Top

Published in:

2017 | OriginalPaper | Chapter

Security Analysis of Administrative Role-Based Access Control Policies with Contextual Information

Authors : Khai Kim Quoc Dinh, Tuan Duc Tran, Anh Truong

Published in: Future Data and Security Engineering

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

In many ubiquitous systems, Role-based Access Control (RBAC) is often used to restrict system access to authorized users. Spatial-Temporal Role-Based Access Control (STRBAC) is an extension of RBAC with contextual information (such as time and space) and has been adopted in real world applications. In a large organization, the RBAC policy may be complex and managed by multiple collaborative administrators to satisfy the evolving needs of the organization. Collaborative administrative actions may interact in unintended ways with each other’s that may result in undesired effects to the security requirement of the organization. Analysis of these RBAC security concerns have been studied, especially with the Administrative Role-Based Access Control (ARBAC97). However, the analysis of its extension with contextual information, e.g., STRBAC, has not been considered in the literature. In this paper, we introduce a security analysis technique for the safety of Administrative STRBAC (ASTRBAC) Policies. We leverage First-Order Logic and Symbolic Model Checking (SMT) by translating ASTRBAC policy to decidable reachability problems. An extensive experimental evaluation confirms the correctness of our proposed solution, which supports finite ASTRBAC policies analysis without prior knowledge about the number of users.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Effectiveness of Object Oriented Inheritance Metrics in Software Reusability

next chapter Metamorphic Malware Detection by PE Analysis with the Longest Common Sequence

Samarati, P., Vimercati, S.: Access control policies, models, and mechanisms. In: FOSAD: International School on Foundations of Security Analysis and Design, pp. 137–196 (2000)

National Computer Security Center (NCSC): A Guide to Understanding Discretionary Access Control in Trusted System, Report NSCD-TG-003 Version1, 30 September 1987

Osborn, S.: Mandatory access control and role-based access control revisited. In: Proceedings of the 2nd ACM Workshop on Role-Based Access Control, RBAC 1997, pp. 31–40. ACM (1997)

Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. IEEE Comput. 29(7), 38–47 (1996)CrossRef

Ferraiolo, K.: Role-based access control. In: 15th National Computer Security Conference, pp. 554–563, October 1992

Sandhu, R., Ferraiolo, D., Kuhn, R.: The NIST model for role based access control: toward a unified standard. In: 5th ACM Workshop Role-Based Access Control, pp. 47–63, July 2000

Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Trans. Inform. Syst. Secur. (TISSEC) 2(1), 105–135 (1999)CrossRef

Kumar, M., Newman, R.: STRBAC - an approach towards spatiotemporal role-based access control. In: Proceedings of the Third IASTED International Conference on Communication Network and Information Security CNIS, pp. 150–155 (2006)

Sharma, M., Sural, S., Atluri, V., Vaidya, J.: An administrative model for spatio-temporal role based access control. In: Bagchi, A., Ray, I. (eds.) ICISS 2013. LNCS, vol. 8303, pp. 375–389. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45204-8_28 CrossRef

10.

Li, N., Tripunitara, M.: Security analysis in role-based access control. In: The Proceedings of ACM Symposium on Access Control Models and Technologies, pp. 126–135. ACM Press (2004)

11.

Jha, S., Li, N., Tripunitara, M., Wang, Q., Winsborough, H.: Towards formal verification of role-based access control policies. IEEE TDSC 5(4), 242–255 (2008)

12.

Gofman, M.I., Luo, R., Solomon, Ayla C., Zhang, Y., Yang, P., Stoller, Scott D.: RBAC-PAT: a policy analysis tool for role based access control. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 46–49. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00768-2_4 CrossRef

13.

Jayaraman, K., Tripunitara, M., Ganesh, V., Rinard, M., Chapin, S.: Mohawk: abstraction-refinement and bound-estimation for verifying access control policies. ACM TISSEC 15(4), 18 (2013)CrossRef

14.

Ferrara, A.L., Madhusudan, P., Nguyen, T.L., Parlato, G.: Vac - verifier of administrative role-based access control policies. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 184–191. Springer, Cham (2014). doi:10.1007/978-3-319-08867-9_12

15.

Ranise, S., Truong, A., Vigano, L.: Automated analysis of RBAC policies with temporal constraints and static role hierarchies. In: The Proceeding of the 30th ACM Symposium on Applied Computing (SAC 2015), pp. 2177–2184. ACM (2015)

16.

Ranise, S., Truong, A., Armando, A.: Scalable and precise automated analysis of administrative temporal role-based access control. In: Proceedings of the 19th ACM Symposium on Access Control Models and Technologies, pp. 103–114. ACM (2014)

17.

Ranise, S., Truong, A.: ASASPXL new clother for analysing ARBAC policies. In: International Conference on Future Data and Security Engineering, FDSE (2016)

18.

Ghilardi, S., Ranise, S.: MCMT: a model checker modulo theories. In: Giesl, J., Hähnle, R. (eds.) IJCAR 2010. LNCS, vol. 6173, pp. 22–29. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14203-1_3 CrossRef

19.

Harrison, M., Ruzzo, W., Ullman, J.: Protection in operating systems. Commun. ACM 19(8), 461–471 (1976)CrossRefMATH

20.

Bertino, E., Bonatti, P., Ferrari, E.: TRBAC a temporal role based access control model. ACM TISSEC 4(3), 191–233 (2001)CrossRef

21.

Joshi, J., Bertino, E., Latif, U., Ghafoor, A.: A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng. 17(1), 4–23 (2005)CrossRef

22.

Kumar, M., Newman, R.: STRBAC - an approach towards spatio-temporal role-based access control. In: Communication, Network, and Information Security, pp. 150–155 (2006)

23.

Aich, S., Mondal, S., Sural, S., Majumdar, A.: Role based access control with spatio-temporal context for mobile applications. Trans. Comput. Sci. IV, 177–199 (2009)

24.

Uzun, E., Atluri, V., Sural, S., Vaidya, J., Parlato, G., Ferrara, A.: Analyzing temporal role based access control models. In: SACMAT, pp. 177–186. ACM (2012)

25.

Ghilardi, S., Ranise, S.: Backward reachability of array-based systems by SMT solving termination and invariant synthesis. Logical Methods Comput. Sci. LMCS 6(4), 1–48 (2010)MATHMathSciNet

26.

http://research.microsoft.com/en-us/um/redmond/projects/z3

27.

Ranise, S., Truong, A., Armando, A.: Scalable and precise automated analysis of administrative temporal role-based access control, pp. 103–114 (2014)

28.

Ranise, S.: Symbolic backward reachability with effectively propositional logic: applications to security policy analysis. FMSD 42(1), 24–45 (2013)MATH

29.

Piskac, R., Moura, L., Bjørner, N.: Deciding effectively propositional logic using DPLL and substitution sets. J. Autom. Reasoning 44(4), 401–424 (2010)CrossRefMATHMathSciNet

30.

Sasturkar, A., Yang, A., Stoller, S., Ramakrishnan, C.: Policy analysis for administrative role based access control. In: 19th IEEE Computer Security Foundations Workshop, pp. 124–138 (2006)

Title: Security Analysis of Administrative Role-Based Access Control Policies with Contextual Information
Authors: Khai Kim Quoc Dinh
Tuan Duc Tran
Anh Truong
Publisher: Springer International Publishing
Book: Future Data and Security Engineering
Print ISBN: 978-3-319-70003-8

Electronic ISBN: 978-3-319-70004-5

Copyright Year: 2017
DOI: https://doi.org/10.1007/978-3-319-70004-5_17

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner