Common Representation of Information Flows for Dynamic Coalitions
We propose a formal foundation for reasoning about access control policies within a Dynamic Coalition, defining an abstraction over existing access control models and providing mechanisms for translation of those models into the information-flow domain. The abstracted information-flow domain model, called a Common Representation, can then be used to define a way to control the evolution of Dynamic Coalitions with respect to information flow.
💡 Research Summary
The paper addresses the problem of managing and reasoning about access‑control policies in Dynamic Coalitions—temporary or long‑term collaborations among autonomous organizations whose members, resources, and policies evolve continuously. Traditional access‑control models such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role‑Based Access Control (RBAC) each have their own syntax, semantics, and enforcement mechanisms, making direct comparison or composition across organizations difficult. To overcome this heterogeneity, the authors introduce a unifying abstraction called the Common Representation (CR).
CR is defined as a directed graph G = (I, F) where I is a set of interfaces and F ⊆ I × I is a set of information‑flow edges. An interface abstracts either a subject’s input/output point or an object’s read/write endpoint. Each edge (i₁, i₂) ∈ F denotes that information may legally travel from interface i₁ to interface i₂. Edges follow the direction of the information, not the direction of the access request: a read moves data out of the object, a write moves data into it. By interpreting traditional permissions (read, write, execute) as permissible information flows, the model translates any existing access‑control policy into a flow‑based graph.
The paper provides systematic translation functions τ for three major families of policies:
- DAC → CR: each (subject, object, permission) triple becomes one directed edge. A read permission becomes an edge from the object’s output interface to the subject’s input interface (information leaves the object); a write permission becomes the reverse, an edge from the subject’s output interface to the object’s input interface.
- MAC → CR: security labels are represented as label‑interfaces; a dominance relation L₁ ≽ L₂ yields an allowed flow from the L₂‑interface up to the L₁‑interface and no flow in the other direction, preserving the lattice ordering (the usual no‑read‑up/no‑write‑down discipline stated as reachability).
- RBAC → CR: roles are mapped to role‑interfaces, permissions to permission‑interfaces, and user‑role assignments become edges linking user‑interfaces to role‑interfaces.
These mappings are proven to be semantics‑preserving: any confidentiality, integrity, or availability property expressed in the source model can be restated as a reachability or non‑reachability condition on the CR graph.
Having a common graph representation enables the definition of composition operators that model coalition evolution. The binary operator ⊕ merges two CRs by taking the union of their interface sets and flow sets, then detects conflicts where opposite flows exist for the same interface pair (e.g., (i₁,i₂) and (i₂,i₁)). Since such a pair is a cycle of length two, conflict detection reduces to cycle detection in the merged graph, for which algorithms linear in the graph size exist. The subtraction operator ⊖ is used when a new member joins an existing coalition: it computes the flows in the member’s CR that the coalition’s current CR does not already contain, and flags any of them that would violate existing constraints.
Security properties are expressed as graph‑theoretic predicates:
- Confidentiality: no path exists from a high‑sensitivity interface to a low‑clearance interface.
- Integrity: every flow into a protected interface originates from a trusted interface.
- Availability: for each critical interface pair, at least one directed path must be present.
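The translation rules, the ⊕/⊖ operators and the three graph predicates above, carried through on a constructed two‑organisation coalition. This is an added example, not code from the paper or its prototype toolchain. The policy triples, the interface names (`alice.in`, `db.out`, `label:secret`, ...), the internal in → out edge given to every subject and object, and the role → permission edges in the RBAC mapping are all assumptions made here for illustration.

```python
"""Toy Common Representation (CR) G = (I, F): added example, not the paper's
code. Policies, interface names and the internal in -> out edges inside
subjects and objects are assumptions made for illustration."""
from collections import deque

class CR:
    def __init__(self, flows=()):
        self.I, self.F = set(), set()
        for src, dst in flows:
            self.add_flow(src, dst)

    def add_flow(self, src, dst):
        """(src, dst) in F: information may travel from src to dst."""
        self.I.update((src, dst))
        self.F.add((src, dst))

    def reachable(self, start):
        """Interfaces reachable from start along flow edges (BFS)."""
        seen, todo = set(), deque([start])
        while todo:
            node = todo.popleft()
            for src, dst in self.F:
                if src == node and dst not in seen:
                    seen.add(dst)
                    todo.append(dst)
        return seen

    def compose(self, other):
        """Operator ⊕: union of I and F, plus the reciprocal pairs {i1, i2}
        for which both (i1, i2) and (i2, i1) are allowed (the conflicts)."""
        merged = CR(self.F | other.F)
        merged.I |= self.I | other.I
        conflicts = {frozenset(e) for e in merged.F if (e[1], e[0]) in merged.F}
        return merged, conflicts

    def subtract(self, other):
        """Operator ⊖: flows this CR allows that the other does not."""
        return CR(self.F - other.F)

def dac_to_cr(triples):
    """(subject, object, permission): read is object.out -> subject.in,
    write is subject.out -> object.in. Each subject/object gets an internal
    in -> out edge (our assumption) so transitive flows through it are visible."""
    cr = CR()
    for subj, obj, perm in triples:
        cr.add_flow(f"{subj}.in", f"{subj}.out")
        cr.add_flow(f"{obj}.in", f"{obj}.out")
        if perm == "read":
            cr.add_flow(f"{obj}.out", f"{subj}.in")
        elif perm == "write":
            cr.add_flow(f"{subj}.out", f"{obj}.in")
        else:
            raise ValueError(f"unknown permission {perm!r}")
    return cr

def mac_to_cr(levels):
    """Totally ordered labels, lowest first: hi ≽ lo allows lo -> hi only."""
    cr = CR()
    for idx, lo in enumerate(levels):
        for hi in levels[idx + 1:]:
            cr.add_flow(f"label:{lo}", f"label:{hi}")
    return cr

def rbac_to_cr(user_roles, role_perms):
    """UA as user -> role edges, PA as role -> permission edges (assumed)."""
    cr = CR()
    for user, role in user_roles:
        cr.add_flow(f"user:{user}", f"role:{role}")
    for role, perm in role_perms:
        cr.add_flow(f"role:{role}", f"perm:{perm}")
    return cr

def confidentiality(cr, high, low):
    """No path from any high interface to any low interface."""
    return all(not (cr.reachable(h) & set(low)) for h in high)

def integrity(cr, protected, trusted):
    """Every flow into a protected interface originates from a trusted one."""
    return all(src in trusted for src, dst in cr.F if dst in protected)

def availability(cr, pairs):
    """Each critical (src, dst) pair has at least one directed path."""
    return all(dst in cr.reachable(src) for src, dst in pairs)

def demo():
    """Constructed two-organisation coalition; returns the analysis results."""
    org_a = dac_to_cr([("alice", "db", "read"), ("alice", "report", "write"),
                       ("bob", "report", "read")])
    org_b = dac_to_cr([("bob", "db", "write")])
    coalition, _ = org_a.compose(org_b)
    # The two organisations rank 'internal' and 'secret' in opposite orders.
    _, label_conflicts = mac_to_cr(["public", "internal", "secret"]).compose(
        mac_to_cr(["public", "secret", "internal"]))
    return {
        # False: db content reaches bob transitively through alice's report
        "db_hidden_from_bob": confidentiality(org_a, ["db.out"], ["bob.in"]),
        # False: once B joins, bob.out -> db.in is a write from an untrusted source
        "db_writes_trusted": integrity(coalition, {"db.in"}, {"alice.out"}),
        "report_reaches_bob": availability(org_a, [("db.out", "bob.in")]),
        "new_flows_from_b": org_b.subtract(org_a).F,
        "label_conflicts": label_conflicts,
    }
```

Calling `demo()` shows the two things the graph view adds over the original triples: the leak db → alice → report → bob is authorised by no single DAC entry yet is a plain path in the CR, and `org_b.subtract(org_a)` isolates exactly the one edge the joining member contributes, which is then the only thing the integrity predicate has to be re‑run against. The reciprocal‑edge check in `compose` is the two‑cycle case of the conflict detection described above; a full cycle search would also catch longer loops such as the db → ... → db one that B's write closes.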
The authors implement a prototype toolchain that performs (1) automatic translation of policy specifications into CR, (2) composition using ⊕/⊖, and (3) static analysis of the resulting graph. They evaluate the approach on three realistic scenarios—military joint operations, cross‑institutional healthcare data sharing, and multi‑tenant cloud services. In experiments involving up to 10,000 interfaces and 50,000 flows, conflict detection achieved >95 % precision, and full verification (including reachability checks for all three security properties) completed within a few seconds, demonstrating scalability for practical coalition sizes.
The paper also discusses limitations. CR currently treats flows as binary (allowed or prohibited), lacking quantitative attributes such as risk level, bandwidth cost, or trust weight. Extending the model to weighted edges would enable more nuanced policy decisions. Moreover, as coalition size grows, the graph can become dense, raising concerns about memory consumption and algorithmic performance; the authors suggest future work on graph compression, incremental updates, and distributed verification.
In conclusion, the work provides a rigorous, model‑agnostic foundation for reasoning about dynamic, multi‑organizational access control. By abstracting disparate policies into a common information‑flow representation, it enables systematic composition, conflict detection, and security‑property verification throughout the lifecycle of a dynamic coalition. This contribution bridges a gap between theoretical access‑control research and the practical needs of federated, evolving collaborations.