Automated Reasoning about XACML 3.0 Delegation Using Answer Set Programming
Abstract
XACML is an XML-based declarative access control language standardized by OASIS. Its latest version 3.0 has several new features including the concept of delegation for decentralized administration of access control. Though it is important to avoid unintended consequences of ill-designed policies, delegation makes formal analysis of XACML policies highly complicated. In this paper, we present a logic-based approach to XACML 3.0 policy analysis. We formulate XACML 3.0 in Answer Set Programming (ASP) and use ASP solvers to perform automated reasoning about XACML policies. To the best of our knowledge this is the first work that fully captures the XACML delegation model in a formal executable language.
Similar resources
A Cloud-based Resource and Service Sharing Platform for Computer and Network Security Education
1. Automated Reasoning about Web Access Control Policies via Answer Set Programming Gail-Joon Ahn*, Joohyung Lee*, Hongxin Hu and Yunsong Meng Summary: We introduce a logic-based policy management approach for XACML (eXtensible Access Control Markup Language), which has become the de facto standard for specifying and enforcing access control policies for various applications and services in curr...
XACML 3.0 in Answer Set Programming
Abstract We present a systematic technique for transforming XACML 3.0 policies in Answer Set Programming (ASP). We show that the resulting logic program has a unique answer set that directly corresponds to our formalisation of the standard semantics of XACML 3.0 from [9]. We demonstrate how our results make it possible to use off-the-shelf ASP solvers to formally verify properties of access con...
Detecting Incompleteness, Conflicting and Unreachability XACML Policies using Answer Set Programming
Recently, XACML is a popular access control policy language that is used widely in many applications. Policies in XACML are built based on many components over distributed resources. Due to the expressiveness of XACML, it is not trivial for policy administrators to understand the overall effect and consequences of XACML policies they have written. In this paper we show a mechanism and a tool ho...
Reasoning about XACML Policy Descriptions in Answer Set Programming (Preliminary Report)
The advent of emerging technologies such as Web services, service-oriented architecture, and cloud computing has enabled us to perform business services more efficiently and effectively. However, we still suffer from unintended security leakages by unauthorized services while providing more convenient services to Internet users through such a cutting-edge technological growth. Furthermore, desig...
Delegation Constraint Management
The paper addresses the issue of providing access control via delegation and constraint management across multiple security domains. Specifically, this paper proposes a novel Delegation Constraint Management model to manage and enforce delegation constraints across security domains. An algorithm to trace the authority of delegation constraints is introduced as well as an algorithm to form a del...