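@article{cram:logi01,
  author  = {Crampton, J. and Loizou, G. and O'Shea, G.},
  title   = {A Logic of Access Control},
  journal = {The Computer Journal},
  year    = {2001},
  volume  = {44},
  number  = {2},
  pages   = {137--149},
}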
Abstract
The effectiveness of an access control mechanism in implementing a security policy in a centralised operating system is often weakened because of the large number of possible access rights involved, informal specification of security policy and a lack of tools for assisting systems administrators. Herein we present a logical foundation for automated tools that assist in determining which access rights should be granted by reasoning about the effects of an access control mechanism on the computations performed by an operating system. We demonstrate the practicality and utility of our logical approach by showing how it allows us to construct a deductive database capable of answering questions about the security of two real-world operating systems. We illustrate the application of our techniques by presenting the results of an experiment designed to assess how accurately the configuration of an access control mechanism implements a given security policy.

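@article{cram:comp01,
  author  = {Crampton, J. and Loizou, G.},
  title   = {The Completion of a Poset in a Lattice of Antichains},
  journal = {International Mathematical Journal},
  year    = {2001},
  volume  = {1},
  number  = {3},
  pages   = {223--238},
}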
Abstract
It is well known that given a poset, $X$, the lattice of order ideals of $X$, $\langle \mathcal{I}(X), \subseteq \rangle$, is a completion of $X$ via the order-embedding $\phi : X \hookrightarrow \mathcal{I}(X)$, where $\phi(x) = {\downarrow}x$ is the down-set of $x$. Herein we define a lattice of antichains in $X$, $\langle \mathcal{A}(X), \preccurlyeq \rangle$, and prove it is isomorphic to $\langle \mathcal{I}(X), \subseteq \rangle$. We establish the ``join'' and ``meet'' operations of the lattice, and present results for $\langle \mathcal{A}(X), \preccurlyeq \rangle$ analogous to standard results for $\langle \mathcal{I}(X), \subseteq \rangle$, including Birkhoff's Representation Theorem for finite distributive lattices and a Dedekind--MacNeille-style completion using antichains. We also discuss the relevance and application of completions using antichains to access control in computer science, in particular with reference to role-based access control and to modelling conflict of interest policies.
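@article{cram:auth01,
  author  = {Crampton, J. and Loizou, G.},
  title   = {Authorisation and Antichains},
  journal = {{ACM} Operating Systems Review},
  year    = {2001},
  volume  = {35},
  number  = {3},
  pages   = {6--15},
}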
Abstract
We present a summary of our recent work on partial orders and their application to access control modelling. In particular, we introduce a framework for separation of duty policies and a new access control model. We briefly discuss a special case of this model, HSS RBAC, which is our variation of a role-based access control model.
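@phdthesis{cram:phd,
  author  = {Crampton, J.},
  title   = {Authorization and Antichains},
  school  = {Birkbeck, University of London},
  year    = {2002},
  address = {London, England},
  url     = {http://www.isg.rhul.ac.uk/~umai001/Pubs/thesis.pdf},
}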
Abstract
Access control has been an important issue in military systems for many years and is becoming increasingly important in commercial systems. There are three important access control paradigms: the Bell-LaPadula model, the protection matrix model and the role-based access control model. Each of these models has its advantages and disadvantages. Partial orders play a significant part in the role-based access control model and are also important in defining the security lattice in the Bell-LaPadula model. The main goal of this thesis is to improve the understanding and specification of access control models through a rigorous mathematical approach.

We examine the mathematical foundations of the role-based access control model and conclude that antichains are a fundamental concept in the model. The analytical approach we adopt enables us to identify where improvements in the administration of role-based access control could be made. We then develop a new administrative model for role-based access control based on a novel, mathematical interpretation of encapsulated ranges. We show that this model supports discretionary access control features which have hitherto been difficult to incorporate into role-based access control frameworks.

Separation of duty is an important feature of role-based access control models that has usually been expressed in first-order logic. We present an alternative formalism for separation of duty policies based on antichains in a powerset (Sperner families), and show that it is no less expressive than existing approaches. The simplicity of the formalism enables us to analyze the complexity of implementing separation of duty policies. In the course of this analysis we establish new results about Sperner families.

We also define two orderings on the set of antichains in a partially ordered set and prove that in both cases the resulting structure is a distributive lattice. This lattice provides the formal framework for a family of secure access control models which incorporate the advantages of existing paradigms without introducing many of their respective disadvantages. We present two members of this family: a new model for role-based access control, for which we give an operational semantics and prove a security theorem similar to the Basic Security Theorem for the Bell-LaPadula model; and the secure hierarchical protection matrix model which combines the strong security properties of the Bell-LaPadula model with the flexibility of the protection matrix model.


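@inproceedings{cram:sacmat02,
  author     = {Crampton, J. and Loizou, G.},
  title      = {Administrative Scope and Hierarchy Operations},
  booktitle  = {Proceedings of the 7th {ACM} Symposium on Access Control Models and Technologies},
  year       = {2002},
  pages      = {145--154},
  OPTaddress = {Monterey, California},
}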
Abstract
The ARBAC97 model makes an important contribution to the understanding and modeling of administration in role-based access control. However, there are several features of the model which we believe could be improved. We introduce the concept of administrative scope in a role hierarchy and show how this can be used to control updates to the hierarchy. We then incrementally develop a model for administering the role hierarchy and compare it to the RRA97 sub-model of ARBAC97. We conclude that our model offers significant advantages over RRA97.
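@article{cram:tissec02,
  author  = {Crampton, J. and Loizou, G.},
  title   = {Administrative Scope: A Foundation for Role-Based Administrative Models},
  journal = {{ACM} Transactions on Information and System Security},
  year    = {2003},
  volume  = {6},
  number  = {2},
  pages   = {201--231},
  index   = {250},
}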
Abstract
We introduce the concept of administrative scope in a role hierarchy and demonstrate that it can be used as a basis for role-based administration. We then develop a family of models for role hierarchy administration (RHA) employing administrative scope as the central concept. We then extend RHA$_{4}$, the most complex model in the family, to a complete, decentralized model for role-based administration. We show that SARBAC, the resulting role-based administrative model, has significant practical and theoretical advantages over ARBAC97. We also discuss how administrative scope might be applied to the administration of general hierarchical structures, how our model can be used to reduce inheritance in the role hierarchy and how it can be configured to support discretionary access control features.
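@inproceedings{cram:sacmat03,
  author     = {Crampton, J.},
  title      = {Specifying and Enforcing Constraints in Role-Based Access Control},
  booktitle  = {Proceedings of the 8th {ACM} Symposium on Access Control Models and Technologies},
  year       = {2003},
  pages      = {43--50},
  OPTaddress = {Como, Italy},
}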
Abstract
Constraints in access control in general and separation of duty constraints in particular are an important area of research. There are two important issues relating to constraints: their specification and their enforcement. We believe that existing separation of duty specification schemes are rather complicated and that the few enforcement models that exist are unlikely to scale well.

We examine the assumptions behind existing approaches to separation of duty and present a combined specification and implementation model for a class of constraints that includes separation of duty constraints. The specification model is set-based and has a simpler syntax than existing approaches. We discuss the enforcement of constraints and the relationship between static, dynamic and historical separation of duty constraints. Finally, we propose a model for a scalable role-based reference monitor, based on dynamic access control structures, that can be used to enforce constraints in an efficient manner.


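@inproceedings{cram:issa03,
  author     = {Crampton, J. and Khambhammettu, H.},
  title      = {Access Control in a Distributed Object Environment Using {XML} and Roles},
  booktitle  = {Proceedings of the 3rd Annual Information Security South Africa Conference ({ISSA} 2003)},
  year       = {2003},
  pages      = {75--88},
  OPTaddress = {Sandton, South Africa},
}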
Abstract
We discuss the design of an integrated security architecture for authorization and authentication in a distributed object environment. Our architecture will have four main components: an authentication engine, an interface, a session manager and an authorization engine. The core component of our model is the session manager, which issues XML-based session certificates to authenticated users. A session certificate will be used by the authorization engine to establish the legitimacy of an access request by a user. We will also describe how the architecture supports dynamic revocation of session certificates and delegation.
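@inproceedings{cram:ccs03,
  author     = {Crampton, J.},
  title      = {On Permissions, Inheritance and Role Hierarchies},
  booktitle  = {Proceedings of the 10th {ACM} Conference on Computer and Communications Security},
  year       = {2003},
  pages      = {85--92},
  OPTaddress = {Washington, DC},
}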
Abstract
Role-based access control and role hierarchies have generated considerable research activity in recent years. In many role-based models the role hierarchy partially determines which roles and permissions are available to users via various inheritance mechanisms. In this paper, we consider the nature of permissions more closely than is customary in the literature and propose a particular structure for permissions. We then introduce a role-based access control model that contains a novel approach to permission inheritance and illustrate how this model can be used to derive a role-based model with multi-level secure properties. We also consider the issue of redundant and consistent permission-role assignments and describe how such assignments can be avoided.
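@inproceedings{cram:iasted,
  author     = {Crampton, J. and Khambhammettu, H.},
  title      = {Authorization and Certificates: Are We Pushing When We Should Be Pulling?},
  booktitle  = {Proceedings of the {IASTED} Conference on Network and Information Security},
  year       = {2003},
  pages      = {62--66},
  OPTaddress = {New York},
}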
Abstract
Certificates have long been used to bind authorization information to an identity or public key. Essentially there are two ways in which a verifying authority (reference monitor) can obtain the information (from a certificate) that is required to make an access control decision: the requesting entity provides the privilege attributes to the verifying authority -- a `push' model; or the verifying authority obtains the privilege attributes from a trusted repository -- a `pull' model. In this paper we argue that a push model, which is used by most certificate-based authorization mechanisms, is inferior to a pull model, and present an architecture based on the pull model.
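@article{cram:sacj,
  author  = {Crampton, J. and Khambhammettu, H.},
  title   = {Access Control in a Distributed Object Environment Using {XML} and Roles},
  journal = {South African Computer Journal},
  year    = {2003},
  volume  = {31},
  pages   = {2--8},
}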
Abstract
We discuss the design of an integrated security architecture for authorization and authentication in a distributed object environment. Our architecture will have four main components: an authentication engine, an interface, a session manager and an authorization engine. The core component of our model is the session manager, which issues XML-based session certificates to authenticated users. A session certificate will be used by the authorization engine to establish the legitimacy of an access request by a user. We will also describe how the architecture supports dynamic revocation of session certificates and delegation.
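@inproceedings{tan:csfw04,
  author     = {Tan, K. and Crampton, J. and Gunter, C.},
  title      = {The Consistency of Task-Based Authorization Constraints in Workflow Systems},
  booktitle  = {Proceedings of the 17th {IEEE} Computer Security Foundations Workshop},
  year       = {2004},
  pages      = {155--169},
  OPTaddress = {Pacific Grove, CA},
}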
Abstract
Workflow management systems (WFMSs) have attracted a lot of interest both in academia and the business community. A workflow consists of a collection of tasks that are organized to facilitate some business process specification. To simplify the complexity of security administration, it is common to use role-based access control (RBAC) to grant authorization to roles and users. Typically, security policies are expressed as constraints on users, roles, tasks and the workflow itself. A workflow system can become very complex and involve several organizations or different units of an organization, thus the number of security policies may be very large and their interactions very complex. It is clearly important to know whether the existence of such constraints will prevent certain instances of the workflow from completing. Unfortunately, no existing constraint models have considered this problem satisfactorily.

In this paper we define a model for constrained workflow systems that includes local and global cardinality constraints, separation of duty constraints and binding of duty constraints. We define the notion of a workflow specification and of a constrained workflow authorization schema. Our main result is to establish necessary and sufficient conditions on the set of constraints that ensure a sound constrained workflow authorization schema; that is, for any user or role authorized to perform a task, there is at least one complete workflow instance in which that user or role executes the task.


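@inproceedings{cram:fcs04,
  author     = {Crampton, J.},
  title      = {An Algebraic Approach to the Analysis of Constrained Workflow Systems},
  booktitle  = {Proceedings of the 3rd Workshop on Foundations of Computer Security ({FCS}'04)},
  year       = {2004},
  pages      = {61--74},
  OPTaddress = {Turku, Finland},
}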
Abstract
The enforcement of authorization constraints such as separation of duty in workflow systems is an important area of current research in computer security. We briefly summarize our model for constrained workflow systems and develop a systematic algebraic method for combining constraints and authorization information. We then show how the closure of a set of constraints and the use of linear extensions can be used to develop an algorithm for computing authorized users in a constrained workflow system. We show how this algorithm can be used as the basis for a reference monitor. We discuss the computational complexity of implementing such a reference monitor and briefly compare our methods with the best existing approach.
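@inproceedings{cram:sws04,
  author        = {Crampton, J.},
  title         = {Applying Hierarchical and Role-Based Access Control to {XML} Documents},
  booktitle     = {Proceedings of the 2004 {ACM} Workshop on Secure Web Services},
  year          = {2004},
  internal-note = {page range not recorded -- confirm from the proceedings},
}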
Abstract
W3C Recommendations XML Encryption and XML-Digital Signature can be used to protect the confidentiality of and provide assurances about the integrity of XML documents transmitted over an insecure medium. The focus of this paper is how to control access to XML documents, once they have been received. This is particularly important for services where updates are sent to subscribers. We describe how certain access control policies for restricting access to XML documents can be enforced by encrypting specified regions of the document. These regions are specified using XPath filters and the policies are based on the hierarchical structure of XML documents. We also describe how techniques for assigning keys to a security lattice can be adapted to minimize the number of keys that are distributed to users and compare our approach with two other access control frameworks. Finally we consider how role-based access control can be used to enforce more complex access control policies.
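@techreport{cram:eval99,
  author      = {Crampton, J. and Loizou, G. and O'Shea, G.},
  title       = {Evaluating and Improving Access Control},
  institution = {Birkbeck College, University of London, United Kingdom},
  year        = {1999},
  number      = {BBKCS-99-11},
}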
Abstract
Our recent work provides a theoretical basis for the development of tools for reasoning about the operational implications of a particular configuration of the access control mechanism of an operating system. Herein we introduce a set-theoretic model of an access control policy and the concept of consistency of the state of an access control mechanism with a given access control policy. Our earlier work coupled with this definition of consistency enables us to assess and hence improve the implementation of an access control policy by using an access control mechanism. We demonstrate the value of our approach by specifying a simple access control policy and implementing the policy on two different commercial operating systems.
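@techreport{cram:conf00,
  author      = {Crampton, J. and Loizou, G.},
  title       = {Conflict of Interest Policies: A General Approach},
  institution = {Birkbeck College, University of London},
  year        = {2000},
  number      = {BBKCS-00-07},
  OPTaddress  = {United Kingdom},
}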
Abstract
We define a conflict of interest policy and show that the definition is sufficiently general to include several well-known generic policies as special cases and to define policies for different environments. We show that such conflict of interest policies can be regarded as members of $\mathcal{P}(\mathcal{P}(X))$, for some set $X$, where $\mathcal{P}(X)$ denotes the powerset of $X$, and that such policies can be reduced to a canonical form. The set of canonical conflict of interest policies can be modelled by a subset of $\mathcal{P}(\mathcal{P}(X))$, $\mathcal{A}(\mathcal{P}(X))$. We derive upper and lower bounds for $|\mathcal{A}(\mathcal{P}(X))|$ and for the maximum length of a string that would be required to describe a conflict of interest policy. We also discuss the composition of two conflict of interest policies, an ordering for conflict of interest policies, and possible simplifications in the expression of such policies.
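@techreport{cram:part00,
  author      = {Crampton, J. and Loizou, G.},
  title       = {Two Partial Orders on the Set of Antichains},
  institution = {Birkbeck College, University of London},
  year        = {2000},
  number      = {BBKCS-00-05},
  OPTaddress  = {United Kingdom},
  OPTmonth    = sep,
}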
Abstract
Given a poset $X$, we define two partial orders on the set of antichains of $X$. We prove that the two resulting posets $\langle \mathcal{A}(X), \preccurlyeq \rangle$ and $\langle \mathcal{A}(X), \preccurlyeq' \rangle$ are lattices which are isomorphic to the lattice of order ideals of $X$, $\langle \mathcal{I}(X), \subseteq \rangle$. We also establish the meet and join operations of the two resulting lattices.
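@techreport{cram:stru00,
  author      = {Crampton, J. and Loizou, G.},
  title       = {Structural Complexity of Conflict of Interest Policies},
  institution = {Birkbeck College, University of London},
  year        = {2000},
  number      = {BBKCS-00-13},
}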
Abstract
We define a conflict of interest policy and show that the definition is sufficiently general to include several well-known generic policies as special cases and to articulate policies in different models of access control. We show that conflict of interest policies can be regarded as members of $2^{2^X}$, for some set $X$, where $2^X$ denotes the powerset of $X$. We demonstrate that conflict of interest policies can be reduced to a canonical form and that the set of canonical conflict of interest policies is a subset of $2^{2^X}$. In particular, the set of canonical conflict of interest policies is the set of Sperner families in $2^{X}$. We define a partial ordering on the set of Sperner families and show that this corresponds to an intuitive notion of strength of conflict of interest policies. Furthermore, we show that this ordering leads to a formal definition for composition of policies. We give some examples of conflict of interest policies in the context of two access control models and compare our framework with existing work in the role-based access control community on separation of duty policies.

We derive upper and lower bounds for the number of Sperner families improving on results obtained by Hansel. In particular, our introduction of the novel concept of a bi-symmetric chain partition enables us to improve the upper bound significantly. We also derive an expression for the maximum length of a string that is required to describe a conflict of interest policy.


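@techreport{cram:sarbac02,
  author      = {Crampton, J. and Loizou, G.},
  title       = {{SARBAC}: A New Model for Role-Based Administration},
  institution = {Birkbeck College, University of London},
  year        = {2002},
  number      = {BBKCS-02-09},
}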
Abstract
The ARBAC97 model makes an important contribution to the understanding and modeling of administration in role-based access control. However, there are several features of the model which we believe could be improved. The RHA family of models provides a useful alternative to the RRA97 sub-model of ARBAC97 which is used to control updates to the role hierarchy. We present SARBAC -- an extension of the RHA$_{4}$ model to a complete model for role-based administration. We show that SARBAC has significant practical and theoretical advantages over ARBAC97. In addition, we briefly discuss how SARBAC can be used to reduce inheritance in the role hierarchy and how it can be configured to support discretionary access control features.
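@techreport{cram:esorics04,
  author      = {Crampton, J.},
  title       = {On the Satisfiability of Authorization Constraints in Workflow Systems},
  institution = {Department of Mathematics, Royal Holloway, University of London},
  year        = {2004},
  number      = {RHUL-MA-2004-1},
  OPTurl      = {http://www.ma.rhul.ac.uk/techreports/},
}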
Abstract
The specification and enforcement of authorization policies such as separation of duty and binding of duty in workflow systems is an important area of current research in computer security. We introduce a formal model for constrained workflow systems that incorporate constraints for implementing such policies. We define an entailment constraint, which is defined on a pair of tasks in a workflow, and show that such constraints can be used to model many familiar authorization policies. We show that a set of entailment constraints can be manipulated algebraically in order to compute all possible dependencies between tasks in the workflow. The resulting set of constraints form the basis for an analysis of the satisfiability of a workflow. We briefly consider how this analysis can be used to implement a reference monitor for workflow systems.
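@inproceedings{cram:sacmat05,
  author    = {Crampton, J.},
  title     = {A Reference Monitor for Workflow Systems with Constrained Task Execution},
  booktitle = {Proceedings of the 10th {ACM} Symposium on Access Control Models and Technologies},
  year      = {2005},
  pages     = {38--47},
}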
Abstract
We describe a model, independent of any underlying access control paradigm, for specifying authorization constraints such as separation of duty and cardinality constraints in workflow systems. We present a number of results enabling us to simplify the set of authorization constraints. These results form the theoretical foundation for an algorithm that can be used to determine whether a given constrained workflow can be satisfied: that is, does there exist an assignment of authorized users to workflow tasks that satisfies the authorization constraints? We show that this algorithm can be incorporated into a workflow reference monitor that guarantees that every workflow instance can complete. We derive the computational complexity of our algorithm and compare its performance to comparable work in the literature.
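@inproceedings{shi:cec05,
  author    = {Swift, S. and Shi, A. and Crampton, J. and Tucker, A.},
  title     = {{ICARUS}: Intelligent Coupon Allocation for Retailers Using Search},
  booktitle = {Proceedings of the 2005 {IEEE} Congress on Evolutionary Computation},
  year      = {2005},
  pages     = {182--189},
}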
Abstract
Many retailers run loyalty card schemes for their customers offering incentives in the form of money off coupons. The total value of the coupons depends on how much the customer has spent. This paper deals with the problem of finding the smallest set of coupons such that each possible total can be represented as the sum of a pre-defined number of coupons. A mathematical analysis of the problem leads to the development of a Genetic Algorithm solution. The algorithm is applied to real world data using several crossover operators and compared to well known straw-person methods. Results are promising showing that considerable time can be saved by using this method, reducing a few days worth of consultancy time to a few minutes of computation.
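@inproceedings{cram:ccs05,
  author    = {Crampton, Jason},
  title     = {Understanding and Developing Role-Based Administrative Models},
  booktitle = {Proceedings of the 12th {ACM} Conference on Computer and Communications Security},
  year      = {2005},
  pages     = {158--167},
}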
Abstract
Access control data structures generally need to evolve over time in order to reflect changes to security policy and personnel. An administrative model defines the rules that control the state changes to an access control model and the data structures that model defines. We present a powerful framework for describing role-based administrative models. It is based on the concept of administrative domains and criteria that control state changes in order to preserve certain features of those domains. We define a number of different sets of criteria, each of which control the effect of state changes on the set of administrative domains and thereby lead to different role-based administrative models. Using this framework we are able to identify some unexpected connections between the ARBAC97 and RHA administrative models and to compare their respective properties. In doing so we are able to suggest some improvements to both models.
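@inproceedings{cram:cnis05,
  author        = {Crampton, Jason and Khambhammettu, Hemanth},
  title         = {Data Structures for Constraint Enforcement in Role-Based Systems},
  booktitle     = {Proceedings of the 2005 {IASTED} Conference on Network and Information Security},
  year          = {2005},
  pages         = {158--167},
  internal-note = {page range is identical to cram:ccs05 (a different venue) -- verify against the proceedings},
}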
Abstract
Constraints are an important aspect of role-based models. Several types of constraints, such as separation of duty constraints, cardinality constraints and temporal constraints have been identified in the literature. Although the specification of constraints has received significant research interest, there has been little work on the development of an efficient constraint enforcement model. In particular there does not exist a model for the data structures that are referenced and maintained by the constraint enforcement mechanism. In this paper, we define a formal model for such data structures that record salient information to be used by the constraint enforcement mechanism. We introduce the concept of a constraint evaluation structure that is used by the constraint enforcement mechanism to determine whether granting a request would violate a constraint. Two particular constraint evaluation structures form part of the runtime model we introduce in order to enforce dynamic constraints.
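@inproceedings{cram:sacmat06,
  author    = {Crampton, Jason and Leung, Wing and Beznosov, Konstantin},
  title     = {The Secondary and Approximate Authorization Model and Its Application to {Bell-LaPadula} Policies},
  booktitle = {Proceedings of the 11th {ACM} Symposium on Access Control Models and Technologies},
  year      = {2006},
  pages     = {111--120},
}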
Abstract
We introduce the concept, model, and policy-specific algorithms for inferring new access control decisions from previous ones. Our secondary and approximate authorization model (SAAM) defines the notions of primary vs. secondary and precise vs. approximate authorizations. Approximate authorization responses are inferred from cached primary responses, and therefore provide an alternative source of access control decisions in the event that the authorization server is unavailable or slow. The ability to compute approximate authorizations improves the reliability and performance of access control sub-systems and ultimately the application systems themselves.

The operation of a system that employs SAAM depends on the type of access control policy it implements. We propose and analyze algorithms for computing secondary authorizations in the case of policies based on the Bell-LaPadula model. In this context, we define a dominance graph, and describe its construction and usage for generating secondary responses to authorization requests. Preliminary results of evaluating SAAM$_{\text{BLP}}$ algorithms demonstrate a 30% increase in the number of authorization requests that can be served without consulting access control policies.


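@inproceedings{cram:csfw06,
  author    = {Crampton, Jason and Martin, Keith and Wild, Peter},
  title     = {On Key Assignment for Hierarchical Access Control},
  booktitle = {Proceedings of the 19th {IEEE} Computer Security Foundations Workshop},
  year      = {2006},
  pages     = {98--111},
}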
Abstract
A key assignment scheme is a cryptographic technique for implementing an information flow policy, sometimes known as hierarchical access control. All the research to date on key assignment schemes has focused on particular encryption techniques rather than an analysis of what features are required of such a scheme. To remedy this we propose a family of generic key assignment schemes and compare their respective advantages. We note that every scheme in the literature is simply an instance of one of our generic schemes. We then conduct an analysis of the Akl--Taylor scheme and propose a number of improvements. We also demonstrate that many of the criticisms that have been made of this scheme in respect of key updates are unfounded. Finally, exploiting the deeper understanding we have acquired of key assignment schemes, we introduce a technique for combining the respective advantages of different schemes.
@article{tuck:rgfga,
  author = {A. Tucker and J. Crampton and S. Swift},
  title = {{RGFGA}: An efficient representation and crossover for grouping genetic algorithms},
  journal = {Evolutionary Computation},
  volume = {13},
  number = {4},
  pages = {477--500},
  year = {2005},
}
Abstract
There is substantial research into genetic algorithms that are used to group large numbers of objects into mutually exclusive subsets based upon some fitness function. However, nearly all methods involve degeneracy to some degree. We introduce a new representation for grouping genetic algorithms, the restricted growth function genetic algorithm, that effectively removes all degeneracy, resulting in a more efficient search. A new crossover operator is also described that exploits a measure of similarity between chromosomes in a population. Using several synthetic datasets, we compare the performance of our representation and crossover with another well known state-of-the-art GA method, a strawman optimisation method and a well-established statistical clustering algorithm, with encouraging results.
@article{coun:inte06,
  author = {Steve Counsell and Stephen Swift and Jason Crampton},
  title = {The interpretation and utility of three cohesion metrics for object-oriented design},
  journal = {ACM Transactions on Software Engineering and Methodology},
  volume = {15},
  number = {2},
  year = {2006},
  pages = {123--149},
  doi = {http://doi.acm.org/10.1145/1131421.1131422},
  OPTpublisher = {ACM Press},
  OPTaddress = {New York, NY, USA},
}
Abstract
The concept of cohesion in a class has been the subject of various recent empirical studies and has been measured using many different metrics. In the structured programming paradigm, the software engineering community has adopted an informal yet meaningful and understandable definition of cohesion based on the work of Yourdon and Constantine. The object-oriented (OO) paradigm has formalised various cohesion measures, but the argument over the most meaningful of those metrics continues to be debated. Yet achieving highly cohesive software is fundamental to its comprehension and thus its maintainability. In this paper we subject two object-oriented cohesion metrics, CAMC and NHD, to a rigorous mathematical analysis in order to better understand and interpret them. This analysis enables us to offer substantial arguments for preferring the NHD metric to CAMC as a measure of cohesion. Furthermore, we provide a complete understanding of the behaviour of these metrics, enabling us to attach a meaning to the values calculated by the CAMC and NHD metrics. In addition, we introduce a variant of the NHD metric and demonstrate that it has several advantages over CAMC and NHD. While it may be true that a generally accepted formal and informal definition of cohesion continues to elude the OO software engineering community, there seems considerable value in being able to compare, contrast and interpret metrics which attempt to measure the same features of software.
@inproceedings{cram:dbsec06,
  author =       {Jason Crampton},
  title =        {Discretionary and Mandatory Control for Role-Based Administration},
  booktitle =    {Data and Applications Security XX},
  year =         {2006},
  editor =       {Ernesto Damiani and Peng Liu},
  volume =       {4127},
  series =       {Lecture Notes in Computer Science},
  pages =        {194--208},
  publisher =    {Springer},
}
Abstract
Role-based access control is an important way of limiting the access users have to computing resources. While the basic concepts of role-based access control are now well understood, there is no consensus on the best approach to managing role-based systems. In this paper, we introduce a new model for role-based administration, using the notions of discretionary and mandatory controls. Our model provides a number of important features that control the assignment of users and permissions to roles. This means that we can limit the damage that can be done by malicious administrative users. We compare our approach to a number of other models for role-based administration, and demonstrate that our model has several advantages.
@InProceedings{bert:acce06,
  author = {E. Bertino and J. Crampton and F. Paci},
  title = {Access control and authorization constraints for {WS-BPEL}},
  booktitle = {Proceedings of IEEE International Conference on Web Services},
  year = {2006},
  pages = {},
}
Abstract
Computerized workflow systems have attracted considerable research interest in the last fifteen years. More recently, there have been several XML-based languages proposed for specifying and orchestrating business processes, culminating in WS-BPEL. A significant omission from WS-BPEL is the ability to specify authorization information associating users with activities in the business process and authorization constraints on the execution of activities such as separation of duty. In this paper, we address these deficiencies by developing the RBAC-WS-BPEL and BPCL languages. The first of these provides for the specification of authorization information associated with a business process specified in WS-BPEL, while BPCL provides for the articulation of authorization constraints.
@inproceedings{cram:esorics06,
  author = {J. Crampton and H. Khambhammettu},
  title = {Delegation in role-based access control},
  booktitle = {Proceedings of 11th European Symposium on Research in Computer Security},
  year = {2006},
  pages = {174--191},
}
Abstract
User delegation is a mechanism for assigning access rights available to a user to another user. A delegation operation can either be a grant or transfer operation. Research on delegation for role-based access control models has extensively studied grant delegations. However, transfer delegations for role-based access control have largely been ignored. This is largely because enforcing transfer delegation policies is more complex than enforcing grant delegation policies. This paper primarily studies transfer delegations for role-based access control models. We also include grant delegations in our model for completeness. We present various mechanisms that authorise delegations in our model. In particular, we show that the use of administrative scope for authorising delegations is more efficient than using relations. We also discuss the enforcement and revocation of delegations. Finally, we compare our work with relevant work in the literature.
@inproceedings{chen:esorics09,
  author = {L. Chen and J. Crampton},
  title = {Set cover problems in role-based access control},
  booktitle = {Proceedings of 14th European Symposium on Research in Computer Security},
  pages = {689--704},
  year = {2009}
} 
Abstract
Interest in role-based access control has generated considerable research activity in recent years. A number of interesting problems related to the well known set cover problem have come to light as a result of this activity. However, the computational complexity of some of these problems is still not known. In this paper, we explore some variations on the set cover problem and use these variations to establish the computational complexity of these problems. Most significantly, we introduce the minimal cover problem~--~a generalization of the set cover problem~--~which we use to determine the complexity of the inter-domain role mapping problem.
@article{cram:tissec09,
  author = {Q. Wei and J. Crampton and K. Beznosov and M. Ripeanu},
  title = {Authorization recycling in RBAC systems},
  journal = {ACM Transactions on Information and System Security},
  volume = {},
  number = {},
  pages = {},
  year = {}
} 
Abstract
As distributed applications increase in size and complexity, traditional authorization mechanisms based on a single policy decision point are increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization recycling is one technique that has been used to address these challenges. This paper introduces and evaluates the mechanisms for authorization recycling in RBAC enterprise systems. The algorithms that support these mechanisms allow precise and approximate authorization decisions to be made, thereby masking possible failures of the policy decision point and reducing its load. We evaluate these algorithms analytically and using a prototype implementation. Our evaluation results demonstrate that authorization recycling can improve the performance of distributed access control mechanisms.