-down search is still subject to cyclic dependency
behaviors, termination can be guaranteed by the property of linear logic.
PCA [2] also chooses to use higher-order logic. In order to avoid undecidable
computation, the service requester is required to construct and provide the
proof and the authorizer only needs to check the proof.
4.3 Credential Retrieval Mechanisms
Early trust management systems [10, 9, 18] assume that all credentials
relevant to making a given authorization decision are provided to the system
by the calling application. If no proof of compliance can be found, access is
denied. There is no consideration of the possibility that the credentials to
complete a proof exist, but are simply missing. This may be reasonable for
capability-based systems, like KeyNote, in which credentials are issued for
authorizing access to a specific resource, so clients can be expected to know
what credentials to provide to the application. However, when the credential
requirements of a requested resource are less obvious, the client may not know
what credentials might be needed. For instance, suppose an online ticket sales
service has a special offer for students of universities that are members of
the NCAA (National Collegiate Athletics Association). In this case, a student
might have to present her student ID and a credential issued by the NCAA to
her university. Clearly an ideal system would not require the student to figure
out what credentials to submit and how to find them.