skip to main content
10.1145/1377836.1377856acmconferencesArticle/Chapter ViewAbstractPublication PagessacmatConference Proceedingsconference-collections
research-article

A general obligation model and continuity: enhanced policy enforcement engine for usage control

Published: 11 June 2008 Publication History

Abstract

The usage control model (UCON) has been proposed to augment traditional access control models by integrating authorizations, obligations, and conditions and providing the properties of decision continuity and attribute mutability. Several recent work have applied UCON to support security requirements in different computing environments such as resource sharing in collaborative computing systems and data control in remote platforms. In this paper we identify two individual but interrelated problems of the original UCON model and recent implementations: oversimplifying the concept of usage session of the model, and the lack of comprehensive ongoing enforcement mechanism of implementations. We extend the core UCON model with continuous usage sessions thus extensively augment the expressiveness of obligations in UCON, and then propose a general, continuity-enhanced and configurable usage control enforcement engine. Finally we explain how our approach can satisfy flexible security requirements with an implemented prototype for a healthcare information system.

References

[1]
{ACF}ITU-T Rec X.812 (1995) | ISO/IEC 10181-3:1996. Security frameworks for open systems: Access control framework. Technical report, 1996.]]
[2]
B. Agreiter, M. Alam, R. Breu, M. Hafner, A. Pretschner, J.-P. Seifert, and X. Zhang. A technical architecture for enforcing usage control requirements in service-oriented architectures. In Proc. ACM workshop on Secure web services, 2007.]]
[3]
M. Alam, M. Hafner, M. Memon, and P. Hung. Modeling and enforcing advanced access control policies in healthcare systems with sectet. Mothis, 2007.]]
[4]
C. Bettini, S. Jajodia, X. SeanWang, and D. Wijesekera. Provisions and obligations in policy rule management. J. Network and System Mgmt., 2003.]]
[5]
C. Bettini, S. Jajodia, X. Sean Wang, and D. Wijesekera. Obligation monitoring in policy management. IEEE 3rd Intern. Workshop on Policies for Distributed Systems and Networks, 2002.]]
[6]
C. Bettini, S. Jajodia, X. Sean Wang, and D. Wijesekera. Provisions and obligations in policy management and security applications. In Proc. of the 28th VLDB Conference,Hong Kong, China, 2002.]]
[7]
N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The ponder policy specification language. Lecture Notes in Computer Science, 2001.]]
[8]
P. Gama and P. Ferreira. Obligation policies: An enforcement platform. In Sixth IEEE International Workshop on Policies for Distributed Systems and Networks, 2005.]]
[9]
P. Gama, C. Ribeiro, and P. Ferreira. A scalable history-based policy engine. In Seventh IEEE International Workshop on Policies for Distributed Systems and Networks, 2006.]]
[10]
M. Hafner, R. Mair, R. Breu, B. Agreiter, S. Unterthiner, and T. Schabetsberger. Health@net. Die verteilte elektronische gesundheitsakte- eine fallstudie in modell-getriebenem security engineering. IT-Sicherheitskongress des BSI, 2007.]]
[11]
M. Hilty, D. Basin, and A. Pretschner. On obligations. In Proc. of European Symposium on Research in Computer Security, 2005.]]
[12]
M. Hilty, A. Pretschner, D. Basin, C. Schaefer, and T. Walter. A policy language for distributed usage control. In Proc. of the 12th European Symposium on Research in Computer Security, 2007.]]
[13]
Keith Irwin, Ting Yu, and William H. Winsborogh. On the modeling and analysis of obligations. In Proc. of ACM Conference on Computer and Communications Security, 2006.]]
[14]
J. Park and R. Sandhu. The ucon abc usage control model. ACM Transactions of Information and System Security, 7(1):128--174, 2004.]]
[15]
J. Park and R. Sandhu. Towards usage control models: Beyond traditional access control. In Proc. of ACM symposium on Access control models and technologies, 2002.]]
[16]
J. Park, X. Zhang, and R. S. Sandhu. Attribute mutability in usage control. In Proc. of the Annual IFIP WG 11.3 Working Conference on Data and Applications Security, 2004.]]
[17]
A. Pretschner, M. Hilty, and D. Basin. Distributed usage control. Communication of the ACM, 49(9):39--44, 2006.]]
[18]
A. Pretschner, M. Hilty, F. Casati, and F. Massacci. Usage control in service-oriented architecture. In Proc. of the 4th Intl. Conf. on Trust, Privacy & Security in Digital Business, 2007.]]
[19]
C. Ribeiro, A. Zuquete, P. Ferreira, and P. Guede. Spl: An access control language for security policies with complex constraints. In Proc. of the Network and Distributed System Security Symposium, 2001.]]
[20]
R. Sailer, T. Jaeger, X. Zhang, and L. van Doorn. Attestation based policy enforcement for remote access. ACM Conference on Computer and Communications Security, 2004.]]
[21]
R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and implementation of tcg based integrity measurement systems. In Proc. of the 13th conference on USENIX Security, 2004.]]
[22]
R. Sandhu and J. Park. Usage control: A vision for the next generation access control. Inter. Workshop on Mathematical Methods,Models and Architectures for Computer Networks Security, 2003.]]
[23]
R. Sandhu, K. Ranganathan, and X. Zhang. Secure information sharing enabled by trusted computing and pei models. In Proc. of ACM Symposium on Information, computer and communications security, 2006.]]
[24]
R. Sandhu and X. Zhang. Peer-to-peer access control architecture using trusted computing technology. In Proc. of ACM symposium on Access control models and technologies, 2005.]]
[25]
S. Unterthiner, M. Hafner, R.Breu, and T. Schabetsberger. Endpoint security in elga architekturen. eHealth-Medical Informatics meets eHealth. Vienna, 2007.]]
[26]
G. Vogt. Multiple authoriztion- a model and architecture for increased, practical security. In Proc. of IFIP/IEEE Symposium on Integrated Network Management, 2003.]]
[27]
G. Yee, L. Korba, and R. Song. Ensuring privacy for e-health services. In Proc. of The First International Conference on Availability, Reliability and Security, 2006.]]
[28]
X. Zhang, M. Nakae, M. J. Convington, and R. Sandhu. A usage-based authorization framework for collaborative computing systems. In Proc. of ACM Symposium on Access Control Models and Technologies, 2006.]]
[29]
X. Zhang, F. Parisi-Presicce, R. Sandhu, and J. Park. Formal model and policy specification of usage control. ACM Transactions on Information and System Security, 8(4):351--387, 2005.]]

Cited By

View all
  • (2024)Proactive enforcement of provisions and obligationsJournal of Computer Security10.3233/JCS-21007832:3(247-289)Online publication date: 17-Jun-2024
  • (2024)Specification and Enforcement of Activity Dependency Policies using XACML2024 10th International Symposium on System Security, Safety, and Reliability (ISSSR)10.1109/ISSSR61934.2024.00063(429-440)Online publication date: 16-Mar-2024
  • (2023)Integrity and Privacy-Aware, Patient-Centric Health Record Access Control Framework Using a BlockchainApplied Sciences10.3390/app1302102813:2(1028)Online publication date: 12-Jan-2023
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
SACMAT '08: Proceedings of the 13th ACM symposium on Access control models and technologies
June 2008
214 pages
ISBN:9781605581293
DOI:10.1145/1377836
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 June 2008

Permissions

Request permissions for this article.

Check for updates

Qualifiers

  • Research-article

Conference

SACMAT08
Sponsor:

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)14
  • Downloads (Last 6 weeks)7
Reflects downloads up to 19 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)Proactive enforcement of provisions and obligationsJournal of Computer Security10.3233/JCS-21007832:3(247-289)Online publication date: 17-Jun-2024
  • (2024)Specification and Enforcement of Activity Dependency Policies using XACML2024 10th International Symposium on System Security, Safety, and Reliability (ISSSR)10.1109/ISSSR61934.2024.00063(429-440)Online publication date: 16-Mar-2024
  • (2023)Integrity and Privacy-Aware, Patient-Centric Health Record Access Control Framework Using a BlockchainApplied Sciences10.3390/app1302102813:2(1028)Online publication date: 12-Jan-2023
  • (2022)Assessment Framework for the Identification and Evaluation of Main Features for Distributed Usage Control SolutionsACM Transactions on Privacy and Security10.1145/356151126:1(1-28)Online publication date: 11-Nov-2022
  • (2022)WiP: Metamodel for Continuous Authorisation and Usage ControlProceedings of the 27th ACM on Symposium on Access Control Models and Technologies10.1145/3532105.3535039(43-48)Online publication date: 7-Jun-2022
  • (2022)A domain-specific language for the specification of UCON policiesJournal of Information Security and Applications10.1016/j.jisa.2021.10300664:COnline publication date: 1-Feb-2022
  • (2021)A Policy-Agnostic Programming Language for the International Data SpacesData Management Technologies and Applications10.1007/978-3-030-83014-4_9(172-194)Online publication date: 23-Jul-2021
  • (2020)Policy Enforcement for Secure and Trustworthy Data Sharing in Multi-domain Infrastructures2020 IEEE 14th International Conference on Big Data Science and Engineering (BigDataSE)10.1109/BigDataSE50710.2020.00022(104-113)Online publication date: Dec-2020
  • (2018)An Ecosystem and IoT Device Architecture for Building Trust in the Industrial Data SpaceProceedings of the 4th ACM Workshop on Cyber-Physical System Security10.1145/3198458.3198459(39-50)Online publication date: 22-May-2018
  • (2018)On Using Obligations for Usage Control in Joining of DatasetsInformation Systems Security and Privacy10.1007/978-3-319-93354-2_9(173-196)Online publication date: 9-Jun-2018
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media