TC: Small: Towards precise specification of logic-based acces-control policies

TC：小：迈向基于逻辑的访问控制策略的精确规范

• 批准号: 1018211
• 负责人: Ljudevit Bauer
• 金额: $ 47.96万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-09-01 至 2015-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1018211&HistoricalAwards=false
• 关键词: TC; Small; Towards; precise; specification

Today's computing environments are characterized by an ongoing dramatic increase in connectivity and data sharing. A critical concern in this setting is access control---the ability to easily and quickly allow access to authorized users or devices, while preventing misuse, unauthorized access, and violations of privacy. Two common pitfalls in many approaches to access control are (1) their inability to support highly flexible access-control policies while avoiding unintended side effects and (2) difficulty in usefully differentiating between all the authority that a user might need and the minimal authority that she requires to perform a specific task. Both these shortcomings prevent systems from enforcing exactly the policies that users desire and thereby increase the danger of misuse and the costs of compromise.This award supports the design and implementation of mechanisms that make it possible to specify and enforce security policies that more precisely limit the amount of authority that is conveyed to users or devices. More specifically, new mechanisms will be developed to enable restricting the circumstances under which the authority to access a resource can be used, and to allow administrators to specify these restrictions as constraints on policies. At the same time, new methods will be developed to distinguish between the total authority that is conveyed to a user and the subset of that authority that she may exercise at a specific moment. These improvements will be carried out in the context of logic-based access control, an approach that offers significant benefits in terms of flexibility and assurance of correctness.

今天的计算环境的特点是连接性和数据共享的持续急剧增加。这种设置中的一个关键问题是访问控制——能够轻松、快速地允许访问授权用户或设备，同时防止滥用、未经授权的访问和侵犯隐私。许多访问控制方法中的两个常见缺陷是：(1)它们无法在支持高度灵活的访问控制策略的同时避免意外的副作用；(2)难以有效地区分用户可能需要的所有权限和执行特定任务所需的最小权限。这两个缺点都阻碍了系统执行用户所希望的策略，从而增加了滥用的危险和妥协的成本。该奖励支持机制的设计和实现，使指定和执行安全策略成为可能，从而更精确地限制传递给用户或设备的权限数量。更具体地说，将开发新的机制来限制可以使用访问资源的权限的情况，并允许管理员将这些限制指定为对策略的约束。与此同时，将开发新的方法来区分传递给用户的全部权限和她在特定时刻可能行使的权限子集。这些改进将在基于逻辑的访问控制上下文中进行，这种方法在灵活性和正确性保证方面提供了显著的好处。