Proactive enforcement of provisions and obligations
Research output: Contribution to journal › Journal article › Research › peer-review
Proactive enforcement of provisions and obligations. / Basin, David; Debois, Søren; Hildebrandt, Thomas.
In: Journal of Computer Security, Vol. 32, No. 3, 2024, p. 247-289.
RIS
TY - JOUR
T1 - Proactive enforcement of provisions and obligations
AU - Basin, David
AU - Debois, Søren
AU - Hildebrandt, Thomas
N1 - Publisher Copyright: © 2024 - IOS Press. All rights reserved.
PY - 2024
Y1 - 2024
N2 - We present an approach to the proactive enforcement of provisions and obligations, suitable for building policy enforcement mechanisms that both prevent and cause system actions. Our approach encompasses abstract requirements for proactive policy enforcement, a system model describing how enforcement mechanisms interact with and control target systems, and concrete policy languages and associated enforcement mechanisms. As examples of policy languages, we consider finite automata and timed dynamic condition response (DCR) graphs. We use finite automata to illustrate the basic principles and DCR graphs to show how these principles can be adapted to a practical, real-time policy language. In both cases, we show how to algorithmically determine whether a given policy is enforceable and, when this is the case, construct an associated enforcement mechanism. Our approach improves upon existing formalisms in two ways: (1) we exploit the target system's existing functionality to avert policy violations proactively, rather than compensate for them reactively; and (2) rather than requiring the manual specification of remedial actions in the policy, we deduce required actions directly from the policy.
KW - Access control
KW - business process modeling
KW - obligations
KW - run-time enforcement
U2 - 10.3233/JCS-210078
DO - 10.3233/JCS-210078
M3 - Journal article
AN - SCOPUS:85196660902
VL - 32
SP - 247
EP - 289
JO - Journal of Computer Security
JF - Journal of Computer Security
SN - 0926-227X
IS - 3
ER -
ID: 396987433