
An answer set programming based formal language for complex XML authorisations with temporal constraints

  • Sean R. Policarpio

Western Sydney University thesis: Doctoral thesis

Abstract

The Extensible Markup Language (XML) has widely become the de facto method for the encoding of stored and shared computer data. Many of today's Internet applications utilise XML for the exchange of information. In many cases, information that is stored in XML can be regarded as sensitive or private (i.e. personal, financial, or generally classified information). For this reason there is an obvious necessity to ensure that information that is deemed sensitive or private is protected with a method of security or access control. In this thesis we investigate and present such a method with the introduction of a formal language that can provide an authoritative framework for XML documents. In conjunction with the highly regarded and recognised Role-based Access Control (RBAC) model, we designed a formal language of authorisation for XML documents. With the inherent features of the RBAC model (such as subject and role based structuring, authorisation delegation and propagation, conflict resolution, separation of duty), we developed Axml(T), a formal language capable of specifying a queryable security policy base. Beyond this, we also furthered its expressive nature and capabilities by incorporating Temporal Logic. This gives Axml(T) the ability to specify and reason upon access control temporally and is something that is rarely implemented in terms of authorisation languages. For the foundation and semantics of Axml(T), we turned to a relatively new and commonly used form of declarative programming used in Knowledge Representation and Logic Programming. Answer Set Programming (ASP) provides Axml(T) with a semantic definition and translation so that we can treat our security policy base as a logic program. This logic program translation is reasoned upon to provide an answer set (stable model) which dictates the authorisations to XML documents.
As well as the description and presentation of this formal language, we also produced a software implementation to demonstrate its use and features. Using case studies, we show a level of complexity that can be accomplished by using Axml(T) to specify access control to XML documents. Finally, we also present further extensions and theories to the formal language that increase its capabilities and expressiveness and also further differentiate it from other research in XML security. These extensions, such as query containment and aggregates, increase the complexity with which Axml(T) can specify authorisation to XML documents. We formally define these extensions in Axml(T) and demonstrate them through further examples.
Date of Award: 2011
Original language: English

Keywords

  • XML (Document markup language)
  • data protection
  • computer security
  • computer networks
  • access control
  • authorisations
  • logic programming
  • privacy
