topic.security_policy.bib

@comment{{This file has been generated by bib2bib 1.99}}
@comment{{Command line: bibtex2html-1.99-with-magiclink/bib2bib -c topic:"security_policy" -ob topic.security_policy.bib sewellbib2.bib}}
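@comment{BS04a -- Becker and Sewell, POLICY 2004 (the Cassandra policy language).
  Field notes: topic is the selector that bib2bib filtered on when this file was
  generated (see the command line above); conf, pdf and ps are non-standard label
  and link fields, presumably consumed by the bibtex2html magiclink setup --
  confirm against the site build. Fields named opt* follow the Emacs bibtex-mode
  convention for unfilled optional fields; BibTeX ignores unknown field names, so
  they render nothing. The empty note was moved to optnote so validators do not
  flag an empty field. url repeats doi through the canonical resolver and is kept
  because bibtex2html presumably links on url. Page numbers are not recorded here.}
@inproceedings{BS04a,
  author          = {Becker, Moritz Y. and Sewell, Peter},
  title           = {Cassandra: Distributed Access Control Policies with Tunable Expressiveness},
  optcrossref     = {},
  optkey          = {},
  conf            = {POLICY 2004},
  booktitle       = {Proceedings of the 5th IEEE International Workshop on Policies for Distributed Systems and Networks (Yorktown Heights)},
  optpages        = {},
  year            = {2004},
  opteditor       = {},
  optvolume       = {},
  optnumber       = {},
  optseries       = {},
  optaddress      = {},
  month           = jun,
  optorganization = {},
  optpublisher    = {},
  optannote       = {},
  optnote         = {},
  url             = {https://doi.org/10.1109/POLICY.2004.1309162},
  doi             = {10.1109/POLICY.2004.1309162},
  pdf             = {http://www.cl.cam.ac.uk/users/pes20/policy-policy04.pdf},
  abstract        = {We study the specification of access control policy in
    large-scale distributed systems. Our work on real-world policies has shown
    that standard policy idioms such as role hierarchy or role delegation occur
    in practice in many subtle variants. A policy specification language should
    therefore be able to express this variety of features smoothly, rather than
    add them as specific features in an ad hoc way, as is the case in many
    existing languages. We present Cassandra, a role-based trust management
    system with an elegant and readable policy specification language based on
    Datalog with constraints. The expressiveness (and computational complexity)
    of the language can be adjusted by choosing an appropriate constraint
    domain. With just five special predicates, we can easily express a wide
    range of policies including role hierarchy, role delegation, separation of
    duties, cascading revocation, automatic credential discovery and trust
    negotiation. Cassandra has a formal semantics for query evaluation and for
    the access control enforcement engine. We use a goal-oriented distributed
    policy evaluation algorithm that is efficient and guarantees termination.
    Initial performance results for our prototype implementation have been
    promising.},
  topic           = {security_policy}
}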
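@comment{BS04b -- Becker and Sewell, CSFW 2004 (Cassandra applied to a national
  Electronic Health Record policy). Field notes: topic is the selector that
  bib2bib filtered on when this file was generated (see the command line above);
  conf, pdf and ps are non-standard label and link fields, presumably consumed by
  the bibtex2html magiclink setup -- confirm against the site build. Fields named
  opt* follow the Emacs bibtex-mode convention for unfilled or disabled optional
  fields; BibTeX ignores unknown field names, so optnote is not rendered even
  though it carries the tech-report pointers. url now resolves the recorded DOI
  through the canonical https resolver; the previous value used the legacy
  doi.ieeecomputersociety.org host over plain http. The abstract was copied from
  the PDF, so words that had been joined or hyphenated at line breaks
  (procurement exercise, that is, constraint-compact, performance) are restored.}
@inproceedings{BS04b,
  author          = {Becker, Moritz Y. and Sewell, Peter},
  title           = {Cassandra: Flexible Trust Management, Applied to Electronic Health Records},
  optcrossref     = {},
  optkey          = {},
  conf            = {CSFW 2004},
  booktitle       = {Proceedings of the 17th IEEE Computer Security Foundations Workshop (Asilomar)},
  pages           = {139--154},
  year            = {2004},
  opteditor       = {},
  optvolume       = {},
  optnumber       = {},
  optseries       = {},
  optaddress      = {},
  month           = jun,
  optorganization = {},
  optpublisher    = {},
  optnote         = {For more details, including the complete example policy, see \url{http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-628.html} and Moritz Becker's PhD Thesis at \url{http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-648.html}.},
  optannote       = {},
  url             = {https://doi.org/10.1109/CSFW.2004.7},
  doi             = {10.1109/CSFW.2004.7},
  pdf             = {http://www.cl.cam.ac.uk/users/pes20/policy-csfw04.pdf},
  ps              = {http://www.cl.cam.ac.uk/users/pes20/policy-csfw04.ps},
  abstract        = {We study the specification of access control policy in
    large-scale distributed systems. We present Cassandra, a language and system
    for expressing policy, and the results of a substantial case study, a
    security policy for a national Electronic Health Record system, based on the
    requirements for the ongoing UK National Health Service procurement exercise.

    Cassandra policies are expressed in a language based on Datalog with
    constraints. The expressiveness of the language (and its computational
    complexity) can be tuned by choosing an appropriate constraint domain.

    Cassandra is role-based; it supports credential-based access control
    (e.g.~between administrative domains); and rules can refer to remote
    policies (for automatic credential retrieval and trust negotiation).
    Moreover, the policy language is small, and it has a formal semantics for
    query evaluation and for the access control engine. For the case study we
    choose a constraint domain C0 that is sufficiently expressive to encode many
    policy idioms. The case study turns out to require many subtle variants of
    these; it is important to express this variety smoothly, rather than add
    them as ad hoc features. By ensuring only a constraint-compact fragment of
    C0 is used, we guarantee a finite and computable fixed-point model. We use a
    top-down evaluation algorithm, for efficiency and to guarantee termination.

    The case study (with some 310 rules and 58 roles) demonstrates that this
    language is expressive enough for a real-world application; preliminary
    results suggest that the performance should be acceptable.},
  topic           = {security_policy}
}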