Skip to Main Content
In usage control, access decisions rely on mutable attributes. A reference monitor should reevaluate security policies each time attributes change their values. Identifying all attribute changes in a timely manner is a challenging issue, especially if the attribute provider and the reference monitor reside in different security domains. Some attribute changes might be missed, corrupted, and delayed. As a result, the reference monitor may erroneously grant access to malicious users and forbid it for eligible ones. This paper proposes a set of policy enforcement models that help mitigate the uncertainties associated with mutable attributes. In our model, the reference monitor, as usual, evaluates logical predicates over attributes and, additionally, makes some estimates on how much observed attribute values differ from reality. The final access decision takes into account both factors. We assign costs for granting and revoking access to legitimate and malicious users and compare the proposed policy enforcement models in terms of cost efficiency.