A Logic for Reasoning About Time-Dependent Access Control Policies
Abstract
Allowing access to resources, including data and hardware, without compromising their security is a fundamental challenge in computer science. Because of the number and complexity of authorization policies in access control systems, it is clear that ad hoc methods for specifying and enforcing policies cannot inspire a high degree of trust. Authorization logics have been proposed as a theoretically sound alternative. However, for an authorization logic to be useful in practice, it should be able to model most, if not all, naturally occurring policy features. One common feature is the time-dependency of authorizations. For example, a user may only be permitted to access a given resource on workdays. Surprisingly, of the numerous proposals for access control logics, we know of no logic that incorporates time internally. In an attempt to fill this void, this thesis develops a logic with explicit time that permits reasoning about complex, yet natural, time-dependent authorizations. The logic is then extended to account for authorizations that may be used only once. A careful study of the meta-theory of both logics is conducted, and the logics? rich expressive power is demonstrated through several examples. Finally, a proof checker for the latter logic is formalized and discussed.
Document Details
- Document Type
- Technical Report
- Publication Date
- May 20, 2008
- Accession Number
- ADA486202
Entities
People
- Henry Deyoung
Organizations
- Carnegie Mellon University