Efficient and flexible access control via Jones-optimal logic program specialisation. (English) Zbl 1189.68043
Summary: We describe the use of a flexible meta-interpreter for performing access control checks on deductive databases. The meta-program is implemented in Prolog and takes as input a database and an access policy specification. For processing access control requests we specialise the meta-program for a given access policy and database by using the logen partial evaluation system. The resulting specialised control checking program is dependent solely upon dynamic information that can only be known at the time of actual access request evaluation. In addition to describing our approach, we give a number of performance measures for our implementation of an access control checker. In particular, we show that by using our approach we get flexible access control with virtually no overhead, satisfying the Jones optimality criterion. The paper also shows how to satisfy the Jones optimality criterion more generally for interpreters written in the non-ground representation.
MSC:
| 68P15 | Database theory |
| 68Q60 | Specification and verification (program logics, model checking, etc.) |
Keywords:
access control; deductive databases; partial evaluation; program transformation; meta-programming; Jones optimality criterionReferences:
| [1] | Apt, K.R., Turini, F.: Meta-logics and Logic Programming. MIT Press, Cambridge (1995) |
| [2] | Baral, C., Gelfond, M.: Logic programming and knowledge representation. JLP 19/20, 73–148 (1994) · Zbl 0820.68028 · doi:10.1016/0743-1066(94)90025-6 |
| [3] | Barker, S.: Web usage control in RSCLP. In: Proc. 18th IFIP WG Conf. on Database Security (2004) |
| [4] | Barker, S., Stuckey, P.: Flexible access control policy specification with constraint logic programming. ACM TISSEC 6(4), 501–546 (2003) · doi:10.1145/950191.950194 |
| [5] | Barker, S., Leuschel, M., Varea, M.: Efficient and flexible access control via logic program specialisation. In: PEPM’04: Proceedings of the 2004 ACM SIGPLAN Symposium on Partial Evaluation and Semantics-based Program Manipulation, New York, NY, USA, 2004, pp. 190–199. ACM Press, New York (2004) · Zbl 1189.68043 |
| [6] | Bertino, E., Bettini, C., Ferrari, E., Samarati, P.: An access control model supporting periodicity constraints and temporal reasoning. ACM TODS 23(3), 231–285 (1998) · doi:10.1145/293910.293151 |
| [7] | Bertino, E., Catania, B., Ferrari, E., Perlasca, P.: A system to specify and manage multipolicy access control models. In: Proc. IEEE 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY 2002) (2002) |
| [8] | Bondorf, A., Palsberg, J.: Generating action compilers by partial evaluation. J. Funct. Program. 6(2) (1996) · Zbl 0856.68040 |
| [9] | Briney, A.: Information security 2000. In: Information Security, pp. 40–68 (2000) |
| [10] | Clark, K.: Negation as failure. In: Gallaire, H., Minker, J. (eds.) Logic and Databases, pp. 293–322. Plenum, New York (1978) |
| [11] | Date, C.: An Introduction to Database Systems. Addison–Wesley, Reading (2003) · Zbl 1058.68045 |
| [12] | Ferraiolo, D., Cugini, J., Kuhn, R.: Role-based access control (RBAC): features and motivations. In: Proc. of the 11th Annual Computer Security Applications Conf., pp. 241–248 (1995) |
| [13] | Futamura, Y.: Partial evaluation of computation process–an approach to a compiler-compiler. Higher-Order Symb. Comput. 12(4), 381–391 (1999). Reprinted from Systems Computers Controls 2(5), 1971, with a foreword · Zbl 1009.68504 · doi:10.1023/A:1010095604496 |
| [14] | Gallagher, J.: Tutorial on specialisation of logic programs. In: Proceedings of PEPM’93, the ACM Sigplan Symposium on Partial Evaluation and Semantics-Based Program Manipulation, pp. 88–98. ACM Press, New York (1993) |
| [15] | Gallagher, J., Bruynooghe, M.: Some low-level transformations for logic programs. In: Bruynooghe, M. (ed.) Proceedings of Meta90 Workshop on Meta Programming in Logic, Leuven, Belgium, pp. 229–244 (1990) |
| [16] | Grosof, B., Poon, T.: Representing agent contracts with exceptions using XML rules, ontologies and process descriptions. In: WWW 2003, pp. 340–349 (2003) |
| [17] | Hill, P., Gallagher, J.: Meta-programming in logic programming. In: Gabbay, D.M., Hogger, C.J., Robinson, J.A. (eds.) Handbook of Logic in Artificial Intelligence and Logic Programming. Oxford Science Publications, vol. 5, pp. 421–497. Oxford University Press, London (1998) · Zbl 0900.68137 |
| [18] | Jajodia, S., Samarati, P., Sapino, M., Subrahmanian, V.: Flexible support for multiple access control policies. ACM TODS 26(2), 214–260 (2001) · Zbl 1136.68383 · doi:10.1145/383891.383894 |
| [19] | Jones, N.D.: Partial evaluation, self-application and types. In: Paterson, M.S. (ed.) Automata, Languages and Programming. LNCS, vol. 443, pp. 639–659. Springer, Berlin (1990) · Zbl 0765.68020 |
| [20] | Jones, N.D., Gomard, C.K., Sestoft, P.: Partial Evaluation and Automatic Program Generation. Prentice Hall, New York (1993) · Zbl 0875.68290 |
| [21] | Kunen, K.: Signed data dependencies in logic programs. J. Log. Program. 7(3), 231–245 (1989) · doi:10.1016/0743-1066(89)90022-8 |
| [22] | Lakhotia, A., Sterling, L.: How to control unfolding when specializing interpreters. New Gener. Comput. 8, 61–70 (1990) · Zbl 0705.68035 · doi:10.1007/BF03037513 |
| [23] | Leuschel, M.: Homeomorphic embedding for online termination of symbolic methods. In: Mogensen, T.Æ., Schmidt, D., Sudborough, I.H. (eds.) The Essence of Computation–Essays Dedicated to Neil Jones. LNCS, vol. 2566, pp. 379–403. Springer, Berlin (2002) · Zbl 1026.68028 |
| [24] | Leuschel, M., Bruynooghe, M.: Logic program specialisation through partial deduction: Control issues. Theory Practice Log. Program. 2(4–5), 461–515 (2002) · Zbl 1105.68331 · doi:10.1017/S147106840200145X |
| [25] | Leuschel, M., Schreye, D.D.: Creating specialised integrity checks through partial evaluation of meta-interpreters. JLP 36(1), 149–193 (1998) · Zbl 0911.68028 · doi:10.1016/S0743-1066(97)10012-7 |
| [26] | Leuschel, M., Martens, B., De Schreye, D.: Controlling generalisation and polyvariance in partial deduction of normal logic programs. ACM Trans. Program. Lang. Syst. 20(1), 208–258 (1998) · doi:10.1145/271510.271525 |
| [27] | Leuschel, M., Craig, S., Bruynooghe, M., Vanhoof, W.: Specializing interpreters using offline partial deduction. In: Bruynooghe, M., Lau, K.-K. (eds.) Program Development in Computational Logic. LNCS, vol. 3049, pp. 341–376. Springer, Berlin (2004) · Zbl 1080.68553 |
| [28] | Leuschel, M., Jørgensen, J., VanHoof, W., Bruynooghe, M.: Offline specialisation in Prolog using a hand-written compiler generator. TPLP 4(1), 139–191 (2004) · Zbl 1085.68020 |
| [29] | Lloyd, J.W.: Foundations of Logic Programming. Springer, Berlin (1987) · Zbl 0668.68004 |
| [30] | Makholm, H.: On Jones-optimal specialization for strongly typed languages. In: Taha, W. (ed.) Semantics, Applications, and Implementation of Program Generation. LNCS, vol. 1924, pp. 129–148. Springer, Berlin (2000) · Zbl 1044.68554 |
| [31] | Martens, B.: On the semantics of meta-programming and the control of partial deduction in logic programming. PhD thesis, K.U. Leuven (February 1994) |
| [32] | Martens, B., Gallagher, J.: Ensuring global termination of partial deduction while allowing flexible polyvariance. In: Sterling, L. (ed.) Proceedings ICLP’95, Kanagawa Japan, June 1995, pp. 597–613. MIT Press, Cambridge (1995) |
| [33] | NIST: The economic impact of role-based access control. NIST Planning Report 02-01 (2002) |
| [34] | Przymusinski, T.: On the declarative semantics of deductive databases and logic programming. In: Minker, J. (ed.) Foundations of Deductive Databases and Logic Programming, pp. 193–216. Morgan Kaufmann, San Mateo (1988) · Zbl 0726.68067 |
| [35] | Sagonas, K., Swift, T., Warren, D.S.: XSB as an efficient deductive database engine. In: Proceedings of the ACM SIGMOD International Conference on the Management of Data, Minneapolis, Minnesota, May 1994, pp. 442–453. ACM Press, New York (1994) |
| [36] | Sahlin, D.: Mixtus: an automatic partial evaluator for full prolog. New Gener. Comput. 12(1), 7–51 (1993) · Zbl 0942.68516 · doi:10.1007/BF03038271 |
| [37] | Sandhu, R., Ferraiolo, D., Kuhn, R.: The NIST model for role-based access control: towards a unified standard. In: Proc. 4th ACM Workshop on Role-Based Access Control, pp. 47–61 (2000) |
| [38] | SETA: A marketing survey of civil federal government organizations to determine the need for RBAC security product. SETA Corporation (1996) |
| [39] | Vanhoof, W., Martens, B.: To parse or not to parse. In: Fuchs, N. (ed.) Logic Program Synthesis and Transformation, Proceedings of LOPSTR’97, Leuven, Belgium, July 1997. LNCS, vol. 1463, pp. 322–342. Springer, Berlin (1997) |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
