Abstract
The \(\mathrm {ABAC_\alpha }\) model was recently defined with the motivation to demonstrate a minimal set of capabilities for attribute-based access control (ABAC) which can configure typical forms of the three dominant traditional access control models: discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). \(\mathrm {ABAC_\alpha }\) showed that attributes can express identities (for DAC), security labels (for MAC) and roles (for RBAC). Safety analysis is a fundamental problem for any access control model. Recently, it has been shown that the pre-authorization usage control model with finite attribute domains (\(\mathrm {UCON_{preA}^{finite}}\)) has decidable safety. \(\mathrm {ABAC_\alpha }\) is a pre-authorization model and requires finite attribute domains, but is otherwise quite different from \(\mathrm {UCON_{preA}^{finite}}\). This paper gives a state-matching reduction from \(\mathrm {ABAC_\alpha }\) to \(\mathrm {UCON_{preA}^{finite}}\). The notion of state-matching reductions was defined by Tripunitara and Li, as reductions that preserve security properties including safety. It follows that safety of \(\mathrm {ABAC_\alpha }\) is decidable.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
In the original definition of \(\mathrm {ABAC_\alpha }\) [4] subject creation and modification have identical policies. However, a correct configuration of MAC in \(\mathrm {ABAC_\alpha }\) requires different policies for these two operations. Hence, we define \(\mathrm {ABAC_\alpha }\) here to have separate policies for these two operations.
References
Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Commun. ACM 19(8), 461–471 (1976). http://doi.acm.org/10.1145/360303.360333
Hu, V.C., Ferrariolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., Karen, S.: Guide to attribute based access control (ABAC) definitions and considerations. 2014 NIST Special Publication 800–162
Jin, X.: Attribute-Based Access Control Models and Implementation in Cloud Infrastructure as a Service. Ph.D. thesis, UTSA (2014)
Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012). doi:10.1007/978-3-642-31540-4_4
Kolter, J., Schillinger, R., Pernul, G.: A privacy-enhanced attribute-based access control system. In: Barker, S., Ahn, G.-J. (eds.) DBSec 2007. LNCS, vol. 4602, pp. 129–143. Springer, Heidelberg (2007). doi:10.1007/978-3-540-73538-0_11
Park, J., Sandhu, R.: The UCONabc usage control model. ACM TISSEC 7, 128–174 (2004)
Rajkumar, P., Sandhu, R.: Safety decidability for pre-authorization usage control with finite attribute domains. IEEE Trans. Dependable Secure Comput. 13(5), 582–590 (2016)
Shen, H.: A semantic-aware attribute-based access control model for web services. In: Hua, A., Chang, S.-L. (eds.) ICA3PP 2009. LNCS, vol. 5574, pp. 693–703. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03095-6_65
Tripunitara, M.V., Li, N.: A theory for comparing the expressive power of access control models. J. Comput. Secur. 15(2), 231–272 (2007)
Yuan, E., Tong, J.: Attributed based access control (ABAC) for web services. In: Proceedings of the IEEE International Conference on Web Services, ICWS 2005, pp. 561–569 (2005). http://dx.doi.org/10.1109/ICWS.2005.25
Acknowledgments
This research is partially supported by NSF Grants CNS-1111925, CNS-1423481, CNS-1538418, and DoD ARL Grant W911NF-15-1-0518.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Ahmed, T., Sandhu, R. (2017). Safety of ABAC\(_\alpha \) Is Decidable. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science(), vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_19
Download citation
DOI: https://doi.org/10.1007/978-3-319-64701-2_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64700-5
Online ISBN: 978-3-319-64701-2
eBook Packages: Computer ScienceComputer Science (R0)