Proactive Identification and Prevention of Unexpected Future Rule Conflicts in Attribute Based Access Control

  • Conference paper
Computational Science and Its Applications – ICCSA 2010 (ICCSA 2010)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 6019)

Abstract

Attribute based access control (ABAC) provides an intuitive way for security administrators to express conditions (associated with the status of objects) in access control policies; however, during the design and development of an ABAC system, new problems concerning its consistency and security may emerge. In this paper, we report on two specific ABAC problems, denoted the “future rule conflicts” problem and the “object overlapping” problem, which we recently identified while developing the ABAC system for a large research laboratory. We use real-world examples to illustrate the negative impact of these two problems and present two novel algorithms for their identification and prevention. We give correctness proofs for both algorithms, apply the algorithms to the attribute based laboratory control (ABLC) system, and report the results.

This work is supported by 863 Foundation No.2006AA01Z454, and NSF No.70890084/G021102.

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zha, D., Jing, J., Liu, P., Lin, J., Jia, X. (2010). Proactive Identification and Prevention of Unexpected Future Rule Conflicts in Attribute Based Access Control. In: Taniar, D., Gervasi, O., Murgante, B., Pardede, E., Apduhan, B.O. (eds) Computational Science and Its Applications – ICCSA 2010. ICCSA 2010. Lecture Notes in Computer Science, vol 6019. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12189-0_41

  • DOI: https://doi.org/10.1007/978-3-642-12189-0_41

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-12188-3

  • Online ISBN: 978-3-642-12189-0

  • eBook Packages: Computer Science, Computer Science (R0)