Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control. / Crampton, Jason; Williams, Conrad.
7th ACM Conference on Data and Application Security and Privacy. ACM Press, 2017. p. 47-58.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control. / Crampton, Jason; Williams, Conrad.
7th ACM Conference on Data and Application Security and Privacy. ACM Press, 2017. p. 47-58.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
}
TY - GEN
T1 - Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control
AU - Crampton, Jason
AU - Williams, Conrad
PY - 2017/3/22
Y1 - 2017/3/22
N2 - The study of canonically complete attribute-based access control (ABAC) languages is relatively new. A canonically complete language is useful as it is functionally complete and provides a “normal form” for policies. However, previous work on canonically complete ABAC languages requires that the set of authorization decisions is totally ordered, which does not accurately reflect the intuition behind the use of the allow, deny and not-applicable decisions in access control. A number of recent ABAC languages use a fourth value and the set of authorization decisions is partially ordered. In this paper, we show how canonical completeness in multi-valued logics can be extended to the case where the set of truth values forms a lattice. This enables us to investigate the canonical completeness of logics having a partially ordered set of truth values, such as Belnap logic, and show that ABAC languages based on Belnap logic, such as PBel, are not canonically complete. We then construct a canonically complete four-valued logic using connections between the generators of the symmetric group (defined over the set of decisions) and unary operators operators in a canonically suitable logic. Finally, we propose a new authorization language PTaCL$^{\leqslant}_{4}$, an extension of PTaCL, which incorporates a lattice-ordered decision set and is canonically complete. We then discuss how the advantages of PTaCL$^{\leqslant}_{4}$ can be leveraged within the framework of XACML.
AB - The study of canonically complete attribute-based access control (ABAC) languages is relatively new. A canonically complete language is useful as it is functionally complete and provides a “normal form” for policies. However, previous work on canonically complete ABAC languages requires that the set of authorization decisions is totally ordered, which does not accurately reflect the intuition behind the use of the allow, deny and not-applicable decisions in access control. A number of recent ABAC languages use a fourth value and the set of authorization decisions is partially ordered. In this paper, we show how canonical completeness in multi-valued logics can be extended to the case where the set of truth values forms a lattice. This enables us to investigate the canonical completeness of logics having a partially ordered set of truth values, such as Belnap logic, and show that ABAC languages based on Belnap logic, such as PBel, are not canonically complete. We then construct a canonically complete four-valued logic using connections between the generators of the symmetric group (defined over the set of decisions) and unary operators operators in a canonically suitable logic. Finally, we propose a new authorization language PTaCL$^{\leqslant}_{4}$, an extension of PTaCL, which incorporates a lattice-ordered decision set and is canonically complete. We then discuss how the advantages of PTaCL$^{\leqslant}_{4}$ can be leveraged within the framework of XACML.
U2 - 10.1145/3029806.3029808
DO - 10.1145/3029806.3029808
M3 - Conference contribution
SP - 47
EP - 58
BT - 7th ACM Conference on Data and Application Security and Privacy
PB - ACM Press
ER -