12,993 research outputs found

    Using Event Calculus to Formalise Policy Specification and Analysis

    As the interest in using policy-based approaches for systems management grows, it is becoming increasingly important to develop methods for performing analysis and refinement of policy specifications. Although this is an area that researchers have devoted some attention to, none of the proposed solutions address the issues of analysing specifications that combine authorisation and management policies; analysing policy specifications that contain constraints on the applicability of the policies; and performing a priori analysis of the specification that will both detect the presence of inconsistencies and explain the situations in which the conflict will occur. We present a method for transforming both policy and system behaviour specifications into a formal notation that is based on event calculus. Additionally it describes how this formalism can be used in conjunction with abductive reasoning techniques to perform a priori analysis of policy specifications for the various conflict types identified in the literature. Finally, it presents some initial thoughts on how this notation and analysis technique could be used to perform policy refinement

    A Distributed Calculus for Role-Based Access Control

    Role-based access control (RBAC) is increasingly attracting attention because it reduces the complexity and cost of security administration by interposing the notion of role in the assignment of permissions to users. In this paper, we present a formal framework relying on an extension of the π calculus to study the behavior of concurrent systems in a RBAC scenario. We define a type system ensuring that the specified policy is respected during computations, and a bisimulation to equate systems. The theory is then applied to three meaningful examples, namely finding the ‘minimal’ policy to run a given system, refining a system to be run under a given policy (whenever possible), and minimizing the number of users in a given system without changing the overall behavior

    On Properties of Policy-Based Specifications

    The advent of large-scale, complex computing systems has dramatically increased the difficulties of securing accesses to systems' resources. To ensure confidentiality and integrity, the exploitation of access control mechanisms has thus become a crucial issue in the design of modern computing systems. Among the different access control approaches proposed in the last decades, the policy-based one permits to capture, by resorting to the concept of attribute, all systems' security-relevant information and to be, at the same time, sufficiently flexible and expressive to represent the other approaches. In this paper, we move a step further to understand the effectiveness of policy-based specifications by studying how they permit to enforce traditional security properties. To support system designers in developing and maintaining policy-based specifications, we formalise also some relevant properties regarding the structure of policies. By means of a case study from the banking domain, we present real instances of such properties and outline an approach towards their automatised verification. Comment: In Proceedings WWV 2015, arXiv:1508.0338

    The State Secrets Privilege and Separation of Powers

    Since September 11, 2001, the Bush administration has repeatedly invoked the state secrets privilege in cases challenging executive conduct in the war on terror, arguing that the very subject matter of these cases must be kept secret to protect national security. The executive's recent assertion of the privilege is unusual, in that it is seeking dismissal, pre-discovery, of all challenges to the legality of specific executive branch programs, rather than asking for limits on discovery in individual cases. This essay contends that the executive's assertion of the privilege is therefore akin to a claim that the courts lack jurisdiction to hear and decide such cases. The executive's recent invocation of the privilege raises a concern that has been largely overlooked thus far - the impact of the privilege on legislative power to assign jurisdiction to the federal courts. The U.S. Constitution grants to Congress, and not the President, near-plenary authority to craft federal jurisdiction. Furthermore, when Congress assigns federal courts to hear cases challenging the legality of executive action, it is enlisting the judiciary as its partner in policing executive conduct. The executive's recent use of the privilege disrupts that constitutional collaboration, leaving the executive potentially unchecked by any branch of government. The Essay then discusses how courts should incorporate the concern for legislative power and executive oversight into its analysis of the state secrets privilege. It concludes by suggesting that courts refuse to dismiss these cases until Congress has indicated a willingness to take back the task of executive oversight that it had delegated to the courts through the original jurisdictional grant

    Ethical Issues in the Representation of Parents in Child Welfare Cases


    Revealing Choices: Using Taxpayer Choice to Target Tax Enforcement

    People pay their taxes for many different reasons. Some choose to game the system, paying only when the cost of noncompliance outweighs its benefits. Others comply out of habit, a sense of duty or reciprocity, a desire to avoid feelings of guilt or shame, and for many other reasons. Our tax enforcement system has ignored this variety of taxpaying motivations for decades. It continues to rely primarily on audits and penalties, at least where information reporting and withholding are impossible. Fines and audits deter those rationally playing the tax compliance game, but are wasteful or even counterproductive when applied to others. The shortcomings of the current one-size-fits-all approach to tax enforcement are well understood. They also appear to be insurmountable. This Article argues that it is possible to design a more tailored regime. The idea is to separate taxpayers based on their taxpaying motivations by creating two different enforcement regimes and inducing taxpayers to choose one when they file their annual returns. With this separation accomplished, the government can target enforcement by matching enforcement policies to taxpayer types. Those who choose to game the system will be deterred by higher penalties in one regime. Everyone else will be induced to comply by cooperative enforcement measures in the other. If successful, separation and targeted enforcement will improve tax compliance without raising its social cost, or keep the level of compliance unchanged while making tax administration more efficient

    Participation Rights and Mechanism Design

    This paper is concerned with the procedural aspects of collective choice and the impact of the parties' participation rights on the optimal mechanism. We find that the mechanism designer generally benefits from the selective engagement of the agents - the exclusion of some agent-types from the choice process. We show that optimization of mechanisms with voluntary participation involves two mutually dependent instruments: the scope of the agents' engagement, and the functional form of the social choice function. The benefits of selective engagement, as well as two optimization methodologies, are illustrated on principal-agent models. We find that the participation constraint is redundant and generally leads to suboptimal mechanisms. Contrary to its general interpretation, this restriction does not reflect the voluntary aspect of the agents' participation. Rather, it gives them an additional entitlement: to force their involvement in the collective choice. We formulate a free-exit constraint that is devoid of incentives and fully accounts for the voluntary aspect of participation. It also leads to an equivalent representation of incentive-compatibility that explicates incentives and specifies the feasibility of a mechanism. Key words: Participation rights, voluntary participation, economics of information, incentives, incentive compatibility, principal-agent model.

    The First Principles of Standing: Privilege, System Justification, and the Predictable Incoherence of Article III

    This Article examines the indeterminacy of standing doctrine by deconstructing recent desegregation, affirmative action, and racial profiling cases. This examination is an attempt to uncover the often unstated meta-principles that guide standing jurisprudence. The Article contends that the inherent indeterminacy of standing law can be understood as reflecting an unstated desire to protect racial and class privilege, which is accomplished through the dogma of individualism, equal opportunity (liberty), and "white innocence." Relying on insights from System Justification Theory, a burgeoning field of social psychology, the Article argues that the seemingly incoherent results in racial standing cases can be understood as unconscious attempts to preserve the status quo. The Article proposes moving "beyond the transcendental nonsense" of standing doctrine and its inevitable replication of economic and racial privilege by completely eliminating all standing limitations to the access of justice