On the modeling and analysis of obligations

Keith Irwin; Ting Yu; William H. Winsborough

doi:10.1145/1180405.1180423

On the modeling and analysis of obligations

Keith Irwin^*, Ting Yu, William H. Winsborough

^*Corresponding author for this work

Research output: Contribution to journal › Conference article › peer-review

84 Citations (Scopus)

Abstract

Traditional security policies largely focus on access control requirements, which specify who can access what under what circumstances. Besides access control requirements, the availability of services in many applications often further imposes obligation requirements, which specify what actions have to be taken by a subject in the future as a condition of getting certain privileges at present. However, it is not clear yet what the implications of obligation policies are concerning the security goals of a system.In this paper, we propose a formal metamodel that captures the key aspects of a system that are relevant to obligation management. We formally investigate the interpretation of security policies from the perspective of obligations, and define secure system states based on the concept of accountability. We also study the complexity of checking a state's accountability under different assumptions about a system.

Original language	English
Article number	1180423
Pages (from-to)	134-143
Number of pages	10
Journal	Proceedings of the ACM Conference on Computer and Communications Security
DOIs	https://doi.org/10.1145/1180405.1180423
Publication status	Published - 2006
Externally published	Yes
Event	CCS 2006: 13th ACM Conference on Computer and Communications Security - Alexandria, VA, United States Duration: 30 Oct 2006 → 3 Nov 2006

Keywords

Obligations
Policy

Access to Document

10.1145/1180405.1180423

Cite this

@article{36a5eb86264445ac964174aecf2f4fd3,

title = "On the modeling and analysis of obligations",

abstract = "Traditional security policies largely focus on access control requirements, which specify who can access what under what circumstances. Besides access control requirements, the availability of services in many applications often further imposes obligation requirements, which specify what actions have to be taken by a subject in the future as a condition of getting certain privileges at present. However, it is not clear yet what the implications of obligation policies are concerning the security goals of a system.In this paper, we propose a formal metamodel that captures the key aspects of a system that are relevant to obligation management. We formally investigate the interpretation of security policies from the perspective of obligations, and define secure system states based on the concept of accountability. We also study the complexity of checking a state's accountability under different assumptions about a system.",

keywords = "Obligations, Policy",

author = "Keith Irwin and Ting Yu and Winsborough, {William H.}",

year = "2006",

doi = "10.1145/1180405.1180423",

language = "English",

pages = "134--143",

journal = "Proceedings of the ACM Conference on Computer and Communications Security",

issn = "1543-7221",

note = "CCS 2006: 13th ACM Conference on Computer and Communications Security ; Conference date: 30-10-2006 Through 03-11-2006",

}

TY - JOUR

T1 - On the modeling and analysis of obligations

AU - Irwin, Keith

AU - Yu, Ting

AU - Winsborough, William H.

PY - 2006

Y1 - 2006

N2 - Traditional security policies largely focus on access control requirements, which specify who can access what under what circumstances. Besides access control requirements, the availability of services in many applications often further imposes obligation requirements, which specify what actions have to be taken by a subject in the future as a condition of getting certain privileges at present. However, it is not clear yet what the implications of obligation policies are concerning the security goals of a system.In this paper, we propose a formal metamodel that captures the key aspects of a system that are relevant to obligation management. We formally investigate the interpretation of security policies from the perspective of obligations, and define secure system states based on the concept of accountability. We also study the complexity of checking a state's accountability under different assumptions about a system.

AB - Traditional security policies largely focus on access control requirements, which specify who can access what under what circumstances. Besides access control requirements, the availability of services in many applications often further imposes obligation requirements, which specify what actions have to be taken by a subject in the future as a condition of getting certain privileges at present. However, it is not clear yet what the implications of obligation policies are concerning the security goals of a system.In this paper, we propose a formal metamodel that captures the key aspects of a system that are relevant to obligation management. We formally investigate the interpretation of security policies from the perspective of obligations, and define secure system states based on the concept of accountability. We also study the complexity of checking a state's accountability under different assumptions about a system.

KW - Obligations

KW - Policy

UR - http://www.scopus.com/inward/record.url?scp=34547346853&partnerID=8YFLogxK

U2 - 10.1145/1180405.1180423

DO - 10.1145/1180405.1180423

M3 - Conference article

AN - SCOPUS:34547346853

SN - 1543-7221

SP - 134

EP - 143

JO - Proceedings of the ACM Conference on Computer and Communications Security

JF - Proceedings of the ACM Conference on Computer and Communications Security

M1 - 1180423

T2 - CCS 2006: 13th ACM Conference on Computer and Communications Security

Y2 - 30 October 2006 through 3 November 2006

ER -

On the modeling and analysis of obligations

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this