Toward practical authorization-dependent user obligation systems

Proceedings of the 5th International Symposium on Information, Computer and Communications Security, ASIACCS 2010

Volumn , Issue , 2010, Pages 180-191

  Pontual, Murillo ^a   Chowdhury, Omar ^a   Winsborough, William H ^a   Yu, Ting ^b   Irwin, Keith ^c  

^a UNIVERSITY OF TEXAS AT SAN ANTONIO   (United States)

^b NORTH CAROLINA STATE UNIVERSITY   (United States)

^c WINSTON SALEM STATE UNIVERSITY   (United States)

Author keywords

accountability; authorization systems; obligations; policy; RBAC

Indexed keywords

AUTHORIZATION SYSTEMS; PERFORMANCE ANALYSIS; REFERENCE MONITORS; THEORETICAL RESULT;

MODEL STRUCTURES;

EID: 77954470017     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1755688.1755711     Document Type: Conference Paper

References (27)

1. Enterprise privacy authorization language (EPAL) version 1.2, Nov. 2003. http://www.zurich.ibm.com/pri/projects/epal.html.
2. Cadence SMV, 2009. http://www.kenmcmil.com/.
3. Description of the policies used in the experiments, 2009. https://galadriel.cs.utsa.edu/policies/.
4. Technical report : Toward practical authorization-dependent user obligation systems, 2009. http://venom.cs.utsa.edu/dmz/techrep/2009/CS-TR-2009- 011.pdf
5. A. Bandara, J. Lobo, S. Calo, E. Lupu, A. Russo, and M. Sloman. Toward a Formal Characterization of Policy Specification Analysis. In Annual Conference of ITA (ACITA), University of Maryland, USA, September 2007.
6. A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. Privacy and contextual integrity: Framework and applications. Security and Privacy, IEEE Symposium on, 0:184-198, 2006.
7. C. Bettini, S. Jajodia, X. S. Wang, and D. Wijesekera. Provisions and obligations in policy rule management. J. Netw. Syst. Manage., 11(3):351-372, 2003.
8. 20 states and beyond. Inf. Comput, 98(2):142-170, 1992.
9. D. Damianou, N. Dulay, E. Lupu, and M. Sloman. The Ponder Policy Specification Language. In 2nd International Workshop on Policies for Distributed Systems and Networks, Bristol, UK, Jan. 2001. Springer-Verlag.
10. D. J. Dougherty, K. Fisler, and S. Krishnamurthi. Obligations and their interaction with programs. In CESORICS '07: Proceedings of the 12th European Symposium On Research In Computer Security, Dresden, Germany, September 24-26, 2007, Proceedings, pages 375-389, 2007.
11. P. Gama and P. Ferreira. Obligation policies: An enforcement platform. In 6th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 2005), Stockholm, Sweden, June 2005. IEEE Computer Society.
12. Health Resources and Services Administration. Health insurance portability and accountability act, 1996. Public Law 104-191.
13. K. Irwin, T. Yu, and W. H. Winsborough. On the modeling and analysis of obligations. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, pages 134-143, New York, NY, USA, 2006. ACM.
14. K. Irwin, T. Yu, and W. H. Winsborough. Assigning responsibilities for failed obligations. In iTrust '08: IFIPTM Joined iTrust and PST Conference on Privacy, Trust Management and Security, pages 327-342. Springer Boston, 2008.
15. A. J. I. Jones. On the relationship between permission and obligation. In ICAIL '87: Proceedings of the 1st international conference on Artificial intelligence and law, pages 164-169, New York, NY, USA, 1987. ACM.
16. M. J. May, C. A. Gunter, and I. Lee. Privacy APIs: Access control techniques to analyze and verify legal privacy policies. In CSFW '06: Proceedings of the 19th IEEE workshop on Computer Security Foundations, pages 85-97, Washington, DC, USA, 2006. IEEE Computer Society.
17. L. McCarty. Pemissions and obligations. In Proceedings IJCAI-83, 1983.
18. N. H. Minsky and A. D. Lockman. Ensuring integrity by adding obligations to privileges. In ICSE '85: Proceedings of the 8th international conference on Software engineering, pages 92-102, Los Alamitos, CA, USA, 1985. IEEE Computer Society Press.
19. Q. Ni, E. Bertino, and J. Lobo. An obligation model bridging access control policies and privacy policies. In SACMAT 2008: Proceedings of the 13th ACM symposium on Access control models and technologies, pages 133-142, New York, NY, USA, 2008. ACM.
20. Q. Ni, D. Lin, E. Bertino, and J. Lobo. Conditional Privacy-Aware Role Based Access Control. Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 2007.
21. Q. Ni, A. Trombetta, E. Bertino, and J. Lobo. Privacy-aware role based access control. In SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies, pages 41-50, New York, NY, USA, 2007. ACM.
22. R, Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. IEEE Computer, 29(2):38-47, 1996.
23. R. S. Sandhu, V. Bhamidipati, and Q. Munawer. The ARBAC97 model for role-based aministration of roles. ACM Transactions on Information and Systems Security, 2(1):105-135, Feb. 1999.
24. A. Sasturkar, A. Yang, S. D. Stoller, and C. Ramakrishnan. Policy analysis for administrative role based access control, volume 0, pages 124-138, Los Alamitos, CA, USA, 2006. IEEE Computer Society.
25. V. Swarup, L. Seligman, and A. Rosenthal. A data sharing agreement framework. In Information Systems Security, Second International Conference, ICISS 2006, Kolkata, India, December 19-21, 2006, Proceedings, pages 22-36, 2006.
26. A. Uszok, J. Bradshaw, R. Jeffers, N. Suri, P. Hayes, M. Breedy, L. Bunch, M. Johnson, S. Kulkarni, and J. Lott. Kaos policy and domain services: Toward a description-logic approach to policy representation, deconfhction, and enforcement. In POLICY '03: Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, page 93, Washington, DC, USA, 2003. IEEE Computer Society.
27. XACML TC. Oasis extensible access control markup language (xacml). http://www.oasis-open.org/committees/xacml/.