TC: Small: Towards precise specification of logic-based acces-control policies

TC：小：迈向基于逻辑的访问控制策略的精确规范

• 批准号: 1018211
• 负责人: Ljudevit Bauer
• 金额: $ 47.96万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-09-01 至 2015-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1018211&HistoricalAwards=false
• 关键词: TC; Small; Towards; precise; specification

Today's computing environments are characterized by an ongoing dramatic increase in connectivity and data sharing. A critical concern in this setting is access control---the ability to easily and quickly allow access to authorized users or devices, while preventing misuse, unauthorized access, and violations of privacy. Two common pitfalls in many approaches to access control are (1) their inability to support highly flexible access-control policies while avoiding unintended side effects and (2) difficulty in usefully differentiating between all the authority that a user might need and the minimal authority that she requires to perform a specific task. Both these shortcomings prevent systems from enforcing exactly the policies that users desire and thereby increase the danger of misuse and the costs of compromise.This award supports the design and implementation of mechanisms that make it possible to specify and enforce security policies that more precisely limit the amount of authority that is conveyed to users or devices. More specifically, new mechanisms will be developed to enable restricting the circumstances under which the authority to access a resource can be used, and to allow administrators to specify these restrictions as constraints on policies. At the same time, new methods will be developed to distinguish between the total authority that is conveyed to a user and the subset of that authority that she may exercise at a specific moment. These improvements will be carried out in the context of logic-based access control, an approach that offers significant benefits in terms of flexibility and assurance of correctness.

当今的计算环境的特征是连接性和数据共享的持续急剧增加。在这种设置中，关键的问题是访问控制 - - 能够轻松，快速允许访问授权的用户或设备的能力，同时防止滥用，未经授权的访问和侵犯隐私。 在许多访问控制的方法中，有两个常见的陷阱是（1）他们无法支持高度灵活的访问控制策略，同时避免了意外的副作用，以及（2）难以在用户可能需要的所有权威和她需要执行特定任务所需的最小权限之间有效区分。 这两种缺点都阻止了系统准确执行用户想要的政策，从而增加了滥用的危险和妥协的成本。该奖项支持了设计和实施机制的设计和实施，这些机制使得有可能指定和执行安全政策，从而更加精确地限制了传达给用户或权力的权威量。 更具体地说，将开发新的机制来限制可以使用访问资源的权限的情况，并允许管理员将这些限制指定为政策的限制。 同时，将开发新的方法，以区分传达给用户的全部权限以及她可能在特定时刻行使的该权限的子集。 这些改进将在基于逻辑的访问控制的背景下进行，这种方法在灵活性和确保正确性方面具有重大好处。