Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control. / Crampton, Jason; Williams, Conrad.

7th ACM Conference on Data and Application Security and Privacy. ACM Press, 2017. p. 47-58.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

E-pub ahead of print

Harvard

Crampton, J & Williams, C 2017, Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control. in 7th ACM Conference on Data and Application Security and Privacy. ACM Press, pp. 47-58. https://doi.org/10.1145/3029806.3029808

APA

Crampton, J., & Williams, C. (2017). Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control. In 7th ACM Conference on Data and Application Security and Privacy (pp. 47-58). ACM Press. https://doi.org/10.1145/3029806.3029808

Vancouver

Crampton J, Williams C. Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control. In 7th ACM Conference on Data and Application Security and Privacy. ACM Press. 2017. p. 47-58 https://doi.org/10.1145/3029806.3029808

Author

Crampton, Jason ; Williams, Conrad. / Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control. 7th ACM Conference on Data and Application Security and Privacy. ACM Press, 2017. pp. 47-58

BibTeX

@inproceedings{da86b8e32e5347d4a309f1ccd7c85491,
title = "Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control",
abstract = "The study of canonically complete attribute-based access control (ABAC) languages is relatively new. A canonically complete language is useful as it is functionally complete and provides a “normal form” for policies. However, previous work on canonically complete ABAC languages requires that the set of authorization decisions is totally ordered, which does not accurately reflect the intuition behind the use of the allow, deny and not-applicable decisions in access control. A number of recent ABAC languages use a fourth value and the set of authorization decisions is partially ordered. In this paper, we show how canonical completeness in multi-valued logics can be extended to the case where the set of truth values forms a lattice. This enables us to investigate the canonical completeness of logics having a partially ordered set of truth values, such as Belnap logic, and show that ABAC languages based on Belnap logic, such as PBel, are not canonically complete. We then construct a canonically complete four-valued logic using connections between the generators of the symmetric group (defined over the set of decisions) and unary operators in a canonically suitable logic. Finally, we propose a new authorization language PTaCL$^{\leqslant}_{4}$, an extension of PTaCL, which incorporates a lattice-ordered decision set and is canonically complete. We then discuss how the advantages of PTaCL$^{\leqslant}_{4}$ can be leveraged within the framework of XACML.",
author = "Jason Crampton and Conrad Williams",
year = "2017",
month = "3",
day = "22",
doi = "10.1145/3029806.3029808",
language = "English",
pages = "47--58",
booktitle = "7th ACM Conference on Data and Application Security and Privacy",
publisher = "ACM Press",

}

RIS

TY - GEN

T1 - Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control

AU - Crampton, Jason

AU - Williams, Conrad

PY - 2017/3/22

Y1 - 2017/3/22

N2 - The study of canonically complete attribute-based access control (ABAC) languages is relatively new. A canonically complete language is useful as it is functionally complete and provides a “normal form” for policies. However, previous work on canonically complete ABAC languages requires that the set of authorization decisions is totally ordered, which does not accurately reflect the intuition behind the use of the allow, deny and not-applicable decisions in access control. A number of recent ABAC languages use a fourth value and the set of authorization decisions is partially ordered. In this paper, we show how canonical completeness in multi-valued logics can be extended to the case where the set of truth values forms a lattice. This enables us to investigate the canonical completeness of logics having a partially ordered set of truth values, such as Belnap logic, and show that ABAC languages based on Belnap logic, such as PBel, are not canonically complete. We then construct a canonically complete four-valued logic using connections between the generators of the symmetric group (defined over the set of decisions) and unary operators in a canonically suitable logic. Finally, we propose a new authorization language PTaCL$^{\leqslant}_{4}$, an extension of PTaCL, which incorporates a lattice-ordered decision set and is canonically complete. We then discuss how the advantages of PTaCL$^{\leqslant}_{4}$ can be leveraged within the framework of XACML.

AB - The study of canonically complete attribute-based access control (ABAC) languages is relatively new. A canonically complete language is useful as it is functionally complete and provides a “normal form” for policies. However, previous work on canonically complete ABAC languages requires that the set of authorization decisions is totally ordered, which does not accurately reflect the intuition behind the use of the allow, deny and not-applicable decisions in access control. A number of recent ABAC languages use a fourth value and the set of authorization decisions is partially ordered. In this paper, we show how canonical completeness in multi-valued logics can be extended to the case where the set of truth values forms a lattice. This enables us to investigate the canonical completeness of logics having a partially ordered set of truth values, such as Belnap logic, and show that ABAC languages based on Belnap logic, such as PBel, are not canonically complete. We then construct a canonically complete four-valued logic using connections between the generators of the symmetric group (defined over the set of decisions) and unary operators in a canonically suitable logic. Finally, we propose a new authorization language PTaCL$^{\leqslant}_{4}$, an extension of PTaCL, which incorporates a lattice-ordered decision set and is canonically complete. We then discuss how the advantages of PTaCL$^{\leqslant}_{4}$ can be leveraged within the framework of XACML.

U2 - 10.1145/3029806.3029808

DO - 10.1145/3029806.3029808

M3 - Conference contribution

SP - 47

EP - 58

BT - 7th ACM Conference on Data and Application Security and Privacy

PB - ACM Press

ER -