Towards Use-Based Usage Control

Lecture Notes in Computer Science, 2016

Usage Control policies have been introduced to overcome issues related to the usage of resources. Indeed, a Usage Control policy takes into account attributes of subjects and resources which change over time. Hence, the policy is continuously enforced while an action is performed on a resource, and it is re-evaluated at every context change. This permits to revoke the access to a resource as soon as the new context violates the policy. The Usage Control model is very flexible, and mutable attributes can be exploited also to make a decision based on the actions that have been previously authorized and executed. This paper presents a history-based variant of U-XACML policies composed via process algebra-like operators in order to take trace of past actions made on resources by the subjects. In particular, we present a formalization of our idea through a process algebra and the enhanced logical architecture to enforce such policies.

European Symposium on Research in Computer Security, 2007

We present the Obligation Specification Language (OSL), a policy language for distributed usage control. OSL supports the formal- ization of a wide range of usage control requirements. We also present translations between OSL and two rights expression languages (RELs) from the DRM area. These translations make it possible to use DRM mechanisms to enforce OSL policies. Furthermore, the translations en-

ACM Conference on Computer and Communications Security, 2008

Usage control is a generalization of access control that also addresses how data is used after it is released. This prob- lem is particularly challenging in distributed settings, where servers, acting as data providers, release sensitive data to clients, acting as data consumers. We present a formal model for dierent mechanisms that can enforce usage con- trol policies on the

Proceedings of the 5th International Conference on Model-Driven Engineering and Software Development, 2017

The sharing of data and resources is one of the cornerstones of our society. However, this comes together with several challenges regarding the increasing need of guaranteeing security and privacy during both the access and the usage of such shared resources. Access control policies first, and usage control policies secondly, have been introduced to overcome issues related to the access and usage of resources. However, the introduction of distributed and cloud systems to share data and resources enables the concurrent and shared access to the same resources. Here we present an enhanced version of History-based Usage Control policies in which we are able to manage concurrent access and usage of resources by several subjects, whose actions may influence one another. Moreover, to ease the understanding of the proposed approach, we present a reference example where a document is shared among a set of people having different roles in a company.

The security related characteristics of entities, the contextual information that describes them and the previous or concurrent usages exercised in the system are the criteria that the Usage CONtrol (UCON) family of models utilizes in the usage decision process. In this paper, a detailed classication of the aforementioned criteria along with a representative usage scenario for each category is presented, unveiling a number of UCON's limitations. In turn, a Use-based Usage CONtrol (UseCON) model is proposed that provides, for the creation of a usage decision, enhanced handling of information regarding context and previ- ous or current usages exercised in the system. The enhanced capabilities of the proposed approach are demonstrated and discussed with the use of detailed application examples.

IEEE Security & Privacy Magazine, 2000

Usage control is a comprehensive access control model developed to cater the security needs of the wide range of applications. Formal specification of the core usage control models and their expressivity, decidability of safety properties are explored recently. They help us to understand the usability and safety of the model. However, security of the usage control in the practical applications depends on the safety of the model as well as its correct implementation in the application. This paper presents an approach to verify the correctness of the usage control implementation using a semi- formal property verification tool. We also provide an illustrative case study.

2010

Usage control (UCON) proposed by R. Sandhu et al. [8, 9] is an attributebased authorization model and its main novelties are mutability of attributes and continuity of control. OASIS eXtensible Access Control Markup Language (XACML) [10] is a widely-used language to write authorization policies to protect resources in a distributed computing environment (e.g. Grid). The XACML policy specifies beforeusage authorization process optionally complemented with obligation actions fulfillment. By now, XACML has insufficient facilities to express continuous usage control afterwards an access was granted and started. In this paper, we introduce U-XACML, a new policy language, which enhances the original XACML with the UCON novelties. We extend a syntax and semantics of the XACML policy to define mutability of attributes and continuity of control. We introduce an architecture to enforce the U-XACML policy.

Computers & Security, 1994

A data processing environment allows users to create data objects of very different types. As a part of the management of these objects, the data processing system must support userdefined access control. In this paper we propose a general concept and user interface for user-defined access control and discuss a number of applications. The concept regards access control information as valuable information in its own right and consequently places this information, nowadays mostly specified within and as an integral part of meta-information either of objects or subjects, in objects of its own, called usage conditions. Each of these objects contains access control information corresponding to a task of the real world and formulated with general attributes. Access control for an object is implemented by references to appropriate usage conditions. Access to the object is granted if granted by at least one usage condition. Thus, by setting such references in an m-ton manner, a restricted set of usage conditions is sufficient to implement even complex access control conditions.

Applied Mechanics and Materials, 2014

Computer and information technology has evaded our every aspect of life. Information technology is seen in all aspect of the individual from banking and investing to shopping and communicating through the use of the internet services such as emails and chat rooms. Organizations and industries also utilize computer and information technology to collect information on individuals leading to the creation of warehouse of databases that enable them to achieve their objectives. In a distributed network environment today, information security is a very important issue in ensuring a safe computing environment.