## A Modal Deconstruction of Access Control Logics

Citations: 35 - 8 self

### BibTeX

@MISC{Garg_amodal,
    author = {Deepak Garg and Martín Abadi},
    title = {A Modal Deconstruction of Access Control Logics},
    year = {}
}

### Abstract

We present a translation from a logic of access control with a “says” operator to the classical modal logic S4. We prove that the translation is sound and complete. We also show that it extends to logics with boolean combinations of principals and with a “speaks for” relation. While a straightforward definition of this relation requires second-order quantifiers, we use our translation for obtaining alternative, quantifier-free presentations. We also derive decidability and complexity results for the logics of access control.

### Citations

762 | Notions of Computation and Monads
- Moggi
- 1991
Citation Context ...iffer in their axioms. A 2003 survey discusses some of the options [1]. Recently, several works [2, 19, 20, 29] have basically relied upon the rules of lax logic and the computational lambda calculus [11, 17, 33] for the operator says. This approach has several benefits, for example validating the “handoff axiom” [2, 26]; a detailed discussion of its features is beyond the scope of this paper. We follow this ... |

749 | A New Introduction to Modal Logic
- Hughes, Cresswell
- 1996
Citation Context ...he present paper is to fill this gap. Specifically, we study a class of access control logics via sound and complete translations to the classical modal logic S4. – Relying on the theory of S4 (e.g., [24, 25]), we obtain Kripke semantics for the logics. In the quantifier-free case, we also establish the decidability of the logics and their PSPACE complexity. The translations also open the possibility of r... |

465 | Authentication in Distributed Systems: Theory and Practice
- Lampson, Abadi, et al.
- 1992
Citation Context ...sing existing decision procedures for S4. – Translating several logics to S4 enables us to compare their expressiveness. In particular, while a straightforward definition of the “speaks for” relation [26, 28] requires second-order quantifiers, we use our translations for obtaining alternative, quantifier-free presentations. We prove that these quantifier-free presentations yield the same consequences as t... |

375 | A Calculus for Access Control in Distributed Systems
- Abadi, Burrows, et al.
- 1993
Citation Context ...sistencies, and obscurity endanger security. In response to these concerns, specialized logics have been proposed as frameworks for describing, analyzing, and enforcing access control policies (e.g., [2, 3, 6, 10, 19, 20, 29, 30]). A number of research projects have applied these logics for designing or explaining various languages and systems (e.g., [4, 6–10, 13, 14, 16, 18, 26, 29, 35]). On the other hand, there have been o... |

248 | Interprétation Fonctionnelle et Élimination des Coupures de l’Arithmétique d’Ordre Supérieur
- Girard
- 1972
Citation Context ...ls, thus leveraging the work of Sections 3–5.) 6.1 The Logic The second-order logic is the straightforward extension of ICL with universal quantification over propositions, with the rules of System F [12, 21]. This logic is not entirely new. It has previously been defined [2, Section 8] and used [18] under the name CDD (with only minor syntactic differences). Here we call it ICL ∀ for the sake of uniformi... |

217 | Delegation logic: A logic-based approach to distributed authorization
- Li, Grosof, et al.
Citation Context ...sistencies, and obscurity endanger security. In response to these concerns, specialized logics have been proposed as frameworks for describing, analyzing, and enforcing access control policies (e.g., [2, 3, 6, 10, 19, 20, 29, 30]). A number of research projects have applied these logics for designing or explaining various languages and systems (e.g., [4, 6–10, 13, 14, 16, 18, 26, 29, 35]). On the other hand, there have been o... |

215 | Type systems
- Cardelli
- 1997
Citation Context ...ls, thus leveraging the work of Sections 3–5.) 6.1 The Logic The second-order logic is the straightforward extension of ICL with universal quantification over propositions, with the rules of System F [12, 21]. This logic is not entirely new. It has previously been defined [2, Section 8] and used [18] under the name CDD (with only minor syntactic differences). Here we call it ICL ∀ for the sake of uniformi... |

191 | The computational complexity of provability in systems of modal propositional logic
- Ladner
- 1977
Citation Context ...he present paper is to fill this gap. Specifically, we study a class of access control logics via sound and complete translations to the classical modal logic S4. – Relying on the theory of S4 (e.g., [24, 25]), we obtain Kripke semantics for the logics. In the quantifier-free case, we also establish the decidability of the logics and their PSPACE complexity. The translations also open the possibility of r... |

182 | Proof-carrying authentication
- Appel, Felten
- 1999
Citation Context ...sistencies, and obscurity endanger security. In response to these concerns, specialized logics have been proposed as frameworks for describing, analyzing, and enforcing access control policies (e.g., [2, 3, 6, 10, 19, 20, 29, 30]). A number of research projects have applied these logics for designing or explaining various languages and systems (e.g., [4, 6–10, 13, 14, 16, 18, 26, 29, 35]). On the other hand, there have been o... |

182 | Authentication in the Taos Operating System - Wobber, Abadi, et al. - 1993 |

167 | A judgmental reconstruction of modal logic
- Pfenning, Davies
Citation Context ...r definitions, as a special case; however, our translation does not put a □ on C, and it is sound and complete. Other interpretations of lax logic have targeted multimodal logics or intuitionistic S4 [5, 11, 17, 34]. Our translations seem simpler; in particular, they target classical S4. Semantically, those interpretations lead to Kripke models with at least two accessibility relations, while we need only one. F... |

115 | a logic-based security language - Binder - 2002 |

100 | Datalog with constraints: A foundation for trust management languages
- Li, Mitchell
- 2003
Citation Context ...rtain access-control decisions. More recent systems like RT and SecPAL (where the “can act as” relation resembles ⇒) include decision procedures for useful classes of formulas similar to Horn clauses [10, 31, 32]. 2 ICL: A Basic Logic of Access Control We start with a basic access control logic ICL that includes the operator says but not ⇒. Although minimal in its constructs, the logic is reasonably expressiv... |

94 | Logic in access control
- Abadi
- 2003
Citation Context ...⇒ Alice. When a server S acts on Alice’s behalf impersonating her, one may also write S ⇒ Alice. Despite these similarities, logics differ in their axioms. A 2003 survey discusses some of the options [1]. Recently, several works [2, 19, 20, 29] have basically relied upon the rules of lax logic and the computational lambda calculus [11, 17, 33] for the operator says. This approach has several benefits... |

80 | Eine Interpretation des intuitionistischen Aussagenkalküls, Ergebnisse eines mathematischen Kolloquiums 4
- Gödel
- 1933
Citation Context ...fs are available on-line at www.cs.cmu.edu/~dg/papers/modal-decons-full.pdf. Related Work. Our translations are partly based on a translation from intuitionistic logic to S4 that goes back to Gödel [22]. Moreover, ICL can be seen as a rather direct generalization of lax logic. Nevertheless, our translation from ICL (and, as a special case, from lax logic) to S4 appears to be new. Partly following Cu... |

77 | Distributed proving in access-control systems - Bauer, Garriss, et al. - 2005 |

64 | Access control in a core calculus of dependency
- Abadi
- 2006

64 | Device-Enabled Authorization in the Grey System - Bauer, McCune, et al. - 2005 |

64 | Computer security in the real world
- Lampson
- 2004
Citation Context ...sing existing decision procedures for S4. – Translating several logics to S4 enables us to compare their expressiveness. In particular, while a straightforward definition of the “speaks for” relation [26, 28] requires second-order quantifiers, we use our translations for obtaining alternative, quantifier-free presentations. We prove that these quantifier-free presentations yield the same consequences as t... |

61 | Propositional lax logic
- Fairtlough, Mendler
- 1997
Citation Context ...iffer in their axioms. A 2003 survey discusses some of the options [1]. Recently, several works [2, 19, 20, 29] have basically relied upon the rules of lax logic and the computational lambda calculus [11, 17, 33] for the operator says. This approach has several benefits, for example validating the “handoff axiom” [2, 26]; a detailed discussion of its features is beyond the scope of this paper. We follow this ... |

60 | Non-interference in constructive authorization logic. A version of this paper will appear
- Garg, Pfenning
- 2006

58 | Design and semantics of a decentralized authorization language, in: Computer Security Foundations Symposium
- Becker, Fournet, et al.
- 2007

56 | Computational types from a logical perspective
- Benton, Bierman, et al.
- 1998
Citation Context ...iffer in their axioms. A 2003 survey discusses some of the options [1]. Recently, several works [2, 19, 20, 29] have basically relied upon the rules of lax logic and the computational lambda calculus [11, 17, 33] for the operator says. This approach has several benefits, for example validating the “handoff axiom” [2, 26]; a detailed discussion of its features is beyond the scope of this paper. We follow this ... |

54 | Beyond proof-of-compliance: Security analysis in trust management
- Li, Mitchell, et al.
- 2005
Citation Context ...rtain access-control decisions. More recent systems like RT and SecPAL (where the “can act as” relation resembles ⇒) include decision procedures for useful classes of formulas similar to Horn clauses [10, 31, 32]. 2 ICL: A Basic Logic of Access Control We start with a basic access control logic ICL that includes the operator says but not ⇒. Although minimal in its constructs, the logic is reasonably expressiv... |

45 | Access Control for the Web via Proof-Carrying Authorization - Bauer - 2003 |

35 | A type discipline for authorization in distributed systems
- Fournet, Gordon, et al.
- 2007
Citation Context ...htforward extension of ICL with universal quantification over propositions, with the rules of System F [12, 21]. This logic is not entirely new. It has previously been defined [2, Section 8] and used [18] under the name CDD (with only minor syntactic differences). Here we call it ICL ∀ for the sake of uniformity. The addition of second-order quantification provides great expressiveness, as illustrated... |

29 | Audit-based compliance control - Cederquist, Corin, et al. |

26 | Categorical and Kripke semantics for constructive S4 modal logic
- Alechina, Mendler, et al.
- 2001
Citation Context ...r definitions, as a special case; however, our translation does not put a □ on C, and it is sound and complete. Other interpretations of lax logic have targeted multimodal logics or intuitionistic S4 [5, 11, 17, 34]. Our translations seem simpler; in particular, they target classical S4. Semantically, those interpretations lead to Kripke models with at least two accessibility relations, while we need only one. F... |

23 | Alpaca: Extensible Authorization for Distributed Services
- Lesniewski-Laas, Ford, et al.
- 2007

22 | A linear logic of authorization and knowledge
- Garg, Bauer, et al.
- 2006

20 | The elimination theorem when modality is present
- Curry
- 1952
Citation Context ...reover, ICL can be seen as a rather direct generalization of lax logic. Nevertheless, our translation from ICL (and, as a special case, from lax logic) to S4 appears to be new. Partly following Curry [15], Fairtlough and Mendler suggested interpreting lax logic in intuitionistic logic by mapping ○ s to C ∨ s or to C ⊃ s, where ○ is a lax modality and C is a fixed proposition [17]. These interpretation... |

16 | A Logical Account of NGSCB - Abadi, Wobber - 2004 |

15 | Do as I SaY! Programmatic access control with explicit identities - Cirillo, Jagadeesan, et al. - 2007 |

5 | A Logical Account of NGSCB - Wobber |

4 | Proof search in lax logic
- Howe
Citation Context ...relations, while we need only one. Fairtlough and Mendler also deduced the decidability of lax logic from a subformula property [17]. Further, Howe developed a PSPACE decision procedure for lax logic [23]. It seems possible to extend Howe’s approach to obtain an alternative proof of decidability for ICL. We do not know whether it would also apply to richer logics such as ICL ⇒ and ICL B, for which we... |

2 | A linear logic of authorization and knowledge - Reiter - 2006 |

1 | Device-enabled authorization in the Grey system - Reiter - 2005 |