@article{cram:logi01,
  author  = {Crampton, J. and Loizou, G. and O'Shea, G.},
  title   = {A logic of access control},
  journal = {The Computer Journal},
  volume  = {44},
  number  = {2},
  pages   = {137--149},
  year    = {2001},
}
Abstract
The effectiveness of an access control mechanism in implementing a security policy in a centralised operating system is often weakened because of the large number of possible access rights involved, informal specification of security policy and a lack of tools for assisting systems administrators. Herein we present a logical foundation for automated tools that assist in determining which access rights should be granted by reasoning about the effects of an access control mechanism on the computations performed by an operating system. We demonstrate the practicality and utility of our logical approach by showing how it allows us to construct a deductive database capable of answering questions about the security of two real-world operating systems. We illustrate the application of our techniques by presenting the results of an experiment designed to assess how accurately the configuration of an access control mechanism implements a given security policy.

@article{cram:comp01,
  author  = {Crampton, J. and Loizou, G.},
  title   = {The completion of a poset in a lattice of antichains},
  journal = {International Mathematical Journal},
  volume  = {1},
  number  = {3},
  pages   = {223--238},
  year    = {2001},
}
Abstract
It is well known that given a poset, $X$, the lattice of order ideals of $X$, $\langle \mathcal{I}(X), \subseteq \rangle$, is a completion of $X$ via the order-embedding $\phi: X \hookrightarrow \mathcal{I}(X)$ where $\phi(x) = {\downarrow}x$ (the down-set of $x$). Herein we define a lattice of antichains in $X$, $\langle \mathcal{A}(X), \preccurlyeq \rangle$, and prove it is isomorphic to $\langle \mathcal{I}(X), \subseteq \rangle$. We establish the ``join'' and ``meet'' operations of the lattice, and present results for $\langle \mathcal{A}(X), \preccurlyeq \rangle$ analogous to standard results for $\langle \mathcal{I}(X), \subseteq \rangle$, including Birkhoff's Representation Theorem for finite distributive lattices and a Dedekind-MacNeille-style completion using antichains. We also discuss the relevance and application of completions using antichains to access control in computer science, in particular with reference to role-based access control and to modelling conflict of interest policies.
@article{cram:auth01,
  author  = {Crampton, J. and Loizou, G.},
  title   = {Authorisation and antichains},
  journal = {ACM Operating Systems Review},
  volume  = {35},
  number  = {3},
  pages   = {6--15},
  year    = {2001},
}
Abstract
We present a summary of our recent work on partial orders and their application to access control modelling. In particular, we introduce a framework for separation of duty policies and a new access control model. We briefly discuss a special case of this model, HSS RBAC, which is our variation of a role-based access control model.
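@phdthesis{cram:phd,
  author  = {Crampton, J.},
  title   = {Authorization and antichains},
  school  = {Birkbeck, University of London},
  address = {London, England},
  year    = {2002},
  url     = {http://www.isg.rhul.ac.uk/~umai001/Pubs/thesis.pdf},
}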
Abstract
Access control has been an important issue in military systems for many years and is becoming increasingly important in commercial systems. There are three important access control paradigms: the Bell-LaPadula model, the protection matrix model and the role-based access control model. Each of these models has its advantages and disadvantages. Partial orders play a significant part in the role-based access control model and are also important in defining the security lattice in the Bell-LaPadula model. The main goal of this thesis is to improve the understanding and specification of access control models through a rigorous mathematical approach.

We examine the mathematical foundations of the role-based access control model and conclude that antichains are a fundamental concept in the model. The analytical approach we adopt enables us to identify where improvements in the administration of role-based access control could be made. We then develop a new administrative model for role-based access control based on a novel, mathematical interpretation of encapsulated ranges. We show that this model supports discretionary access control features which have hitherto been difficult to incorporate into role-based access control frameworks.

Separation of duty is an important feature of role-based access control models that has usually been expressed in first-order logic. We present an alternative formalism for separation of duty policies based on antichains in a powerset (Sperner families), and show that it is no less expressive than existing approaches. The simplicity of the formalism enables us to analyze the complexity of implementing separation of duty policies. In the course of this analysis we establish new results about Sperner families.

We also define two orderings on the set of antichains in a partially ordered set and prove that in both cases the resulting structure is a distributive lattice. This lattice provides the formal framework for a family of secure access control models which incorporate the advantages of existing paradigms without introducing many of their respective disadvantages. We present two members of this family: a new model for role-based access control, for which we give an operational semantics and prove a security theorem similar to the Basic Security Theorem for the Bell-LaPadula model; and the secure hierarchical protection matrix model which combines the strong security properties of the Bell-LaPadula model with the flexibility of the protection matrix model.


@inproceedings{cram:sacmat02,
  author     = {Crampton, J. and Loizou, G.},
  title      = {Administrative scope and hierarchy operations},
  booktitle  = {Proceedings of 7th ACM Symposium on Access Control Models and Technologies},
  pages      = {145--154},
  year       = {2002},
  OPTaddress = {Monterey, California},
}
Abstract
The ARBAC97 model makes an important contribution to the understanding and modeling of administration in role-based access control. However, there are several features of the model which we believe could be improved. We introduce the concept of administrative scope in a role hierarchy and show how this can be used to control updates to the hierarchy. We then incrementally develop a model for administering the role hierarchy and compare it to the RRA97 sub-model of ARBAC97. We conclude that our model offers significant advantages over RRA97.
@article{cram:tissec02,
  author  = {Crampton, J. and Loizou, G.},
  title   = {Administrative Scope: A Foundation for Role-Based Administrative Models},
  journal = {ACM Transactions on Information and System Security},
  volume  = {6},
  number  = {2},
  pages   = {201--231},
  year    = {2003},
}
Abstract
We introduce the concept of administrative scope in a role hierarchy and demonstrate that it can be used as a basis for role-based administration. We then develop a family of models for role hierarchy administration (RHA) employing administrative scope as the central concept. We then extend RHA$_{4}$, the most complex model in the family, to a complete, decentralized model for role-based administration. We show that SARBAC, the resulting role-based administrative model, has significant practical and theoretical advantages over ARBAC97. We also discuss how administrative scope might be applied to the administration of general hierarchical structures, how our model can be used to reduce inheritance in the role hierarchy and how it can be configured to support discretionary access control features.
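@inproceedings{cram:sacmat03,
  author     = {Crampton, J.},
  title      = {Specifying and enforcing constraints in role-based access control},
  booktitle  = {Proceedings of 8th ACM Symposium on Access Control Models and Technologies},
  pages      = {43--50},
  year       = {2003},
  OPTaddress = {Como, Italy},
}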
Abstract
Constraints in access control in general and separation of duty constraints in particular are an important area of research. There are two important issues relating to constraints: their specification and their enforcement. We believe that existing separation of duty specification schemes are rather complicated and that the few enforcement models that exist are unlikely to scale well.

We examine the assumptions behind existing approaches to separation of duty and present a combined specification and implementation model for a class of constraints that includes separation of duty constraints. The specification model is set-based and has a simpler syntax than existing approaches. We discuss the enforcement of constraints and the relationship between static, dynamic and historical separation of duty constraints. Finally, we propose a model for a scalable role-based reference monitor, based on dynamic access control structures, that can be used to enforce constraints in an efficient manner.


@inproceedings{cram:issa03,
  author     = {Crampton, J. and Khambhammettu, H.},
  title      = {Access control in a distributed object environment using {XML} and roles},
  booktitle  = {Proceedings of 3rd Annual Information Security South Africa Conference (ISSA 2003)},
  pages      = {75--88},
  year       = {2003},
  OPTaddress = {Sandton, South Africa},
}
Abstract
We discuss the design of an integrated security architecture for authorization and authentication in a distributed object environment. Our architecture will have four main components: an authentication engine, an interface, a session manager and an authorization engine. The core component of our model is the session manager, which issues XML-based session certificates to authenticated users. A session certificate will be used by the authorization engine to establish the legitimacy of an access request by a user. We will also describe how the architecture supports dynamic revocation of session certificates and delegation.
@inproceedings{cram:ccs03,
  author     = {Crampton, J.},
  title      = {On permissions, inheritance and role hierarchies},
  booktitle  = {Proceedings of the 10th ACM Conference on Computer and Communications Security},
  pages      = {85--92},
  year       = {2003},
  OPTaddress = {Washington, DC},
}
Abstract
Role-based access control and role hierarchies have generated considerable research activity in recent years. In many role-based models the role hierarchy partially determines which roles and permissions are available to users via various inheritance mechanisms. In this paper, we consider the nature of permissions more closely than is customary in the literature and propose a particular structure for permissions. We then introduce a role-based access control model that contains a novel approach to permission inheritance and illustrate how this model can be used to derive a role-based model with multi-level secure properties. We also consider the issue of redundant and consistent permission-role assignments and describe how such assignments can be avoided.
@inproceedings{cram:iasted,
  author     = {Crampton, J. and Khambhammettu, H.},
  title      = {Authorization and Certificates: Are We Pushing When We Should Be Pulling?},
  booktitle  = {Proceedings of IASTED Conference on Network and Information Security},
  pages      = {62--66},
  year       = {2003},
  OPTaddress = {New York},
}
Abstract
Certificates have long been used to bind authorization information to an identity or public key. Essentially there are two ways in which a verifying authority (reference monitor) can obtain the information (from a certificate) that is required to make an access control decision: the requesting entity provides the privilege attributes to the verifying authority -- a `push' model; or the verifying authority obtains the privilege attributes from a trusted repository -- a `pull' model. In this paper we argue that a push model, which is used by most certificate-based authorization mechanisms, is inferior to a pull model, and present an architecture based on the pull model.
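@article{cram:sacj,
  author  = {Crampton, J. and Khambhammettu, H.},
  title   = {Access control in a distributed object environment using {XML} and roles},
  journal = {South African Computer Journal},
  volume  = {31},
  pages   = {2--8},
  year    = {2003},
}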
Abstract
We discuss the design of an integrated security architecture for authorization and authentication in a distributed object environment. Our architecture will have four main components: an authentication engine, an interface, a session manager and an authorization engine. The core component of our model is the session manager, which issues XML-based session certificates to authenticated users. A session certificate will be used by the authorization engine to establish the legitimacy of an access request by a user. We will also describe how the architecture supports dynamic revocation of session certificates and delegation.
@inproceedings{tan:csfw04,
  author     = {Tan, K. and Crampton, J. and Gunter, C.},
  title      = {The consistency of task-based authorization constraints in workflow systems},
  booktitle  = {Proceedings of 17th IEEE Computer Security Foundations Workshop},
  pages      = {155--169},
  year       = {2004},
  OPTaddress = {Pacific Grove, CA},
}
Abstract
Workflow management systems (WFMSs) have attracted a lot of interest both in academia and the business community. A workflow consists of a collection of tasks that are organized to facilitate some business process specification. To simplify the complexity of security administration, it is common to use role-based access control (RBAC) to grant authorization to roles and users. Typically, security policies are expressed as constraints on users, roles, tasks and the workflow itself. A workflow system can become very complex and involve several organizations or different units of an organization, thus the number of security policies may be very large and their interactions very complex. It is clearly important to know whether the existence of such constraints will prevent certain instances of the workflow from completing. Unfortunately, no existing constraint models have considered this problem satisfactorily.

In this paper we define a model for constrained workflow systems that includes local and global cardinality constraints, separation of duty constraints and binding of duty constraints. We define the notion of a workflow specification and of a constrained workflow authorization schema. Our main result is to establish necessary and sufficient conditions on the set of constraints that ensure a sound constrained workflow authorization schema; that is, for any user or role authorized to a task, there is at least one complete workflow instance in which that user or role executes the task.


@inproceedings{cram:fcs04,
  author     = {Crampton, J.},
  title      = {An Algebraic Approach to the Analysis of Constrained Workflow Systems},
  booktitle  = {Proceedings of 3rd Workshop on Foundations of Computer Security (FCS'04)},
  pages      = {61--74},
  year       = {2004},
  OPTaddress = {Turku, Finland},
}
Abstract
The enforcement of authorization constraints such as separation of duty in workflow systems is an important area of current research in computer security. We briefly summarize our model for constrained workflow systems and develop a systematic algebraic method for combining constraints and authorization information. We then show how the closure of a set of constraints and the use of linear extensions can be used to develop an algorithm for computing authorized users in a constrained workflow system. We show how this algorithm can be used as the basis for a reference monitor. We discuss the computational complexity of implementing such a reference monitor and briefly compare our methods with the best existing approach.
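@inproceedings{cram:sws04,
  author    = {Crampton, J.},
  title     = {Applying hierarchical and role-based access control to {XML} documents},
  booktitle = {Proceedings of 2004 ACM Workshop on Secure Web Services},
  year      = {2004},
}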
Abstract
W3C Recommendations XML Encryption and XML-Digital Signature can be used to protect the confidentiality of and provide assurances about the integrity of XML documents transmitted over an insecure medium. The focus of this paper is how to control access to XML documents, once they have been received. This is particularly important for services where updates are sent to subscribers. We describe how certain access control policies for restricting access to XML documents can be enforced by encrypting specified regions of the document. These regions are specified using XPath filters and the policies are based on the hierarchical structure of XML documents. We also describe how techniques for assigning keys to a security lattice can be adapted to minimize the number of keys that are distributed to users and compare our approach with two other access control frameworks. Finally we consider how role-based access control can be used to enforce more complex access control policies.
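@techreport{cram:eval99,
  author      = {Crampton, J. and Loizou, G. and O'Shea, G.},
  title       = {Evaluating and improving access control},
  institution = {Birkbeck College, University of London},
  number      = {BBKCS-99-11},
  year        = {1999},
  OPTaddress  = {United Kingdom},
}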
Abstract
Our recent work provides a theoretical basis for the development of tools for reasoning about the operational implications of a particular configuration of the access control mechanism of an operating system. Herein we introduce a set-theoretic model of an access control policy and the concept of consistency of the state of an access control mechanism with a given access control policy. Our earlier work coupled with this definition of consistency enables us to assess and hence improve the implementation of an access control policy by using an access control mechanism. We demonstrate the value of our approach by specifying a simple access control policy and implementing the policy on two different commercial operating systems.
@techreport{cram:conf00,
  author      = {Crampton, J. and Loizou, G.},
  title       = {Conflict of interest policies: A general approach},
  institution = {Birkbeck College, University of London},
  number      = {BBKCS-00-07},
  year        = {2000},
  OPTaddress  = {United Kingdom},
}
Abstract
We define a conflict of interest policy and show that the definition is sufficiently general to include several well-known generic policies as special cases and to define policies for different environments. We show that such conflict of interest policies can be regarded as members of $\mathcal{P}(\mathcal{P}(X))$, for some set $X$, where $\mathcal{P}(X)$ denotes the powerset of $X$, and that such policies can be reduced to a canonical form. The set of canonical conflict of interest policies can be modelled by a subset of $\mathcal{P}(\mathcal{P}(X))$, $\mathcal{A}(\mathcal{P}(X))$. We derive upper and lower bounds for $|\mathcal{A}(\mathcal{P}(X))|$ and for the maximum length of a string that would be required to describe a conflict of interest policy. We also discuss the composition of two conflict of interest policies, an ordering for conflict of interest policies, and possible simplifications in the expression of such policies.
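@techreport{cram:part00,
  author      = {Crampton, J. and Loizou, G.},
  title       = {Two partial orders on the set of antichains},
  institution = {Birkbeck College, University of London},
  number      = {BBKCS-00-05},
  year        = {2000},
  OPTmonth    = sep,
  OPTaddress  = {United Kingdom},
}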
Abstract
Given a poset $X$, we define two partial orders on the set of antichains of $X$. We prove that the two resulting posets $\langle \mathcal{A}(X), \preccurlyeq \rangle$ and $\langle \mathcal{A}(X), \preccurlyeq' \rangle$ are lattices which are isomorphic to the lattice of order ideals of $X$, $\langle \mathcal{I}(X), \subseteq \rangle$. We also establish the meet and join operations of the two resulting lattices.
@techreport{cram:stru00,
  author      = {Crampton, J. and Loizou, G.},
  title       = {Structural complexity of conflict of interest policies},
  institution = {Birkbeck College, University of London},
  number      = {BBKCS-00-13},
  year        = {2000},
}
Abstract
We define a conflict of interest policy and show that the definition is sufficiently general to include several well-known generic policies as special cases and to articulate policies in different models of access control. We show that conflict of interest policies can be regarded as members of $2^{2^X}$, for some set $X$, where $2^X$ denotes the powerset of $X$. We demonstrate that conflict of interest policies can be reduced to a canonical form and that the set of canonical conflict of interest policies is a subset of $2^{2^X}$. In particular, the set of canonical conflict of interest policies is the set of Sperner families in $2^{X}$. We define a partial ordering on the set of Sperner families and show that this corresponds to an intuitive notion of strength of conflict of interest policies. Furthermore, we show that this ordering leads to a formal definition for composition of policies. We give some examples of conflict of interest policies in the context of two access control models and compare our framework with existing work in the role-based access control community on separation of duty policies.

We derive upper and lower bounds for the number of Sperner families improving on results obtained by Hansel. In particular, our introduction of the novel concept of a bi-symmetric chain partition enables us to improve the upper bound significantly. We also derive an expression for the maximum length of a string that is required to describe a conflict of interest policy.


@techreport{cram:sarbac02,
  author      = {Crampton, J. and Loizou, G.},
  title       = {{SARBAC}: A New Model for Role-Based Administration},
  institution = {Birkbeck College, University of London},
  number      = {BBKCS-02-09},
  year        = {2002},
}
Abstract
The ARBAC97 model makes an important contribution to the understanding and modeling of administration in role-based access control. However, there are several features of the model which we believe could be improved. The RHA family of models provides a useful alternative to the RRA97 sub-model of ARBAC97 which is used to control updates to the role hierarchy. We present SARBAC -- an extension of the RHA$_{4}$ model to a complete model for role-based administration. We show that SARBAC has significant practical and theoretical advantages over ARBAC97. In addition, we briefly discuss how SARBAC can be used to reduce inheritance in the role hierarchy and how it can be configured to support discretionary access control features.
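@techreport{cram:esorics04,
  author      = {Crampton, J.},
  title       = {On the satisfiability of authorization constraints in workflow systems},
  institution = {Department of Mathematics, Royal Holloway, University of London},
  number      = {RHUL--MA--2004--1},
  year        = {2004},
  url         = {http://www.ma.rhul.ac.uk/techreports/},
}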
Abstract
The specification and enforcement of authorization policies such as separation of duty and binding of duty in workflow systems is an important area of current research in computer security. We introduce a formal model for constrained workflow systems that incorporate constraints for implementing such policies. We define an entailment constraint, which is defined on a pair of tasks in a workflow, and show that such constraints can be used to model many familiar authorization policies. We show that a set of entailment constraints can be manipulated algebraically in order to compute all possible dependencies between tasks in the workflow. The resulting set of constraints form the basis for an analysis of the satisfiability of a workflow. We briefly consider how this analysis can be used to implement a reference monitor for workflow systems.
@inproceedings{cram:sacmat05,
  author    = {Crampton, J.},
  title     = {A reference monitor for workflow systems with constrained task execution},
  booktitle = {Proceedings of the 10th ACM Symposium on Access Control Models and Technologies},
  pages     = {38--47},
  year      = {2005},
}
Abstract
We describe a model, independent of any underlying access control paradigm, for specifying authorization constraints such as separation of duty and cardinality constraints in workflow systems. We present a number of results enabling us to simplify the set of authorization constraints. These results form the theoretical foundation for an algorithm that can be used to determine whether a given constrained workflow can be satisfied: that is, does there exist an assignment of authorized users to workflow tasks that satisfies the authorization constraints? We show that this algorithm can be incorporated into a workflow reference monitor that guarantees that every workflow instance can complete. We derive the computational complexity of our algorithm and compare its performance to comparable work in the literature.
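@inproceedings{shi:cec05,
  author    = {Swift, S. and Shi, A. and Crampton, J. and Tucker, A.},
  title     = {{ICARUS}: Intelligent Coupon Allocation for Retailers Using Search},
  booktitle = {Proceedings of 2005 IEEE Congress on Evolutionary Computation},
  pages     = {182--189},
  year      = {2005},
}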
Abstract
Many retailers run loyalty card schemes for their customers offering incentives in the form of money off coupons. The total value of the coupons depends on how much the customer has spent. This paper deals with the problem of finding the smallest set of coupons such that each possible total can be represented as the sum of a pre-defined number of coupons. A mathematical analysis of the problem leads to the development of a Genetic Algorithm solution. The algorithm is applied to real world data using several crossover operators and compared to well known straw-person methods. Results are promising showing that considerable time can be saved by using this method, reducing a few days worth of consultancy time to a few minutes of computation.
@inproceedings{cram:ccs05,
  author    = {Crampton, Jason},
  title     = {Understanding and developing role-based administrative models},
  booktitle = {Proceedings of the 12th ACM Conference on Computer and Communications Security},
  pages     = {158--167},
  year      = {2005},
}
Abstract
Access control data structures generally need to evolve over time in order to reflect changes to security policy and personnel. An administrative model defines the rules that control the state changes to an access control model and the data structures that model defines. We present a powerful framework for describing role-based administrative models. It is based on the concept of administrative domains and criteria that control state changes in order to preserve certain features of those domains. We define a number of different sets of criteria, each of which control the effect of state changes on the set of administrative domains and thereby lead to different role-based administrative models. Using this framework we are able to identify some unexpected connections between the ARBAC97 and RHA administrative models and to compare their respective properties. In doing so we are able to suggest some improvements to both models.
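@inproceedings{cram:cnis05,
  author        = {Crampton, Jason and Khambhammettu, Hemanth},
  title         = {Data Structures for Constraint Enforcement in Role-Based Systems},
  booktitle     = {Proceedings of the 2005 IASTED Conference on Network and Information Security},
  pages         = {158--167},
  year          = {2005},
  internal-note = {pages are identical to cram:ccs05 (a different venue); verify against the IASTED proceedings},
}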
Abstract
Constraints are an important aspect of role-based models. Several types of constraints, such as separation of duty constraints, cardinality constraints and temporal constraints have been identified in the literature. Although the specification of constraints has received significant research interest, there has been little work on the development of an efficient constraint enforcement model. In particular there does not exist a model for the data structures that are referenced and maintained by the constraint enforcement mechanism. In this paper, we define a formal model for such data structures that record salient information to be used by the constraint enforcement mechanism. We introduce the concept of a constraint evaluation structure that is used by the constraint enforcement mechanism to determine whether granting a request would violate a constraint. Two particular constraint evaluation structures form part of the runtime model we introduce in order to enforce dynamic constraints.
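@inproceedings{cram:sacmat06,
  author    = {Crampton, Jason and Leung, Wing and Beznosov, Konstantin},
  title     = {The secondary and approximate authorization model and its application to {Bell-LaPadula} policies},
  booktitle = {Proceedings of 11th ACM Symposium on Access Control Models and Technologies},
  pages     = {111--120},
  year      = {2006},
}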
Abstract
We introduce the concept, model, and policy-specific algorithms for inferring new access control decisions from previous ones. Our secondary and approximate authorization model (SAAM) defines the notions of primary vs. secondary and precise vs. approximate authorizations. Approximate authorization responses are inferred from cached primary responses, and therefore provide an alternative source of access control decisions in the event that the authorization server is unavailable or slow. The ability to compute approximate authorizations improves the reliability and performance of access control sub-systems and ultimately the application systems themselves.

The operation of a system that employs SAAM depends on the type of access control policy it implements. We propose and analyze algorithms for computing secondary authorizations in the case of policies based on the Bell-LaPadula model. In this context, we define a dominance graph, and describe its construction and usage for generating secondary responses to authorization requests. Preliminary results of evaluating SAAM$_{\text{BLP}}$ algorithms demonstrate a 30% increase in the number of authorization requests that can be served without consulting access control policies.


@inproceedings{cram:csfw06,
  author    = {Crampton, Jason and Martin, Keith and Wild, Peter},
  title     = {On Key Assignment for Hierarchical Access Control},
  booktitle = {Proceedings of 19th IEEE Computer Security Foundations Workshop},
  pages     = {98--111},
  year      = {2006},
}
Abstract
A key assignment scheme is a cryptographic technique for implementing an information flow policy, sometimes known as hierarchical access control. All the research to date on key assignment schemes has focused on particular encryption techniques rather than an analysis of what features are required of such a scheme. To remedy this we propose a family of generic key assignment schemes and compare their respective advantages. We note that every scheme in the literature is simply an instance of one of our generic schemes. We then conduct an analysis of the Akl-Taylor scheme and propose a number of improvements. We also demonstrate that many of the criticisms that have been made of this scheme in respect of key updates are unfounded. Finally, exploiting the deeper understanding we have acquired of key assignment schemes, we introduce a technique for exploiting the respective advantages of different schemes.
@article{tuck:rgfga,
  author  = {A. Tucker and J. Crampton and S. Swift},
  title   = {{RGFGA}: An efficient representation and crossover for grouping genetic algorithms},
  journal = {Evolutionary Computation},
  year    = {2005},
  volume  = {13},
  number  = {4},
  pages   = {477--500},
}
Abstract
There is substantial research into genetic algorithms that are used to group large numbers of objects into mutually exclusive subsets based upon some fitness function. However, nearly all methods involve degeneracy to some degree. We introduce a new representation for grouping genetic algorithms, the restricted growth function genetic algorithm, that effectively removes all degeneracy, resulting in a more efficient search. A new crossover operator is also described that exploits a measure of similarity between chromosomes in a population. Using several synthetic datasets, we compare the performance of our representation and crossover with another well known state-of-the-art GA method, a strawman optimisation method and a well-established statistical clustering algorithm, with encouraging results.
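@article{coun:inte06,
  author       = {Steve Counsell and Stephen Swift and Jason Crampton},
  title        = {The interpretation and utility of three cohesion metrics for object-oriented design},
  journal      = {{ACM} Transactions on Software Engineering and Methodology},
  year         = {2006},
  volume       = {15},
  number       = {2},
  pages        = {123--149},
  doi          = {10.1145/1131421.1131422},
  OPTpublisher = {ACM Press},
  OPTaddress   = {New York, NY, USA},
}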
Abstract
The concept of cohesion in a class has been the subject of various recent empirical studies and has been measured using many different metrics. In the structured programming paradigm, the software engineering community has adopted an informal yet meaningful and understandable definition of cohesion based on the work of Yourdon and Constantine. The object-oriented (OO) paradigm has formalised various cohesion measures, but the argument over the most meaningful of those metrics continues to be debated. Yet achieving highly cohesive software is fundamental to its comprehension and thus its maintainability. In this paper we subject two object-oriented cohesion metrics, CAMC and NHD, to a rigorous mathematical analysis in order to better understand and interpret them. This analysis enables us to offer substantial arguments for preferring the NHD metric to CAMC as a measure of cohesion. Furthermore, we provide a complete understanding of the behaviour of these metrics, enabling us to attach a meaning to the values calculated by the CAMC and NHD metrics. In addition, we introduce a variant of the NHD metric and demonstrate that it has several advantages over CAMC and NHD. While it may be true that a generally accepted formal and informal definition of cohesion continues to elude the OO software engineering community, there seems considerable value in being able to compare, contrast and interpret metrics which attempt to measure the same features of software.
@inproceedings{cram:dbsec06,
  author    = {Jason Crampton},
  title     = {Discretionary and Mandatory Control for Role-Based Administration},
  editor    = {Ernesto Damiani and Peng Liu},
  booktitle = {Data and Applications Security XX},
  series    = {Lecture Notes in Computer Science},
  volume    = {4127},
  pages     = {194--208},
  publisher = {Springer},
  year      = {2006},
}
Abstract
Role-based access control is an important way of limiting the access users have to computing resources. While the basic concepts of role-based access control are now well understood, there is no consensus on the best approach to managing role-based systems. In this paper, we introduce a new model for role-based administration, using the notions of discretionary and mandatory controls. Our model provides a number of important features that control the assignment of users and permissions to roles. This means that we can limit the damage that can be done by malicious administrative users. We compare our approach to a number of other models for role-based administration, and demonstrate that our model has several advantages.
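@inproceedings{bert:acce06,
  author    = {E. Bertino and J. Crampton and F. Paci},
  title     = {Access control and authorization constraints for {WS-BPEL}},
  booktitle = {Proceedings of {IEEE} International Conference on Web Services},
  year      = {2006},
  OPTpages  = {},
}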
Abstract
Computerized workflow systems have attracted considerable research interest in the last fifteen years. More recently, there have been several XML-based languages proposed for specifying and orchestrating business processes, culminating in WS-BPEL. A significant omission from WS-BPEL is the ability to specify authorization information associating users with activities in the business process and authorization constraints on the execution of activities such as separation of duty. In this paper, we address these deficiencies by developing the RBAC-WS-BPEL and BPCL languages. The first of these provides for the specification of authorization information associated with a business process specified in WS-BPEL, while BPCL provides for the articulation of authorization constraints.
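@inproceedings{cram:esorics06,
  author    = {J. Crampton and H. Khambhammettu},
  title     = {Delegation in role-based access control},
  booktitle = {Proceedings of 11th European Symposium on Research in Computer Security},
  year      = {2006},
  pages     = {174--191},
}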
Abstract
User delegation is a mechanism for assigning access rights available to a user to another user. A delegation operation can either be a grant or transfer operation. Delegation models for role-based access control have extensively studied grant delegations. However, transfer delegations for role-based access control have largely been ignored. This is largely because enforcing transfer delegation policies is more complex than enforcing grant delegation policies. This paper primarily studies transfer delegations for role-based access control models. We also include grant delegations in our model for completeness. We present various mechanisms that authorise delegations in our model. In particular, we show that the use of administrative scope for authorising delegations is more efficient than using relations. We also discuss the enforcement and revocation of delegations. Finally, we compare our work with relevant work in the literature.
@inproceedings{sken:wosp07,
  author    = {J. Skene and A. Skene and J. Crampton and W. Emmerich},
  title     = {The monitorability of service-level agreements for application-service provision},
  booktitle = {Proceedings of the 6th International Workshop on Software and Performance},
  pages     = {3--14},
  year      = {2007},
}
Abstract
Service-Level Agreements (SLAs) mitigate the risks of a service-provision scenario by associating financial penalties with aberrant service behaviour. SLAs are useless if their provisions can be unilaterally ignored by a party without incurring any liability. To avoid this, it is necessary to ensure that each party's conformance to its obligations can be monitored by the other parties. We introduce a technique for analysing systems of SLAs to determine the degree of monitorability possible. We apply this technique to identify the most monitorable system of SLAs governing timeliness for a three-role Application-Service Provision (ASP) scenario. The system contains SLAs that are at best mutually monitorable, implying the requirement for reconciliation of monitoring data between the parties, and hence the need to constrain the parties to report honestly while accommodating unavoidable measurement error. We describe the design of a fair constraint on the precision and accuracy of reported measurements, and its approximate monitorability using a statistical hypothesis test.
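@inproceedings{dekk:exte07,
  author    = {M. Dekker and S. Etalle and J. Cederquist},
  title     = {Extended privilege inheritance in {RBAC}},
  booktitle = {Proceedings of 2007 {ACM} Symposium on Information, Computer and Communications Security},
  pages     = {383--385},
  year      = {2007},
}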
Abstract
In existing RBAC literature, administrative privileges are inherited just like ordinary user privileges. We argue that from a security viewpoint this is too restrictive, and we believe that a more flexible approach can be very useful in practice. We define an ordering on the set of administrative privileges, enabling us to extend the standard privilege inheritance relation in a natural way. This means that if a user has a particular administrative privilege, then she is also implicitly authorized for weaker administrative privileges. We prove the non-trivial result that it is possible to decide whether one administrative privilege is weaker than another and show how this result can be used to decide administrative requests in an RBAC security monitor.
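@inproceedings{cram:pkird07,
  author    = {J. Crampton and H. W. Lim and K. G. Paterson and G. Price},
  title     = {A certificate-free grid security infrastructure supporting password-based user authentication},
  booktitle = {Proceedings of 6th Annual {PKI} R\&D Workshop},
  year      = {2007},
}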
Abstract
Password-based authentication is still the most widely used authentication mechanism, largely because of the ease with which it can be understood by end users and implemented. In this paper, we propose a security infrastructure for grid applications, in which users are authenticated using passwords. Our infrastructure allows users to perform single sign-on based only on passwords, without requiring a public key infrastructure. Nevertheless, our infrastructure supports essential grid security services, such as mutual authentication and delegation, using public key cryptographic techniques. Moreover, hosting servers in our infrastructure are not required to have public key certificates, meaning mutual authentication and delegation of proxy credentials can be performed in a lightweight and efficient manner.
@inproceedings{cram:wia07,
  author    = {J. Crampton and L. Chen},
  title     = {Applications of the oriented permission role-based access control model},
  booktitle = {Proceedings of 3rd International Workshop on Information Assurance},
  year      = {2007},
}
Abstract
Role-based access control and role hierarchies have been the subject of considerable research in recent years. In this paper, we consider three useful applications of a new role-based access control model that contains a novel approach to permissions and permission inheritance: one is to illustrate that the new model provides a simpler and more natural way to implement the BLP model using role-based techniques; a second application is to make it possible to define separation of duty constraints on two roles that have a common senior role and for a user to be assigned to or activate the senior role; finally, we describe how a single hierarchy in the new model supports the requirement of distinguishing between role activation and permission usage hierarchies. In short, the oriented permission model provides ways of implementing a number of useful features that have previously required ad hoc and inelegant solutions.
@inproceedings{cram:sacmat07,
  author    = {L. Chen and J. Crampton},
  title     = {Inter-domain role mapping and least privilege},
  booktitle = {Proceedings of the 12th ACM Symposium on Access Control Models and Technologies},
  pages     = {157--162},
  year      = {2007},
}
Abstract
The principle of least privilege is a well known design principle to which access control models and systems should adhere. In the context of role-based access control, the principle of least privilege can be implemented through the use of sessions. In this paper, we first define a family of simple role-based models that provide support for multiple hierarchies and temporal constraints. We then investigate a question related to sessions in each of these models: the inter-domain role mapping problem. The question has previously been defined and analyzed in the context of a particular role-based model. We re-define the question and analyze it in the context of a number of different role-based models.
@inproceedings{cram:mmm07,
  author    = {H. Rowe and J. Crampton},
  title     = {Avoiding key redistribution in key assignment schemes},
  booktitle = {Proceedings of the Fourth International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security},
  year      = {2007},
  pages     = {127--140},
}
Abstract
A key assignment scheme is a model for enforcing an information flow policy using cryptographic techniques. Such schemes have been widely studied in recent years. Each security label is associated with a symmetric encryption key: data objects are encrypted and authorised users are supplied with the appropriate key(s). However, updates to encryption keys pose a significant problem, as the new keys have to be issued to all authorised users. In this paper, we propose three generic approaches to key assignment schemes that remove the problem of key redistribution following key updates. We analyse the overheads incurred by these approaches and conclude that these overheads are negligible in practical applications.
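@inproceedings{cram:nordsec07,
  author    = {J. Crampton},
  title     = {Cryptographically-enforced hierarchical access control with multiple keys},
  booktitle = {Proceedings of the 12th Nordic Workshop on Secure IT Systems},
  pages     = {49--60},
  year      = {2007},
}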
Abstract
Hierarchical access control policies, in which users and objects are associated with nodes in a hierarchy, can be enforced using cryptographic mechanisms. Protected data is encrypted and authorized users are given the appropriate keys. Lazy re-encryption techniques and temporal hierarchical access control policies require that multiple keys may be associated with a node in the hierarchy. In this paper, we introduce the notion of a multi-key assignment scheme to address this requirement. We define bounded, unbounded, synchronous, and asynchronous schemes. We demonstrate that bounded, synchronous schemes provide an alternative to temporal key assignment schemes in the literature, and that unbounded asynchronous schemes provide the desired support for lazy re-encryption.
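@inproceedings{cram:sws07,
  author    = {J. Crampton and H. W. Lim and K. G. Paterson},
  title     = {What can identity-based cryptography offer to web services?},
  booktitle = {Proceedings of 4th {ACM} Workshop on Secure Web Services},
  year      = {2007},
  pages     = {26--36},
}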
Abstract
Web services are seen as the enabler of service-oriented computing, a promising next generation distributed computing technology. Independently, identity-based cryptography is emerging as a serious contender to more conventional certificate-based public key cryptography. However, the application of identity-based cryptography in web services appears largely unexplored. This paper sets out to examine how identity-based cryptography might be used to secure web services. We show that identity-based cryptography has some attractive properties which naturally suit the message-level security needed by web services.
@inproceedings{cram:sac08,
  author    = {J. Crampton and H. Khambhammettu},
  title     = {On delegation and workflow execution models},
  booktitle = {Proceedings of the 2008 ACM Symposium on Applied Computing},
  pages     = {2137--2144},
  year      = {2008},
}
Abstract
Workflow systems have long been of interest to computer science researchers due to their practical relevance. Supporting delegation mechanisms in workflow systems is receiving increasing research interest. In this paper, we conduct a comprehensive study of user delegation operations in computerized workflow systems. In a workflow system, the semantics of a delegation operation are largely based on three factors: the underlying workflow execution model, task type and delegation type. We describe three different workflow execution models and examine the effect of various delegation operations in each workflow execution model. We then extend our workflow execution models to examine the effect of various delegation operations in different role-based workflow execution models.
@inproceedings{chen:spat08,
  author    = {L. Chen and J. Crampton},
  title     = {On spatio-temporal constraints and inheritance in role-based access control},
  booktitle = {Proceedings of ACM Symposium on Information, Computer and Communications Security},
  pages     = {205--216},
  year      = {2008},
}
Abstract
Pervasive computing environments have created a requirement for spatial- and temporal-aware access control systems. Although temporal, spatial and spatio-temporal role-based access control (RBAC) models have been developed, a family of simple, expressive and flexible models that convincingly addresses the interaction between spatio-temporal constraints and inheritance in RBAC does not yet exist. In this paper, we define three spatio-temporal models based on RBAC96, the de facto standard for RBAC, and extend these models to include activation and usage hierarchies. These models provide different authorization semantics, varying in the extent to which RBAC entities and relations are constrained by spatio-temporal restrictions. We introduce the notion of trusted entities, which are used to selectively override certain spatio-temporal restrictions. We also demonstrate that our spatio-temporal models are consistent and compatible with RBAC96 and the ANSI-RBAC standard, in contrast to existing models. Finally, we propose four approaches to encoding spatio-temporal requirements in practical applications that permit access requests to be answered efficiently.
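@inproceedings{cram:dele08,
  author    = {J. Crampton and H. Khambhammettu},
  title     = {Delegation and satisfiability in workflow systems},
  booktitle = {Proceedings of 13th {ACM} Symposium on Access Control Models and Technologies},
  pages     = {31--40},
  year      = {2008},
}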
Abstract
Supporting delegation mechanisms in workflow systems is receiving increasing interest from the research community. An important requirement of a constrained workflow is to guarantee the satisfiability of the workflow, which requires that some set of authorized users can complete a workflow. Typically, any mechanism that is used to establish the satisfiability of a workflow is based on the workflow specification and the user authorization information. The effect of a successful user delegation request is to change the user authorization information, thereby affecting the satisfiability of the workflow. Existing work on delegation in workflows does not consider the satisfiability of the workflow. In this paper, we address the satisfiability problem of workflows, while supporting user delegation mechanisms, in the context of three different workflow execution models. We consider delegation of concrete tasks, abstract tasks and roles. We present algorithms for evaluating various delegation requests in each workflow execution model.
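@inproceedings{dekk:rbac08,
  author    = {M. Dekker and J. Crampton and S. Etalle},
  title     = {{RBAC} administration in distributed systems},
  booktitle = {Proceedings of 13th {ACM} Symposium on Access Control Models and Technologies},
  pages     = {93--102},
  year      = {2008},
}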
Abstract
Large and distributed access control systems are increasingly common, for example in health care. In such settings, access control policies may become very complex, thus complicating correct and efficient administration of the access control system. Despite being one of the most widely used access control standards, RBAC does not include an administration model for distributed systems. In this paper we fill this gap. We present a model for the administration of RBAC in a distributed system and propose an administration procedure supporting the principle that different systems protect different sets of objects. We demonstrate that our procedure fulfills the formal requirements deriving from safety and availability, and we show how it can be translated to a practical implementation. Finally, we show how our model can be extended with multiple decentralized administrative systems.
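@inproceedings{wei:auth08,
  author    = {Q. Wei and J. Crampton and K. Beznosov and M. Ripeanu},
  title     = {Authorization recycling in {RBAC} systems},
  booktitle = {Proceedings of 13th {ACM} Symposium on Access Control Models and Technologies},
  pages     = {63--72},
  year      = {2008},
}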
Abstract
As distributed applications increase in size and complexity, traditional authorization mechanisms based on a single policy decision point are increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization recycling is one technique that has been used to address these challenges. This paper introduces and evaluates the mechanisms for authorization recycling in RBAC enterprise systems. The algorithms that support these mechanisms allow precise and approximate authorization decisions to be made, thereby masking possible failures of the policy decision point and reducing its load. We evaluate these algorithms analytically and using a prototype implementation. Our evaluation results demonstrate that authorization recycling can improve the performance of distributed access control mechanisms.
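@inproceedings{cram:role08,
  author    = {J. Crampton and H. W. Lim},
  title     = {Role signatures for access control in open distributed systems},
  booktitle = {Proceedings of {IFIP TC-11} 23rd International Information Security Conference},
  pages     = {205--220},
  year      = {2008},
}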
Abstract
Implementing access control efficiently and effectively in an open and distributed system is a challenging problem. One reason for this is that users requesting access to remote resources may be unknown to the authorization service that controls access to the requested resources. Hence, it seems inevitable that pre-defined mappings of principals in one domain to those in the domain containing the resources are needed. In addition, verifying the authenticity of user credentials or attributes can be difficult. In this paper, we propose the concept of {\em role signatures} to solve these problems by exploiting the hierarchical namespaces that exist in many distributed systems. Our approach makes use of a hierarchical identity-based signature scheme: verification keys are based on generic role identifiers defined within a hierarchical namespace. The verification of a role signature serves to prove that the signer is an authorized user and is assigned to one or more roles. Individual member organizations of a virtual organization are not required to agree on principal mappings beforehand to enforce access control to resources. Moreover, user authentication and credential verification is unified in our approach and can be achieved through a single role signature.
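@comment{REVIEW: this entry repeats the citation key cram:nordsec07 (already defined above
  with identical fields), which BibTeX reports as a "Repeated entry" error, and the abstract
  that follows it describes a different paper (a formal model of the Unix owner-group-world
  access control mechanism), not the multi-key assignment paper. The correct key, title,
  venue and pages for the Unix paper are not recoverable from this file: replace the fields
  below with the right metadata and give the entry a unique key (e.g. cram:<venue><year>).}
@inproceedings{cram:nordsec07,
  author    = {J. Crampton},
  title     = {Cryptographically-enforced hierarchical access control with multiple keys},
  booktitle = {Proceedings of the 12th Nordic Workshop on Secure IT Systems},
  pages     = {49--60},
  year      = {2007},
}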
Abstract
Unix is an operating system that began development almost 40 years ago. It has a very simple mechanism for controlling access to protected resources based on the owner-group-world model. This simple model has not attracted much interest from the access control community. In this paper we argue that the Unix access control mechanism has some interesting features of relevance to modern authorization services. We present a formal model for the Unix access control mechanism and compare its characteristics with those of role-based access control and XACML, two popular foundations for authorization services. We then discuss what lessons may be learned from the Unix model and how those lessons might be applied in the future.