he says that his files should be deleted. These ingredients are fairly well understood in centralized systems. This is an extended version of a paper presented.
A Calculus
for Access Control
MART(N
MICHAEL
Digital
ABADI, Equipment
BURROWS,
in Distributed
and BUTLER
Systems
LAMPSON
Corporation
and GORDON
PLOTKIN
University
of Edinburgh
lt’e study from
some of the concepts,
a logical
perspective.
principal
IS making
a logical
language
protocols,
a request, for
and algorithms
W’e account either
access
for
how
on his own
control
l]sts
and
for access control
a principal
may
or on someone
theories
for
in distributed
come
to believe
else’s
deciding
behalf.
We
whether
systems,
that
another
also
requests
provide
should
be
granted. Categories
and Sub]ect
ed Systems; tzon;
D.4.6
vemficatton;
1
Security,
THE
Security
Logic
and
and
Networks]
Protection—access
Formal
Dlstrlbut-
control;
Languages]
authentzca-
Llathematical
Logic
Theory cryptographic
protocols,
security
computing
modal logic
PROBLEM three
ingredients
(1) A trusted pable
are essential
computing
base:
of preserving
the
Authentication:
it should should
a user
the
command
Authorization, the
agent
a user
or that
may
for
hardware and
is his,
and
not
(hence
systems
systems:
software
should
be ca-
made
a statement;
of data.
to determine
that
that,
who
his files
be deleted
and
for
to prove
of an intruder.
access
a statement
be trusted
and
to reqllest
control:
in
integrity
be possible
be able
access
makes
the
secrecy
example, that (3)
[Computer-Communication
Key Words and Phrases: Cryptography,
At least
(2)
C.2.4
Systems]
[Mathematical
F 41
General Terms: Additional
Descriptors:
[Operating
control
is trusted
obeyed)
consists
on this
when
in
deciding
statement;
he says
that
his
whether
for files
example, should
be
deleted. These
This
ingredients
is an extended
the work Center. Digital
are fairly
version
of G. Plotkin Authors’ Equipment
Department
of Computer
Scotland, Permission
UK to copy without
publication for
of a paper
presented while
Science,
Machinery.
at the Crypto
at Digital
CImversity
fee all or part
for direct
in centralized
systems.
’91 conference,
Equipment
August
Corporation
commercial copy
of this
material
advantage,
and notice
To
of Edinburgh,
is given
otherwise,
King’s is granted
the ACM that
or
to
Budding, provided
copyright
copying republish,
that
is by permission
0164-0925/93/0400-0706
A(!M Tmmsaet,cms on Pm~ammIng
of
Center, Plotkin, EH9
the copies and the title
3JZ,
are not of the
of the Association
a fee
and/or
permission. @ 1993 ACM
Part
Research
Research USA, G.
Edinburgh
notice
requires
1991.
Systems
Abadi, M Bl]rrows, and B. Lampson, Systems 130 Lytton Avenue, Palo Alto, CA. 94301,
and its date appear,
Computing
understood
was completed
address: Lf Corporation,
made or distributed
well
$01.50
Languagea and Systems, Vol 15, No 4, Septembei- 1993, Pages 706-734
specific
A Calculus for Access Control Distributed
systems
one would
want
and global
security.
loading,
computing
under
be
lows,
we assume
(e.g.,
[9, 22])
there
are
free
access
control,
The
granted.
Since
form
of encryption
shared-key
available
that
a host
be trusted
nodes
than
when
to be authenticated These
issues
control.
The
their
rise
to
“who
principal
(a user or a host). of answers; and
such
not
to.
Cryptographic
the
key
K
neither It
change
too
often.
implies
the
need
group.
This
— Principals
A
access
control
answer
these
rights
nodes
at need
decisions. and
are,
is the
access
always,
name
“who
of a simple
questions
be extended,
can receive
to include:
Groups for
e; group roles,
under
of untrusted
software on behalf
authority Transactions
most a machine
or before
certificate
A as R.
of the may
time, adopt
of the
Languages
and
form
B for
adopt his
The
manager
a
role in may
role
running
only
a piece
machine.
A may
principal
of A, using Vol.
the powers,
manager
before
A.
of a for
necessary.
to an untrusted
on behalf
and Systems,
registrar
a system the
are
it may
use of groups
the
diminish
role
that
because
is a member
A may
to
same
is required.
The
become
enable
a weak
authority
act
and
when
principal
he wants
the
B is trusted
principals
a principal
For example,
B can then
on Programming
be long
es then
A
signature”
of the
example
The
blunders.
A
mechanism.
for
delegating
of principals, to B, and
would
whether
A as R when
against
normal-user
Similarly,
form
name
role
on occasion.
deciding
straightforward,
of the
act
the list
all
that
B make
that
‘~oint
explicitly
write
K.
with
A and
If
is no formal
it is advantageous
so we may
happens
an indirection
for
membership
the
B.
A
often
and
decrypted
by himself—a
because
provide
always
It
There
and
by keys,
A
form
to list
a scheme
as a protection
in the
of the
both
channels. machines,
in a message
B says s as well.
respect,
and
are identified
inconvenient
is not
in act
cryptographic
s is asserted
A
particular
ACM
more and
control
of
a user may
allthentication
environment can
have users
in access
the
users
A nor B is trusted
in some
is remet
and from
channels
is often
trusted
delegate
devices
of principals,
Groups.
— Principals
Typically
and
or on behalf
Moreover,
he may
of
is an authentic
behalf
both
nature and
of principal
channels
s, then
on s, but
R and
the
In a distributed
says s when
statement
group
considered in
the
a release.
own
nodes;
the
across
on authentication
extents.
Therefore,
of authentication
as input
to distinguish
— Conjunctions
—
at certain
identities
notion
make
on their
addition,
instance,
machines
— Channels, reason
the
act
In
For
software
fol-
encryption
frugally.
rely
can
what
a repository
this
secure
In
public-key
from
location
communica-
physically
of software.
to different
terminal.
a change
and
inevitably who
secure
required.
we use them
that
will may
is trusted?”
a variety
[8])
loading
to restrict
public
and
provide
to
is typically
be obtained
one another
questions
and
space
booting,
in a single
is hard
guarantee
he is working
give
basic
is speaking?”
Users
to
reside that
but
may
system
trust
at a remote
name
communication,
not
(e.g.,
and
mechanism
of a distributed and
only
his office
runs
is needed This
need
it
needed,
booting
as it is necessary
nodes
with
as ultimately
a global
in particular,
encryption
where
of secure
of viruses,
Users
system
implies,
for
a mechanism
release,
This
some
are
an issue,
with
707
authorization.
of a distributed
that
becomes system
are difficulties
taken
system
network;
Scale
distributed
lines,
problems
operating
problems.
there
management.
communication
users.
and
base
a single cannot
new
a global
In addition,
authentication,
The
tion
pose
to envision
.
the
identity
15, No. 4, September
1993.
708
M. Abadi et al
.
A. In the most
B & possible
for
cascaded This
and
they
should
should
provide
simple,
are
fairly
else’s
behalf.
another
import
that
possible
to
we avoid
the
are
for
delegations
of principals to
of principals
be
and
programs
goal
need
how for
should can
should and
control.
access
differ
from
for
treatment
some
is
useful
may
and
come
to
or on someone
control The
one
for
algorithms
Our
on his own
be granted.
and
and
be granted.
a principal
either
analyzed.
groups
of authority
is to isolate
for
language
and
joining
protocols,
account
which
for
a request
on access
main
requests
analysis
digital
signatures
protocols for
ad hoc
lists logic
another
(ACLS)
enables
us
in subtle
but
accounts
6, we appears
paper
mentioned we do not access
4 and
control.
[17] and TransactIons
We
5 extend
the
Other
architecture,
and
in particular
[II];
formal
clarifies
describe
treatment
delegation
schemes discussion
some
explanations of the
issues
of that
the
basic
with and
roles
logical and
algorithms
of additional
framework
delegation. for
in Then,
making
constrl~cts.
access A short
end. cover We
many study
particular Most
to future
(DSSA)
address.
overview.
7 is a brief
in passing.
This
environments,
of a security
work
Section at the
it
abstraction;
implementations. distributed
Architecture
this
of
for make
coexist. parts
consider
does not
examine
may
is an
that
logics
level
particular
implementation.
hope
implementations,
a reasonable
may for
Security
under
for
Moreover,
of heterogeneous basis
Systems
at
ideas saved.
about
context
of a design
We
be
policies
as a formal
is currently
decisions.
suggested
could
arguments
in the
Distributed
section
has
and
implementations
3. Sections
Section
This
and
be amenable
be designed
loading,
a request,
a logical
of protocols
conceivable.
next
glossary
We
whether
must
concepts,
Our
is making
formal
alternative
control
theory
theory
and whether
a focus
on logics.
the
architecture
Section
of the
with
provide
is intended
for the Digital
The
deciding
some need
study
security
algorithms
roles,
concepts.
is important
several
Our
also
describe
abstraction where
laws
are equivalent
it should
on resources
as
(A A A’)
principals
the
is
viewed
ask what
B fo~
resulting
there
be
one may
and that
First,
ways.
occasion,
example
ACM
Then
to be
A).
(B jor
should
principals
The
booting
for
of some
deciding
a variety
ant
On
adopting
principal
We for
explain
for
as it is based
theories
and
secure
systems,
tractable
that
as C jor
if two
essential
delegations
importance.
the
permissions
for
and
is a study
mathematically believe
these
of protocols
required
in distributed formal,
for
principals
others.
requests.
to specify
delegations,
paper
security
paper
such
of expressiveness
is also
and
decisions.
membership, such
This
need
a variety
certifying
tory
the
whether
same
It
users
proving
the
justification.
control
Further,
in
on
from
degree
access
Mechanisms
this
practical
example
be granted
because
to make
to
of some operations
be defined
as for
a reasonable
a mathematical
and
of the
expressions
B. It is also
to a machine
machine
A) A (B for A’) are in some sense equivalent;
(1? for
for
questions
can
satisfy,
to another
we encounter
which
which
operations
then
formal
determine
primitive the
raises
to
then
A delegates
case, a user
to delegate
(iterated);
list
a need
common
a machine
issues only
security implementation
in the
area;
authorization policies
nor
some
of these
mechanisms matters
considerations
issues
are briefly
based
on ACLS;
connected are
left
with to
work.
on Programming
Languages
and Systems,
Vol. 15, No 4, September
manda-
a companion
1993.
A Calculus for Access Control
.
709
OVERVIEW
2.
Composite
principals
often
about
“A
formal
not at ions
talks
introducing Some
classical
disjunction
play
a central
and
B“ for
constructors
come
to mind
the
dual
informal
for
reasoning; of A.”
for
example,
Therefore,
we
one
start
by
principals.
composite
principals
such
as conjunction
and
first:
A and B as cosigners. B make. (It is not implied
— A V B is the
in
on behalf
“B
composite
— A A B: and
role
and
that
A
notation;
from A A B is a request that both A A and B make this request in concert. )
A request
B represents
V
the
group
A and
of which
B are
sole members.
Conjunction cation,
is important
in
member other
particular
of the group
principals;
such
as A +
form
A ~
in our
designs.
in dealing
it need
not
been
As
A +
be given
membership
Disjunction
groups.
G“ can be written
G. The
G have
with
asserted.
G’. The
a definition
of G can We
is often discussed group
beyond
implicit
from
include
with
below,
impli“A
G can be named, that
be deduced
do not
replaced
further
what
a
in formulas
formulas
disjunction
is
as all
among
of the
our
basic
primitives. There
are also
— A as R: the
new
connective,
principal
A
in
in particular: role
B [A: the principal obtained that A has delegated
—
delegation
Of these,
only
are
coded
in terms
for
encoding In order
calculus.
for
and
to define
and then
their
with
logic
informal
this
extends
statement (“t he file
modalities
are not
The
modal
is possible Rd
for The
appropriate and
B
B
says
and
as are
than
important
1, we tend
but
they
to use
I only
that should
Since
algebra,
the
we develop
such
we can
an algebraic
as
A is the standard
and
meet
in a semilat
use a partial
in the
logically
for
A says s.
principal
be deleted”)
is a basis
to explain
e principals,
equations
order
+
t ice,
among
for A = A A B and means that A is at least as powerful “A implies B“ or “A speaks for B .“ the algebra of principals. In this logic, A says s represents
explicit
logic
for
oft hese composit
consequences.
B stands
imperative
to
s is reasonable.
is stronger
one can express
an ordered
as B; we pronounce
A modal
of A, with
as.
calculus,
A b
principals:
for
with
A,” on behalf
that
approach;
necessarily
B IA says s if B says
A has delegated
checking
1. Since
the rights
examine
dealing
some
in our
of A and
B speaks
when
A says s when
after
I is primitive
In this
we are
the
B for
certificates;
A says s, possibly
that
B 1A as “B quoting
obtained
of A, not
on behalf
to B; by definition,
authority
A says s; we pronounce
that
B speaks
when
a proof
— B for A: the principal
R.
or not
( “C’s
Here
s may
public
function
key is K“
as an
); imperative
formalism. various
how
two
algorithms principals
and
protocols.
A and
For
establish
B
example, a public
it key
B for A. logic
implication ACM
also
underlies
connective Transactions
and
a theory
of ACLS.
A controls
on Programming
We
write
~
s as an abbreviation
Languages
and Systems,
Vol.
for for
the
usual
logical
(A says s) o s,
15, No. 4, September
1993.
710
M. Abadi et al.
.
which
expresses
a list then
the
that
A will
s may
ACL
So far
we
have
a separate
ACL.
dependencies writing
and
In
a file
It
might
our
ACLS
for
For
be related,
ACLS
and
trivial
be ACLS
that
to itself.
ACL
for
ACLS
may
not
should
to
be granted
decide
whether
a
issue. with
command,
the
an ACL
modifications
access
this
could
example,
hence
the
on s.
formulas, or
s is
to a server,
context,
Therefore,
entirely
logical
a formula
A on s, and
in
from
trusted
addresses
assertion
these
them.
trust
s as well.
for
a command
B is listed,
always
theory
a separate
also control
server’s
when
is not
and
practice
between
might
B.
an ACL
5 is clear
controls
explicitly;
discussed to
the
of principals
A
s, then
be granted,
corresponds
list
logic,
If s represents
s.
s records
as the
A +
of s; in the
he says s. When
principals
that
should
formula
ACL
when
be presented
A such
any
truth
A controls
A controls
entry
all trusted
request
form
B and B controls
mention to
of the
be obeyed
simply
If A +
in A on the
trust
of assertions
the and
combined, that
view
and
it
model
have
may
be
to reading
modifications
We do not
each
can
there
pertain
controls
that
that
and
to another
these
combinations
dependencies.
Secure
channels,
principals; not
consider
fore, and
the
not
and
how
proposed
here
in
fairly
with
The
the
to
and
either.
protocols; and
There-
the goal
recent logic
of
describ-
in contrast,
applying
does
are
than
has as its
as
logic
messages
abstract
of authentication
in developing
represented The
lifetimes, that
is more
authentication
as an aid
are
functions.
believe
logic
logic
low-level
is intended
cryptography,
timestamps come
respects
[4].
by
of encryption
principals
In these
debugging
discussed
secured
treatment
associated
explain
replays.
authentication
those
no formal
problems
we do not are
ing
including
we have
the
a general
logic
design.
THE BASIC LOGIC
3
This
section
mantics. This
laws
section
ematical we
describes
The
not
3.1
A Calculus of Principals
We
study
a calculus
suffices
Principals usual
for form
semilattice
A is associative,
As
usual,
A ~
Implication
subgroups write
A +
TransactIons
used
peculiar,
is rather
may ACM
commutative,
is often
with
is in
main
the
a minimal the the
and
bodies
As
delegation
operation
of relevant
interesting
syntax.
needed
and
se-
nlath-
axioms of
Sections
discussed
later,
that 3.1
this
connective.
of conjunction,
and
obey
the
and
idempotent.
as an abbreviation
for
A = A A B, or = can be
of +.
is slightly
transitivity
in and
under
B can be taken
in terms
bership
a semilattice
some
axioms,
5.
approaches
3.4 presents
material
roles
syntax,
4 and
axioms:
—
defined
of alternative
of principals
expressing
with
in Sections
Section
essential
3.2.
framework,
appear
discussions
The
adopt.
logical
for
in particular,
and
syntax
basic
as and
includes
concepts;
do
the
for
). For G and
to represent and
convenient
on Programmmg
for
membership. it
reasoning
if A is a member
example, G +
group
in particular
F,
and
Languages
then
about
We
hierarchical
of G and
it follows
and Systems,
This
is transitive.
that
notion have
of memfound
groups
of F, we
G a subgroup
A +
F, which
Vol. 15, No. 4, September
that
(groups expresses
1993,
.
711
with
the
A Calculus for Access Control A is a member
that other
connect
However, group
of F.
ives our
of our
treatment
subtraction
naming that
in
G.
of logical
we do not
include
discussed
in Section
The
has
name
Most
is incomplete.
pleasant
interaction
there
G to obtain
the
these
and would
operations
form
a semigroup
under
is the
multiplicativity
be desirable
to provide
also be desirable
to provide
would
group
mix
would
with
here;
be a standard
of principals
operations
not
additional
It would It would
that
probably
formulas,
these
principals
a fairly
operations.
subgroups—so
to a group
or job level
of groups
for usual
one applies
position
+
and intersection
support
lowest
Moreover,
calculus.
other
operation
with
appear
a certain
only
constructs.
intersection
at
the
Therefore,
and subtraction
are
7. I:
I is associative. The
final
axiom
I distributes
over
Multiplicativity
plicative with
the
some
sort
and
The
syntax
symbols
the
usual
tures
axioms
of
choice
Section
On
and
1. We from
Now
of the paper
semantics
may
wish
t ions
is called
(e.g.,
[3, 21]).
semigroups
This
Equational appealing
sernigroup She has
B’ ACM
all references
that that
do not
studied
~
the
suffice
assumptions
are
it is then
natural
the
Andr6ka
additional
A then
there
exist
detail; not
semilattice of union
we use them
interested
in
in formal
of binary is common
t ice semigroup
relain a
is representable
of multiplicative
about
access rights,
the
that
every
has recently
proved
multiplicative
B’
otherwise).
operations
example
Since
to hope
distributivity
stated
struc-
semilattice
algebras.
for reasoning
distributive
adopt
algebraic
to an algebra
theory
needed.
. . . with
then
relations.
semilat
equational
the
readers
binary-relation
of binary-relation
the
Az,
of principals.
in some
isomorphic
the
and
of a multiplicative
to binary
semigroup
We nlaniPu-
Al,
formulas
a set, with
Those
free multiplicative
with
one,
by the
— if B A ~
discussions.
In fact,
is representable. also
are defined
A=
relations
one.
not
of union
below.
A.,
for
additive
semilattice
operations
further
when
an example
binary
term
the
the
axioms
as multi-
then
obvious
calculus
we discuss
every
theories
the
over
implies
coincides
the
relations
to skip
group-membership clear,
mentioned,
semilattice
sense:
for
known
for structures
atoms
boolean
of binary
representable.
mat hematical
into and
the
from
semigroups,
issues
in semantic
A multiplicative
built
logic
semilattice
As
relations.
a set, with
is much
equations
decidability
is an algebra
composition.
means:
are taken
of a multiplicative
are discussed
principals
propositional
of A, and
over
relations
combine
axioms
example
expressions,
(multiplicative
binary
the rest
about
principal
6 discusses
semigroup
which
of structures
same
instead
relations
of binary
for reasoning
A and
these
A common
of binary
between
are those
(Often, )
algebras
equations
principals
or disjunction,
is an algebra
the
for
semigroups.
of union
composition;
late
given
to multiplicative.
semigroup
arguments,
monotonicity.
axioms
semilattice
is preferred
of its
A.
implies
In short,
of I in both
as for example
binary-relation
model
multiplicative that
this
semilattice
is a
semilattice
is not the case [3]. semigroups,
which
axiom: and
C’
such
that
B
+
B’,
C
+
C’,
and
AC’. Transactions
on Programming
Languages
and Systems,
Vol.
15, No. 4, September
1993.
712
M. Abadl et al.
.
Every
distributive
multiplicative
of distributive a variety
nor
The
algorithmic
finitely
with the
Other
on
but
class
neither
distributivity
axiom
in the remainder possibilities.
semilattice
models.
We tend
semigroups,
Moreover,
are hard
of the paper,
to work
but
Section
to see because
we examine
rely
on binary
6 describes
both
axiomatically, relations
an algorithm
for
model.
algebraic
erators
of the
of multiplicative
binary-relation
The
is a quasi-variety,
izable.
Therefore,
of constructing
is representable.
semigroups
and the model-theoretic
the theory
as a way
axiomat
nature.
axiomatic
semigroup
semilattice
applications
of its existential the
semilattice
multiplicative
mathematical
It is possible,
structures.
principals
and
beyond
A and
1. Here
These
operators
are
origin.
somewhat
we
used
natural,
consider very
to consider
a few
seldom
operators
elsewhere
op-
with
in this
a pa-
per. A
unit
honest
1 turns
principal.
and
the
unit
is idempotent,
Thus,
The
unit
are not
representable,
it
particular, models
free
it
ones
this
is possible
that
infinite
the
add
the
into
the
monoids. fragile.
a distributive
lat-
distributive
meet
logics
(1, in our In our
lattices
we have
lattice
a quan-
operations;
O is absorb~nt
[13,
case)
setting,
26].
is often
I is in fact
In
for
the~e
\.
logics
understood
as a
a special
form
of
one.
remaining ( )*.
intriguingly
one of the
empty
a noncommutative
operator
than
semilattice
case, then
over
linear
connective
to
iteration
axiomatic
are representable. to the
[1, 7, 25].
though
seems
the
smaller
semigroup
distributes
says
relation
semilattice
(intuitionistic)
conjunction
Kleene’s
result
as a perfectly
between
any
multiplicative
fully
for
composition
composition,
Finally,
the
product
In
of parallel
namely
some
viewed
of multiplicative
distributive
are generalized
the
multiplicative
parallel
but
provide
is A.
Quantales
that
be
distinctions
a theorem the
1 can
example,
representability
operations
here
further For
is not turns
has proved
In a quantale,
form
this
remarkable
tale.
a monoid;
introduces
operation
If the lattice
into
viewpoints. but
Andr6ka’s Andr6ka
the
semigroup
binary-relation
A disjunction tice.
the
operator
We have
not
of
yet
Kleene
found
algebras
a need
for
[16],
this.
A Logic of Principals and Their Statements
32 Here
we develop The
Syntax.
formulas
— a countable — if s and
a modal
A and
B are
if
if A is a principal
use the
t rest
usual
equality
stands
for
Axioms.
(A
on the inductively,
so are
--w and
and
abbreviations
for
principals
then
PO, pI, 132, . . . are formulas; s A s’; A +
s is a formula boolean
(=)
of principals.
as follows:
propositions
expressions
expression
calculus
B is a formula; then
A says
connective,
as an abbreviation.
such
.s is a formula. as ~,
In addition,
and
basic
— if s is an instance
axioms
are those
for
of a propositional-logic
+ (s > s’)
then
on Programming
normal
modal
tautology
logics then
[14]:
+ s;
F s’; Languages
and Systems,
Vol. 15, No. 4, September
we
A controls
says s) > s.
The
Transactions
then
principal
between
— if t- s and ACM
of primitive
s’ are formulas
—
based
are defined
supply
—
We
logic
1993.
also s
.
A Calculus for Access Control
says s’);
— 1- A says (s > s’) > (A says s 0.4 — if t- s then The
t A says
calculus
of principals
if s is a valid Other
axioms
says
— E (B IA)
The
+
last
tivity
says B)
Other
s ~ (A
Let
relations
than
says
A says
s) J
to the
k s.
modal
logic:
s;
(B
to
then
says s);
sags s)).
(A
= B)
B
any
>
((A
says
adding
s) ~
(1? says
similar
to +
in giving
a substitu-
s)),
A H
do (say jalse)
~ake).
Thus,
A +
B implies
constructs, for
mention
s.
Although
It may
+
use +,
Second-order
sake of minimalit and
the
is and
also be convenient
principals.
says z) ~ (B says z)).
the
them,
says
we currently
and over
for
A++
(B 1A) (since
B.
the
of principals;
says fake)
> (B
Intuitively, yields
that
We
proof
We do
y. However, rules
needed
in
have
relation
B
a careful
serves
study
converse, this
as a point
of w
formula
that
may
there
statement
is something by B
(in
as B in practice.
and actually
(B 1A) is valid
to say s without R
means strong
as powerful
the
B H
by the
says false)
A H
A is at least
do not
wish
is defined
an arbitrarily
as for example
B may
Nevertheless,
principals
B.
B means
A +
between
that
does not seem attractive,
algebra
formalism.
B as Vx. ((A
A +
B
where
formulas
a semantics
relation
we abbreviate
B +
deserve
be simple.
important
A can
s then
situations
it to the over
additional
(A
that
relations
s, if A says of the
us to define
of these
would
Another
which
Two
every
quantification
is no difficldty
examples
for
in many
contemplated
enables
adopt
if,
it suffices
second-order
quantification there
between prmczpals.
A +
+,
we have
to have
being
but
of reference
be of some
the converse
we would
taken
fact,
Clearly, not
want
as a quotation
in axiomatizing
of the
interest.
Semantics
3.3 The
simplest
semantics
A structure lV
M
is a Kripke
is a tuple
is a set (as usual,
— I is an of
W
J
is an
relation ACM
element
interpretation
(the
set
W
where
function
(theaccessibility
Transactions
based
on accessibility
relations
[14].
where worlds);
of W;
function
of worlds
interpretation over
semantics,
(11’, W., 1, J), a set of possible
— W. is a distinguished
—
of principals
says s) A (B
is equivalent
us write
hence
—
of principals
point.
weaker
A).
calculus
calculus
s E B says
axiom
A.
property.
at this
not
of the the
~ ((A
every
is included:
formula
connect
— 1- (AAB)
— E (A
s, for
713
on Programming
that the
maps
each
proposition
that
maps
y relation Languages
proposition
symbol
to
a subset
principal
symbol
to
a binary
principal
symbol).
symbol
each for
the
and Systems,
is true);
Vol. 15, No. 4, September
1993.
714
M. Abadl et al
.
The
meaning
function
%? extends
J, mapping
R(A, R(A
) =
A B)
~(~1.~)
There
is no difficulty
as infinite This
simple
cipals.
its.
For
associativity The
=
model
7?(B),
meaning
function
where
S(A ‘R(C)(W)
A formula
= {u’
In the
s is valid
For
+
not
Y.
for
A =
B,
the and
axioms this
for
holds
a justification
prinin the
for the
The
The
extension,
and
that
is, to the
set
0 otherwise
and
it holds
say that
this
>
for
our
useful
~
((A+
B)
A more
interesting
underly
the
M
s. The
in M
satisfies
axioms
application,
if it holds
s.
Moreover,
are sound, the
axioms
A
model first
become (the
J and
semantics
A 1?)
of incompleteness
(We
may
step
is that
representable,
do obtain
be desirable
would
a tuple
7? map
be
to
in order modify
and
principal binary
3
where
being
not
J(.4Z)
=
R(A)
A R(B)
7?(A)
O%?(B)
says +
s) B)
ACM TransactIons on Programmmg
=
{w
I %(7?(A))(w)
=
W
if %?(A)
+
Q 2(s)} 7?(B)
and
T
is a
to binary
still
is
=
notion
is a homomorphism
expressions relations
to avoid
the
...
S(A
the while
a completeness
(W, W., 1, J, P, 5),
principals)
corresponding
7Z(BIA)
says jake))
are obviously
are not.
abstract
semigroup
%L(A, ) =
t(A
in the are not
6.)
would
functions
v (C
source
semantics
semigroups
A more
corresponding
s, and
we write
B))
to principals—the
7?(A
~ R(A)
+
of representa}~ility.
W2.
but
to its
formula
(A+
models.
semilattice
via
have
w if u! ~ t(s),
M
in Section
multiplicative to
11’ if R(B)
semilattice
A structure
P
justification
to
{W I ~(.~)(111) ~ 2(S)}
at a world
that
of structure.
relations
such
n2(#)
we write
the
a sublanguage
requirement
from
1$” – t(s)
=
provable.
multiplicative
abstract
I(p*)
s. Although
says
of principals
Llore
on principals
I w%?(C)W’}.
example, (C
the
operations
1.
formula
=
in all models;
complete.
for
B)
case,
if R s then
result
each
= t(s)
in M
latter
if it holds
but
s’)
+
s holds
sense that
some
to other
some
=
SCL7JS S) =
&(.4
algebras
O R(B)
is natural
~ maps
~(SA
is valid
U 7?(II)
it is true: t(p,)
W..
7?(A) 7?(A)
7?( Cl (B ]A ) ) = 7?( ( C IB ) 1.4) provides
t(ls)
at
to a relation:
of I.
of worlds
where
=
O, and
it
expression
)
=
provides
then
example,
J(A,
a semantics
disjunctions,
relational
If 7?(.4)
semant
in giving
conjunctions,
a principal
@ otherwise
Languages and Systems, Vol. 15, No. 4, September
1993
available
.
A Calculus for Access Control Now
it is consistent
to have
two
different
principals
with
the same
associated
715
binary
relation. This but
semantics
not
of structures dynamic
The
operator
algebras
operator
says
[ ] of dynamic and
that
an abstract
balanced,
to dynamic
algebras).
of principals
as it gives
A more
similar
correctness that
is imbalance,
of propositions.
semantics
(see Pratt
[21] for
is directly
logic.
interpretation
abstract
a recent
analogous
It connects
the
of principals
is possible to
two
the
sorts
in terms
discussion usual
of the
of
partial algebras,
of propositions.
On Idempotence
34
Idempotence
postulates
to be little quite
artificial.
that
A says
idempotence
of
I and
same
arguments
The For
most
idempotence
sent
members
principal
does
is no need
in the
ACL
pleasing,
making
access
whether
either
but
seems these
rely
includes
all
A,
and
discuss
of the
of
hence
\ implies
idempotence
\, but
means and
GIG
that
should +
handling
chains
of nodes,
that
GIA.
Thanks
multiple
exactly
not
reduce
of
the
principals.
B and
C repre-
to idempotence, “hops”
G, or to make
(AAB)
+
(BIA),
(A A B)
+
within
security. sure
(A
When is trusted
since
(B
for
the
a collec-
In particular,
that
A II)
and
GI GI A appears
condition
on binary
by both
union
less compelling
reasons
to
of the
that
complex
GIG
than
idempotence;
+
G,
one
must
or write
of
check
is trusted. We have been
force
A related
principals
do without
form
problem
if either
would
are
the
idempotence.
and composition.
for
we prefer
relations
implications
a request,
access
3.3 does not validate
= (AAB)[(AAB)
These
complicate
makes
grant
(AAB)
A).
They
of Section
on assumptions
give
Although
a similar
treatment
it is often
A controls when
can add
members
A controls
to
reasonable
idempotence
symptom
is that
for
simple
to
compensate
less elegant
other
possible
axioms
to assume
formulas
of the forms
(t > A says s), this
particular,
4.
for
terms
seems seems
ones. we
but
more
ACLS.
We
nor
for
necessarily y intuitive.
a sensible
idempotence
and
rights that
(1? 1A) or (A[B)
be preserved
explicit
A,
there
distinction
idempotence
we
in
a collection
This
decisions.
the semantics
all
Here
written
convenient
similarly
not
control
to find
For
=
The
details). are
an ACL
yields
and
and would
often
rather
reduce
idempotence
rat her
unable
is
to postulate
I is monotonic,
Finally,
AIA
this
explicitly.
In addition, and
5 for below
access.
not
that
A is a user
in fact,
equivalent.
G represents
that
1A obtains
of nodes
there
and
when
A;
for.
that
of G,
CIB
Section
axiom
suppose
s are
remarks
to
and
postulate
A says
(see the
apply
instance,
tion
of
example,
AIA
we may
s and
of for
for;
For
in distinguishing
Therefore,
A says
the
are attractive.
advantage
to A.
does
if A controls
A is a group,
Therefore,
not
we choose
(t o A says s) as general
seem
(B *
related
well
to
founded
A) for all B then
to adopt
neither
idempotence.
A controls in
(B
+
general.
In
any member
A controls
(B
A)
of A +
A)
axioms.
ROLES
The
formal
or delegation. start
system We
we have discuss
wit h an informal ACM Transactions
presented roles
argument
in this
so far includes section
on the nature
on Programming
and
no exotic delegation
of roles
and then
connective
for roles
in the
one.
next
describe
their
We logic.
Languages and Systems, Vol. 15, No. 4, September 1993.
M. Abadi et al,
716
.
41
What
There
are many
now
describe
of the the
Roles Are For
principle
An
and
of the their
own,
When
normal a principal
to invoke
capability spaces
systems
untrusted
are used
for
no other
Analogously,
when than
These
situations act
Thus,
A can
decide
adoption the
is not
full
does full
not
powers:
for
the
they second does
time not
In
this
or
the
sense
users
This
them
with
mistakes. be able
code
initially.
passing
run
he should
should
is done
across
In timesharing
way
want
his
powers
to limit
the
rights
use of roles.
in
address
systems
user
accounts
to
a machine
it is that
of the
relied of the
user
such
to
powers.
Our
implementation
it.
again
only
But
this
exercise
on to the
his
credentials
instructed. only
be forced
extraordinary
Role
recover
granted
invoked
hold
use when
own,
has been
can never
for users to have could
A as R as R’.
that
may
adopt
his powers.
on his
that
on roles
it could
users
perhaps
user
A may
to diminish
as R cannot,
software
rights
be best
later
A
less
passed.
A principal
he wants
then
that
has once
a usable
delegate
untrusted full
which
preclude
in building
to
on behalf
it may
they
require
important
the
who
identity,
matter
by
the
original
when
of the
untrusted
unprivileged
.4 as R when
prevents
a user
in.
with
A as R and
in
acting
log
before
be able
identity
a process
user’s
first
the
obtaining
that
As a practical
granted
as possible.
wishes
to become
from
mean
the
most
costly
software,
that
those
to be tested
be handled
with
of .4. This
rights
only
example,
typically
to avoid
of untrusted
beyond
user For
privileges
is important
he should
reversible,
powers
limited
a piece
capabilities
a principal
can
R and
have
purpose.
his own,
a role
We
are all examples should
needed.
in order
capabilities
software
his powers.
They
of a normal
when
suffices,
It
to reduce
a principal
powers only
that
powers
as few
the
system-manager
restricting
by passing
for
to which
with
powers. its
by
common
trustworthy
have
to run
reduced
wish
of roles.
task.
powers
when
to increase
and
its
to
system
wishes
it with
be able
want
identity
may
treatment
according
his extraordinary
operating
UNIXTM
our
to accomplish may
exercise
a principal for
privilege,”
it needs
administrator
time,
in which
as motivation
of “least
privileges
not
situations
a few,
restricted
powers
authenticate general
treatment
decisions,
when
themselves
which
a
of roles
are
however
system.
Roles, Groups, and Resources
4.2
A principal
A may
say R or R!. vice
versa.
There
uses of their two
roles
two
independent site;
In practice, may
be a role
the
role
the
privileges
Without ‘NIUNIX ACM
would
were
this
grant
swapped
policy
Thus, many
GrO1e associated of G.
associated role,
the
consistently
in the
with
trademark
on Programming
in all
writing
of ACLS.
to be related
with
it,
one,
so that
say
G,
of LTNIX System Languages
by
with
groups
adopting
Laboratories,
and Systems,
R’;
F,
that
effects
be used
to groups.
an entry
different
roles,
to .4 as Rf,
be a matter
a member
.4 of several
ACL
the
may
could
not
R and
ACLS, R’
of roles
roles
any
by adopting
between
R and
meaning
A member
A matches
ways
to A as R but
difference
Moreover,
is reflected
we expect
in different permissions
no intrinsic
be swapped.
sites.
is a registered
TransactIons
his powers may
is however
of member this
ACLS
names
the
at each
reduce
Some
of adopting differently
of local
at policy
If G is a group, of a group F,
G’, H,
G can ..
there act
can
the
corresponding
but
A as GTO1e need
Inc.
Vol. 15, No. 4, September
and
is, if the
1993
in
select G.Ol,. not.
A Calculus for Access Control However, the
A as GTOle matches
rule
entry
that
G =
any
ACL
as GVO1,, then
with A
an entry
as GTOl,
G as G.Ole,
also
matches
and any
717
if we accept ACL
with
an
G.
It
is tempting
to
corresponding and
relation
be a useful
to act idea
this
identification
is not
formal;
a formal
of our
act
as G-role
only
only
that
in the
system
no ACL
G as G-role
does
not
all roles roles.
writing
role
not
interact roles
the
group
we do not
somewhat
related
operator
G and
identify
strangely
to groups
for relating
G-role,
make
For
if he is a member
on the judicious in the
between
simplicity,
with
(such
groups
a
roles our
as G.role
and
),
roles
may
and
that
calculus. that
in certain
A can speak
for
would
We do allow
to expect
can
identification
follows,
below.
extension
relies
In what
given
It is reasonable a principal
a formal
G.role.
In fact,
of roles,
this
establish
role
groups.
encoding but
G
.
of G.
The
of ACLS.
with
grants
the
can
be allowed
implementation
A as G-role.
of G.
may
be adopted
to A as G-role,
a member
all principals
a principal
simplest
Roles
identity
access
if A is not
sense for
example,
and
However,
and
It is this
of this
freely,
for
any
it may
example
the
implementation
be
ACL
that
we
choose. Not
all
roles
be a role in the than 4.3
file
The
the
view
In many
requests
that
and that
powers;
roles
Since
should
A makes
this
R’
in both A +
A and
A’
Similarly,
may
directory
(files)
rather
of I yields in role
of these
ACM
define
exploit
properties
are quite Transactions
role, and
and
restricted
(A
from
the
formal
A be
The
role
ojlware).
R says
analysis
The A with
role.
untrusted-s
A says that
s.
This
is
we can
above.
advantages,
thanks
to the
of 1.
if R is a more
trusted
A as R is more
then
emanate
(e.g.,
let
R is one of his positions, apply
offers
example,
A is running.
as R)
+
(A’
role
trusted
as R’).
than
than
Thus,
R’
and
A’ as R’;
it is possible
the
that
A A ~
in a role
R is identical
to the
con-
R: R=(Aas
R) A(Bas
conjunction
Aas(RAR’)
they
to
of roles.
B both
we can
then
not
its class
associativity
A’,
should
A in some
s in this
For that
from
arguments, than
(A AB)as
Both
there
a certain
satisfactory
sense.
or after
of roles and
and
software
A is following
principal
multiplicativity
junction
is quite
of software
if A is a user
that
a hierarchy
this
a request
multiplicativity,
is, if R +
to exploit
it
intuitive
piece
emanate
presentation
trusted
some
of software
says s. Similarly,
I is monotonic
A a more
makes
running
piece
of R as a program
monotonicity,
and
example,
only
to a set of resources
adopted,
untrusted)
while
the
when
Furthermore,
— The
naturally
be freely
encoding
they
after
AIR
can
R a (possibly
rather,
case,
precisely
that
corresponds
For
to access
AIR.
A makes
can be named
—
role
to groups.
it possible
of principals.
cases this
a machine
think
are related
it makes
Encoding
the
In any
naturally
adopting
group
A as R to equal
full
arise
that
system;
to any
Given
that
such
=(
operation Aas
seem reasonable
for
R) A(Aas
for roles
R) roles: R’)
as we conceive
them
informally,
handy. on Programming
Languages
and Systems,
Vol.
15, No. 4, September
1993.
718
M, Abadl et al.
.
— Associativity
yields
particular,
the
machine
B,
a satisfactory
user
with
A in role
the
interaction
compound
in role
BI(A and
then
the
encoding
of for,
special
— We
properties
sometimes
and
rely
commute
for
roles
on the
with
(A
as R)
next
section, A)
user
In
A on a
yields
as R
be expected: that
all
roles
(R’ I R = R]R’).
Aas
delegation.
to the
as R
= (B for
postulates
one another
and
R:
in the
can
roles
B is identical
as 1?) = (B IA) given
El jor Some
between
R on a machine
Ras
R=
are
This
Aas
idempotent
(R/R
=
R)
yields
R
and Aas (We
make
We
it explicit
assume
1 +
R.
the
A
In
the
identity
when (A
these
us R)
for
follow
note
from
R’=Aas
R’as
properties all
binary-relation
relation;
properties 5
+
Ras
are assumed.)
A.
With
model,
1 +
that
the
R
a unit,
this
R means
previous
could
that
just
roles
idempotence
be written
are
and
subsets
of
commutativity
this.
DELEGATION
Delegation is a fairly some
example
am encoding
ill-defined
schemes
for
term.
Here
delegation
we explain
illustrate
the
our
approach
use of the
to delegation;
logic.
Then
we give
of delegation.
5.1 The Forms of Delegation Delegation
is a basic
of a principal When
primitive
.4 to give
B requests
are supposed
for
secure
to another
a service
from
distributed
principal a third
computing.
1? the
principal,
to demonstrate
that
B is making
access control
decisions
need
authority
It
to act
1? might
present
the request
is the
ability
on .4’s behalf, credentials
and that
that
A has delegated
to B. Naturally, of designs
In the simplest will
be granted An
certain
this
containment
not
transferable,
the
These server
in the
cascaded
of the
for
may not
ACM Transactions
let
server.
case where
any
into
expected
on
the
a known
on Programming
checks more
identities malicious
are
only
account.
A range
some
request,
a service
workstation
(e.g.,
as A to B
and read
B.
such [10,
may
be transferred; have
to In
delegate where For
a user’s
as the 18, 23])
certificates
in advance.
designs, A
can
If delegation
B is a reasonable
sophisticated
it directly.
of his rights,
systems
hampered,
of both
B‘s
A requested
certificates
concern.
collaborators that
Upon
Capability
delegation
is a serious
never
to B.
to A, had
A to delegate
a file
suggest
depend
granted
delegations
service
considerations may
from
of capabilities
certificates
provider
decisions
delegations
all of his rights been
is for
files
approach
the
adequate
have
improvement
to read
embody
case, A delegates if it would
obvious
right
to take
is possible.
all
for
access
example, files,
are
prepare
even
Languages and Systems, Vol. 15, No. 4, September 1993.
cases
A. control the
file
if the
A Calculus for Access Control
user
was unlucky
a trusted
node
enough read
that
these
acts
as a protected
files
form
in
DSSA
Different user (The
be shown
and
We believe
that
rely
spaces
Similarly,
credentials
channel
distributed
delegation
Delegation
be combined
to B,
who
powerful
not
from
node
exists
in some
It
component
of
in different
from
at ion,
operating
all these
support.
of delegation.)
cryptography
at all when
or with
a secure
variants
A
delegation
system
view
shared-key
be signed
settings.
while
physical
as mere
control
throughout
which
is often
achieved
through
instances an entire
for
sequence
all
for keys
The
formula
written
A certification The KS
{X}~authority
three
principals,
delegation
is delegation
When
(7 receives
r, but
not
determines logic
access ACM
that
serves
a sufficiently
simplicity,
the
au-
class of requests
and
and
all
algorit
hrn
certificate
that
1 and
principals [22].
KB1
X
appropriate
fields
We
the
included
can
perform
denote
by
matching
encrypted
times-
are
and digi-
K~
and
secret
under
K–
keys.
1, which
is
certificates KS
for the
says
A’A
principals’
=+ A and
public
KS
says
keys
KB
+
as B,
for
the
in describing decision.
In each case we are led to ask whether
appear
on C’S
ACL.
The
simplest
instance
of
certificates: a request
r on A’s
example
in the
the request
TransactIons
us to de-
A delegates
with
For
type
that
of delegation.
behalf,
format
r, he has evidence
A has delegated
whet her
control
available message
the
are
without
name,
When
enables
delegation.
by K~
as B [A,
to make
A’s
for
study,
key.
such
B wishes with
RSA
S provides
instances
composite
particular
and
certificates
is S’s public
to any
assume
the
B,
in our
1.
necessary
We consider
along
with
A and
messages
follows,
be a user
server.
are and
also
h’ says X represents
commonly needed.
We
example for
the
clocks
so far what
C a file
limited
before
In
A may
and
numbers,
messages.
the
public
role
authentica-
of the
However,
outlined
delegation.
instance,
it to B is not
some
authentication.
framework for
For
synchronized
lifetimes,
for
In fact,
as independent.
The
to C.
a special
that
KB
The
the
provide
of access
delegation
B a workstation,
t al signatures,
the
let
belief
cannot
view
those
schemes
requests
adopt
assume
checked
(2)
treating
with
various
makes
delegated
where
and
certificates.
compare
smart-card,
tamps,
either not
here
y.
a simplistic
[4, 5, 15, 19, 20]).
to view
without
and
(1)
with
also
widespread.
to a workst
benefit
in the
is a prominent
become
[2], with
may
clients
flexibility
it
server rights,
executed; its
of delegation
might
on authentication,
convenient
scribe
We
delegating
be signed
(see for example
can
it is often
A does
concept
for
a uniform
just that
and
will
in
possible
relies
protocols
thority
and
file
719
system.
Delegation tion
24],
might
or they
but
a desirable
[15,
the
Recognizing
makes
user,
illustrate
it should
The
has execute-only
guarantees
is discussed can
is available.
the
of a machine
cryptography,
of delegation
user
offers
systems
embody
use of smart-cards
public-key
to
on a smart-card
the address
workstation.
the
and
examples
designs
mechanisms
might
across
not
the
which
subsystem These
a few [12].
over
will
by themselves.
to log onto
files
.
request
to B; then should
on Programmmg
assumptions
that
Languages
B has said the ACL under
of the service are
the
signed
request
says A says r.
C consults
be granted
the reasoning Some
B sends
KB
provider,
needed.
and Systems,
these
First,
that
A requests
for request circumst
r and antes.
C, who C must
makes believe
Vol. 15, No. 4, September
1993.
720
.
M. Abadi
et al
that
Ifs
is S’s public
key: K5+S
and
C obtains
a certificate
encrypted
under
These
two
formulas
We should
assume
of K,s:
B)
yield
that
L’ trusts
S for
such
S controls and
inverse
(KB +
says
KS
the
we immediately
obtain
that
statements:
(KB
C’ has B‘s
+
B)
key:
KB+B In
addition,
C sees a message
A; in other
under
the
inverse
KB Immediately,
C consults
on r, then
in general.
the
After
delegation mutual
certificate
A says r
When
B
this
For
the
delegate
point
time for
delegation
that
wishes
the
The
to
for
(But
A issues
request
C has ACL
certificate
usual
protocol
A has delegated r on
A’s
evidence
for r and let from
that
checking
A on this
the
need
A for
Transactions
ACL,
that
described
A to issue
is, if B 1A is trusted
can hardly
be considered
a delegation
statement,
on Programming
a certificate
behalf,
no
to C,
along
has
requested
whether
B can says
be
to
authority
notation
not
of public-key
certificate
that
further with
B
under
A’s
serves
key.
This
interaction
with
A is
h’B says A says r. r on behalf
the
primitive;
B
to B.
request
should
A
mean
to
see Section
of A;
5.2.)
that
serues
certificates (B
A) from
serves
says r) A (~
Languages
S yields
A)
serves
and Systems,
A)
Vol. 15, No. 4, September
B
Then
be expressed: (B
now
C
be granted.
C gets
((B/A) ACM
B
determines
us use
serves
A’s
A says If C trusts
just
some
certificate
KA the
in this
is granted.
is preferable
present
being,
A.
If B IA appears
authentication,
B can
consults
It
says r
to B:
states
needed:
(3) At
for r.
r—access
certificates.
with
satisfactory proves
an ACL
L’ believes
Delegation
and
of
is,
Now
(2)
r on behalf
C obtains
(BIA)
(1)
requesting
says A says r
B says that
of KB,
words,
1993
is a the
.
A Calculus for Access Control
In our
theories,
this
implies (1? for
Again In
C can consult
particular,
may
be
B solely (1)
without
mutual
secret
At
this
the
for
secret
a DES
of the
efficiency
items obtains
other
hand,
two
and
egation
the laws. 5.2 The
DES
these
this
subsystem.
A. but
6.
consists
in omitting
of authenticating
hopefully
not
It
A
on B
that
The A
since
problem
on for
of how
to use for advantage
Kd
K;
present
A’s
certificate
nor
The
1 remains
a
but
and
does
not
C to make
is a distinction
that
of the
a shared
session
optimization
ital.
security. In
request.
access
the
previous
In this
scheme,
which
includes
certificate,
different for
key
however,
compromise
the
C
simply
on behalf
efficiency,
under
ident
by A’s
is necessary,
can
is a significant
deceptively
only
For
rather
key
delegate
of acting
keys.
now
be granted.
of a delegation
the
power
Kd,
to C
of A;
should
introduction
B is making
want
request
is that
of a session
are
r on behalf
the
is the
compound
control the
decisions
example
in
a theory
of delegation
principal
to assume
speaks
for
that
A on B.
A) ); the definition
B
between
may
could to
fail
choose
case
when
of simplicity—the
to
choice design
discuss
property
where
some
one
is obtained
on B)
suitable
appeared
This
we do not
This
(A
on and for
where
have
that
A +
yields
in a world
interaction
throughout.
Therefore,
key.
A’s
key
requested
up the
KB use
that
the
is sensible
= (A V (B for
from
under
in
which should
clarify.
by
A on B.
B
inverse
Kd.
whether
is provided
It
key
use of delegation
evidence
we may
to
B can
has
encryption,
evidence
This
B
descriptions
use of on is problematic
The
variant
The
behalf,
scheme
The
distinction
unpleasant, the
Section
responsibility
is significant
neither
[8].
cases.
he claims
a request
best
in
a certificate
to give
this
Accordingly,
scheme.
on B)
but
the
delegation
that
this
under key
direct
L~s denote
the
m order
of
in
C
name.
The
B for
principal,
B.
in this
6 discusses
B is a protected
(A
includes
a weaker
example
name.
determines
why
K~l
key
be made
schemes,
when
novelty
would
final
Let
if the list
B 1A,
Another
B’s
r on A’s
evidence
reasons
example
because
allow,
an
leaving
and
under
for r and
obvious
Section
requests
B’s
request
ACL
of the
delegator;
in the
C,
to A and
C’ has
the
most
on the
by
A issues Kd
to request
the
point
one
The
detail
and
a key
at most
with
consults
key,
be granted
mentions
authentication, B
authentication,
B wishes
along
forget
more
delegate
includes
known
(2) When
The
list
to A:
After
Kd.
if the
in
between
certificate
(3)
says T
otherwise.
is illustrated
authentication
A)
for r, and r will
be granted
even
scheme
Delegation the
the ACL
r will
granted
This
721
suggests properties
ACLS
may
from
B for
A would
request
instead
use
on
and
when
be made
requires
fewer
to
del-
the
definition
for
on.
allow
is unfortunate.
in the
can
by this
A to be believed
for
B for
A
In particular, succeed; of on.
use for.
affordable,
and
credential
formats
this It It
is
poses seems
it also
offers
and
fewer
to B
when
on further.
Encoding
delegation
A says that ACM
of all B speaks Transactions
powers for
can
A (that
be defined is, when
on Programming
convincingly: A says
Languages
(B
+
and Systems,
A delegates A)
holds).
Vol
The
concept
15, No. 4, September
of 1993.
722
M. Abadl et al.
.
delegation
that
on behalf
interests
of A depend
be more
reckless
with
of the
ACLS
There
is a circularity
of the
contents
delegates.
us here
delegations
depend
on how here.
of the
Hence,
is subtler.
on the contents
if these
their
The
A(3Ls
When
meaning
that
are
small.
understand of delegation
system the
to B, the powers
in the distributed
powers
writers
in the
we conclude
A delegates
of the ACLS
and
In turn,
the
meaning
results
from
of the
meaning
system; the
contents
of delegation. the
behavior
of B A may
combination
of delegators
of delegation
is a matter
and
of policy
or convention. These
remarks
we now The
sketch
operator
axioms and
principal than
to
if B,
mind,
to which
and
this
the
We have We
not
principal
D
in
tell
D
makes
the
previous It is not
that
have
-yield ([B
A
says
primitive;
that
who
D
we can
s, then says that
take
is a striking
(B
properties
of for;
second
the
following
there
should
server.
between
this
The
it suffices
B.
s when
Thus,
if
a delegate
A D) 1A as a formal
similarity
thought
to B, back
A says
for
argument.
is a distinguished
to delegate D
stronger
to be E~ (A) 1A,
as a delegation
A wants
B
weakest
principal
in its
that
operates
.4 says
necessary
for
users
machines.
(BIA
that
ancl
(BIA
~
D/A),
or not.
(It
DIA).
The
delegate and
s.
D to be implemented,
In
When
A says s then
+
A can
A D) 1A) says
server
associativity.
in
be the
of
encoding
for
of for
and
encoding
formldation.
to real
represents
yield
to obtain
s. Intuitively,
for all s, if B says that
to
delegation
When
E(A)
be defined
as a logical
system
Thus,
Let
be the weakest
Imagine
straightforward
A is antimonotonic
is multiplicative
approach.
says
there
actually
correspond that
if B
assertion.
Notice
way
is available.
Some
A.
A can
is primitive;
disjunction
serves
serves
B for for
delegations.
D IA says
B
Bz)
jor
delegation
distributed
that
this
A.
that
of delegation that
axiomatized.
that (V,
Axioms
yield
an alternative
the
and
Then
IA.
given
notion
and let EB (A)
delegated.
of D is to certify
A to
B for
~, then
having
B IA sa~s s then A’s
particular
A E(A))
inspires
function
in all
a satisfactory
not
experiment
for
(B
found
prefer
and
the
a moment
as primitive
A has delegated
axioms
for
A for
A has
equals
where
assuming
is taken
serves
1? to which
example,
an approach
approach,
serves
come
that
suggest this
to
when this
B.
is perhaps
even
D says that
These
assertions
says
better
controls
s, we obtain
derivation
it
(BIA
do not A says
(lI/A)
a real
it suffices
a
immediately
says
s, and
whether
server,
then
DIA)
together
is irrelevant
if D is not
roles to B,
A says s; formally,
A
two
as typical
to delegate
statement
(BI.4)
formal
just
A wishes
D
for then
then
is a real it cannot
be attacked.) Thus,
we
fictional B
sem,es
“plus
can
take
principal. A
then
delegation
Our for — for
the
of / and (B
Transactions
A D) IA,
This
A delegates
where
represent
expresses also
only
the
allows
D B
is a distinguished serzes
intuition
the
some
of these
fact.
This
.4;
hence,
that
possibility
rights;
for of
if is
weaker
we prefer
the
of delegations.
formal
consequences:
arguments.
in the
(B
D 1A) can
framework
power
in both
is multiplicative
mean .4).
logical
has sensible
is monotonic
to
1? for
where
limiting
encoding
plicativity
A
(B 1A +
+
The
statements,
for
for
(I3 IA
a delegation.”
use of roles
ACM
B
Similarly,
both
arguments,
definition
AB’)
on Programmmg
for
in
follows
from
the
of for:
(~A~’) Languages
=
(B
A13’AD)l(.4AA’)
and Systems,
Vol.
15, No
4, September
1993
multi-
I
.
A Calculus for Access Control
=((I?A~) =
=
— B for
A(~’A~))l(A A D)/A)
((~
A is always
A~)lA)
(11 for
A) A (1? for
hence
somewhat
(which
A (C for
surprising
the means
that
for
theorem
A (1?’ for
delegated
+
((B
A)
+
if A
is the
of for
delegates
to B.
A’)
In fact,
we have
for A)
A ~)
C,
A)
consequence
and
to
(B for
the
of two
desirable,
antimouotonicity
then
it
also
+
D then
of D yield
further
consequences:
possesses
a weak
associativity
for
C for follows
from
the
(B for
(B for
(CIBIA)
+
(C/B124)
+
(CIBIA) for
= (C for The
other
direction
is that
C for
of
delegates
to
basic
delegation
the
stronger
Intuitively, evidence If A +
this that DIA
A)
property
+
implies
means
that
a corresponding DIA the
and
A
idempotence
=
B)
,1 (DIBIA)
A (DIA)
is not CID
IA,
in (C jor
valid.
B)
(C
for
that
(B for
because
A), (DIA)
=
(( BAD)
=
Bfor
A makes by the
AIA
A
=
essential
for
B)
A need
not
for
reason A does
involve
for not.
checking
A exists. I is multiplicative:
A (BIA)
+
statement
The
while
A, or even
then
IA)
A (DIDIA)
A
(BIA)
when
of I:
A (D\A)
for
+
A
AD)
AD)I((B
A (DIA)
for
for
multiplicativity
A (DIBI.4)
implies
(A A (BIA))
for
A (DIBIA)
C’s part
AA
to find
the
= (C
B) IA)
B is a delegate then
and
implication
for
is because
(~
property:
A (CIDIA)
B)
of the (B
A)
+
A (CIDIA)
=
= ((C
this
A)
associativity
C for
If A
A)
A (c
rnonotonicity
properties
If DID
This
A (1?’ ~o~ A)
B A C).
Additional
which
A’)
also
properties: principal
All)lA’)
if A has not
(BIA) This
A D)IA’)
A ((l?’
even
(BIA) and
AA’)
/7 ((l?
A ((~’
defined,
723
IA) A
a statement delegation
A for
A,
himself,
there
is no need
server. that
is,
the
idempotence
of
of for: A for
A
=
(( AA
=
(AIA)
=
AA
D)\A) A (D]A)
(DIA)
=A ACM
Transactions
on Programming
Languages
and Systems,
Vol.
15, No. 4, September
1993
I
724
M. Abadl et al.
.
The
additional
erties these the
properties
are reminiscent properties
for
of D and
associated
D
of those
binary
are reasonable,
for
those
roles.
for
relations
and
In the
roles
we adopt
all amount
are subsets
them.
binary-relation to saying
of the
These
model, the
for
same
prop-
example,
thing,
that
identity.
PROTOCOLS AND ALGORITHMS
6.
In this
section
decisions.
we consider
The
last
some
subsection
mechanisms
for
delegation
presents
an example.
semantics,
substantiality
and
for
access
control
6.1 Delegation While
delegation
has a single
recommended
for
Delegation
from
do
not
seem
problems.
card,
relatively
difficulty
delegation
key that In
the
more
node
long
the node this
node
remains
over
but
the
certificate seems
many
pose user
(~~
node A ~)
has
the
deliberately becomes
inverse
users
nodes to
in Section poses
refresh
delegation
reintroducing
that
delegation
threat
because
5
special
a smart-
certificates
be
has stopped time
using
period
the
and abuse
to introduce
when
the
a delegation node.
user
An
the user’s
an auxiliary
leaves.
The
cer-
attacker delega-
delegation
delegation
cer-
useless.
goes
as follows.
provided
of the
to
require
a security
long
A says The
for
desirable
it is best
~d
discussed
users
may
a relatively
key
are
hours).
the
protocol
to a public
from
happening,
can forget
implementations
for delegation
is inconvenient
it
after
from
valid,
detail,
B and
it
certificates
be valid
To prevent
tificate
is that
for
schemes
Delegation
a delegation
(valid
subvert
The
users.
long-lived
different
nodes.
to nodes. for
Therefore,
may
tion.
for
example.
Long-lived
may
users
Refreshing
for
tificate
and
adequate
One
certificates.
users
First
by the
((Kd
A B)
public
key
the
user
A delegates
to
the
a channel
Gh
for
node:
serves and
A) it
can
set
up
~0~ A: Kd
says A says
( Ch +
A B)
(Kd
for
.4)
and B says A says
(Ch
+
(Kd
(C’h
*
A B)
for
A)
A B)
for
Hence ((Kd follows
logically.
When
A 13) for
this
A)
statement Ch
and
then
monotonicity
says
leads
is believed,
*
(Kd
to the
A B)
desired
channel
B may
this
longer-term
ACM
Transactions
can
make
requests
be obtained channel
by may
on Programming
for well
be a DES
Languages
it yields
for
A
A
A through
multiplexing
A)
result:
Ch+Bfor Hereafter
(Kd
the
channel
a longer-term
Ch. secure
In
practice,
channel
channel.
and Systems,
Vol. 15, No. 4, September
1993
from
the B;
A Calculus for Access Control
The
delegation
from
to be renewed
frequently.
to refresh
certificate
the
Delegation
nient secure,
The
and
The
can
same
to node
for
efficient
work
for cascaded
to a node
C, the
to B,
is believed,
to
with
(C
C can
make
a request
then
the
delegation
says
(C
Access
Control
Unfortunately, for any
by a reduction
On the
hand,
A
two
parts
general
the
discuss
the
account
in
presented
A)
of B for
A:
derive
is an
that
this
says r
calculus
problem
cent rol
The
is not
enumerable.
Undecidability
problem
of making therefore
all
for example.
are not
arbitrary;
access control
to
the
decisions
understand
the
precise
are: represents
appropriate
expression.
systems,
control
recursive
problems.
of principals
particular, this
of principals for Thue
in access
of an instance
what
by the
The
from
is being
requester,
other
the
principal
delegations
various
state about syntax
proposition
implications
are
relevant
that taken
is into
certificates
are
memberships.
expression
in the
is liberal
ACM Transactions
some
enough of the
service
provider
The
precise
nature
principals; They
these
have
the
calculus
of principals
to write
GIG
benefit
on Programming
or asserted;
the
the does
statement not
is
need
to
of s is ignored—it
symbol.
among
group
obtaining
requested
and
statements.
as an uninterpreted
arbitrary
interest,
A))
is important
calculus
In
s represents
— Assumptions
says r
checking.
it logically
sumptions
It
P in the
explicitly
is treated
A)
arise
access
parts
constructing
— A statement
A))
it is recursively
the word that
problem.
The
request.
for
presented
from
complex.
expression
making
A))
(B for
(B for
of the
but
decidable
of its instances.
— An
formulas
formulas
control
access
is computationally form
delegation
is
that:
serves
(B for
of validity,
can be proved
next
user A has delegated If a further
Decisions
definition
other
A.
A yields
the set of valid
useful
conve-
reasonably
yields
(C for 6.2
needs
5 are
is simple,
that
B for
(B for
logically
r on behalf
from
and
it loses the ability
at ion.
Suppose
statement
C says (B for and
implement
serves
C serves Now
lifetime
of Section
operator
the identity
it follows
and
for
schemes
for
delegation
says
A)
the
the
delegations.
precise
(B for statement
nodes
enough
B can operate
A has delegated
This
For
nodes.
short
K~ deliberately,
725
Ch.
corresponding
be made
ideas
has a relatively forgets
channel
(BIA) Since
channel
the node
the
to
one
B and that
is needed
to the When
nodes
from
enough.
Kd
.
of the
+
G for
idempotence
typically
form
P,
and
represent -
G,
every
G,,
as-
where
an atom. appropriate
P,
Note G of
axiom.
Languages and Systems, Vol. 15, No. 4, September 1993.
726
M. Abadl et al.
.
Certain
atomic
be obvious An
ACL
these The
is a list
problem
the
the problem,
of access
interactions
are
both
that
ignored.
convenient
the
model
both
R’
access when what
becomes this
and
is:
given
expressions
G,) P,
+
ACL,
This
may
G,),
server
implies
two
P +
Ej
different
R and
for
other
lead
problem
is
example,
when
controls
s and
R’
R’ are considered
j.
possible
cannot
hand,
the
requester
separately.
one has completeness;
s,
some
of the For
from
simplify
their
users
s and
controls
s; on the
We
and
simplification
if R
derived P controls
D.
one by one,
by
controls
of principals;
imply
cases it is incomplete.
conditions
however,
We do we prove
sl~bsection.
an
+
G,)
The
relations,
next
the
delegation
written
the entries
in the
A, (P,
of the
in some
introducing
whether
roles.
calculus
A, (P,
from
foresee.
(R’ IR)
general
result
a j
entries
then
(R’ IR) is denied
Fixing
denote
the
whether
are considered
could
of binary
in
A, (F’, +
entries
but
not, know
a completeness
whether
sound,
are roles,
under
and
ACL
is a monoid
R and
to
on s.
derived
of roles
of them
and
is deciding s),
ACL
neither
known
are trusted
controls
ask instead
simplification,
to results
. . . are
-EO, . . . . E,, that
control
AL (E,
properties
and
. . . . R,,
principals
and
special
In this
R., names.
of expressions
the
assumptions,
given
their
represent
basic
the
symbols
from
auxiliary
and
Qo,
Ej
atom
+
. . . . Q,,
A,
the
A imply
P +
. . . . and
atoms
access
A.
control
After
question
some
.4, Bo,
renamings,
. . . . B,,
. . . . does
A,(Q + B,) imply This the
P + .4? has a few interesting,
problem
time
Horn
being
clause
problem
and
from
other
of deciding
corresponds
to P,
implications
(Q,
It is the us ignore
+
from
choosing
sketched to the
follows and
cases. ) that
our
for
A serves
fairly
D does all
algorithms
not
problem
general
We believe
Althollgh
the
problem that
worsen
of the would
for
the
this
not
run
the
encoded
hard.
the
can still
More
theory
a the
word
from
the
precisely,
let
of multiplicative
be encoded,
but
Using
access
problem (We
in practice.
decisions
is
[6].
we posed
requires
that
likely
ideas,
automata
reasonable
have
seem
that
these
control
pushdown
of various
in addition
branching”
grammars.
control
enough
The
comes
“existential
of making
involved
D for
is 1, we have
language.
problem
with
complexity.
fast
operator
and
of deriving
symbol.
alternating
access
roles
problem
language
assume
the inclusion
expressions
only
as initial
grammars of the
the
a context-free
A, and
rules
that
If we ignore
context-free
makes
/ and
the
in
the
due to ~ alternates
between
the
I that
both
Context-free
a proof
time.
of a word
atom
acceptance
that
exponential
If instead
for
allow
cases. A, we have
grammar
of A and D,
operator
clauses.
the
branching”
equivalent
roles
B,);
semigroups.
we have
It
the
tractable
the
membership and
and
“universal
comes
only Horn
combination roles
semilattice the
allow
properties
considered to
some
be small,
Further
for of the
we fear
restrictions
are
wanted. A more on some
tractable
further
— The for
operator
one would A and ACM
takes
want
1, with
Transactions
A second
problem.
version
of the access control
problem
is based
simplifications:
a more
an algorithm
an exponential on Programming
prominent
role.
that
not
does
Since treat
it is expected
to be common,
it by expanding
it in terms
blow-up. Languages
and Systems,
Vol
15, No. 4, September
1993
of
.
A Calculus for Access Control
— In
effect,
that
for
all
ignore — The
is treated
ACLS the
occurs
encoding
— Roles
where tions
of the
precisely,
we assume
This
enables
us to
of for
other
principals
and
as, and
D occurs
only
in
form
roles
GIG
~
proper
for
principals)
proper
and occur
principals
is P;
the
is Q.
memberships)
are either
(called
symbols
are
restricted
to
the
in P or in Q. In particular,
G, which
would
give
form
this
us some
atom
forbids
benefits
+
the
atom, assump-
of idempotence
appropriate. necessary
positive
number
met alogical the
list
ACL
F for
of ACL
of A, called
form
P.
in roles
is of the
a construct
entries.
form
purpose;
In turn, where
in
allowed.
for example
F for
an ACL
entry
is a list
connected
each
as . . . Rn,
Q as RI
writing,
are
an
ACL,
We G+
that
introduce
a
is a shorthand
G, . . . .
A for-list
Pm,
for
of a principal
G) for
for-lists.
. . . for
for
include
( )+ for this
G, (F for
is a list
free
to
of iterations
construct
has the Rj
encoding
set of atomic
for
(group atoms
is therefore
An
The
symbols
both
where
More possible.
requester.
in the
from
positions.
— Assumptions
entries
of the
only
operator.
parenthesization
of for.
set of atomic
for
weakest
are differentiated
in special
any
as an associative
the
parenthesization
[ operator
the
— It
have
727
Pi
is a conjunction
is a principal
where
of ACL
by for’s,
that
in roles.
Q is a proper
is, it
A principal
principal
and
each
is a role. This
definition
is summarized A CL
=
list
Requester
=
Entry
Entry
=
conjunction
=
Prmczpal-in-Roles
= =
for-list Principal-in-Roles Membership The
syntactic
can be obtained Conjunctions
is the
be unimportant be pushed With
conditions by two
Proper-Principal
~ Princzpal-in-Ro
les as Role
Proper-Princtpal
+- Proper-Principal
can
only
inwards,
source
into
the
~for-list
be loosened,
as this
transformations
outwards,
common
synt attic
of for-lwt Principal-in-Roles
syntactic
in the
these
of Entry
for
can be pushed
normalization
by a grammar:
since
of exponential examples
delegator
restrictions,
normal
justified
both
behavior,
argument
form
and
of for’s;
this
Role
ACL
laws
entries
of the
logic.
over
A; this
distribute
it can be expected
conjunctions
efficient
+
for
by the
as and for
where
a more
~ Role
are rare. step
access
Roles
to can
is efficient.
control
algorithm
is
possible: — The
request
— Each
ACL
requester entry
there
—
A principal
an ACL
another
if
and
Transactions
entry,
conjunct
requester
Q’
requester
some
in roles
if Q implies ACM
exists implies
of the
if the
is a conjunction
to imply
— A fo7 -list roles
is granted entry
they
implies
the
Q as RI
as .
for
each
implies
one of the
of for-lists, it must of the are
of
and
be that
requester the
same
corresponding
as R.
for
each
that
on Programmmg
Languages
conjunct
another
and Systems,
Vol
For of the
the ACL
it.
and
of the
R] there exists R; such that
entries.
requester.
implies
length, one
implies
ACL
so is the
each
principal
in
entry.
Q’
as @
as . . as R~,
R~ implies
Ri.
15, No. 4, September
1993.
728
M. Abadi et al.
.
An
atomic
symbol
assumptions This The
algorithm
speed
might
well
major
algorithmic
model. they
Note
for
the
that
the
with
one
AND
~, (Bz
+
all
+
prove
that
B:)
Moreover,
the
P controls
p.
The and
treat
obtain
truth
true,
and
that
E,
suffices
to
A ~(Ez
the
not
where
complete
treats
for
all
Let oj
controls
p)
is simple.
~
Et implies
the
that
is clearest We
for
algorithm
introduce
any
as it is standard
in
we take
to
the
roles
all roles
binary-relation
as idempotent,
Eo,...,
E,,..
and
be an ACL,
assumptions.
(P
The
controls
algorithm
p)
that
says p be false some (wo)
for
all
there
are
algorithm
model
where
requires
that
holds,
p)
no
by
attempting
does
so soundly. then
assumptions, does
not
At (E, p be
and
grant
controls
false,
so does
holds
p)
that
hence
a request but
P says p be
all i. model
i. Then
p true
works and
controls
the
binary-relation
for
symbol
This
p.
algorithm
assumptions,
if A, (E,
when
suppose
some
The
i from
is a binary-relation
not,
find
proposition
does
models.
some
proof
7Z(E, ) ( W. ) ~ R(P) the
for
case.
there
p does
model,
is also
a conjunction
proof
E,
of P +
that
that
P controls
It
=+
completeness
we first
to implement.
that
understood,
COMPLETENESS).
bznary-relatton
soundness P
simple
%
over
The
PROOF.
to
of
only if
if and
p
it is also ( )+
is well
algorithm
B;)
1 for
is a chain
another.
(SOUNDNESS
A(B,
is valid
if there
suggests
binary-relation
in particular
the request
P’
languages. algorithm
and
and
construct
treatment
The
a requester,
grants
to users,
identity.
all commute
symbol
implementation
metalogical Its
is sound
of the
THEOREM P
The
atomic
= P!.
to describe
difficulty.
algorithm
P.
of a prototype
of regular
be subsets
another
... +
be practical.
context The
implies
is simple
adequate
the
P
P = PO *
at all
we can
w such
where
define
that
l(WO%?(P)WO
) and
where
that
makes
an interpretation
W07?(P)W,
and
false
at all
other
worlds. The
binary
relation
T = P x 2 Q and worlds;
the
model
let
empty
If AZ ~ Q, then
string its
roles
from
set of st rings
over
strings T.
in a fairly
The
usual
set S is our
way.
Let
set of possible
is W..
interpretation
I(AZ)={(X Hence
is constructed
S be the
(A3,
are interpreted
J(A,
B),
X.(
) is defined
AJ, B))
by subsets
by
● P,Az
1.4J
of the
identity,
•B~
Q}
as required.
If Ai
E ‘P then,
instead: J(A, with
the
exception
of the
)=
{(z,
special
z(A,,
constant J(D)
Thus,
in this
The
model,
for
interpretation
and
B))
Q}
= 0
I are equivalent;
of a principal
IBc
D:
this
expression
is merely
Q relates
a convenience. the
empty
string
strings (Pn, ACM
TransactIons
{R:,...,
on Programmmg
PL})}(P,, Languages
{R],,, and Systems,
Ry]}).., Vol.
Ry’}) 15, No. 4, September
1993.
to
all
A Calculus for Access Control
such
asR~
as...
is one of the for-lists
as R)
in Q, and
by enlarging to itself,
the
Suppose Then
that,
there
sets.
for
must
algorithm)
implies
the
the
This
proves
Without both
{R;,...,
initial
Let
*
Aj
and
us replace
that
A% +
this
replacement
algorithm
Al
each
additional
the
if it grants
and
PI
do
without
Now
it
suffices
a model
construct
to M’
a model
M
P controls
imply
functions,
JM
show
assumptions—as
and
that
where
all of the
p. The models
that
all roles
are still
of P’
in M’
the
meaning
of P
in
of the
A%(E% controls 6.3
M.
Et’s in M p).
This
+
interpreted
meaning
meaning
the
the
the
assumptions. that
is, if
of the
M’
differ
such after The
P’—the
assumptions. if and
conjuncts
P obtains
only in P’
access
with
them.
not
hold
to
assumptions
holds
p) does
Al
outwards). request
additional
without
assumptions
(A2 ) I A,
The to
that
at
the
semantic
P’
controls
A, (E,
controls
imply and only
in their
level. p,
we
p) does
interpretation
JMI:
J,w (A, ) = U{JM Note
P
obtained
moved
presence
equivalence
and
with
of all symbols
In short,
access
M
in (zoo).
expression
are
using
assumptions.
controls
deal
grants
in
to P’
a similar
~, (E,
where
if it
the
the
conjunct
to be transitive,
be the
strength
obtains
the
is
is no
we
A‘s
only
add
with
only
E,.
to
. as R~n)
conjunction P’
request
if P’
Given
the
the
to dispense
P *
so is At +- A~.
not
if and
assumptions
there
(after
can be exploited
that
(according
7?(E1 ) (w. ) ~ R(P) Next
Let
the
related
) holds.
R~’})
assumptions then
P if and
grants
request
the
in P with
to
is never
to prove
as
R~...,
claim.
take
string
implied
asR~
hand,
normalization
request in
strings
1( W07Z(P)W0 manage
satisfies
assumptions.
after
the
algorithm
the
A,
the
the
to
other
model
are assumed,
symbol
conjuncts
Moreover,
Ak
from
empty
is not
{R+,{,
the
we can
is among
grants
is related
the
not
that
for(Pn
completeness
AJ +
R~n]
Suppose this conjunct
in P.
On
Thus,
case the
E,
R;n}(Pl,
of E,.
our
obtained
does
in
string
loss of generality, A,
algorithm
conjuncts
relation.
RasR~n]as
so in particular
conjunct
empty
interpretation this
in any
as . . . as R~’)for...
(Pn,
establishes
that empty,
z, the
some
of the
asR~ that
Note
some
(PnasR~as
R:~}(P,, {R~,,, R~~}).., R~’})
are not
be
by any (Pl
This
role
as the for-lists
forofor
also to all strings
(Pn,{R:,...,
not
729
that (Pl
by
.
shows
to the
Moreover,
meaning
of P’
in M,
all of the assumptions
than
in &l’,
&t
has the
that
the assumptions}
as roles.
is equal
is larger
AJ is among
thus
making
desired
and
hold
weaker
the
it is equal
in M.
The
assumption
❑
properties.
An Example
The
most
and
the
typical, workstation
complete making
ACM Transactions
example
is that
requests
on a server.
on Programming
of a user
logging
into
a workst
at ion,
Languages and Systems, Vol. 15, No. 4, September 1993.
730
M. Abadl et al
.
— The
user
in role
A
authenticates
RB.
The
delegation
outlined KA
The
workstation
two
statements:
may
the
says R~ sets
(For
— The
server
needs
The
((~-~
A (B
as R~))
channel
to
says
(A
is,
from
as R,4)
this
that
K~
+
needs
certification these
use the
+
((B
sags
(Ch +
to
a workstation
certificate serves
scheme
(A
for
user
is as R,4))
Logically,
as RB)
B
for
(A
this
requires
as R~)))
acts
in the
~,4
is the
((B
role
as R~)
R~,
but
foT
any
(A
as
R..
stronger
i)))
role
would
A and
as R~)
says
and
that
Typically
it is possible as there
keys,
it follows
((Kd
A (B
A (B
The
may
from
channel
((B
the
as RD))
as R~))l(A (C’h +
((B
key
B.
authority;
is believed. ((Kd
leads
+
to be involved,
of the
statement
this
user’s
KB
l{B
is the
work-
this
requires
looking
that
a chain
of certi-
be no single
universally
authority.
properties (A
delegation
serves
set-up
(A
as R~))
says (A
that
as RA))
certificates
as R~)for
certificate
yield
as R~)))
to
as RB)fo~
(A
as R,4))
says
(Ch
+
((B
as R~)for
(.4 as R.1)))
then C’h ~
~S (B
— The
R~
and
a server.
(Ch
a certification
authorities
trusted
and
delegation
role
and
to check
that
at certificates
and
some
6.1.
the workstation
key,
fication
and
in
a smart-card,
as well.)
station’s
— With
as RA)
says
on
a secure
key,
says RB
simplicity,
do just
says
up
delegation
KB
delegates
rely
in Section
Ii”d sags (A under
and
user
as R~]
user
for
may
and
adopt
may
do this
(A
((B
indicate
as R~)
is trusted
as R.4)
jor
to the workstation
a further
role
on behalf
R~,
in order
of the
user,
(A
in this that
he wishes
to make
on its
own
as ~,4))
matter. to reduce
a request
r;
his privileges
or the
workstation
initiative:
( Ch as R~A) says r The
requester
(1? as RB) — The may RA
here
for
(A
ACL
at
have,
or the
+
R%,
the
server
R~4 +
the
group
key.
In
each
case
and
then
this
should ACM
R~,
point
may
may
and
B +
must that
in the
group.
the
algorithm
(A
contain
membership it
to discover
membership
as RB ) for
as R.4 ) ) as R~,
which
is equivalent
(G’
certificates name
for
(G
certificates
as R!).
that
prove
The that
server A +
on Programmmg
G,
G’.
be possible the
as RB ) for
present,
to
is that
access
come resolve
signed
of someone
control
can
with
this
public who
easily
someone’s key
into
is trusted
determine
public a name
to certify
that
access
be granted.
Transactions
to
as R~).
workstation
— Actually,
At
is ((B as R~
Languages
and Systems,
Vol
15, No. 4, September
1993
A Calculus for Access Control
.
731
EXTENSIONS
7, Our
main
goal
in this
tractable
concepts.
ters
deserve
that
extended
paper
has
been
We have
only
touched
more
in many
detailed
to
isolate
treatments.
int cresting
ways.
some
on many
To
In
useful
and
practical
addition,
conclude,
mathematically
and
the
t heretical
basic
we briefly
logic
describe
matcould
be
three
ext en-
grollps.
It
sions.
7.1
Intersection
An
intersection
not
a logical
to atomic
operation
symbols
Conjunction (AA
B)
if C
+
+
(so for
C
and
+
sense
example weaker
B) is not.
(An and is not
as users
in the
is strictly
A
Atomicity
n permits
connective
B
conjunction
C
of groups
from
is, as it can
only
is
be applied
n Ak is not a legal expression). E?) + (AA B) is valid but (An property than (AA B) + (An 1?) holds:
(AJ IA, ) than +
intersection:
n II)
(A
defined
are
construction
A weaker
then
a logically
machines
the that
provided
notion;
atomic,
while
C’ is in
intuitively, the
only
conjunction
some
sense
simple
of two
atomic.
principals
such
such
principals
is
only
a particular
not. An
application
member G,
but
it
grants
also
The
grants
access
a member
7.2
of intersection
of a group.
concerns
ACL
access
entry to
restricting
A A G grants
A A B
to A if A is a member
if B
access access
is a member
of G, but
not
to
to A if A is a member of G.
necessarily
In
contrast,
of
n G
A
to A A B even
if B is
of G.
Subtraction
Another
important
to specify
that
be denied
access,
is the
only
has
group
ation
Consider, A +-
G,
facts
A +
cent rol this
G“
G“
This
via
is granted in this
G +
in
not
G =+ G“
and
may
Moreover,
we
G and
G +
– G means
“all
centralized
+
which G“.
ability should
Subtraction
where
it
is easy
set subtraction.
in general
G“
The
it is possible
cannot
expect
members
hence of G“,
access
to the A
Therefore,
and
– G appears
Should
be available
to A. G“,
the
supergroup.
systems,
is simply
because
in
G’
not
to the
provides
a supergroup
to
situ-
to prove
nonmembership.
a situation G“,
It
within
paper.
subtraction systems,
of no benefit
to
the access
in
procedure provide
access
an
proofs control
the
for
for
that
with
A?
The access
then-as
decision
be granted
those
to
making
should
except
ACL,
be granted
cannot
in this
case.
are members
of
G.”
definition
possible,
access
semantics
but
(–).
or subgroups
ACLS
There,
example,
G and
on A +
only
for
a simple
G’,
decision.
In short,
such
in groups,
for
A +
is probably
depend
when
in distributed
membership
is subtraction
individuals
construct
membership.
is different
only
on groups
named
even
negative
Subtraction decide
operation
certain
and
of subtraction it has even
been
is somewhat suggested
operational. that
Nevertheless,
it provides
an intuitive
it is the best semantics
for
subtraction. Even both by
in
distributed
membership fairly
subtraction ACM
and
centralized operation Transactions
systems,
there
are
nonmembership. subsystems can
be made
on Programming
groups
Typically,
of the
for
distributed
available Languages
for
which
these
it
is possible
groups
are those
system. these
The
to
prove
managed
traditional
set
groups.
and Systems,
Vol.
15, No. 4, September
1993.
732
M. Abadi et al.
.
Variables
7.3
So far, more
we have
general
provided
form
should
be granted
jointly,
without
the
two
signers
The ables
to
any all
bear
parts and
of the bind
predicates For
y +
and
y be different,
possible
to
universal
with
The
(ylx)
A and
are some
to handle scope The
use
on
unary it
ylx;
one
and
that
when may
expressiveness,
matches
an ACL
of the
is then
a
access
they
sign
require
that
and more.
Vari-
entry,
variables
possible
we identify
in the
ACL
to evaluate
en-
arbitrary
when
to
that,
we require
be added, by
Z.
all
s is the
is granted
that
ones. )
The
statement
under
x
becomes
entry
y, if z and
requirements
that
it
x and
if the
x =+ F
instance
(Intuitively,
arbitrary
for
for
has
an
y satisfy
all
consideration. hold
when
x is
B. can
be
added
however.
of principal
to
the
In particular,
expressions
construct
is needed
algorithm some
of
Section
metalogical
if variables
6.2.
construct
are to be legal
in the
( )+.
may
It seems
GIF
y can owned
s, where
of variables
of variables
to
relations
access
y with
iteration
expressiveness.
group
Moreover,
each
It
x and
means
controls
complications,
lists
of the
against parts.
y be a machine
from
manipulation
There
match
quantifier:
B 1A matches
replaced
of a given
the desired a requester
y Iz is equivalent
or that
then
Ti-ivially,
When
requirements
generalize
requirements
members
signatures,
to express
to one another.
to these
entry
Other
implicit
of joint
to be able
variables.
the
and
form
like
combinations.
provides
that
basic
would
relation
in ACLS.
variables
most
One
different
a certain
on these
example,
the
allowed
requester
the
G.
two
of variables
can be included
the
only
be useful.
listing
introduction
try,
for
would
not
be
to deserve
the
only
further
or
best
way
to
provide
the
desired
study.
GLOSSARY A says s: A makes A controls
s:
A
appearing A +
B:
A may
B:
B serves A A B:
represent
Band
A:
A and
B for
A:
A as R:
B
principal
A;
on behalf
A in role the
A – B:
A minus
R.
intersection B,
if
A
says
s then
than
B.
(For
or a subgroup
A controls B+
as (B AD)
Transactions
s:
s.
This
is the
meaning
when
B represents
of A
example, of B.)
If A says
s then
a group,
B says s, and
s.
-A. for
A.
B in conjunction;
A n B:
ACM
s.
s.
B is a delegate
B quoting
D,
for
a member
s then
A+
on
ACL
A is a stronger
BIA:
server
statement
is trusted
in the
if B controls A=
the
(B IA)
(AAB)
says
of A.
This
s if and
This
can
can
This
can
if A and
on Programming
B,
B for
A).
if A says
s and
B says
s if and only
if B says A says
be
defined
in
terms
s and B serves
of
B are atomic
a fictional
A then
delegation
(B for
A)
symbols.
symbols.
and Systems,
s.
s.
as AIR.
if A and
B are atomic
Languages
+
says
be encoded
of A and
as (BIA
only
If B says A says
IA.
be defined
Vol. 15, No. 4, September
1993
says
s.
A Calculus for Access Control
.
733
ACKNOWLEDGMENTS
Morrie
Gasser,
of the
ideas
pant ed in
fruitful
convinced Greg
and
here.
Tim
Vaughan
told
edit orial
Charlie
Mann,
Kaufman
Garret
implementations
import
ante
Pratt
us about
of the
helped
were
Swart,
about
he practical
and
Maddux
provided
Goldstein,
discussions
us oft
Nelson
Roger
Andy
discussed
and extension
work.
Luca
Ted
origin
and
Shockley
in Section
algebra
Cardelli
partici-
Bill
described the
of many
Wobber
examples.
in understanding
Andr6ka’s
at the
and
7.3.
of principals.
Cynthia
Hibbard
suggestions.
REFERENCES 1. ABADI,
M.,
(June 2.
ABALH, tion
4.
H.
5,
CCITT.
of composition.
M.,
AND LAMPSOii, of Computer
1991,
Theor.
Comput.
Scz.
1
114,
B.
Authentication
Software,
and
delega-
Springer-Verlag
Lecture
326–345.
of distributive
AIND NEEDHAM,
Blue
A 426
lattice-ordered
KOZEN,
Geneva, D.,
R.M.
(1989),
semigroups
with
binary
rela-
A logic
of authentication.
Proceedings
of
233–271.
Recommendation
Book,
framework. A.,
C., Aspects
526, Sept.
of London
CCITT
CHANDRA,
view
1989.
ABADI,
Society
authentication 6.
Science Aug.
M.,
the Royal
KAUFMAN,
Representations
Manuscript,
BURROWS,
A logical
In Theoretical
in Computer
tions.
M.,
smart-cards.
ANDRfi~A,
G.
3-30.
M ,BURROWS,
with
Notes 3.
AND PLOTIiIN,
1993),
March
X.509
and
1S0
9594-8:
The
directory-
1988.
AND STOCKMEYER)
L.
Alternation.
J. AdM
1 (Jan.
28,
1981),
114–133. 7.
DAM,
M.
Relevance
Sympostum 8. 9.
NATIONAL
BUREAU
Standards
Pub.
DIFFIE,
W.,
IT-22,
logic
on Logzc
1976),
FABRY) R GASSER, M,,
GOLDSTEIN,
tem Security
Architect
(Oct.
305-319.
system.
Data
D.C M.
of the
Proceedings
‘Thw-d
IEEE
178–185.
Encryption
, Jan.
New
In
1988),
Standard.
Fed.
Inform.
Processing
1977.
directions
m cryptography.
Trans.
IEEE
Inf.
Theor.
644–654.
10
Capability-based
1989),
computation.
Sczence (July
OF STANDARDS.
AND HELL MAN,
6 (Nov.
GASSER, M.,
concurrent
46. Washington
11,
12.
and
Computer
zn
addressing. A.,
Comrmm.
KAUFMAN,
ure. In Pr-oceedmgs
AND MCDERMOTT,
In Pr-oceedmgs
of
the
E. 1990
ACM
17, 7 (July
C., AND LAMPSON,
B.
of the 1989 Nataonal
An architecture IEEE
The Co input
for practical
Symposium
403-412. Distributed
and
Sys-
Conference
er Secumty
delegation
Securzty
on
1974), Digital
in a distributed (May
Prwacy
1990),
20–30
13.
GIRARI),
14.
HUGHES, G E , AND CRESSWELL,
J.-Y.
Linear
logic.
‘1’heor.
Comput.
M J
An
Set.
50
(1987),
Introduction
to
1-102.
Modal
Logzc.
Methuen,
New York,
1968. 15.
KOHL, vice
J.,
NEtJMAN,
(version
5,
C.,
draft
/pub/doc/kerberos/V5 16. 17.
KOZEN,
D
TR90-1123,
LAMPSON,
18. 19.
LEVY,
20.
May
ABADI,
NEEDHAM, V.
puter
Science
ACM
Unzuersal
425,
Transactions
M.,
C.,
FTP
TXT},
1990.
Oct.
algebras
ACM
algebras Algebra
Comput.
network from
and
J. I.,
Athena
M.D. 21,
Computer
Press,
the
authentication
athena-dist algebra
ser-
.mit .edu,
of regular
1978), fragment
Science,
Authentication 4 (November
as
events.
in distributed 1992),
265–310.
1983. J.H. Section
Plan,
encryption
(Dec.
as a well-behaved in
10,
AND SALTZER, Technzcal
Using 12
E.
Syst.
Digital
Systems.
SCHILLER,
In Project
Commun.
1990,
Kerberos
AND WOBBER,
Trans.
Computer
, AND SCHROEDER,
Dynamic
and
The
anonymous
for Kleene
BURROWS,
system.
R.iM
Logic
ACM
M.,
NEUMAN,
of computers.
PRATT,
theorem
Capabdity-based
S P.,
J.
by
1990.
and practice.
authorization
works 21.
B.,
H.
MILLER, and
A completeness
theory
STEINER,
Available
DRAFT3-RFC.{PS,
Cornell systems:
AND
3).
Kerberos E,2.1,
authentication MIT,
for authentication
July in large
1987. net-
993–999. of relation
Springer-Verlag
algebras, Lecture
In Algebrazc Notes
in Com-
77–110.
on Programming
Languages
and Systems,
Vol. 15, No. 4, September
1993.
734
22.
RIVEST,
R.L
pllblic-key 23 24.
AND ADLEMAN, Commun.
J., AND SCHROEDER, 9
63,
SOLLINS)
K
1975),
Cascaded
S.
21,
A method 2
(Feb.
The protection
for obtaining 1978),
digital
signatures
and
120–126
of information
in computer
systems.
Proc.
1278–1308. authentication.
( April
Samson
M.
L.
A CM
1988),
Abramsky
of
In Proceedings
the
1988
IEEE
Symposium
on
Se-
156–163. on linear
process
Iogics.
Foundation
linear
logic.
Workshop
Notes,
Ott
1988.
YETTER)
Received
(Sept.
and Przvacy
VICKERS,
1990),
ACM
A.,
IEEE
Nov. 26.
, SHAMIR,
cryptosystems.
SALTZER,
curzty
25.
et al.
M. Abadi
.
D N.
Quantales
and
(noncommutatlve)
J. Symb
Logtc
55, 1 (March
41–64.
August
Transactions
1991,
revised
September
on Programmmg
1992;
Languages
accepted
and Systems,
November
1992
Vol. 15, No. 4, September
1993.
-
