柔性访问控制研究
|
摘要
信息安全是可信计算的一个领域,访问控制是整个信息安全的基础。访问控制是保护安全系统所维护的数据和资源,以避免未授权访问与不恰当修改,同时确保对合法用户的可用性。访问控制系统的开发过程总是基于安全策略、安全模型和安全机制的多阶段实施。
然而,访问控制策略/模型的定义是非平凡的,它的最大难点在于如何以恰当的定义和明确的规则解释真实世界的安全策略(通常是复杂的,有时是模糊的)及其转化,并使它们易于计算机系统的实现。随着访问控制理论的发展和实际应用中对安全需求的日益提高,表达能力和灵活性现在已成为一个访问控制系统中的优先要求,而访问控制又经常要求处理冲突性、简单性和有效性,即现代访问控制策略要求是柔性的足以刻画现实世界中的安全需求。
柔性访问控制主要涉及柔性授权、逻辑形式化和策略集成等当今访问控制中的热点问题和发展趋势。研究如何使用逻辑程序强大的表达能力和计算能力确定现实中的柔性访问控制策略;如何平衡柔性访问控制规范的表达性、简单性和有效性;如何处理柔性访问控制中的冲突;如何在一个框架下集成已有柔性访问控制理论的优点;如何使用常识推理(即非单调推理)刻画柔性特征。本文研究主要集中于下列几个问题:柔性访问控制的概念;基于角色访问控制模型(RBAC)的柔性;柔性访问控制策略中的冲突消解;基于逻辑程序的柔性授权框架的设计与分析。
基于上述问题的深入研究,我们取得了四个方面的成果与创新:
(1)柔性访问控制规范与分析
就我们所知,有关柔性访问控制的概念尚无明确定义与总结,我们认为其含义是模糊的和处于进化过程中的。我们可以简单地理解柔性为“多属性”和“多域性”,但今天的柔性访问控制已涉及到信任管理和信任协商等问题,因此对柔性访问控制的概念归纳与特征描述是必要的。进一步,我们分析了如何用逻辑程序表示柔性访问控制策略所涉及的几个问题,特别是如何用逻辑程序规则确定“柔性”特征。我们也研究了几个流行的授权框架理论。这样,我们获得了以下结果:
—柔性访问控制的概念外延可归纳为:表达从显式到隐式、决策从身份标识到主体属性、更新从静态到动态、实施从单一到组合、环境从封闭到开放;
—柔性访问控制的特征有:条件(系统、上下文与历史)、层次(主体、客体、权限和角色)、正负授权、基于属性的规范、动态环境、授权推理;
—分析逻辑程序的结构特征能确定相应的安全需求性质,同时也决定其语义计算;
—几个经典的授权框架优缺点互补交叉,这给我们进一步研究的空间。
(2) RBAC模型的柔性
在分析RBAC柔性的基础上,我们提出了“在RBAC中实现LBAC策略的形式化分析”问题,它涉及如何用RBAC的机制来实施基于格的访问控制(LBAC)策略。尽管已有一些有关LBAC与RBAC关系的研究,但大多是非形式化的。我们的研究是基于形式化的方法,涉及到关系、逻辑与同态等。这一研究主要有下列贡献:
—形式化分析显示如何用RBAC框架使关键的LBAC策略有效,RBAC有一个好的机制——角色在统一处理一系列LBAC系统中所起的作用;
—研究得出几个基于格的访问控制策略能在RBAC中实现,并且也清楚地探索出RBAC控制管理机制;
—通过使用一种安全模型来统一研究其它的方法,使我们探索一种有关集成安全策略的推理成为可能。
(3)偏好冲突消解策略
据我们所知,少有基于文字偏好冲突消解用于访问控制领域。根据冲突消解原理,我们研究问题:用LPOD程序消解冲突,用带有序析取的逻辑程序(LPOD)规则消解冲突。我们所提出的方法有下列优点:
—这一方法是偏好冲突消解方法,它是基于文字与上下文依赖的,不同于规则优先和基于组织的策略,它有精细的粒度;
—LPOD程序的语义不是通常的稳定模型,但它的语义计算可转化为稳定模型计算。因此它是新颖的;
—选择LPOD程序回答集的选择标准是灵活的,并能很好适应于实际需求。
(4)基于逻辑程序的柔性授权框架
我们提出授权框架由三个程序模块组成:PRAP组件、URAP组件与UR-RP授权策略,PRAP指“权限角色分配程序”负责分配权限给角色,URAP表示“用户角色分配程序”,其功能是分配角色予用户,UR-RP程序结合PRAP和URAP实施多策略集成。这个授权框架有下列优点:
—由于该框架的管理机制是基于RBAC,所以它易于进一步扩展与精化;
—因为这个框架是基于逻辑程序的,所以它是柔性的。使用RBAC组织策略规范中的规则可强化规范的结构;
—框架中的组件模块能充分利用已有理论的优点。例如,PRAP对角色、客体与权限使用Bertino99框架中的精细粒度和结构化的遗传机制,URAP对用户利用FAF理论中的多重冲突消解与决策策略,UR-RP显式地体现出RBAC中会话功能;
—各组件模块在一个统一的框架下独立地实施策略并进行交互。事实上这种实施和交互功能是基于逻辑程序的结合;
—由于非单调理论应用于我们的授权框架,所以我们能应用信念修改来实现现实世界中的柔性策略。
上面所有结果无论在理论还是实践方面都是有价值的,同时也是我们进一步研究柔性访问控制的基础。
Information security is a realm in trusted computing,and access control plays an important role in overall information security.Access control is to protect the data and resources maintained by a security system against unauthorized disclosure or improper modifications,while at the same time ensuring their availability to legitimate users.The development process of an access control system is usually carried out with a multi-phase approach based on the concepts of security policy,security model and security mechanism.
However,the definition of an access control policy/model is far from being a trivial process.The most major difficulty lies in the interpretation of real-world security policies(often complex and sometimes ambiguous) and their translation in well defined and unambiguous rules,which are easily implemented by a computer system.With the development of access control theory and security requirements in many emerging applications,nowadays,expressiveness and flexibility have been become top requirements for an access control system together with,and usually in conflict with,simplicity and efficiency,that is,a modern access control policy needs to be flexible enough to capture security requirements in real world scenarios.This is why we study the flexible access control.
Our flexible access control mainly refers to three aspects:flexible authorizations,logic based formalization,and integration of policies,which obtain a significant attention and also reflect the development tendency of the current access control.It has been investigated in this dissertation that how to specify flexible access control policies in real world using the powerful expressiveness and computation of logic programs,how to deal with conflicts in flexible access controls,how to balance expressiveness,simplicity and efficiency in flexible access control specifications,how to make use of common reasoning(i.e.,non-monotonic reasoning) to express the flexible characteristics, and how to integrate the advantages in the prevailing flexible access control theories on the basis of a unified framework.The dissertation focuses on the following several problems:the concept of flexible access control;the flexibility of role based access control(RBAC);conflict resolution strategy in flexible access control policy;design and analysis of the flexible authorization framework based on logic programs.
By careful investigation of the above problems,the following results and contributions based on the four aspects have been obtained.
(1) Knowledge and specification of the flexible access control To our best knowledge,the concept of flexible access control has not been specified definitely and summarized so far.We think that the meaning of flexible access control is ambiguous and evolving.We can simply view it as multi-attributes and multi-domains,which are traditional and classical,but today's flexible access control may refer to trust management,trust negotiation etc.Therefore inducing concepts and describing characteristics are necessary for flexible access controls.Further,we analyzed several problems about how to use logic programs to represent the flexible access control policies.Especially,we analyzed how to the "flexible" features are specified via logic rules.We also exploited the several prevailing framework theories for the next investigation. Thus,the following consequences have been acquired:
-- The conceptual extension of flexible access controls is induced as:
a) Expression from explicit to implicit;
b) Determination from identity to attribute;
c) Update from static to dynamic;
d) Enforcement from single to compositional;
e) Environment from close to open.
-- The characteristics of flexible access controls are summarized as:
a) Conditions(referring to system,context,history and so on);
b) Hierarchies(include Subject,Object,Privilege and Role);
c) Positive and negative authorizations;
d) Attributes based specifications;
e) Dynamic environments;
f) Authorization derivations.
-- The structural features of logic programs can specify the responding properties of security requirements,at the same time,also determine the semantics computation of the logic programs.
-- Several prevailing authorization frameworks are complementary and cross between advantages and disadvantages.This gives us the space for further study.
(2) Flexibility of RBAC Model
Based on analyzing the flexibility of RBAC,we have proposed the problem:a formal analysis for implementing LBAC in RBAC,which refers to how to implement lattice-based access control(LBAC) policy using the mechanisms of RBAC.Although there have been some researches on the relationships between LBAC and RBAC,these researches are non-formal.Our investigation is based on the formal method related to the ideas of relation,homomorphism and logic etc.
The research has the following main contributions:
-- The formal analysis shows how to use the RBAC framework to validate the key LBAC policies,suggesting that RBAC has a good role to play in unifying the formal treatment of a range of LBAC systems.
-- The research can conclude that several studied lattice-based access control policies can be carried out in RBAC,and that the mechanism of managing access control in RBAC can be clearly exploited.
-- Through using one security model as a unifying principle for studying others, we have possibility to explore a way for reasoning about combinations of security policies.
(3) Conflict resolution strategy with preference
To our best knowledge,there are little conflict resolution polices with literal preference applied to access control.In terms of the principles of conflicts resolutions,we have researched the problem:Conflicts Resolution with LPOD Program,where rules with LPOD(Logic Program with Ordered Disjunction) are applied to solve conflicts.Our method has the following advantages:
-- The method is a conflict resolution with preference.It is based on literals and dependent-context,different from rule priority and organization based strategy. Thus decision of this method is fine-grain;
-- The semantics of LPOD program is not a stable model,but its semantic computation can transform into stable model.Therefore,it is novel.
-- The criteria of selecting answer sets are more flexible and well accommodating to practical requirements.
(4) Flexible authorization framework based on logic programs Our proposed authorization framework is composed of the programs of three main parts:PRAP module,URAP module and UR-RP authorization policy module,where PRAP means Privilege Role Assignment Program that is in charge of assigning privileges to roles;URAP expresses User Role Assignment Program whose function is the assignment of roles to users;UR-RP program combine PRAP and URAP for implementing the integration of multiple policies. The framework has the following advantages:
-- As the administrative mechanism of the framework is based on RBAC,it may be easily further extended and refined.
-- Since the framework is specified by logic programs,it is flexible.Using RBAC to organize the rules in a specification may enhance the construction of the specification.
-- The component modules can adopt the advantages of the theories in the literature.For instance,PRAP makes use of the fine-grained and structural propagation mechanism in Bertino99 Framework for roles,objects and privileges;URAP employs the multiple conflict resolution and decision policies in FAF for users.UR-RP explicitly facilitates the session like RBAC.
-- The component modules implement independently the policies,and interplay on base of the unifying framework.In fact,the functions of the implementations and interplay are based on the combination of logic programs.
-- Since non-monotonic theory is used in our framework,we can use belief revision to capture flexible policies in real world.
All the above consequences are worthwhile not only in theory but also in practice,and at the same time they are also the foundation of our further study on the flexible access control.
然而,访问控制策略/模型的定义是非平凡的,它的最大难点在于如何以恰当的定义和明确的规则解释真实世界的安全策略(通常是复杂的,有时是模糊的)及其转化,并使它们易于计算机系统的实现。随着访问控制理论的发展和实际应用中对安全需求的日益提高,表达能力和灵活性现在已成为一个访问控制系统中的优先要求,而访问控制又经常要求处理冲突性、简单性和有效性,即现代访问控制策略要求是柔性的足以刻画现实世界中的安全需求。
柔性访问控制主要涉及柔性授权、逻辑形式化和策略集成等当今访问控制中的热点问题和发展趋势。研究如何使用逻辑程序强大的表达能力和计算能力确定现实中的柔性访问控制策略;如何平衡柔性访问控制规范的表达性、简单性和有效性;如何处理柔性访问控制中的冲突;如何在一个框架下集成已有柔性访问控制理论的优点;如何使用常识推理(即非单调推理)刻画柔性特征。本文研究主要集中于下列几个问题:柔性访问控制的概念;基于角色访问控制模型(RBAC)的柔性;柔性访问控制策略中的冲突消解;基于逻辑程序的柔性授权框架的设计与分析。
基于上述问题的深入研究,我们取得了四个方面的成果与创新:
(1)柔性访问控制规范与分析
就我们所知,有关柔性访问控制的概念尚无明确定义与总结,我们认为其含义是模糊的和处于进化过程中的。我们可以简单地理解柔性为“多属性”和“多域性”,但今天的柔性访问控制已涉及到信任管理和信任协商等问题,因此对柔性访问控制的概念归纳与特征描述是必要的。进一步,我们分析了如何用逻辑程序表示柔性访问控制策略所涉及的几个问题,特别是如何用逻辑程序规则确定“柔性”特征。我们也研究了几个流行的授权框架理论。这样,我们获得了以下结果:
—柔性访问控制的概念外延可归纳为:表达从显式到隐式、决策从身份标识到主体属性、更新从静态到动态、实施从单一到组合、环境从封闭到开放;
—柔性访问控制的特征有:条件(系统、上下文与历史)、层次(主体、客体、权限和角色)、正负授权、基于属性的规范、动态环境、授权推理;
—分析逻辑程序的结构特征能确定相应的安全需求性质,同时也决定其语义计算;
—几个经典的授权框架优缺点互补交叉,这给我们进一步研究的空间。
(2) RBAC模型的柔性
在分析RBAC柔性的基础上,我们提出了“在RBAC中实现LBAC策略的形式化分析”问题,它涉及如何用RBAC的机制来实施基于格的访问控制(LBAC)策略。尽管已有一些有关LBAC与RBAC关系的研究,但大多是非形式化的。我们的研究是基于形式化的方法,涉及到关系、逻辑与同态等。这一研究主要有下列贡献:
—形式化分析显示如何用RBAC框架使关键的LBAC策略有效,RBAC有一个好的机制——角色在统一处理一系列LBAC系统中所起的作用;
—研究得出几个基于格的访问控制策略能在RBAC中实现,并且也清楚地探索出RBAC控制管理机制;
—通过使用一种安全模型来统一研究其它的方法,使我们探索一种有关集成安全策略的推理成为可能。
(3)偏好冲突消解策略
据我们所知,少有基于文字偏好冲突消解用于访问控制领域。根据冲突消解原理,我们研究问题:用LPOD程序消解冲突,用带有序析取的逻辑程序(LPOD)规则消解冲突。我们所提出的方法有下列优点:
—这一方法是偏好冲突消解方法,它是基于文字与上下文依赖的,不同于规则优先和基于组织的策略,它有精细的粒度;
—LPOD程序的语义不是通常的稳定模型,但它的语义计算可转化为稳定模型计算。因此它是新颖的;
—选择LPOD程序回答集的选择标准是灵活的,并能很好适应于实际需求。
(4)基于逻辑程序的柔性授权框架
我们提出授权框架由三个程序模块组成:PRAP组件、URAP组件与UR-RP授权策略,PRAP指“权限角色分配程序”负责分配权限给角色,URAP表示“用户角色分配程序”,其功能是分配角色予用户,UR-RP程序结合PRAP和URAP实施多策略集成。这个授权框架有下列优点:
—由于该框架的管理机制是基于RBAC,所以它易于进一步扩展与精化;
—因为这个框架是基于逻辑程序的,所以它是柔性的。使用RBAC组织策略规范中的规则可强化规范的结构;
—框架中的组件模块能充分利用已有理论的优点。例如,PRAP对角色、客体与权限使用Bertino99框架中的精细粒度和结构化的遗传机制,URAP对用户利用FAF理论中的多重冲突消解与决策策略,UR-RP显式地体现出RBAC中会话功能;
—各组件模块在一个统一的框架下独立地实施策略并进行交互。事实上这种实施和交互功能是基于逻辑程序的结合;
—由于非单调理论应用于我们的授权框架,所以我们能应用信念修改来实现现实世界中的柔性策略。
上面所有结果无论在理论还是实践方面都是有价值的,同时也是我们进一步研究柔性访问控制的基础。
Information security is a realm in trusted computing,and access control plays an important role in overall information security.Access control is to protect the data and resources maintained by a security system against unauthorized disclosure or improper modifications,while at the same time ensuring their availability to legitimate users.The development process of an access control system is usually carried out with a multi-phase approach based on the concepts of security policy,security model and security mechanism.
However,the definition of an access control policy/model is far from being a trivial process.The most major difficulty lies in the interpretation of real-world security policies(often complex and sometimes ambiguous) and their translation in well defined and unambiguous rules,which are easily implemented by a computer system.With the development of access control theory and security requirements in many emerging applications,nowadays,expressiveness and flexibility have been become top requirements for an access control system together with,and usually in conflict with,simplicity and efficiency,that is,a modern access control policy needs to be flexible enough to capture security requirements in real world scenarios.This is why we study the flexible access control.
Our flexible access control mainly refers to three aspects:flexible authorizations,logic based formalization,and integration of policies,which obtain a significant attention and also reflect the development tendency of the current access control.It has been investigated in this dissertation that how to specify flexible access control policies in real world using the powerful expressiveness and computation of logic programs,how to deal with conflicts in flexible access controls,how to balance expressiveness,simplicity and efficiency in flexible access control specifications,how to make use of common reasoning(i.e.,non-monotonic reasoning) to express the flexible characteristics, and how to integrate the advantages in the prevailing flexible access control theories on the basis of a unified framework.The dissertation focuses on the following several problems:the concept of flexible access control;the flexibility of role based access control(RBAC);conflict resolution strategy in flexible access control policy;design and analysis of the flexible authorization framework based on logic programs.
By careful investigation of the above problems,the following results and contributions based on the four aspects have been obtained.
(1) Knowledge and specification of the flexible access control To our best knowledge,the concept of flexible access control has not been specified definitely and summarized so far.We think that the meaning of flexible access control is ambiguous and evolving.We can simply view it as multi-attributes and multi-domains,which are traditional and classical,but today's flexible access control may refer to trust management,trust negotiation etc.Therefore inducing concepts and describing characteristics are necessary for flexible access controls.Further,we analyzed several problems about how to use logic programs to represent the flexible access control policies.Especially,we analyzed how to the "flexible" features are specified via logic rules.We also exploited the several prevailing framework theories for the next investigation. Thus,the following consequences have been acquired:
-- The conceptual extension of flexible access controls is induced as:
a) Expression from explicit to implicit;
b) Determination from identity to attribute;
c) Update from static to dynamic;
d) Enforcement from single to compositional;
e) Environment from close to open.
-- The characteristics of flexible access controls are summarized as:
a) Conditions(referring to system,context,history and so on);
b) Hierarchies(include Subject,Object,Privilege and Role);
c) Positive and negative authorizations;
d) Attributes based specifications;
e) Dynamic environments;
f) Authorization derivations.
-- The structural features of logic programs can specify the responding properties of security requirements,at the same time,also determine the semantics computation of the logic programs.
-- Several prevailing authorization frameworks are complementary and cross between advantages and disadvantages.This gives us the space for further study.
(2) Flexibility of RBAC Model
Based on analyzing the flexibility of RBAC,we have proposed the problem:a formal analysis for implementing LBAC in RBAC,which refers to how to implement lattice-based access control(LBAC) policy using the mechanisms of RBAC.Although there have been some researches on the relationships between LBAC and RBAC,these researches are non-formal.Our investigation is based on the formal method related to the ideas of relation,homomorphism and logic etc.
The research has the following main contributions:
-- The formal analysis shows how to use the RBAC framework to validate the key LBAC policies,suggesting that RBAC has a good role to play in unifying the formal treatment of a range of LBAC systems.
-- The research can conclude that several studied lattice-based access control policies can be carried out in RBAC,and that the mechanism of managing access control in RBAC can be clearly exploited.
-- Through using one security model as a unifying principle for studying others, we have possibility to explore a way for reasoning about combinations of security policies.
(3) Conflict resolution strategy with preference
To our best knowledge,there are little conflict resolution polices with literal preference applied to access control.In terms of the principles of conflicts resolutions,we have researched the problem:Conflicts Resolution with LPOD Program,where rules with LPOD(Logic Program with Ordered Disjunction) are applied to solve conflicts.Our method has the following advantages:
-- The method is a conflict resolution with preference.It is based on literals and dependent-context,different from rule priority and organization based strategy. Thus decision of this method is fine-grain;
-- The semantics of LPOD program is not a stable model,but its semantic computation can transform into stable model.Therefore,it is novel.
-- The criteria of selecting answer sets are more flexible and well accommodating to practical requirements.
(4) Flexible authorization framework based on logic programs Our proposed authorization framework is composed of the programs of three main parts:PRAP module,URAP module and UR-RP authorization policy module,where PRAP means Privilege Role Assignment Program that is in charge of assigning privileges to roles;URAP expresses User Role Assignment Program whose function is the assignment of roles to users;UR-RP program combine PRAP and URAP for implementing the integration of multiple policies. The framework has the following advantages:
-- As the administrative mechanism of the framework is based on RBAC,it may be easily further extended and refined.
-- Since the framework is specified by logic programs,it is flexible.Using RBAC to organize the rules in a specification may enhance the construction of the specification.
-- The component modules can adopt the advantages of the theories in the literature.For instance,PRAP makes use of the fine-grained and structural propagation mechanism in Bertino99 Framework for roles,objects and privileges;URAP employs the multiple conflict resolution and decision policies in FAF for users.UR-RP explicitly facilitates the session like RBAC.
-- The component modules implement independently the policies,and interplay on base of the unifying framework.In fact,the functions of the implementations and interplay are based on the combination of logic programs.
-- Since non-monotonic theory is used in our framework,we can use belief revision to capture flexible policies in real world.
All the above consequences are worthwhile not only in theory but also in practice,and at the same time they are also the foundation of our further study on the flexible access control.
引文
[Abadi and Lamport,1992]M.Abadi and L.Lamport.Composing speci_cations.ACM Transactions on Programming Languages,14(4):160,October 1992.
[Antoniou et al,2006]G.Antoniou,M.Baldoni,P.A.Bonatti,W.Nejdl and D.Olmedilla.Rule-Based Policy Specification.Advances in Information Security,Fol.33,pp1568-2633,Springer US,2006.
[Atzeni et al,1999]P.Atzeni,S.Ceri,S.Paraboschi,and R.Todone.Database Systems.McGraw-Hill,1999.
[Barker,2000]S.Barker.Data protection by logic programming.In Proceedings of 1st International Conference on Computational Logic.LNAI,vol.1861.Springer,Berlin,1300-1314.2000.
[Barker and Stuekey,2004]S.Barker and P.Stuckey.Flexible access control policy specification with constraint logic programming.ACM Trans.on Information and System Security,6(4):501-546,2004.
[Barker,2007]S.Barker.Action-status access control.Symposium on Access Control Models and Technologies,SACMAT'07,June 20-22,2007,Sophia Antipolis,France.Proceedings of the 12th ACM symposium on Access control models and technologies,2007.
[Baral,2003]C.Baral.Knowledge Representation,Reasoning and declarative Problem Solving.Cambridge University Press,2003.
[Bell and LaPadula,1973]D.E.Bell and L.J.LaPadula.Secure Computer Systems:Mathematical Foundations.MITRE Technical Report 2547,Volume Ⅰ,March 1973.
[Bell,1994]D.E.Bell.Modeling the multipolicy machine.In Proc.of the New Security Paradigm Workshop,August 1994.
[Benferhat et al,2003]S.Benferhat,R.El Baida,and F.Cuppens.A Stratification Based Approach for Handling Conflicts in Access Control.In 8th ACM Symposium on Access Control Models and Technologies(SACMAT'03),Lake Come,Italy,June 2003.
[Bertino et al.,1999]E.Bertino,E Buccafurri,E.Ferrari and P.Rullo.A logical framework for reasoning on data access control policies.Proc.Of the 1999IEEE Computer Security Foundations Workshop,1999.
[Bertino,Jajodia and Samarati,1999]E.Bertino,S.Jajodia,and P.Samarati.A Flexible Authorization for Relational Data Management Systems.ACM Transactions on Information Systems,vol.17,no.2,pp.101-140,April 1999.
[Bertino et al.,2000]E.Bertino,P.A.Bonatti,E.Ferrari,M.L.Sapino.Temporal authorization bases:from specification to integration.Journal of Computer Security,8(4),2000.
[Bertino et al.,2002]E.Bertino,B.Catania,E.Ferrari,and P.Perlasca.A system to specify and manage multipolicy access control models.In Proceedings of POLICY 2002.IEEE Computer Society Press,Los Alamitos,CA,116-127,2002.
[Bertino et al.,2003]E.Bertino,B.Catania,E.Ferrad,and P.Perlasca.A Logical Framework for Reasoning about Access Control Models.ACM Transactions on Information and System Security,6(1),February 2003.
[Bertino et al.,2004]E.Bertino,B.Catania,E.Ferrari,and P.Perlasca.On comparing the Expressing Power of Access Control Model.In Foundations of Computer Security(FCS'04),Turku,Finland,July 2004.
[Biba,1977]K.J.Biba.Integrity considerations for secure computer systems.Technical Report TR-3153,The Mitre Corporation,Bedford,MA,April 1977.
[Blaze et al.,1996]M.Blaze,J.Feigenbaum,and J.Lacy.Decentralized trust management.In Proc.of 1996 IEEE Symposium on Security and Privacy,pages 164-173,Oakland,CA,May 1996.
[Bonatti and Samarati,2004]P.Bonatti and P.Samarati.Logic for Authorizations and Security,2004.
[Bonatti and Samarati,2002]Piero Bonatti and Pierangela Samarati.A uniform framework for regulating service access and information release on the web.Journal of Computer Security,10(3):241-272,2002.
[Bonatti et al.,2002]P.Bonatti,S.Capitani,D.Vimercati and P.Samarati.An Algebra for Composing Access Control Policies.ACM Transactions on Information and System Security,5(1):1-35,2002.
[Bonatti et al.,2000]P.Bonatti,S.De Capitani di Vimercati,and P.Samarati. A modular approach to composing access control policies.In Proc.of the Seventh ACM Conference on Computer and Communications Security,Athens,Greece,2000.
[Bonatti and Samarati,2000]P.Bonatti and P.Samarati.Regulating service access and information release on the web.In Proc.of the Seventh ACM Conference on Computer and Communications Security,Athens,Greece,2000,
[Brewer et al.,1989]D.F.C.Brewer and M.J.Nash.The Chinese Wall security policy.In Proc.IEEE Symposium on Security and Privacy,pages 215-228,Oakland,CA,1989.
[Brewka et al.,2004]G.Brewka,I.Niemelii,T.Syrjanen.Logic programs with ordered disjunction.Computational Intelligence 20(2),2004,335-357.
[Brewka,2005]G.Brewka:Answer Sets and Qualitative Decision Making.Synthese 146,2005,171-181.
[Castano et al.,1995]S.Castano,M.G.Fugini,G.Martella,and P.Samarati.Database Security.Addison-Wesley,1995.
[Chinaei and Zhang,2006]Amir H.Chinaei and Huaxin Zhang.Hybrid Authorizations and Conflict Resolution.W.donker and M.Petkovic(Eds.):SDM 2006,LNCS4165,pp.131-145,2006.
[Chinaei et ai.,2007]Amir H.Chinaei and Hamid R.Chinaei,and Frank Wm.Tompa.A unified conflict resolution algorithm.W.donker and M.Petkovic(Eds.):SDM 2007,LNCS4721,pp.1-17,2007.
[Chomicki et al.2000]J.Chomicki,J.Lobo and S.Naqvi.A Logical Programming Approach to Conflict Resolution in Policy Management.Proceedings of International Conference on Principles of Knowledge Representation and Reasoning,pp121-132,2000.
[Clark and Wilson,1987]D.Clark and D.Wilson.A Comparison of Commercial and Military Computer Security Policies.In Proceedings of IEEE Symposium on Security and Privacy(Oakland,CA,May).pp184-194,1987.
[Cuppens et al.,2001]F.Cuppens,L.Cholvy,C.Saurel,and J.Carr'ere.Merging regulations:analysis of a practical example.International Journal of Intelligent Systems,16(11),November 2001.
[Cuppens et al.,2007]F.Cuppens,N.Cuppens-Boulahia and M.Ben Ghorbel.High Level Conflict Management Strategies in Advanced Access Control Models.Electronic Notes in Theoretical Computer Science(ENTCS),Vol.186,pp.3-26,July 2007.
[Crampton,2003]J.Crampton.Specifying and Enforcing Constraints in Role Based Access Control.SACMAT'03,June 2-3,Como,Italy,2003.
[Damiani et al.,2006]E.Damiani,S.Vimercati,and P.Samarati.New Paradigms for access control in open environment.2006.
[Daniel et al.,2006]J.Daniel,F.Kathi,and K.Shriram.Specifying and Reasoning about Dynamic Access Control Policies.2006.
[Dantsin et al.,2001]E.Dantsin,T.Eiter,G.Gottlob and A.Voronkov.Complexity and Expressive Power of Logic Programming.ACM Computing Surveys,Vol.33,No.3,May,pp.374-425,September 2001.
[Davy and Jennings,2007]S.Davy and B.Jennings.Harnessing models for policy conflicts analysis.2007
[Denning,1976]D.E.Denning.A Lattice Model of Secure Information Flow.Comm.ACM.Vol.19,No.5,May,pp.236-243,1976.
[Dougherty et al.,2006]D.J.Dougherty,K.Fisler,and S.Krishnamurthi.Specifying and Reasoning about Dynamic Access-Control Policies.International Joint Conference on Automated Reasoning,2006.
[Farrell and Housley,2002]S.Farrell and R.Housley.An intemet attribute certificate profile for authorization.RFC 3281,April 2002.
[Fernandez et al.,1994]E.Fernandez,E.Gudes and H.Song.A model for evaluation and administration of security in object-oriented databases.IEEE Transaction on Knowledge and Data Engineering,Vol.6,No.2,pp.275-292,1994.
[Ferraiolo et al.,2001]D.F.Ferraiolo,R.Sandhu,and S.Gavrila,D.R.Kunhnand R.Chandramouli.Proposed NIST Standard for Role-Based Access Control.ACM Transactions on Information and System Security,Vol.4,No.3,August 2001.
[Graham and Denning,1972]G.S.Graham and P.J.Denning.Protection:principles and practice.In AFIPS Press,editor,Proc.Spring Jt.Computer Conference,volume 40,pages 417-429,Montvale,N.J.,1972.
[Harrison,1985]M.A.Harrison.Theoretical issues concerning protection in operating systems.In M.C.Yovits,editor,Advances in Computers,volume 24,pp61-100.Academic Press,1985.
[Harrison et al.,1976]M.H.Harrison,W.L.Ruzzo,and J.D.Ullman.Protection in operating systems.Communications of the ACM,19(8):461-471,1976.
[Halpern and Weissman,2006]J.Y.Halpem,and V.Weissman.Using First-Order Logic to Reason about Policies.ACM Transactions on Computational Logic,Vol.V,No.N,May 2006.
[Hosmer,1992]H.Hosmer Metapolicies ii.In Proc.of the 15th National Computer Security Conference,1992.
[Howard et al.,1988]J.H.Howard,M.L.Kazar,S.G.Menees,D.A.Nichols,M.Satyanarayanan,R.N.Sidebotham,and M.J.West.Scale and Performance in a Distributed File System,ACM Transactions on Computer Systems,vol.6,no.1,pp.51-81,1988.
[Hu et al.,2006]V.Hu,D.R.Kuhn,and D.Ferraiolo.The Computational Complexity of Enforceability Validation for Generic Access Control Rules.Proceedings IEEE SUTC2006 Conference,Taichung,Taiwan 2006.
[Jaeger,2001]T.Jaeger.Access control in configurable systems.Lecture Notes in Computer Science,1603:289{316,2001.
[Jaeger et al.,2004]T.Jaeger,R.Sailer and X.Zhang.Resolving Constraint Conflicts.SACMAT'04,June 2-4,2004.
[Jajodia et al.,2001]S.Jajodia,P.Samarati,M.Sapino,and V.Subrahmaninan.Flexible support for multiple access control policies.ACM TODS 26,2,214-260,2001.
[Jonathan and Morris,1993]D.Jonathan,and S.Morris.Policy Conflict Analysis in Distributed System Management.Journal of Organizational Computer,1993.
[Lampson,1974]B.W.Lampson.Protection.In 5th Princeton Symposium on Information Science and Systems,pages 437-443,1971.Reprinted in ACM Operating Systems Review 8(1):18-24,1974.
[LaPadula and Bell,1973]Leonard J.LaPadula and D.Elliott Bell.Secure Computer Systems:A Mathematical Model.MITRE Technical Report 2547,Volume Ⅱ,May 1973.
[Lee,1988]T.Lee.Using Mandatory Integrity to Enforce "commercial"Security.In Proceedings of IEEE Symposium on Security and Privacy(Oakland,CA).pp140-146,1988.
[Leone and Rossi,1993]N.Leone and G.Rossi.Well-founded semantics and stratification for ordered logic programs.New Generation Computing,Vol.12,N.1,Springer-Verlag,pp.91-121,November 1993.
[Leone and Rullo,1993]N.Leone and P.Rullo.Ordered logic programming with sets.Journal of Logic and Computation,3(6):621-642,Oxford University Press,December 1993.
[Li et al.,1999]N.Li,J.Feigenbaum,and B.Grosof.A logic-based knowledge representation for authorization with delegation.In Proc.of the 12th IEEE Computer Security Foundations Workshop,pages 162-174,July 1999.
[Li and John,2003]N.Li,C.John.Mitchell.Datalog with Constraints:A Foundation for Trust Management Languages.2003.
[Li et al.,2002]Ninghui Li,John C.Mitchell,and William H.Winsborough.Design of a role based trust management framework.In Proc.IEEE Symposium on Security and Privacy,Oakland,May 2002.
[Lunt,1988]T.Lunt.Access control policies:Some unanswered questions.In IEEE Computer Security Foundations Workshop Ⅱ,pages 227-245,Franconia,NH,June 1988.
[McLean,1988]J.McLean.The algebra of security.In Proc.of the 1988 IEEE Computer Society Symposium on Security and Privacy,Oakland,CA,USA,April 1988.
[Moffett and Sloman,1994]J.D.Moffett and M.S.Sloman.Policy Conflict Analysis in Distributed Systems Management.Journal of Organizational Computing,1994.
[Marek and Truszczynski,1991]W.Marek and M.Truszczynski.Computing intersection of autoepistemic Expansions.Proc.of the 1st Int.Workshop on Logic Programming and Non Monotonic Reasoning,pp.37-50,1991.
[Mingyi Zhang,1996]Mingyi Zhang.A new research into default logic.Information and computation,129(2),1996:73-85.
[Nyanchama and Osborn,1996]M.Nyanchama and S.Osborn.Modeling Mandatory Access Control in Role-based Security Systems.In Database Security Ⅷ:Status and Prospects.Chapman and Hall,Ltd.,London,UK,pp129-144,1996.
[Osborn,1997]S.Osborn.Mandatory Access Control and Role-based Access Control Revisited.In Proceedings of the Second ACM Workshop on Role-based Access Control(RBAC '97,Fairfax,VA,Nov.6-7),C.Youman,E.Coyne,and T.Jaeger,Chairs.ACM Press,New York,NY,31-40,1997.
[Osborn et al.,2000]S.Osborn,R.Sandhu and Q.Munawer.Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies.ACM Transactions on Information and System Security,Vol.3,No.2,May,pp85-106,2000.
[Osborn,2002]S,L.Osborn.Information Flow Analysis of an RBAC System.SACMAT'O2,june 3-4,Monterey,California,USA,2002.
[OASIS,2005]OASIS.eXtensible Access Control Markup Language(XACML)Version 2.0,2005.http://www.oasis-open.org/committees/xacml.
[Palopoli and Zaniolo,1996]L.Palopoli and C.Zaniolo.Polynomial Time Computable Stable Models.Annals of Mathematics and Artificial Intelligence,17(3,4):261-290,1996.
[Park and Sandhu,2004]J.Park and R.Sandhu.The UCONABC Usage Control Model.ACM Transactions on information and Systems Security,Feb.,2004.
[Pfleeger,1997]C.P.Pfleeger.Security in Computing.Prentice Hall,New Jersey,1997.
[Reiter,1980]R.Reiter.A logic for default reasoning.Artificial Intelligence,13(1-2):81-132,April 1980.
[Robert,1990]W.Baldwin Robert.Naming and grouping privileges to simplify security management in large database.In Proceedings IEEE Computer Society
Symposium on Research in Security and Privacy,pages 61-70,Oakland,CA,April 1990.
[Sacca and Zaniolo,1990]D.Sacca,C.Zaniolo.Partial stable models,stable models and non-determinism in logic programs with negation.Proc.of ACM-PODS,1990.
[Samarati and Vimercati,2001]P.Samarati and S.Vimercati.Access control: Policies,Models,and Mechanisms.In R.Focardi and R.Gorrieri,editors,Foundations of Security Analysis and Design,LNCS 2171.Springer-Verlag,2001.
[Sandhu,1992]R.S.Sandhu.The typed access matrix model.In Proc.of 1992IEEE Symposium on Security and Privacy,pages 122-136,Oakland,CA,May 1992.
[Sandhu,1993]R.S.Sandhu.Lattice-based Access Control Models.IEEE Computer 26,11,9-19.1993.
[Sandhu et al.,1996]R.Sandhu,E.Coyne,H.Feinstein,and C.Youman.Rolebased access control models.IEEE Computer 29,2,38-47.1996.
[Sandhu and Munawer,1998]R.Sandhu and Q.Munawer.How to do Discretionary Access Control using Roles.In Proceedings of the Third ACM Workshop on Role-Based Access Control(RBAC'98,Fairfax,VA,Oct.22-23),C.Youman and T.Jaeger,Chairs.ACM Press,New York,NY,pp47-54,1998.
[Sandhu and Munawer,1999]R.Sandhu and Q.Munawer.The ARBAC99model for administration of roles.In Proc.Of the 15th Annual Computer Security Applications Conference,Phoenix,Arizona,December 1999.
[Sandhu et al.,2000]R.Sandhu,D.Ferraiolo,and R.Kuhn.The NIST model for role-based access control:Towards a unified standard.In Proceedings of 4th ACM Workshop on Role-Based Access Control,47-61.2000.
[Sandhu,2004]R.Sandhu.A Perspective on Graphs and Access Control Models.H.Ehrig et al.(Eds.):ICGT 2004,LNCS 3256,pp.2-12,2004.Springer-Verlag Berlin Heidelberg 2004.
[Sheng et al.,2004]Ke-jun SHENG,Ji-qiang LIU and Xin LIU.Organization Structure Based Access Control Model.InfoSecu04,November 14-16,Pudong,Shanghai,China,2004.
[Vimercati et al.,2003]S.Vimercati,S.Paraboschi and P.Samarati.Access Control:principles and solutions.SOFTWARE-PRACTICE AND EXPERIENCE Sofw.Pract.Exper.2003;33.397-421.
[Vimercati et al.2005]S.Vimercati,P.Samarati and S.Jajodia.Policies,Models,and Languages for Access Control.S.Bhalla(Ed.):DNIS 2005,LNCS 3433,225-237,2005.
[Vimercati et al.2006]S.Vimercati,S.Foresti,S.Jajodia and P.Samarati. Access Control Policies and Languages in Open Environments.2006.
[Vimercati and Samarati.2004]S.Vimercati and P.Samarati.New directions in access control.2004.
[Vimereati et al.2007]S.Vimercati,P.Samarati and S.Jajodia.Access control policies and languages,Int.J.Computational Science and Engineering,Vol.3,No.2,2007.
[Wang et al.,2004]L.Wang,D.Wijesekera,and S.Jajodia.A logic-based framework for attribute based access control.In Proc.of the 2004 ACM Workshop on Formal Methods in Security Engineering,Washington DC,USA,October 2004.
[Wijesekera and Jajodia,2003]D.Wijesekera,and S.Jajodia.A propositional policy algebra for access control.ACM Transactions on Information and System Security,Vol.6,No.2,May,pp286-325,2003.
[Woo and Lain,1993]T.Woo and S.Lam.Authorizations in distributed systems:A new approach.Journal of Computer Security 2,2/3,107-136,1993.
[Xinwen Zhang et al.,2005]Xinwen Zhang,Yingjiu Li and Divya Nalla.An Attribute-Based Access Matrix Model.SAC'05,March 13-17,Santa Fe,New Mexico,USA,2005.
[Xinwen Zhang et al.,2008]Xinwen Zhang,M.Nakae,J.Covington and R.Sandhu.Toward a Usage-Based Security Framework for Collaborative Computing Systems.ACM Transactions on Information and System Security,Vol.11,No.1,Article 3,Pub date:February 2008.
[Yu et al.,2000]T.Yu,X.Ma,and M.Winslett.An efficient complete strategy for automated trust negotiation over the internet.In Proceedings of 7th ACM Computer and Communication Security,Athens,Greece,November 2000.
[Yu el al.,2003]T.Yu,M.Winslett,and K.E.Seamons.Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation.ACM Transactions on Information and System Security (TISSEC),6(1):1-42,2003.
[Zhang and Sandhu,2006]Xinwen ZHANG and Ravi Sandhu.Safety Analysis of Usage Control Authorization Models.ASIACCS'06 March 21-24,Taipei,Taiwan,2006.
[Antoniou et al,2006]G.Antoniou,M.Baldoni,P.A.Bonatti,W.Nejdl and D.Olmedilla.Rule-Based Policy Specification.Advances in Information Security,Fol.33,pp1568-2633,Springer US,2006.
[Atzeni et al,1999]P.Atzeni,S.Ceri,S.Paraboschi,and R.Todone.Database Systems.McGraw-Hill,1999.
[Barker,2000]S.Barker.Data protection by logic programming.In Proceedings of 1st International Conference on Computational Logic.LNAI,vol.1861.Springer,Berlin,1300-1314.2000.
[Barker and Stuekey,2004]S.Barker and P.Stuckey.Flexible access control policy specification with constraint logic programming.ACM Trans.on Information and System Security,6(4):501-546,2004.
[Barker,2007]S.Barker.Action-status access control.Symposium on Access Control Models and Technologies,SACMAT'07,June 20-22,2007,Sophia Antipolis,France.Proceedings of the 12th ACM symposium on Access control models and technologies,2007.
[Baral,2003]C.Baral.Knowledge Representation,Reasoning and declarative Problem Solving.Cambridge University Press,2003.
[Bell and LaPadula,1973]D.E.Bell and L.J.LaPadula.Secure Computer Systems:Mathematical Foundations.MITRE Technical Report 2547,Volume Ⅰ,March 1973.
[Bell,1994]D.E.Bell.Modeling the multipolicy machine.In Proc.of the New Security Paradigm Workshop,August 1994.
[Benferhat et al,2003]S.Benferhat,R.El Baida,and F.Cuppens.A Stratification Based Approach for Handling Conflicts in Access Control.In 8th ACM Symposium on Access Control Models and Technologies(SACMAT'03),Lake Come,Italy,June 2003.
[Bertino et al.,1999]E.Bertino,E Buccafurri,E.Ferrari and P.Rullo.A logical framework for reasoning on data access control policies.Proc.Of the 1999IEEE Computer Security Foundations Workshop,1999.
[Bertino,Jajodia and Samarati,1999]E.Bertino,S.Jajodia,and P.Samarati.A Flexible Authorization for Relational Data Management Systems.ACM Transactions on Information Systems,vol.17,no.2,pp.101-140,April 1999.
[Bertino et al.,2000]E.Bertino,P.A.Bonatti,E.Ferrari,M.L.Sapino.Temporal authorization bases:from specification to integration.Journal of Computer Security,8(4),2000.
[Bertino et al.,2002]E.Bertino,B.Catania,E.Ferrari,and P.Perlasca.A system to specify and manage multipolicy access control models.In Proceedings of POLICY 2002.IEEE Computer Society Press,Los Alamitos,CA,116-127,2002.
[Bertino et al.,2003]E.Bertino,B.Catania,E.Ferrad,and P.Perlasca.A Logical Framework for Reasoning about Access Control Models.ACM Transactions on Information and System Security,6(1),February 2003.
[Bertino et al.,2004]E.Bertino,B.Catania,E.Ferrari,and P.Perlasca.On comparing the Expressing Power of Access Control Model.In Foundations of Computer Security(FCS'04),Turku,Finland,July 2004.
[Biba,1977]K.J.Biba.Integrity considerations for secure computer systems.Technical Report TR-3153,The Mitre Corporation,Bedford,MA,April 1977.
[Blaze et al.,1996]M.Blaze,J.Feigenbaum,and J.Lacy.Decentralized trust management.In Proc.of 1996 IEEE Symposium on Security and Privacy,pages 164-173,Oakland,CA,May 1996.
[Bonatti and Samarati,2004]P.Bonatti and P.Samarati.Logic for Authorizations and Security,2004.
[Bonatti and Samarati,2002]Piero Bonatti and Pierangela Samarati.A uniform framework for regulating service access and information release on the web.Journal of Computer Security,10(3):241-272,2002.
[Bonatti et al.,2002]P.Bonatti,S.Capitani,D.Vimercati and P.Samarati.An Algebra for Composing Access Control Policies.ACM Transactions on Information and System Security,5(1):1-35,2002.
[Bonatti et al.,2000]P.Bonatti,S.De Capitani di Vimercati,and P.Samarati. A modular approach to composing access control policies.In Proc.of the Seventh ACM Conference on Computer and Communications Security,Athens,Greece,2000.
[Bonatti and Samarati,2000]P.Bonatti and P.Samarati.Regulating service access and information release on the web.In Proc.of the Seventh ACM Conference on Computer and Communications Security,Athens,Greece,2000,
[Brewer et al.,1989]D.F.C.Brewer and M.J.Nash.The Chinese Wall security policy.In Proc.IEEE Symposium on Security and Privacy,pages 215-228,Oakland,CA,1989.
[Brewka et al.,2004]G.Brewka,I.Niemelii,T.Syrjanen.Logic programs with ordered disjunction.Computational Intelligence 20(2),2004,335-357.
[Brewka,2005]G.Brewka:Answer Sets and Qualitative Decision Making.Synthese 146,2005,171-181.
[Castano et al.,1995]S.Castano,M.G.Fugini,G.Martella,and P.Samarati.Database Security.Addison-Wesley,1995.
[Chinaei and Zhang,2006]Amir H.Chinaei and Huaxin Zhang.Hybrid Authorizations and Conflict Resolution.W.donker and M.Petkovic(Eds.):SDM 2006,LNCS4165,pp.131-145,2006.
[Chinaei et ai.,2007]Amir H.Chinaei and Hamid R.Chinaei,and Frank Wm.Tompa.A unified conflict resolution algorithm.W.donker and M.Petkovic(Eds.):SDM 2007,LNCS4721,pp.1-17,2007.
[Chomicki et al.2000]J.Chomicki,J.Lobo and S.Naqvi.A Logical Programming Approach to Conflict Resolution in Policy Management.Proceedings of International Conference on Principles of Knowledge Representation and Reasoning,pp121-132,2000.
[Clark and Wilson,1987]D.Clark and D.Wilson.A Comparison of Commercial and Military Computer Security Policies.In Proceedings of IEEE Symposium on Security and Privacy(Oakland,CA,May).pp184-194,1987.
[Cuppens et al.,2001]F.Cuppens,L.Cholvy,C.Saurel,and J.Carr'ere.Merging regulations:analysis of a practical example.International Journal of Intelligent Systems,16(11),November 2001.
[Cuppens et al.,2007]F.Cuppens,N.Cuppens-Boulahia and M.Ben Ghorbel.High Level Conflict Management Strategies in Advanced Access Control Models.Electronic Notes in Theoretical Computer Science(ENTCS),Vol.186,pp.3-26,July 2007.
[Crampton,2003]J.Crampton.Specifying and Enforcing Constraints in Role Based Access Control.SACMAT'03,June 2-3,Como,Italy,2003.
[Damiani et al.,2006]E.Damiani,S.Vimercati,and P.Samarati.New Paradigms for access control in open environment.2006.
[Daniel et al.,2006]J.Daniel,F.Kathi,and K.Shriram.Specifying and Reasoning about Dynamic Access Control Policies.2006.
[Dantsin et al.,2001]E.Dantsin,T.Eiter,G.Gottlob and A.Voronkov.Complexity and Expressive Power of Logic Programming.ACM Computing Surveys,Vol.33,No.3,May,pp.374-425,September 2001.
[Davy and Jennings,2007]S.Davy and B.Jennings.Harnessing models for policy conflicts analysis.2007
[Denning,1976]D.E.Denning.A Lattice Model of Secure Information Flow.Comm.ACM.Vol.19,No.5,May,pp.236-243,1976.
[Dougherty et al.,2006]D.J.Dougherty,K.Fisler,and S.Krishnamurthi.Specifying and Reasoning about Dynamic Access-Control Policies.International Joint Conference on Automated Reasoning,2006.
[Farrell and Housley,2002]S.Farrell and R.Housley.An intemet attribute certificate profile for authorization.RFC 3281,April 2002.
[Fernandez et al.,1994]E.Fernandez,E.Gudes and H.Song.A model for evaluation and administration of security in object-oriented databases.IEEE Transaction on Knowledge and Data Engineering,Vol.6,No.2,pp.275-292,1994.
[Ferraiolo et al.,2001]D.F.Ferraiolo,R.Sandhu,and S.Gavrila,D.R.Kunhnand R.Chandramouli.Proposed NIST Standard for Role-Based Access Control.ACM Transactions on Information and System Security,Vol.4,No.3,August 2001.
[Graham and Denning,1972]G.S.Graham and P.J.Denning.Protection:principles and practice.In AFIPS Press,editor,Proc.Spring Jt.Computer Conference,volume 40,pages 417-429,Montvale,N.J.,1972.
[Harrison,1985]M.A.Harrison.Theoretical issues concerning protection in operating systems.In M.C.Yovits,editor,Advances in Computers,volume 24,pp61-100.Academic Press,1985.
[Harrison et al.,1976]M.H.Harrison,W.L.Ruzzo,and J.D.Ullman.Protection in operating systems.Communications of the ACM,19(8):461-471,1976.
[Halpern and Weissman,2006]J.Y.Halpem,and V.Weissman.Using First-Order Logic to Reason about Policies.ACM Transactions on Computational Logic,Vol.V,No.N,May 2006.
[Hosmer,1992]H.Hosmer Metapolicies ii.In Proc.of the 15th National Computer Security Conference,1992.
[Howard et al.,1988]J.H.Howard,M.L.Kazar,S.G.Menees,D.A.Nichols,M.Satyanarayanan,R.N.Sidebotham,and M.J.West.Scale and Performance in a Distributed File System,ACM Transactions on Computer Systems,vol.6,no.1,pp.51-81,1988.
[Hu et al.,2006]V.Hu,D.R.Kuhn,and D.Ferraiolo.The Computational Complexity of Enforceability Validation for Generic Access Control Rules.Proceedings IEEE SUTC2006 Conference,Taichung,Taiwan 2006.
[Jaeger,2001]T.Jaeger.Access control in configurable systems.Lecture Notes in Computer Science,1603:289{316,2001.
[Jaeger et al.,2004]T.Jaeger,R.Sailer and X.Zhang.Resolving Constraint Conflicts.SACMAT'04,June 2-4,2004.
[Jajodia et al.,2001]S.Jajodia,P.Samarati,M.Sapino,and V.Subrahmaninan.Flexible support for multiple access control policies.ACM TODS 26,2,214-260,2001.
[Jonathan and Morris,1993]D.Jonathan,and S.Morris.Policy Conflict Analysis in Distributed System Management.Journal of Organizational Computer,1993.
[Lampson,1974]B.W.Lampson.Protection.In 5th Princeton Symposium on Information Science and Systems,pages 437-443,1971.Reprinted in ACM Operating Systems Review 8(1):18-24,1974.
[LaPadula and Bell,1973]Leonard J.LaPadula and D.Elliott Bell.Secure Computer Systems:A Mathematical Model.MITRE Technical Report 2547,Volume Ⅱ,May 1973.
[Lee,1988]T.Lee.Using Mandatory Integrity to Enforce "commercial"Security.In Proceedings of IEEE Symposium on Security and Privacy(Oakland,CA).pp140-146,1988.
[Leone and Rossi,1993]N.Leone and G.Rossi.Well-founded semantics and stratification for ordered logic programs.New Generation Computing,Vol.12,N.1,Springer-Verlag,pp.91-121,November 1993.
[Leone and Rullo,1993]N.Leone and P.Rullo.Ordered logic programming with sets.Journal of Logic and Computation,3(6):621-642,Oxford University Press,December 1993.
[Li et al.,1999]N.Li,J.Feigenbaum,and B.Grosof.A logic-based knowledge representation for authorization with delegation.In Proc.of the 12th IEEE Computer Security Foundations Workshop,pages 162-174,July 1999.
[Li and John,2003]N.Li,C.John.Mitchell.Datalog with Constraints:A Foundation for Trust Management Languages.2003.
[Li et al.,2002]Ninghui Li,John C.Mitchell,and William H.Winsborough.Design of a role based trust management framework.In Proc.IEEE Symposium on Security and Privacy,Oakland,May 2002.
[Lunt,1988]T.Lunt.Access control policies:Some unanswered questions.In IEEE Computer Security Foundations Workshop Ⅱ,pages 227-245,Franconia,NH,June 1988.
[McLean,1988]J.McLean.The algebra of security.In Proc.of the 1988 IEEE Computer Society Symposium on Security and Privacy,Oakland,CA,USA,April 1988.
[Moffett and Sloman,1994]J.D.Moffett and M.S.Sloman.Policy Conflict Analysis in Distributed Systems Management.Journal of Organizational Computing,1994.
[Marek and Truszczynski,1991]W.Marek and M.Truszczynski.Computing intersection of autoepistemic Expansions.Proc.of the 1st Int.Workshop on Logic Programming and Non Monotonic Reasoning,pp.37-50,1991.
[Mingyi Zhang,1996]Mingyi Zhang.A new research into default logic.Information and computation,129(2),1996:73-85.
[Nyanchama and Osborn,1996]M.Nyanchama and S.Osborn.Modeling Mandatory Access Control in Role-based Security Systems.In Database Security Ⅷ:Status and Prospects.Chapman and Hall,Ltd.,London,UK,pp129-144,1996.
[Osborn,1997]S.Osborn.Mandatory Access Control and Role-based Access Control Revisited.In Proceedings of the Second ACM Workshop on Role-based Access Control(RBAC '97,Fairfax,VA,Nov.6-7),C.Youman,E.Coyne,and T.Jaeger,Chairs.ACM Press,New York,NY,31-40,1997.
[Osborn et al.,2000]S.Osborn,R.Sandhu and Q.Munawer.Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies.ACM Transactions on Information and System Security,Vol.3,No.2,May,pp85-106,2000.
[Osborn,2002]S,L.Osborn.Information Flow Analysis of an RBAC System.SACMAT'O2,june 3-4,Monterey,California,USA,2002.
[OASIS,2005]OASIS.eXtensible Access Control Markup Language(XACML)Version 2.0,2005.http://www.oasis-open.org/committees/xacml.
[Palopoli and Zaniolo,1996]L.Palopoli and C.Zaniolo.Polynomial Time Computable Stable Models.Annals of Mathematics and Artificial Intelligence,17(3,4):261-290,1996.
[Park and Sandhu,2004]J.Park and R.Sandhu.The UCONABC Usage Control Model.ACM Transactions on information and Systems Security,Feb.,2004.
[Pfleeger,1997]C.P.Pfleeger.Security in Computing.Prentice Hall,New Jersey,1997.
[Reiter,1980]R.Reiter.A logic for default reasoning.Artificial Intelligence,13(1-2):81-132,April 1980.
[Robert,1990]W.Baldwin Robert.Naming and grouping privileges to simplify security management in large database.In Proceedings IEEE Computer Society
Symposium on Research in Security and Privacy,pages 61-70,Oakland,CA,April 1990.
[Sacca and Zaniolo,1990]D.Sacca,C.Zaniolo.Partial stable models,stable models and non-determinism in logic programs with negation.Proc.of ACM-PODS,1990.
[Samarati and Vimercati,2001]P.Samarati and S.Vimercati.Access control: Policies,Models,and Mechanisms.In R.Focardi and R.Gorrieri,editors,Foundations of Security Analysis and Design,LNCS 2171.Springer-Verlag,2001.
[Sandhu,1992]R.S.Sandhu.The typed access matrix model.In Proc.of 1992IEEE Symposium on Security and Privacy,pages 122-136,Oakland,CA,May 1992.
[Sandhu,1993]R.S.Sandhu.Lattice-based Access Control Models.IEEE Computer 26,11,9-19.1993.
[Sandhu et al.,1996]R.Sandhu,E.Coyne,H.Feinstein,and C.Youman.Rolebased access control models.IEEE Computer 29,2,38-47.1996.
[Sandhu and Munawer,1998]R.Sandhu and Q.Munawer.How to do Discretionary Access Control using Roles.In Proceedings of the Third ACM Workshop on Role-Based Access Control(RBAC'98,Fairfax,VA,Oct.22-23),C.Youman and T.Jaeger,Chairs.ACM Press,New York,NY,pp47-54,1998.
[Sandhu and Munawer,1999]R.Sandhu and Q.Munawer.The ARBAC99model for administration of roles.In Proc.Of the 15th Annual Computer Security Applications Conference,Phoenix,Arizona,December 1999.
[Sandhu et al.,2000]R.Sandhu,D.Ferraiolo,and R.Kuhn.The NIST model for role-based access control:Towards a unified standard.In Proceedings of 4th ACM Workshop on Role-Based Access Control,47-61.2000.
[Sandhu,2004]R.Sandhu.A Perspective on Graphs and Access Control Models.H.Ehrig et al.(Eds.):ICGT 2004,LNCS 3256,pp.2-12,2004.Springer-Verlag Berlin Heidelberg 2004.
[Sheng et al.,2004]Ke-jun SHENG,Ji-qiang LIU and Xin LIU.Organization Structure Based Access Control Model.InfoSecu04,November 14-16,Pudong,Shanghai,China,2004.
[Vimercati et al.,2003]S.Vimercati,S.Paraboschi and P.Samarati.Access Control:principles and solutions.SOFTWARE-PRACTICE AND EXPERIENCE Sofw.Pract.Exper.2003;33.397-421.
[Vimercati et al.2005]S.Vimercati,P.Samarati and S.Jajodia.Policies,Models,and Languages for Access Control.S.Bhalla(Ed.):DNIS 2005,LNCS 3433,225-237,2005.
[Vimercati et al.2006]S.Vimercati,S.Foresti,S.Jajodia and P.Samarati. Access Control Policies and Languages in Open Environments.2006.
[Vimercati and Samarati.2004]S.Vimercati and P.Samarati.New directions in access control.2004.
[Vimereati et al.2007]S.Vimercati,P.Samarati and S.Jajodia.Access control policies and languages,Int.J.Computational Science and Engineering,Vol.3,No.2,2007.
[Wang et al.,2004]L.Wang,D.Wijesekera,and S.Jajodia.A logic-based framework for attribute based access control.In Proc.of the 2004 ACM Workshop on Formal Methods in Security Engineering,Washington DC,USA,October 2004.
[Wijesekera and Jajodia,2003]D.Wijesekera,and S.Jajodia.A propositional policy algebra for access control.ACM Transactions on Information and System Security,Vol.6,No.2,May,pp286-325,2003.
[Woo and Lain,1993]T.Woo and S.Lam.Authorizations in distributed systems:A new approach.Journal of Computer Security 2,2/3,107-136,1993.
[Xinwen Zhang et al.,2005]Xinwen Zhang,Yingjiu Li and Divya Nalla.An Attribute-Based Access Matrix Model.SAC'05,March 13-17,Santa Fe,New Mexico,USA,2005.
[Xinwen Zhang et al.,2008]Xinwen Zhang,M.Nakae,J.Covington and R.Sandhu.Toward a Usage-Based Security Framework for Collaborative Computing Systems.ACM Transactions on Information and System Security,Vol.11,No.1,Article 3,Pub date:February 2008.
[Yu et al.,2000]T.Yu,X.Ma,and M.Winslett.An efficient complete strategy for automated trust negotiation over the internet.In Proceedings of 7th ACM Computer and Communication Security,Athens,Greece,November 2000.
[Yu el al.,2003]T.Yu,M.Winslett,and K.E.Seamons.Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation.ACM Transactions on Information and System Security (TISSEC),6(1):1-42,2003.
[Zhang and Sandhu,2006]Xinwen ZHANG and Ravi Sandhu.Safety Analysis of Usage Control Authorization Models.ASIACCS'06 March 21-24,Taipei,Taiwan,2006.