On Attribute Retrieval in ABAC

  • Conference paper
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12056)

Abstract

Despite the growing interest in Attribute-Based Access Control (ABAC) and the large amount of research devoted to the specification and evaluation of ABAC policies, to date little work has addressed the issue of attribute management and retrieval. In many modern systems, the attributes needed for policy evaluation are often retrieved from external sources (e.g., sensors, access points). This raises concerns about the correctness of policy evaluation, as the policy decision point can be provided with incorrect attribute values, which can potentially yield incorrect decisions. In this paper, we investigate the problem of selecting mechanisms for attribute retrieval and its relation to the accuracy of policy evaluation. We first introduce the notion of policy evaluation under error rate and use this notion to compute the evaluation accuracy of a policy. We formulate the Attribute Retrieval Mechanism Selection Problem (ARMSP) in terms of evaluation accuracy and show that ARMSP is exponential in the number of attribute values. To overcome this computational limitation, we investigate approaches to estimate the evaluation accuracy of a policy while keeping the computation feasible.

Notes

  1. For the sake of simplicity, we do not consider the scenario when an employee is alone and is already inside the building (i.e., if she remains in the building after office hours).

  2. An attribute \(a\) associated with \(n\) values \(\{v_1, \dots, v_n\}\) can be modeled as \(n\) Boolean attributes \(a_{v_1}, \dots, a_{v_n}\), one for each attribute value.

  3. We leave for future work the case where multiple mechanisms cover the same attribute.

  4. We assume \(\rho(a_i, \mathit{true}) = \rho(a_i, \mathit{false})\) for any attribute \(a_i \in \mathcal{A}_E\).

Acknowledgements

This work is partially funded by the ITEA3 project APPSTACLE (15017).

Corresponding author

Correspondence to Sowmya Ravidas.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Morisset, C., Ravidas, S., Zannone, N. (2020). On Attribute Retrieval in ABAC. In: Benzekri, A., Barbeau, M., Gong, G., Laborde, R., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2019. Lecture Notes in Computer Science, vol 12056. Springer, Cham. https://doi.org/10.1007/978-3-030-45371-8_14

  • DOI: https://doi.org/10.1007/978-3-030-45371-8_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45370-1

  • Online ISBN: 978-3-030-45371-8

  • eBook Packages: Computer Science, Computer Science (R0)
