Article

DATALOG with Constraints: A Foundation for Trust Management Languages

Authors:

John C. MitchellAuthors Info & Claims

PADL '03: Proceedings of the 5th International Symposium on Practical Aspects of Declarative Languages

Pages 58 - 73

Published: 13 January 2003 Publication History

Abstract

Trust management (TM) is a promising approach for authorization and access control in distributed systems, based on signed distributed policy statements expressed in a policy language. Although several TM languages are semantically equivalent to subsets of Datalog, Datalog is not sufficiently expressive for fine-grained control of structured resources. We define the class of linearly decomposable unary constraint domains, prove that DATALOG extended with constraints in any combination of such constraint domains is tractable, and show that permissions associated with structured resources fall into this class. We also present a concrete declarative TM language, RT ₁ ^C, based on constraint DATALOG, and use constraint DATALOG to analyze another TM system, KeyNote, which turns out to be less expressive than RT ₁ ^C in significant respects, yet less tractable in the worst case. Although constraint DATALOG has been studied in the context of constraint databases, TM applications involve different kinds of constraint domains and have different computational complexity requirements.

References

[1]

Olav Bandmann and Mads Dam. A note on SPKI's authorization syntax. In Pre-Proceedings of 1st Annual PKI Research Workshop , April 2002. Available from http://www.cs.dartmouth.edu/~pki02/.

[2]

Elisa Bertino, Claudio Bettini, Elena Ferrari, and Pierangela Samarati. An access control model supporting periodicity constraints and temporal reasoning. ACM Transactions on Database Systems , 23(3):231-285, 1998.

[3]

Matt Blaze, Joan Feigenbaum, John Ioannidis, and Angelos D. Keromytis. The KeyNote trust-management system, version 2. IETF RFC 2704, September 1999.

[4]

Matt Blaze, Joan Feigenbaum, and Jack Lacy. Decentralized trust management. In Proceedings of the 1996 IEEE Symposium on Security and Privacy , pages 164-173. IEEE Computer Society Press, May 1996.

[5]

Jan Chomicki, Dina Goldin, Gabriel Kuper, and David Toman. Variable independence in constraint databases, November 2001. In final review for IEEE Transactions on Knowledge and Data Engineering.

[6]

John DeTreville. Binder, a logic-based security language. In Proceedings of the 2002 IEEE Symposium on Security and Privacy , pages 105-113. IEEE Computer Society Press, May 2002.

[7]

Carl Ellison, Bill Frantz, Butler Lampson, Ron Rivest, Brian Thomas, and Tatu Ylonen. SPKI certificate theory. IETF RFC 2693, September 1999.

[8]

Jonathan R. Howell. Naming and sharing resources acroos administrative boundaries . PhD thesis, Dartmouth College, May 2000.

[9]

Joxan Jaffar and Michael J. Maher. Constraint logic programming: A survey. Journal of Logic Programming , 19/20:503-580, 1994.

[10]

Trevor Jim. SD3: A trust management system with certified evaluation. In Proceedings of the 2001 IEEE Symposium on Security and Privacy , pages 106-115. IEEE Computer Society Press, May 2001.

[11]

Paris C. Kanellakis, Gabriel M. Kuper, and Peter Z. Revesz. Constraint query languages. Journal of Computer and System Sciences , 51(1):26-52, August 1995. Preliminary version appeared in Proceedings of the 9th ACM Symposium on Principles of Database Systems (PODS) , 1990.

[12]

Gabriel Kuper, Leonid Libkin, and Jan Paredaens, editors. Constraint Databases . Springer, 2000.

[13]

Ninghui Li, Benjamin N. Grosof, and Joan Feigenbaum. A practically implementable and tractable Delegation Logic. In Proceedings of the 2000 IEEE Symposium on Security and Privacy , pages 27-42. IEEE Computer Society Press, May 2000.

[14]

Ninghui Li, Benjamin N. Grosof, and Joan Feigenbaum. Delegation Logic: A logicbased approach to distributed authorization. ACM Transaction on Information and System Security (TISSEC) , February 2003. To appear.

[15]

Ninghui Li, John C. Mitchell, and William H. Winsborough. Design of a rolebased trust management framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy , pages 114-130. IEEE Computer Society Press, May 2002.

[16]

Ninghui Li, William H. Winsborough, and John C. Mitchell. Distributed credential chain discovery in trust management. To appear in Journal of Computer Security . Extended abstract appeared in Proceedings of the Eighth ACM Conference on Computer and Communications Security (CCS-8) , November 2001.

[17]

Yuri V. Matiyasevich. Hilbert's Tenth Problem . The MIT Press, 1993.

[18]

Peter Z. Revesz. Constraint databases: A survey. In L. Libkin and B. Thalheim, editors, Semantics in Databases , number 1358 in LNCS, pages 209-246. Springer, 1998.

[19]

Peter Z. Revesz. Safe Datalog queries with linear constraints. In Proceedings of the 4th International Conference on Principles and Practice of Constraint Programming (CP98) , number 1520 in LNCS. Springer, 1998.

[20]

David Toman. Memoing evaluation for constraint extensions of Datalog. Constraints: An International Journal , 2:337-359, 1997.

[21]

David Toman and Jan Chomicki. Datalog with integer periodicity constraints. Journal of Logic programming , 35:263-290, 1994.

Cited By

Andersen MKumar SAbdelBaky MFierro GKolb JKim HCuller DPopa RHeninger NTraynor P(2019)WAVEProceedings of the 28th USENIX Conference on Security Symposium10.5555/3361338.3361434(1375-1392)Online publication date: 14-Aug-2019
https://dl.acm.org/doi/10.5555/3361338.3361434
Liu Y(2018)Logic programming applicationsDeclarative Logic Programming10.1145/3191315.3191326(519-548)Online publication date: 1-Sep-2018
https://dl.acm.org/doi/10.1145/3191315.3191326
Guarda PRanise SSiswantoro HBertino ESandhu RWeippl E(2017)Security Analysis and Legal Compliance Checking for the Design of Privacy-friendly Information SystemsProceedings of the 22nd ACM on Symposium on Access Control Models and Technologies10.1145/3078861.3078879(247-254)Online publication date: 7-Jun-2017
https://dl.acm.org/doi/10.1145/3078861.3078879
Show More Cited By

Index Terms

DATALOG with Constraints: A Foundation for Trust Management Languages
1. Information systems
  1. Data management systems
    1. Query languages
2. Theory of computation
  1. Logic
    1. Constraint and logic programming

Index terms have been assigned to the content through auto-classification.

Recommendations

Enhancing Disjunctive Datalog by Constraints

This paper presents an extension of Disjunctive Datalog (${\rm{DATALOG}}^{\vee,}{^\neg}$) by integrity constraints. These are of two types: strong, that is, classical integrity constraints and weak, that is, constraints that are satisfied if possible. ...
Datalog LITE: a deductive query language with linear time model checking

We present Datalog LITE, a new deductive query language with a linear-time model-checking algorithm, that is, linear time data complexity and program complexity. Datalog LITE is a variant of Datalog that uses stratified negation, restricted variable ...
Disjunctive datalog

We consider disjunctive Datalog, a powerful database query language based on disjunctive logic programming. Briefly, disjunctive Datalog is a variant of Datalog where disjunctions may appear in the rule heads; advanced versions also allow for negation ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

PADL '03: Proceedings of the 5th International Symposium on Practical Aspects of Declarative Languages

January 2003

407 pages

ISBN:3540003894

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 13 January 2003

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

70
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 10 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Andersen MKumar SAbdelBaky MFierro GKolb JKim HCuller DPopa RHeninger NTraynor P(2019)WAVEProceedings of the 28th USENIX Conference on Security Symposium10.5555/3361338.3361434(1375-1392)Online publication date: 14-Aug-2019
https://dl.acm.org/doi/10.5555/3361338.3361434
Liu Y(2018)Logic programming applicationsDeclarative Logic Programming10.1145/3191315.3191326(519-548)Online publication date: 1-Sep-2018
https://dl.acm.org/doi/10.1145/3191315.3191326
Guarda PRanise SSiswantoro HBertino ESandhu RWeippl E(2017)Security Analysis and Legal Compliance Checking for the Design of Privacy-friendly Information SystemsProceedings of the 22nd ACM on Symposium on Access Control Models and Technologies10.1145/3078861.3078879(247-254)Online publication date: 7-Jun-2017
https://dl.acm.org/doi/10.1145/3078861.3078879
Madsen MYee MLhoták O(2016)From Datalog to flix: a declarative language for fixed points on latticesACM SIGPLAN Notices10.1145/2980983.290809651:6(194-208)Online publication date: 2-Jun-2016
https://dl.acm.org/doi/10.1145/2980983.2908096
dos Santos DPonta SRanise SWang XBauer LKerschbaum F(2016)Modular Synthesis of Enforcement Mechanisms for the Workflow Satisfiability ProblemProceedings of the 21st ACM on Symposium on Access Control Models and Technologies10.1145/2914642.2914649(89-99)Online publication date: 6-Jun-2016
https://dl.acm.org/doi/10.1145/2914642.2914649
Madsen MYee MLhoták OKrintz CBerger E(2016)From Datalog to flix: a declarative language for fixed points on latticesProceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation10.1145/2908080.2908096(194-208)Online publication date: 2-Jun-2016
https://dl.acm.org/doi/10.1145/2908080.2908096
Armando ARanise STraverso RWrona KBertino ESandhu RKrishnan R(2016)SMT-based Enforcement and Analysis of NATO Content-based Protection and Release PoliciesProceedings of the 2016 ACM International Workshop on Attribute Based Access Control10.1145/2875491.2875493(35-46)Online publication date: 11-Mar-2016
https://dl.acm.org/doi/10.1145/2875491.2875493
Vahldiek-Oberwagner AElnikety EMehta AGarg DDruschel PRodrigues RGehrke JPost ARéveillère LHarris THerlihy M(2015)GuardatProceedings of the Tenth European Conference on Computer Systems10.1145/2741948.2741958(1-16)Online publication date: 17-Apr-2015
https://dl.acm.org/doi/10.1145/2741948.2741958
Bertolissi Cdos Santos DRanise SBao FMiller SZhou JAhn G(2015)Automated Synthesis of Run-time Monitors to Enforce Authorization Policies in Business ProcessesProceedings of the 10th ACM Symposium on Information, Computer and Communications Security10.1145/2714576.2714633(297-308)Online publication date: 14-Apr-2015
https://dl.acm.org/doi/10.1145/2714576.2714633
Masellis RGhidini CRanise S(2015)A Declarative Framework for Specifying and Enforcing Purpose-Aware PoliciesProceedings of the 11th International Workshop on Security and Trust Management - Volume 933110.1007/978-3-319-24858-5_4(55-71)Online publication date: 21-Sep-2015
https://dl.acm.org/doi/10.1007/978-3-319-24858-5_4
Show More Cited By

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents