Security language translations with logic resolution
First Claim
Patent Images
1. A computer-implemented method comprising:
- under control of one or more processors configured with executable instructions;
determining whether an asserted fact included in a security language assertion is flat based on whether the asserted fact is nested;
upon determining that the asserted fact is not flat,determining that the security language assertion is a delegation assertion with at least one delegation-directive verb, andtranslating the security language assertion into a plurality of logic language rules, the translating comprising;
adding a first logic language rule including a primary fact corresponding to the asserted fact; and
for each delegation-directive verb of the at least one delegation-directive verb, adding a second logic language rule having an unbounded delegation depth and a fresh variable representing a delegatee, wherein the fresh variable represents a principal to whom rights are being delegated;
for each logic language rule having an asserted fact with an expression that has been created when adding the first logic language rule and/or the second logic language rule, adding a third language rule having an alias capability and a fresh variable representing an object of an alias;
determining whether another asserted fact of another security language assertion is flat;
upon determining that the other asserted fact is not flat, translating the other security language assertion into a fourth logic language rule including another primary fact corresponding to the other asserted fact;
combining the first, second, third and fourth logic language rules into a logic language program; and
evaluating the logic language program in conjunction with an authorization query.
2 Assignments
0 Petitions
Accused Products
Abstract
Security language constructs may be translated into logic language constructs and vise versa. Logic resolution may be effected using, for example, the logic language constructs. In an example implementation, translation of a security language assertion into at least one logic language rule is described. In another example implementation, translation of a proof graph reflecting a logic language into a proof graph reflecting a security language is described. In yet another example implementation, evaluation of a logic language program using a deterministic algorithm is described.
133 Citations
6 Claims
-
1. A computer-implemented method comprising:
-
under control of one or more processors configured with executable instructions; determining whether an asserted fact included in a security language assertion is flat based on whether the asserted fact is nested; upon determining that the asserted fact is not flat, determining that the security language assertion is a delegation assertion with at least one delegation-directive verb, and translating the security language assertion into a plurality of logic language rules, the translating comprising; adding a first logic language rule including a primary fact corresponding to the asserted fact; and for each delegation-directive verb of the at least one delegation-directive verb, adding a second logic language rule having an unbounded delegation depth and a fresh variable representing a delegatee, wherein the fresh variable represents a principal to whom rights are being delegated; for each logic language rule having an asserted fact with an expression that has been created when adding the first logic language rule and/or the second logic language rule, adding a third language rule having an alias capability and a fresh variable representing an object of an alias; determining whether another asserted fact of another security language assertion is flat; upon determining that the other asserted fact is not flat, translating the other security language assertion into a fourth logic language rule including another primary fact corresponding to the other asserted fact; combining the first, second, third and fourth logic language rules into a logic language program; and evaluating the logic language program in conjunction with an authorization query. - View Dependent Claims (2, 3)
-
-
4. A system comprising:
-
one or more processors; one or more computer-readable storage media storing executable instructions that, when executed by the one or more processors, cause the one or more processors to perform acts comprising; determining whether an asserted fact included in a security language assertion is flat based on whether the asserted fact is nested; and upon determining that the asserted fact is not flat, determining that the security language assertion is a delegation assertion with at least one delegation-directive verb, and translating the security language assertion, the translating comprising;
adding a first logic language rule including a primary fact corresponding to the asserted fact, andfor each delegation-directive verb of the at least one delegation-directive verb, adding a second logic language rule having an unbounded delegation depth and a fresh variable representing a delegatee, wherein the fresh variable represents a principal to whom rights are being delegated; for each logic language rule having an asserted fact with an expression that has been created when adding the first logic language rule and/or the second logic language rule, adding a third language rule having an alias capability and a fresh variable representing an object of an alias; determining whether another asserted fact of another security language assertion that the other asserted fact is flat; upon determining that the other asserted fact is not flat, translating the other security language assertion into a fourth logic language rule including another primary fact corresponding to the other asserted fact; combining the first, second, third and fourth logic language rules into a logic language program; and evaluating the logic language program in conjunction with an authorization query. - View Dependent Claims (5, 6)
-
Specification