RT: A Family of Role-based Trust-management Languages

• Design of RT Languages

  • Design of A Role-based Trust-management Framework.   Ninghui Li, John C. Mitchell, and William H. Winsborough.   In Proceedings of 2002 IEEE Symposium on Security and Privacy, Berkeley, California, May 2002. IEEE Computer Society Press, Los Alamitos, California, pp. 114-130. 
    RT: A Role-based Trust-management Framework.
    Ninghui Li and John C. Mitchell.
    In Proceedings of The Third DARPA Information Survivability Conference and Exposition (DISCEX III), Washington, D.C., April 2003. IEEE Computer Society Press, Los Alamitos, California, pp. 201--212.
    RTML: A Role-based Trust-management Markup Language
    Ninghui Li, John C. Mitchell, Yu Qiu, William H. Winsborough, Kent E. Seamons, Michael Halcrow, and Jared Jacobson.  Unpublished manuscript.

• Distributed Credential Chain Discovery

  Credentials in trust management may be issued and stored in a distributed manner. In an Internet-scale system, there are potentially millions of credentials. One needs a mechanism that can answer queries by retrieving only the relevant credentials and a way to guarantee that relevant credentials can be found when needed. We developed goal-directed algorithms to do distributed credential chain discovery for RT0 and introduced a storage-typing scheme, which guarantees well-typed credential chains can be discovered, and helps make the discovery process more efficient. 
  • Distributed Credential Chain Discovery in Trust Management.
    Ninghui Li, William H. Winsborough, and John C. Mitchell.
    Journal of Computer Security, volume 11, number 1, pp. 35-86, February 2003.
    Conference version in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS-8), November 2001.

• Constraint Datalog as a Foundation for Trust-Management Languages

  Trust-management (TM) languages need a declarative and formal foundation. Although Datalog was used in several TM languages and has been the best logical foundation for TM languages to date, Datalog does not meet the practical need for policies about common structured resources, such as file hierarchies. By using ideas from the field of constraint databases, we showed that Datalog extended with constraints is a promising and expressive alternative that eliminates some deficiencies of Datalog without sacrificing any of the attractive features that make Datalog appealing for trust management. This is joint work with John Mitchell.

  • Datalog with Constraints: A foundation for trust-management languages.   Ninghui Li and John C. Mitchell. In Proceedings of the Fifth International Symposium on Practical Aspects of Declarative Languages (PADL'03), New Orleans, Louisiana, January 2003.

• Security Analysis in Trust Management

  Trust management has delegation as its key power. Because one organization may delegate partial control to another organization, it is natural to ask what permissions may be granted as the result of policy changes by other organizations.  We studied security properties such as safety and availability in the RT  framework using a trust-management model. We showed that many properties can be determined efficiently using logic programs, and proved that the most complicated cases are decidable but intractable. These results are somewhat surprising. In Harrison, Ruzzo, and Ullman 1976, it was shown that a basic form of safety analysis in the context of the well-known access matrix model is undecidable. Our trust-management model is more powerful in certain ways than the HRU access matrix model, and the security properties we considered are more than simple safety. In our paper, we explained the differences between the HRU model and our TM model.

  • Beyond Proof-of-compliance: Security Analysis in Trust Management
    Ninghui Li, John C. Mitchell, and William H. Winsborough
    Journal of the ACM. 52(3):474--514, May 2005. 
    Conference version in Proceedings of 2003 IEEE Symposium on Security and Privacy, May 2003.