Hoang Nguyen Phuoc Bao,Manuel Clavel

2024-03-27

Abstract:In the context of the model-driven development of data-centric applications, OCL constraints play a major role in adding precision to the source models (e.g., data models and security models). Several code-generators have been proposed to bridge the gap between source models with OCL constraints and their corresponding database implementations. However, the database queries produced by these code-generators are significantly less efficient -- from the point of view of execution-time performance -- than the implementations manually written by database experts. In this paper, we propose a different approach to bridge the gap between models with OCL constraints and their corresponding database implementations. In particular, we introduce a model-based methodology for proving the correctness of manually written SQL implementations of OCL constraints. This methodology is based on a novel mapping from a significant subset of the SQL language into many-sorted first-order logic. Moreover, by leveraging on an already existing mapping from the OCL language into many-sorted first-order logic, we can use SMT solvers to automatically prove the correctness of SQL implementations of OCL constraints. To illustrate and show the applicability of our approach, we include in the paper a number of non-trivial examples. Finally, we report on the status of a suite of tools supporting our approach.

Databases

Guoqiang Zhan,Zude Li,Xiaojun Ye,Jianmin Wang

DOI: https://doi.org/10.1007/11824633_14

2006-01-01

Abstract:Applications require fine-grained access control (FGAC) supported by DBMSs themselves. Though much literature has referred to the FGAC, its key problems still remain open. Thus, we develop a FGAC-QD model based on query decomposition strategy with incorporating two notions of authorization rule and predicate transitive rule. In our model, users' queries are decomposed into a set of one-variable queries (OVQ). For each OVQ, its validity is checked against the corresponding authorization rule; if all the OVQs are valid, the query is inferred to be valid and will be executed without any modification; otherwise the query has illegal access, and will be partially evaluated or rejected directly, according to the feature of applications. Finally, the results of experiments demonstrate the feasibility of FGAC-QD.

Walter V Sujansky,Sam A Faus,Ethan Stone,Patricia Flatley Brennan

DOI: https://doi.org/10.1016/j.jbi.2010.08.001

Abstract:Online personal health records (PHRs) enable patients to access, manage, and share certain of their own health information electronically. This capability creates the need for precise access-controls mechanisms that restrict the sharing of data to that intended by the patient. The authors describe the design and implementation of an access-control mechanism for PHR repositories that is modeled on the eXtensible Access Control Markup Language (XACML) standard, but intended to reduce the cognitive and computational complexity of XACML. The authors implemented the mechanism entirely in a relational database system using ANSI-standard SQL statements. Based on a set of access-control rules encoded as relational table rows, the mechanism determines via a single SQL query whether a user who accesses patient data from a specific application is authorized to perform a requested operation on a specified data object. Testing of this query on a moderately large database has demonstrated execution times consistently below 100ms. The authors include the details of the implementation, including algorithms, examples, and a test database as Supplementary materials.

Xinyu Fan,Faen Zhang,Jianfei Song,Jingming Guo,Fujie Gao

DOI: https://doi.org/10.48550/arXiv.2001.01945

2020-01-07

Abstract:A fine-grained provenance-based access control policy model is proposed in this paper, in order to improve the express performance of existing model. This method employs provenance as conditions to determine whether a piece of data can be accessed because historical operations performed on data could reveal clues about its sensitivity and vulnerability. Particularly, our proposed work provides a four-valued decision set which allows showing status to match a restriction particularly. This framework consists of target policy, access control policy, and policy algebras. With the complete definition and algebra system construction, a practical fine-grained access control policy model is developed.

Cryptography and Security

Donia El Kateb,Tejeddine Mouelhi,Yves Le Traon,JeeHyun Hwang,Tao Xie

DOI: https://doi.org/10.1145/2188286.2188346

2012-01-01

Abstract:ABSTRACTIn order to facilitate managing authorization, access control architectures are designed to separate the business logic from an access control policy. To determine whether a user can access which resources, a request is formulated from a component, called a Policy Enforcement Point (PEP) located in application code. Given a request, a Policy Decision Point (PDP) evaluates the request against an access control policy and returns its access decision (i.e., permit or deny) to the PEP. With the growth of sensitive information for protection in an application, an access control policy consists of a larger number of rules, which often cause a performance bottleneck. To address this issue, we propose to refactor access control policies for performance improvement by splitting a policy (handled by a single PDP) into its corresponding multiple policies with a smaller number of rules (handled by multiple PDPs). We define seven attribute-set-based splitting criteria to facilitate splitting a policy. We have conducted an evaluation on three subjects of real-life Java systems, each of which interacts with access control policies. Our evaluation results show that (1) our approach preserves the initial architectural model in terms of interaction between the business logic and its corresponding rules in a policy, and (2) our approach enables to substantially reduce request evaluation time for most splitting criteria.

Daniela Inclezan

2023-05-23

Abstract:This paper introduces a framework for assisting policy authors in refining and improving their policies. In particular, we focus on authorization and obligation policies that can be encoded in Gelfond and Lobo's AOPL language for policy specification. We propose a framework that detects the statements that make a policy inconsistent, underspecified, or ambiguous with respect to an action being executed in a given state. We also give attention to issues that arise at the intersection of authorization and obligation policies, for instance when the policy requires an unauthorized action to be executed. The framework is encoded in Answer Set Programming. Under consideration for acceptance in TPLP.

Logic in Computer Science,Artificial Intelligence

Andrea Margheri,Massimiliano Masi,Rosario Pugliese,Francesco Tiezzi

DOI: https://doi.org/10.48550/arXiv.1612.09339

2016-12-30

Abstract:Access control systems are widely used means for the protection of computing systems. They are defined in terms of access control policies regulating the accesses to system resources. In this paper, we introduce a formally-defined, fully-implemented framework for specification, analysis and enforcement of attribute-based access control policies. The framework rests on FACPL, a language with a compact, yet expressive, syntax for specification of real-world access control policies and with a rigorously defined denotational semantics. The framework enables the automatic verification of properties regarding both the authorisations enforced by single policies and the relationships among multiple policies. Effectiveness and performance of the analysis rely on a semantic-preserving representation of FACPL policies in terms of SMT formulae and on the use of efficient SMT solvers. Our analysis approach explicitly addresses some crucial aspects of policy evaluation, as e.g. missing attributes, erroneous values and obligations, which are instead overlooked in other proposals. The framework is supported by Java-based tools, among which an Eclipse- based IDE offering a tailored development and analysis environment for FACPL policies and a Java library for policy enforcement. We illustrate the framework and its formal ingredients by means of an e-Health case study, while its effectiveness is assessed by means of performance stress tests and experiments on a well-established benchmark.

Software Engineering

Akkamahadevi Hanni,Andrew Boateng,Yu Zhang

2024-03-30

Abstract:Human expectations arise from their understanding of others and the world. In the context of human-AI interaction, this understanding may not align with reality, leading to the AI agent failing to meet expectations and compromising team performance. Explicable planning, introduced as a method to bridge this gap, aims to reconcile human expectations with the agent's optimal behavior, facilitating interpretable decision-making. However, an unresolved critical issue is ensuring safety in explicable planning, as it could result in explicable behaviors that are unsafe. To address this, we propose Safe Explicable Planning (SEP), which extends the prior work to support the specification of a safety bound. The goal of SEP is to find behaviors that align with human expectations while adhering to the specified safety criterion. Our approach generalizes the consideration of multiple objectives stemming from multiple models rather than a single model, yielding a Pareto set of safe explicable policies. We present both an exact method, guaranteeing finding the Pareto set, and a more efficient greedy method that finds one of the policies in the Pareto set. Additionally, we offer approximate solutions based on state aggregation to improve scalability. We provide formal proofs that validate the desired theoretical properties of these methods. Evaluation through simulations and physical robot experiments confirms the effectiveness of our approach for safe explicable planning.

Robotics,Artificial Intelligence

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.18293/seke2015-37

2015-01-01

Abstract:One primary challenge of applying access control methods in cloud computing is to ensure data security while supporting access efficiency, particularly when adopting multiple access control policies.Many existing works attempt to propose suitable frameworks and schemes to solve the problems, however, these proposals only satisfy specified use cases.In this paper, we take XACML as the policy language and build up a logical model.Based on this, we introduce the fine-grained data fragment algorithm to optimize the policies, whose resource property represents physical meaningful data blocks.Data are organized in a tree structure, where each leaf node represents a minimal physical meaningful data block, and internal nodes are combined data types.This method can eliminate conflicts and redundancies among rules and policies, thus to refine the policy set and achieve fine-grained access control.Our approach can also be applied to processing multi-types of data, and experiments are carried out to show the improvements of efficiencies.

Yan-nong Huang,Ming-chien Shan

DOI: https://doi.org/10.1007/3-540-48738-7_32

1999-01-01

Abstract:This paper proposes a new method to handle policies in Resource Management of Workflow Systems. Three types of policies are studied including qualification, requirement and substitution policies. The first two types of policies map an activity specification into constraints on resources that are qualified to carry out the activity. The third type of policies intends to suggest alternatives in cases where requested resources are not available. An SQL-like language is used to specify policies. Policy enforcement is realized through a query rewriting based on relevant policies. A novel approach is investigated for effective management of large policy bases, which consists of relational representation of policies and efficient retrieval of relevant policies for a given resource query.

Abhishek Bichhawat,Matt Fredrikson,Jean Yang,Akash Trehan

DOI: https://doi.org/10.1145/3320269.3384759

2020-03-14

Abstract:Database-backed applications rely on inlined policy checks to process users' private and confidential data in a policy-compliant manner as traditional database access control mechanisms cannot enforce complex policies. However, application bugs due to missed checks are common in such applications, which result in data breaches. While separating policy from code is a natural solution, many data protection policies specify restrictions based on the context in which data is accessed and how the data is used. Enforcing these restrictions automatically presents significant challenges, as the information needed to determine context requires a tight coupling between policy enforcement and an application's implementation. We present Estrela, a framework for enforcing contextual and granular data access policies. Working from the observation that API endpoints can be associated with salient contextual information in most database-backed applications, Estrela allows developers to specify API-specific restrictions on data access and use. Estrela provides a clean separation between policy specification and the application's implementation, which facilitates easier auditing and maintenance of policies. Policies in Estrela consist of pre-evaluation and post-evaluation conditions, which provide the means to modulate database access before a query is issued, and to impose finer-grained constraints on information release after the evaluation of query, respectively. We build a prototype of Estrela and apply it to retrofit several real world applications (from 1000-80k LOC) to enforce different contextual policies. Our evaluation shows that Estrela can enforce policies with minimal overheads.

Cryptography and Security

Aya Mohamed,Dagmar Auer,Daniel Hofer,Josef Küng

2023-06-22

Abstract:The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account such as vertices and edges along the path between a given subject and resource. In previous iterations of our research, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case and give an outlook on performance.

Cryptography and Security

Jason Crampton,Charles Morisset

DOI: https://doi.org/10.48550/arXiv.1204.2342

2014-07-31

Abstract:There have been many proposals for access control models and authorization policy languages, which are used to inform the design of access control systems. Most, if not all, of these proposals impose restrictions on the implementation of access control systems, thereby limiting the type of authorization requests that can be processed or the structure of the authorization policies that can be specified. In this paper, we develop a formal characterization of the features of an access control model that imposes few restrictions of this nature. Our characterization is intended to be a generic framework for access control, from which we may derive access control models and reason about the properties of those models. In this paper, we consider the properties of monotonicity and completeness, the first being particularly important for attribute-based access control systems. XACML, an XML-based language and architecture for attribute-based access control, is neither monotonic nor complete. Using our framework, we define attribute-based access control models, in the style of XACML, that are, respectively, monotonic and complete.

Cryptography and Security,Logic in Computer Science

Carlos Olarte,Elaine Pimentel,Camilo Rueda

DOI: https://doi.org/10.48550/arXiv.1802.04695

2018-02-14

Abstract:A recent trend in object oriented (OO) programming languages is the use of Access Permissions (APs) as an abstraction for controlling concurrent executions of programs. The use of AP source code annotations defines a protocol specifying how object references can access the mutable state of objects. Although the use of APs simplifies the task of writing concurrent code, an unsystematic use of them can lead to subtle problems. This paper presents a declarative interpretation of APs as Linear Concurrent Constraint Programs (lcc). We represent APs as constraints (i.e., formulas in logic) in an underlying constraint system whose entailment relation models the transformation rules of APs. Moreover, we use processes in lcc to model the dependencies imposed by APs, thus allowing the faithful representation of their flow in the program. We verify relevant properties about AP programs by taking advantage of the interpretation of lcc processes as formulas in Girard's intuitionistic linear logic (ILL). Properties include deadlock detection, program correctness (whether programs adhere to their AP specifications or not), and the ability of methods to run concurrently. By relying on a focusing discipline for ILL, we provide a complexity measure for proofs of the above mentioned properties. The effectiveness of our verification techniques is demonstrated by implementing the Alcove tool that includes an animator and a verifier. The former executes the lcc model, observing the flow of APs and quickly finding inconsistencies of the APs vis-a-vis the implementation. The latter is an automatic theorem prover based on ILL. This paper is under consideration for publication in Theory and Practice of Logic Programming (TPLP).

Logic in Computer Science

Pranav Subramaniam,Sanjay Krishnan

2024-08-06

Abstract:In every enterprise database, administrators must define an access control policy that specifies which users have access to which assets. Access control straddles two worlds: policy (organization-level principles that define who should have access) and process (database-level primitives that actually implement the policy). Assessing and enforcing process compliance with a policy is a manual and ad-hoc task. This paper introduces a new paradigm for access control called Intent-Based Access Control for Databases (IBAC-DB). In IBAC-DB, access control policies are expressed more precisely using a novel format, the natural language access control matrix (NLACM). Database access control primitives are synthesized automatically from these NLACMs. These primitives can be used to generate new DB configurations and/or evaluate existing ones. This paper presents a reference architecture for an IBAC-DB interface, an initial implementation for PostgreSQL (which we call LLM4AC), and initial benchmarks that evaluate the accuracy and scope of such a system. We further describe how to extend LLM4AC to handle other types of database deployment requirements, including temporal constraints and role hierarchies. We propose RHieSys, a requirement-specific method of extending LLM4AC, and DePLOI, a generalized method of extending LLM4AC. We find that our chosen implementation, LLM4AC, vastly outperforms other baselines, achieving high accuracies and F1 scores on our initial Dr. Spider benchmark. On all systems, we find overall high performance on expanded benchmarks, which include state-of-the-art NL2SQL data requiring external knowledge, and real-world role hierarchies from the Amazon Access dataset.

Databases,Cryptography and Security

Michael Gimelfarb,Ayal Taitler,Scott Sanner

2024-01-20

Abstract:We propose Constraint-Generation Policy Optimization (CGPO) for optimizing policy parameters within compact and interpretable policy classes for mixed discrete-continuous Markov Decision Processes (DC-MDPs). CGPO is not only able to provide bounded policy error guarantees over an infinite range of initial states for many DC-MDPs with expressive nonlinear dynamics, but it can also provably derive optimal policies in cases where it terminates with zero error. Furthermore, CGPO can generate worst-case state trajectories to diagnose policy deficiencies and provide counterfactual explanations of optimal actions. To achieve such results, CGPO proposes a bi-level mixed-integer nonlinear optimization framework for optimizing policies within defined expressivity classes (i.e. piecewise (non)-linear) and reduces it to an optimal constraint generation methodology that adversarially generates worst-case state trajectories. Furthermore, leveraging modern nonlinear optimizers, CGPO can obtain solutions with bounded optimality gap guarantees. We handle stochastic transitions through explicit marginalization (where applicable) or chance-constraints, providing high-probability policy performance guarantees. We also present a road-map for understanding the computational complexities associated with different expressivity classes of policy, reward, and transition dynamics. We experimentally demonstrate the applicability of CGPO in diverse domains, including inventory control, management of a system of water reservoirs, and physics control. In summary, we provide a solution for deriving structured, compact, and explainable policies with bounded performance guarantees, enabling worst-case scenario generation and counterfactual policy diagnostics.

Optimization and Control,Machine Learning,Robotics,Symbolic Computation,Systems and Control

Hui Song,Xiaodong Zhang,Nicolas Ferry,Franck Chauvel,Arnor Solberg,Gang Huang

DOI: https://doi.org/10.1007/978-3-319-11653-2_17

2014-01-01

Abstract:In order to develop appropriate adaptation policies for self-adaptive systems, developers usually have to accomplish two main tasks: (i) identify the application-level constraints that regulate the desired system states for the various contexts, and (ii) figure out how to transform the system to satisfy these constraints. The second task is challenging because typically there is complex interaction among constraints, and a significant gap between application domain expertice and state transition expertice. In this paper, we present a model-driven approach that relieves developers from this second task, allowing them to directly write domain-specific constraints as adaptation policies. We provide a language to model both the domain concepts and the application-level constraints. Our runtime engine transforms the model into a Satisfiability Modulo Theory problem, optimises it by pre-processing on the current system state at runtime, and computes required modifications according to the specified constraints using constraints solving. We evaluate the approach addressing a virtual machine placement problem in cloud computing.

Wen Zhang,Dev Bali,Jamison Kerney,Aurojit Panda,Scott Shenker

2024-11-18

Abstract:To safeguard sensitive user data, web developers typically rely on an implicit access-control policies, which they implement using access checks and query filters. This ad-hoc approach is error-prone, as these scattered checks and filters are easy to misplace or misspecify; and the lack of an explicit policy precludes external access-control enforcement. More critically, it is difficult to divine what policy is embedded in application code and what data the application may access -- an issue that worsens as development teams evolve. This paper tackles policy extraction: the task of extracting the access-control policy embedded in an application by summarizing its data queries. An extracted policy, once vetted for errors, can stand alone as a specification for the application's data access, and can be enforced to ensure compliance as code changes over time. We introduce Ote, a policy extractor for Ruby-on-Rails web applications. Ote uses concolic execution to explore execution paths through the application, generating traces of SQL queries and conditions that trigger them. It then merges and simplifies these traces into a final policy that aligns with the observed behaviors. We applied Ote to three real-world applications and compare extracted policies to handwritten ones, revealing several errors in the latter.

Software Engineering

Jason Crampton,James Sellwood

DOI: https://doi.org/10.48550/arXiv.1505.07945

2015-09-19

Abstract:Recent work on relationship-based access control has begun to show how it can be applied to general computing systems, as opposed to simply being employed for social networking applications. The use of relationships to determine authorization policies enables more powerful policies to be defined than those based solely on the commonly used concept of role membership. The relationships, paths and principal matching (RPPM) model described here is a formal access control model using relationships and a two-stage request evaluation process. We make use of path conditions, which are similar to regular expressions, to define policies. We then employ non-deterministic finite automata to determine which policies are applicable to a request. The power and robustness of the RPPM model allows us to include contextual information in the authorization process (through the inclusion of logical entities) and allows us to support desirable policy foundations such as separation of duty and Chinese Wall. Additionally, the RPPM model naturally supports a caching mechanism which has significant impact on request evaluation performance.

Cryptography and Security

JeeHyun Hwang,Tao Xie,Vincent Hu,Mine Altunay

DOI: https://doi.org/10.1007/978-3-642-13739-6_13

2010-01-01

Abstract:Access control mechanisms are used to control which principals (such as users or processes) have access to which resources based on access control policies. To ensure the correctness of access control policies, policy authors conduct policy verification to check whether certain properties are satisfied by a policy. However, these properties are often not written in practice. To facilitate property verification, we present an approach that automatically mines likely properties from a policy via the technique of association rule mining. In our approach, mined likely properties may not be true for all the policy behaviors but are true for most of the policy behaviors. The policy behaviors that do not satisfy likely properties could be faulty. Therefore, our approach then conducts likely-property verification to produce counterexamples, which are used to help policy authors identify faulty rules in the policy. To show the effectiveness of our approach, we conduct evaluation on four XACML policies. Our evaluation results show that our approach achieves more than 30% higher fault-detection capability than that of an existing approach. Our approach includes additional techniques such as basic and prioritization techniques that help reduce a significant percentage of counterexamples for inspection compared to the existing approach.