Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis

  • Glenn Bruns, Michael Huth
  • Published 23 June 2008
  • Computer Science
  • 2008 21st IEEE Computer Security Foundations Symposium
It is difficult to develop and manage large, multi-author access control policies without a means to compose larger policies from smaller ones. Ideally, an access-control policy language will have a small set of simple policy combinators that allow for all desired policy compositions. In \cite{BH07}, a policy language was presented having policy combinators based on Belnap logic, a four-valued logic in which truth values correspond to policy results of "grant", "deny", "conflict", and… 

PTaCL: A Language for Attribute-Based Access Control in Open Systems
This paper decomposes the problem of policy specification into two distinct sub-languages: the policy target language (PTL) for target specification; and the policy composition language (PCL) for building more complex policies from existing ones, and defines syntax and semantics for two such languages and demonstrates that they can be both simple and expressive.
Multi-Decision Policy and Policy Combinator Specifications
The goals of this thesis are to provide a unified extension to the semantics for policies and policy combination, to cleanly support decision conflict resolution mechanisms in a general way within those semantics, and to provide insight into the properties of policy combination and decision conflict resolution for multi-decision policies in general.
TBA: A Hybrid of Logic and Extensional Access Control Systems
This paper formally studies a hybrid approach, tag-based authorization (TBA), which combines the ease of use of extensional systems while still maintaining a meaningful degree of the expressiveness of logical systems.
Globally reasoning about localised security policies in distributed systems
This report identifies how a Labelled Transition System (LTS) can be induced for every particular system, and how this LTS is indeed obtained, and proposes an alternative way of model checking the not-yet-induced LTS, by using the system design directly.
D-algebra for composing access control policy decisions
This paper proposes a D-algebra to compose decisions from multiple access control policies, namely the analysis of policy languages decision mechanisms, and the development of tools for policy authoring and enforcement.
An Authorization Framework Resilient to Policy Evaluation Failures
This work defines syntax and semantics for an XACML-like policy language that uses simple binary operators to combine sub-policy decisions and identifies a number of strategies for optimizing policy evaluation and policy representation.
Logic-Based Program Synthesis and Transformation
  • E. Albert
  • Computer Science
    Lecture Notes in Computer Science
  • 2012
Search combinators is introduced, a lightweight and solver-independent method that bridges the gap between a conceptually simple modeling language for search and an efficient implementation (low-level, imperative and highly non-modular).
An Algebraic Model to Analyze Role-Based Access Control Policies
  • K. Sabri
  • Computer Science
    Modern Applied Science
  • 2018
An algebraic model for specifying and analyzing RBAC policies that enables us to specify policies and verify the satisfaction of predefined authorization constraints and a prototype tool used for facilitating the analysis is presented.
Aggregation Policies for Tuple Spaces
The development of a policy language to transparently incorporate aggregate programming and privacy models for distributed data, designed to accommodate well-known models such as k-anonymity and \((\varepsilon ,\delta )\)-differential privacy, is presented.


A simple and expressive semantic framework for policy composition in access control
This work defines an access control policy as a four-valued predicate that maps accesses to either grant, deny, conflict, or unspecified, and proposes a basic query language that can reduce important analyses to checks of policy refinement.
An algebra for composing access control policies
An algebra of security policies together with its formal semantics is proposed and how to formulate complex policies in the algebra is illustrated, which provides the basis for the implementation of the algebra.
Defeasible security policy composition for web services
The concept of defeasible policy composition is explored, wherein policies are represented in defeasible logic and composition is based on rules for non-monotonic inference, which enables policy writers to assert rules tentatively and provides a practical system that is efficiently automated by computers.
A model-based approach to integrating security policies for embedded devices
This paper shows how a framework based on a concise formal model lets us securely customize a payment card equipped with a programmable chip using policy automata, a formal model of computations that grant or deny access to a resource.
Authorizations in Distributed Systems: A New Approach
This work proposes a logical approach to representing and evaluating authorization, and introduces a language for specifying policy bases that encodes a set of authorization requirements and is given a precise semantics based upon a formal notion of authorization policy.
The Value of the Four Values
Graph-Based Algorithms for Boolean Function Manipulation
  • R. Bryant
  • Computer Science
    IEEE Transactions on Computers
  • 1986
Experimental results from applying a new data structure for representing Boolean functions and an associated set of manipulation algorithms to problems in logic design verification demonstrate the practicality of this approach.
Bilattices Are Nice Things
One approach to the paradoxes of self-referential languages is to allow some sentences to lack a truth value (or to have more than one). Then assigning truth values where possible becomes a fixpoint
A Useful Four-Valued Logic
It is argued that a sophisticated question-answering machine that has the capability of making inferences from its data base should employ a certain four-valued logic, the motivating consideration
Multivalued logics: a uniform approach to reasoning in artificial intelligence
This paper describes a uniform formalization of much of the current work in artificial intelligence on inference systems. We show that many of these systems, including first‐order theorem provers,