Usage control requirements stipulate constraints on the usage of data after access to them (“de-lete within three days,” “don’t copy.“) Control over data is, however, usually lost in distributed settings once the data is given away.The goal of the project is the run-time enforcement or at least the detection of violation of this kind of properties. Existing approaches focus on one concrete data representation, e.g., a file. In this project, a representation-independent solution is sought. To this end, existing concepts for reference monitors – that are usually defined for technical events – will, firstly, be extended by data flow detection: A deletion requirement for a file will then pertain to all copies of that file as well, the existence of which must hence be tracked. Secondly, a framework for the definition of precise technical machine-level semantics at different levels of abstraction will be provided: “copy” means, among other things, copy a file, copy&paste in Excel, and sending an email. To enforce data-driven usage control policies, reference monitors are, thirdly, defined at different levels of abstraction (e.g., operating system, runtime system, windowing system, separate IT system). Data flows will not only be monitored at each of these levels, but also in-between lev-els. For instance, under a strict interpretation of a prohibition to “copy,” the data’s path from a file through the operating system through the Java VM to native display functions must be tracked if one wants to, finally, prohibit copy&paste

DFG Programme Priority Programmes

Subproject of SPP 1496:  Reliably Secure Software Systems