Traditional security policies largely focus on access control requirements, which specify who can access what under what circumstances. Besides access control requirements, the availability of services in many applications often further imposes obligation requirements, which specify what actions have to be taken by a subject in the future as a condition of getting certain privileges at present. However, it is not clear yet what the implications of obligation policies are concerning the security goals of a system. In this paper, we propose a formal metamodel that captures the key aspects of a system that are relevant to obligation management. We formally investigate the interpretation of security policies from the perspective of obligations, and define secure system states based on the concept of accountability. We also study the complexity of checking a state's accountability under different assumptions about a system.
| Number of pages | 10 |
| Journal | Proceedings of the ACM Conference on Computer and Communications Security |
| Publication status | Published - 1 Dec 2006 |
| Event | CCS 2006: 13th ACM Conference on Computer and Communications Security - Alexandria, VA, United States. Duration: 30 Oct 2006 → 3 Nov 2006 |
ASJC Scopus subject areas
- Computer Networks and Communications