Abstract
Separation-of-Duty (SoD) policy is a fundamental security principle for preventing fraud and errors in computer security. Static SoD (SSoD) policy has not yet been explored in the recently presented usage control (UCON) model. Consequently, this paper attempts to address two important issues: the specification and the enforcement of SSoD in UCON. We give a set-based specification scheme, which is simpler and more general than existing approaches. For enforcement, we study the problem of determining whether an SSoD policy is enforceable, and show that directly enforcing an SSoD policy is a coNP-complete problem. For indirect enforcement, we generate the least restrictive static mutually exclusive attribute (SMEA) constraints to enforce SSoD policies, using the attribute-level SSoD requirement as an intermediate step. The results are fundamental to understanding the effectiveness of using constraints to enforce SSoD policies in UCON.
This work is supported by the National Natural Science Foundation of China under Grants 60873225, 60773191 and 60403027, and the National High Technology Research and Development Program of China under Grant 2007AA01Z403.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lu, J., Li, R., Lu, Z., Hu, J., Ma, X. (2009). Specification and Enforcement of Static Separation-of-Duty Policies in Usage Control. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_32
DOI: https://doi.org/10.1007/978-3-642-04474-8_32
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04473-1
Online ISBN: 978-3-642-04474-8
eBook Packages: Computer Science, Computer Science (R0)