43 research outputs found
Automated Certification of Authorisation Policy Resistance
Attribute-based Access Control (ABAC) extends traditional Access Control by
considering an access request as a set of pairs attribute name-value, making it
particularly useful in the context of open and distributed systems, where
security relevant information can be collected from different sources. However,
ABAC enables attribute hiding attacks, allowing an attacker to gain some access
by withholding information. In this paper, we first introduce the notion of
policy resistance to attribute hiding attacks. We then propose the tool ATRAP
(Automatic Term Rewriting for Authorisation Policies), based on the recent
formal ABAC language PTaCL, which first automatically searches for resistance
counter-examples using Maude, and then automatically searches for an Isabelle
proof of resistance. We illustrate our approach with two simple examples of
policies and propose an evaluation of ATRAP performances.Comment: 20 pages, 4 figures, version including proofs of the paper that will
be presented at ESORICS 201
Time and Location Based Services with Access Control
Abstract—We propose an access control model that extends RBAC (Role-Based Access Control) to take time and location into account, and use term rewriting systems to specify access control policies in this model. We discuss implementation techniques for rewrite-based policy specifications, and the integration of these policies in web applications. The declarative nature of the model facilitates the analysis of policies and the evaluation of access requests: we present two case-studies. I
A rewriting calculus for cyclic higher-order term graphs
TERMGRAPH'04, M. Fernández, eds., Elsevie
A rewriting calculus for cyclic higher-order term graphs
The graph rewriting calculus is an extension of the rho-calculus, handling graph like structures rather than simple terms. The calculus over terms is naturally generalized by using unication constraints in addition to the standard rho-calculus matching constraints. The transformations are performed by explicit application of rewrite rules as first class entities. The possibility of expressing sharing and cycles allows one to represent and compute over regular infinite entities.
We propose in this paper a reduction strategy for the graph rewriting calculus which aims at maintaining the sharing information as long as possible in the terms. The corresponding reduction relation is shown to be con uent and complete w.r.t. the small-step semantics of the graph rewriting calculus