Alexander Pretschner - Distributed Data-Driven Usage Control

Usage control generalizes access control to what happens to data after it has been given away. Requirements include "don't disseminate," "delete after thirty days," "at most three copies," and "use for statistical purposes only." At a conceptual level, we discuss requirements, policies [1], and the problem of defining statements such as "don't delete my data" - what is deletion, and what is data [4]? We then argue that one is usually interested in enforcing [2] policies on all representations of a data item (a picture can come as network packets, a Java object, a cache file, a pixmap) and show how to perform cross-layer [3] and cross-system [5] data flow tracking for usage control policies. We present implementations for various operating systems, for applications such as browsers and email clients, and for a video surveillance system.


  • Demo videos
  • [1] Hilty, M., Pretschner, A., Basin, D., Schaefer, C., Walter, T.: A Policy Language for Distributed Usage Control. Proc. 12th European Symp. on Research in Computer Security (ESORICS), pp. 531-546, Dresden, September 2007.
  • [2] Pretschner, A., Hilty, M., Basin, D., Schaefer, C., Walter, T.: Mechanisms for Usage Control. Proc. ACM Symposium on Information, Computer & Communication Security (ASIACCS), pp. 240-245, Tokyo, March 2008.
  • [3] Pretschner, A., Lovat, E., Büchler, M.: Representation-Independent Data Usage Control. Proc. 6th Intl. Workshop on Data Privacy Management, pp. 122-140, September 2011.
  • [4] Kumari, P., Pretschner, A.: Model-Based Usage Control Policy Derivation. Proc. 5th Intl. Symp. on Engineering Secure Software and Systems (ESSOS), pp. 58-74, February 2013.
  • [5] Kelbert, F., Pretschner, A.: Data Usage Control Enforcement in Distributed Systems. Proc. 3rd ACM Conf. on Data and Application Security and Privacy (CODASPY), pp. 71-82, February 2013.