A semantic-aware role-based access control model for pervasive computing environments




Access control in open and dynamic Pervasive Computing Environments (PCEs) is a very complex mechanism and encompasses various new requirements. In such environments, context information should be used in the access control decision process; however, it is not practical to gather all context information completely and accurately all the time. Thus, a suitable access control model for PCEs should not only be context-aware, but must also be able to deal with imperfect context information. In addition, due to the diversity and heterogeneity of resources and users and their security requirements in PCEs, supporting exception and default policies is a necessary requirement. In this paper, we propose a Semantic-Aware Role-Based Access Control (SARBAC) model that satisfies the aforementioned requirements using MKNF+. The main contribution of our work is defining an ontology for context information, along with using MKNF+ rules to define context-aware role activation and permission assignment policies. Dividing role activation and permission assignment policies into three layers and using abstract and concrete predicates not only makes security policy specification more flexible and manageable, but also makes the definition of exception and default policies possible. The expressive power of the proposed model is demonstrated through a case study in this paper.

