Proactive enforcement of provisions and obligations

Research output: Contribution to journal › Journal article › Research › peer-review

Standard

Proactive enforcement of provisions and obligations. / Basin, David; Debois, Søren; Hildebrandt, Thomas.

In: Journal of Computer Security, Vol. 32, No. 3, 2024, p. 247-289.

Harvard

Basin, D, Debois, S & Hildebrandt, T 2024, 'Proactive enforcement of provisions and obligations', Journal of Computer Security, vol. 32, no. 3, pp. 247-289. https://doi.org/10.3233/JCS-210078

APA

Basin, D., Debois, S., & Hildebrandt, T. (2024). Proactive enforcement of provisions and obligations. Journal of Computer Security, 32(3), 247-289. https://doi.org/10.3233/JCS-210078

Vancouver

Basin D, Debois S, Hildebrandt T. Proactive enforcement of provisions and obligations. Journal of Computer Security. 2024;32(3):247-289. https://doi.org/10.3233/JCS-210078

Author

Basin, David ; Debois, Søren ; Hildebrandt, Thomas. / Proactive enforcement of provisions and obligations. In: Journal of Computer Security. 2024 ; Vol. 32, No. 3. pp. 247-289.

Bibtex

@article{c6918be5bde24b5088761f3e2afb5ccb,
title = "Proactive enforcement of provisions and obligations",
abstract = "We present an approach to the proactive enforcement of provisions and obligations, suitable for building policy enforcement mechanisms that both prevent and cause system actions. Our approach encompasses abstract requirements for proactive policy enforcement, a system model describing how enforcement mechanisms interact with and control target systems, and concrete policy languages and associated enforcement mechanisms. As examples of policy languages, we consider finite automata and timed dynamic condition response (DCR) graphs. We use finite automata to illustrate the basic principles and DCR graphs to show how these principles can be adapted to a practical, real-time policy language. In both cases, we show how to algorithmically determine whether a given policy is enforceable and, when this is the case, construct an associated enforcement mechanism. Our approach improves upon existing formalisms in two ways: (1) we exploit the target system's existing functionality to avert policy violations proactively, rather than compensate for them reactively; and (2) rather than requiring the manual specification of remedial actions in the policy, we deduce required actions directly from the policy.",
keywords = "Access control, business process modeling, obligations, run-time enforcement",
author = "David Basin and S{\o}ren Debois and Thomas Hildebrandt",
note = "Publisher Copyright: {\textcopyright} 2024 - IOS Press. All rights reserved.",
year = "2024",
doi = "10.3233/JCS-210078",
language = "English",
volume = "32",
pages = "247--289",
journal = "Journal of Computer Security",
issn = "0926-227X",
publisher = "IOS Press BV",
number = "3",

}

RIS

TY - JOUR

T1 - Proactive enforcement of provisions and obligations

AU - Basin, David

AU - Debois, Søren

AU - Hildebrandt, Thomas

N1 - Publisher Copyright: © 2024 - IOS Press. All rights reserved.

PY - 2024

Y1 - 2024

N2 - We present an approach to the proactive enforcement of provisions and obligations, suitable for building policy enforcement mechanisms that both prevent and cause system actions. Our approach encompasses abstract requirements for proactive policy enforcement, a system model describing how enforcement mechanisms interact with and control target systems, and concrete policy languages and associated enforcement mechanisms. As examples of policy languages, we consider finite automata and timed dynamic condition response (DCR) graphs. We use finite automata to illustrate the basic principles and DCR graphs to show how these principles can be adapted to a practical, real-time policy language. In both cases, we show how to algorithmically determine whether a given policy is enforceable and, when this is the case, construct an associated enforcement mechanism. Our approach improves upon existing formalisms in two ways: (1) we exploit the target system's existing functionality to avert policy violations proactively, rather than compensate for them reactively; and (2) rather than requiring the manual specification of remedial actions in the policy, we deduce required actions directly from the policy.

AB - We present an approach to the proactive enforcement of provisions and obligations, suitable for building policy enforcement mechanisms that both prevent and cause system actions. Our approach encompasses abstract requirements for proactive policy enforcement, a system model describing how enforcement mechanisms interact with and control target systems, and concrete policy languages and associated enforcement mechanisms. As examples of policy languages, we consider finite automata and timed dynamic condition response (DCR) graphs. We use finite automata to illustrate the basic principles and DCR graphs to show how these principles can be adapted to a practical, real-time policy language. In both cases, we show how to algorithmically determine whether a given policy is enforceable and, when this is the case, construct an associated enforcement mechanism. Our approach improves upon existing formalisms in two ways: (1) we exploit the target system's existing functionality to avert policy violations proactively, rather than compensate for them reactively; and (2) rather than requiring the manual specification of remedial actions in the policy, we deduce required actions directly from the policy.

KW - Access control

KW - business process modeling

KW - obligations

KW - run-time enforcement

U2 - 10.3233/JCS-210078

DO - 10.3233/JCS-210078

M3 - Journal article

AN - SCOPUS:85196660902

VL - 32

SP - 247

EP - 289

JO - Journal of Computer Security

JF - Journal of Computer Security

SN - 0926-227X

IS - 3

ER -

ID: 396987433