Title: Rumpole : a reactive and introspective break-glass access control model
Author: Marinovic, Srdan
ISNI: 0000 0004 2723 8318
Awarding Body: Imperial College London
Current Institution: Imperial College London
Date of Award: 2012
Access control models assume that specified security policies are correct - all permissible requests and their contexts have been anticipated and are correctly recognised. However, in domains such as healthcare, anticipating all permissible requests is not a priori feasible. Break-glass (access control) models are an enforcement technique that grants overrides of access control denials to users if they agree to fulfil some obligations. The key idea is to let subjects take responsibility for their actions and for the fulfilment of obligations in a controlled manner. The override decision is often made in situations where context information may be missing, conflicting or unreliable. Current break-glass models do not address these knowledge gaps and hence are not able to utilise them when making override decisions, for example by issuing stricter obligations or involving additional agents in the override. Making override decisions, especially ones based on knowledge gaps, requires security management to react to obligation violations in order to prevent potential damage to the system. Current break-glass models are unable to specify and enforce this reactive behaviour. This thesis presents Rumpole, a novel break-glass model that introspectively determines gaps and inconsistencies in a system's policy knowledge base, enabling policies to utilise this information in determining the strictness of obligations. In order to define how evidence is composed and evaluated to infer whether there are gaps and inconsistencies, we present Beagle, a novel logic programming language based on many-valued logics, which formally specifies Rumpole's break-glass policies. Rumpole extends the Teleo-Reactive (TR) paradigm to define obligations that can react to their violations and context changes. We define Teleo-Reactive execution using event-driven semantics, which are more suitable for obligation monitoring than the original TR circuit semantics. We also show how an event-driven TR procedure can be translated into a stratified Datalog program. Finally, we demonstrate Rumpole's applicability by investigating and specifying a break-glass policy that fulfils override provisions from the US HIPAA Privacy Rule.
Supervisor: Dulay, Naranker
Sponsor: European Community
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral