Safety and Consistency of Subject Attributes for Attribute-Based Pre-Authorization Systems

  • Conference paper
Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1055)

Abstract

Attribute-based access control (ABAC) systems typically enforce pre-authorization, whereby an access decision is made once, prior to granting or denying access. This decision utilizes multiple components: the subject's, object's and environment's attribute values as well as the authorization policy. Here, we assume that the policy, object and environment attribute values are known with high assurance, while subject attributes are collected incrementally from multiple attribute authorities. This incremental assembly, with differing validity periods for subject attribute values, creates potential for inconsistency leading to incorrect access decisions. This problem was studied in the context of trust negotiation systems by Lee and Winslett (LW), who define four different notions of consistency which are partially ordered in strictness. In this paper, we propose an alternate set of five consistency levels, also partially ordered in increasing strictness. Three of our levels are equivalent to counterparts in LW. The third LW level is differentiated by receive time, to which we are agnostic. Our fifth and highest level is new in that it utilizes request time, which is not recognized in LW. We define the formal specification of each of our consistency levels and identify the properties guaranteed by each level. We discuss the implications of these consistency levels in different practical scenarios and compare our work with related previous research.


Notes

  1. Credential lifetimes can range widely from months to seconds. For very short-lived credentials revocation checks may not be useful. For simplicity we consider that for a short-lived credential there is an implicit and successful revocation check at its start. Thus we can uniformly assume there is at least one revocation check by the relying party for each credential that it uses in making an access decision. For long-lived credentials there should be at least one revocation check after start time.

  2. Note that start and end times are determined by the AA, while revocation check times are determined by relying party actions.

  3. In a risk-based approach it may be acceptable to use expired/revoked credentials, but general use is not recommended.

References

  1. Housley, R., et al.: Internet X.509 public key infrastructure certificate and CRL profile. Technical report (1998)

  2. Iskander, M.K., et al.: Enforcing policy and data consistency of cloud transactions. In: ICDCSW. IEEE (2011)

  3. Kortesniemi, Y., Sarela, M.: Survey of certificate usage in distributed access control. J. Comput. Secur. 44, 16–32 (2014)

  4. Krishnan, R., Niu, J., Sandhu, R., Winsborough, W.H.: Stale-safe security properties for group-based secure information sharing. In: FMSE. ACM (2008)

  5. Krishnan, R., Sandhu, R.: Authorization policy specification and enforcement for group-centric secure information sharing. In: ICISS. Springer (2011)

  6. Lee, A.J., Minami, K., Borisov, N.: Confidentiality-preserving distributed proofs of conjunctive queries. In: ASIACCS. ACM (2009)

  7. Lee, A.J., Minami, K., Winslett, M.: Lightweight consistency enforcement schemes for distributed proofs with hidden subtrees. In: SACMAT. ACM (2007)

  8. Lee, A.J., Winslett, M.: Safety and consistency in policy-based authorization systems. In: CCS. ACM (2006)

  9. Lee, A.J., Winslett, M.: Enforcing safety and consistency constraints in policy-based authorization systems. In: TISSEC. ACM (2008)

  10. Lee, A.J., Yu, T.: Towards quantitative analysis of proofs of authorization: applications, framework, and techniques. In: CSF. IEEE (2010)

  11. OASIS: Security assertion markup language (SAML) v2.0 (2005)

  12. Paci, F., et al.: ACConv–an access control model for conversational web services. In: TWEB. ACM (2011)

  13. Park, J., Sandhu, R.: The UCON\(_{ABC}\) usage control model. In: TISSEC. ACM (2004)

  14. Peisert, S., et al.: Turtles all the way down: a clean-slate, ground-up, first-principles approach to secure systems. In: New Security Paradigms Workshop (2012)

  15. RFC6749: The OAuth 2.0 authorization framework (2012)

  16. Squicciarini, A.C., et al.: Identity-based long running negotiations. In: DIM. ACM (2008)

  17. Steen, M.V., Tanenbaum, A.S.: Distributed Systems (2017)

  18. Tsankov, P., et al.: Fail-secure access control. In: CCS. ACM (2014)

Acknowledgement

This work is partially supported by NSF CREST Grant HRD-1736209 and DoD ARL Grant W911NF-15-1-0518.

Corresponding author

Correspondence to Mehrnoosh Shakarami .

A Appendix: Proof of Consistency Levels Equivalencies

In this section we prove our claim that our levels are equivalent to their counterparts in the LW model. One distinction is that we treat the decision time as different from the revocation check time: we believe these two timestamps cannot be exactly the same, since the decision has to happen after the revocation checks.

A.1 Incremental Levels Equivalency

As seen in Sect. 4.1, for every relevant credential in our incremental level there is at least one point before the decision time at which that credential has been found to be valid. The incremental level in the LW model is satisfied if and only if every credential is valid at its receive time, as follows.

$$\begin{aligned} \begin{aligned} (\forall c_{i} \in {V}_{e}^{{P},t}) \;&[(s.syn = True ) \wedge ( revocation \text{- } check _i \ne \perp ) \\ {}&\wedge ( start _i \le receive _i \le revocation \text{- } check _i)] \end{aligned} \end{aligned}$$

This can be simplified as follows: \( start _{i} \le receive _i \le revocation \text{- } check _i \le end _{i}\). So there is at least one point in time (the receive time) at which every relevant credential has been found to be valid, which matches our incremental level. Moreover, the revocation check at the receive time can be regarded as the latest validation. We then need to show that the revocation check in LW happens before the decision time, as its counterpart does in our model. Although the decision time is not considered explicitly in the LW model, the revocation checks clearly happen before the decision time, since the receive time cannot occur later than the decision time. This completes the proof.

A.2 Internal Levels Equivalency

The authors of LW define a view as internally consistent provided that all relevant credentials satisfy the following conditions:

$$\begin{aligned} \begin{aligned} (\forall c_{i} \in {V}_{e}^{{P},t}) \;&[ checked ( credential \text{- } state ) \wedge (\max _{\forall c_{j} \in V}{ start _j}< \min _{\forall c_{i} \in V}{ invalidation _i}) \\ {}&\wedge (\max _{\forall c_{j} \in V}{ start _j} < \max _{\forall c_{i} \in V}{ receive _i}) \wedge (\min _{\forall c_{j} \in V}{ end _j} > \min _{\forall c_{i} \in V}{ receive _i})] \end{aligned} \end{aligned}$$

The above conditions can be rearranged as follows:

$$\begin{aligned} \begin{aligned} (\forall c_{i} \in {V}_{e}^{{P},t})\;&[( start _{i}< revocation \text{- } check _i \le end _{i}) \wedge (\max _{\forall c_{j} \in V}{ start _{j}}< \min _{\forall c_{i} \in V}{ invalidation _{i}}) \\ {}&\wedge (\max _{\forall c_{j} \in V}{ start _{j}} < \max _{\forall c_{i} \in V}{ receive _{i}}) \wedge (\min _{\forall c_{j} \in V}{ end _{j}} > \min _{\forall c_{i} \in V}{ receive _{i}})] \end{aligned} \end{aligned}$$

Based on our internal specification in Sect. 4.2, all conditions are the same except the last two stated in the LW model, which aim to provide an overlap between the lifetime intervals of all relevant credentials in the view. Lifetime overlap is provided in our model through \(\max _{\forall c_{i} \in V_{DP}^{P,t_d}}{ start _{i}} < \min _{\forall c_{j} \in V_{DP}^{P,t_d}}{ end _{j}}\). Another distinction is our explicit requirement that the decision time come after all revocation checks. Even though this is not stated in the LW model, revocation checks performed after the decision time cannot be taken into account while making the decision, since that would require predicting future states of credentials.

A.3 Interval Levels Equivalency

To prove that the interval levels in our work and in the LW model provide equal properties, consider their definition of interval consistency for every relevant credential in the view:

$$\begin{aligned} \begin{aligned} (\forall c_{i} \in {V}_{e}^{{P},t}) \;&[ checked ( credential \text{- } state ) \\ {}&\wedge ( start _i \le receive _i \le \max _{\forall c_{i} \in V}{ receive _{i}} \le revocation \text{- } check _i)] \end{aligned} \end{aligned}$$

We can restate their interval definition as follows:

$$\begin{aligned} \begin{aligned} start _{i} \le receive _i \le \max _{\forall c_{i} \in V}{ receive _{i}}&\le revocation \text{- } check _i \le decision \text{- } time \le end _{i} \end{aligned} \end{aligned}$$

The following property follows from the above definition:

$$\begin{aligned} \begin{aligned}&(\forall c_{i} \in {V}_{e}^{{P},t_d}) \; [start_{i} \le \max _{\forall c_{i} \in V}{ receive _{i}} \le revocation \text{- } check _i] \\ {}&\implies (\forall c_{i} \in {V}_{e}^{{P},t_d})\;[\max _{\forall c_{i} \in V}{ start _{i}} \le \max _{\forall c_{i} \in V}{ receive _{i}} \le revocation \text{- } check _i] \end{aligned} \end{aligned}$$

On the other hand, we can formally deduce the following property from the interval consistency definition in the LW model:

$$\begin{aligned} \begin{aligned}&(\forall c_{i} \in {V}_{e}^{{P},t_d}) \; [ revocation \text{- } check _i \le decision \text{- } time \le end _{i}] \\ {}&\implies (\forall c_{i} \in {V}_{e}^{{P},t_d})\; [ revocation \text{- } check _i \le decision \text{- } time \le \min _{\forall c_{i} \in V}{ end _{i}}] \end{aligned} \end{aligned}$$

Putting the properties concluded above together yields the following definition. Dropping the receive time, it becomes the same as our interval definition.

$$\begin{aligned} \begin{aligned} \max _{\forall c_{i} \in V}{ start _{i}} \le \max _{\forall c_{i} \in V}{ receive _{i}} \le revocation \text{- } check _i \le decision \text{- } time \le \min _{\forall c_{i} \in V}{ end _{i}} \end{aligned} \end{aligned}$$
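As an added illustration of the three levels compared in A.1 to A.3 (example code written for this page, not from the paper or the LW model), the following Python evaluates a view of credentials against the incremental, internal and interval conditions exactly as restated above: each credential found valid at a revocation check taken before the decision, lifetime overlap across the view, and the interval chain max start <= check_i <= decision <= min end. Integer timestamps and the three sample views are constructed; the strict and non-strict inequalities follow the formulas as printed in A.1 to A.3.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Credential:
    """One relevant credential: lifetime [start, end] set by the attribute
    authority, and the relying party's latest revocation-check time."""
    start: int
    end: int
    revocation_check: int

def incremental_consistent(view: List[Credential], t_d: int) -> bool:
    """A.1: each credential was found valid at some point before the decision,
    i.e. start_i <= check_i <= end_i and check_i <= t_d."""
    return all(c.start <= c.revocation_check <= c.end and c.revocation_check <= t_d
               for c in view)

def internal_consistent(view: List[Credential], t_d: int) -> bool:
    """A.2: validity at check time (start_i < check_i <= end_i), every check
    before the decision, and overlapping lifetimes (max start < min end)."""
    if not view:
        return True
    per_cred = all(c.start < c.revocation_check <= c.end and c.revocation_check <= t_d
                   for c in view)
    overlap = max(c.start for c in view) < min(c.end for c in view)
    return per_cred and overlap

def interval_consistent(view: List[Credential], t_d: int) -> bool:
    """A.3 (receive time dropped): max start <= check_i <= t_d <= min end for
    every credential, so each check happened after all credentials started and
    the decision was made before the first one expires."""
    if not view:
        return True
    latest_start = max(c.start for c in view)
    earliest_end = min(c.end for c in view)
    return all(latest_start <= c.revocation_check <= t_d <= earliest_end for c in view)

def highest_level(view: List[Credential], t_d: int) -> str:
    """Report the strictest of the three levels the view satisfies."""
    if interval_consistent(view, t_d):
        return "interval"
    if internal_consistent(view, t_d):
        return "internal"
    if incremental_consistent(view, t_d):
        return "incremental"
    return "none"

# Constructed sample views (integer timestamps, not taken from the paper).
VIEW_A = [Credential(0, 10, 5), Credential(12, 20, 15)]  # lifetimes never overlap
VIEW_B = [Credential(0, 10, 2), Credential(5, 20, 7)]    # c1 checked before c2 started
VIEW_C = [Credential(0, 10, 6), Credential(5, 20, 7)]    # both checked after latest start

if __name__ == "__main__":
    for name, view, t_d in (("A", VIEW_A, 16), ("B", VIEW_B, 8), ("C", VIEW_C, 8)):
        print(f"view {name} at t_d={t_d}: {highest_level(view, t_d)}")
```

View B shows why internal is weaker than interval: both credentials were individually valid when checked and their lifetimes overlap, yet c1's check at time 2 predates c2's start at time 5, so no single revocation check covers a moment when both were known valid.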

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Shakarami, M., Sandhu, R. (2020). Safety and Consistency of Subject Attributes for Attribute-Based Pre-Authorization Systems. In: Choo, KK., Morris, T., Peterson, G. (eds) National Cyber Summit (NCS) Research Track. NCS 2019. Advances in Intelligent Systems and Computing, vol 1055. Springer, Cham. https://doi.org/10.1007/978-3-030-31239-8_19
