Scalable Automated Analysis of Access Control and Privacy Policies

Chapter in: Transactions on Large-Scale Data- and Knowledge-Centered Systems XXXVI

Part of the book series: Lecture Notes in Computer Science ((TLDKS,volume 10720))

Abstract

Access control is becoming increasingly important for today's ubiquitous systems. Sophisticated security requirements need to be ensured by authorization policies for increasingly complex and large applications. As a consequence, designers need to understand such policies and ensure that they meet the desired security constraints, while administrators must also maintain them so as to comply with the evolving needs of systems and applications. These tasks are greatly complicated by the expressiveness and the size of the authorization policies. It is thus necessary to provide policy designers and administrators with automated analysis techniques that are capable of foreseeing whether, and under what conditions, security properties may be violated. In this paper, we consider this analysis problem in the context of Role-Based Access Control (RBAC), one of the most widespread access control models. We describe how we design heuristics that enable an analysis tool, called asaspXL, to scale up to large and complex Administrative RBAC (ARBAC) policies. We also discuss how the techniques inside the tool can be applied to the analysis of location-based privacy policies. An extensive experimental evaluation shows that the proposed heuristics play a key role in the success of the analysis tool over the state-of-the-art analysis tools.

Notes

  1. In [18], the authors claim that we can transform a policy with role hierarchies into a policy without them by pre-processing away the role hierarchies, as shown in [23]. Then, we only need to process the explicit members of a role when considering the role memberships (cf. Definitions 2 and 5).

References

  1. http://homes.di.unimi.it/~ghilardi/mcmt

  2. http://research.microsoft.com/en-us/um/redmond/projects/z3

  3. Alberti, F., Armando, A., Ranise, S.: ASASP: automated symbolic analysis of security policies. In: Bjørner, N., Sofronie-Stokkermans, V. (eds.) CADE 2011. LNCS (LNAI), vol. 6803, pp. 26–33. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22438-6_4

  4. Alberti, F., Armando, A., Ranise, S.: Efficient symbolic automated analysis of administrative role based access control policies. In: Proceedings of 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2011). ACM Press (2011)

  5. Ardagna, C.A., Cremonini, M., Vimercati, S.D.C., Samarati, P.: Privacy-enhanced location-based access control. In: Gertz, M., Jajodia, S. (eds.) Handbook of Database Security Applications and Trends, pp. 531–552. Springer, Boston (2008). https://doi.org/10.1007/978-0-387-48533-1_22

  6. Armando, A., Ranise, S.: Automated symbolic analysis of ARBAC-policies. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 17–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22444-7_2

  7. Bellavista, P., Corradi, A., Giannelli, C.: Efficiently managing location information with privacy requirements in Wi-Fi networks, a middleware approach. In: Proceedings of the Second International Symposium on Wireless Communication Systems, pp. 1–8. IEEE (2005)

  8. Crampton, J.: Understanding and developing role-based administrative models. In: Proceedings of 19th ACM Conference on Computer and Communications Security (CCS 2005), pp. 158–167. ACM Press (2005)

  9. Cuellar, J.R.: Location information privacy. In: Sarikaya, B. (ed.) Geographic Location in the Internet, pp. 179–208. Kluwer Academic Publishers, Boston (2002)

  10. De Capitani di Vimercati, S., Foresti, S., Jajodia, S., Samarati, P.: Access control policies and languages. Int. J. Comput. Sci. Eng. (IJCSE) 3(2), 94–102 (2007)

  11. Ferrara, A.L., Madhusudan, P., Nguyen, T.L., Parlato, G.: VAC - verifier of administrative role-based access control policies. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 184–191. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08867-9_12

  12. Ghilardi, S., Ranise, S.: Backward reachability of array-based systems by SMT solving: termination and invariant synthesis. Log. Methods Comput. Sci. (LMCS) 6(4), 1–48 (2010)

  13. Jayaraman, K., Ganesh, V., Tripunitara, M., Rinard, M., Chapin, S.: Automatic error finding for access-control policies. In: Proceedings of 18th ACM Conference on Computer and Communications Security (CCS 2011). ACM Press (2011)

  14. Jha, S., Li, N., Tripunitara, M.V., Wang, Q., Winsborough, H.: Towards formal verification of role-based access control policies. IEEE Trans. Dependable Secure Comput. 5(4), 242–255 (2008)

  15. Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM Trans. Inf. Syst. Secur. 9(4), 391–420 (2006)

  16. Mohamed, F.M.: Privacy in location-based services: state-of-the-art and research directions. In: Proceedings of the 8th IEEE International Conference on Mobile Data Management (MDM 2007). IEEE (2007)

  17. Ranise, S., Truong, A.: Incremental analysis of evolving administrative role based access control policies. In: Atluri, V., Pernul, G. (eds.) DBSec 2014. LNCS, vol. 8566, pp. 260–275. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43936-4_17

  18. Ranise, S., Truong, A., Armando, A.: Boosting model checking to analyse large ARBAC policies. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds.) STM 2012. LNCS, vol. 7783, pp. 273–288. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38004-4_18

  19. Ranise, S., Truong, A., Armando, A.: Scalable and precise automated analysis of administrative temporal role-based access control. In: Proceedings of 19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014), pp. 103–114. ACM Press (2014)

  20. Ranise, S., Truong, A., Traverso, R.: Parameterized model checking for security policy analysis. Int. J. Softw. Tools Technol. Transfer (STTT) 18, 559–573 (2016)

  21. Ranise, S., Truong, A., Viganò, L.: Automated analysis of RBAC policies with temporal constraints and static role hierarchies. In: Proceedings of the 30th ACM Symposium on Applied Computing (SAC 2015), pp. 2177–2184. ACM Press (2015)

  22. Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. IEEE Comput. 29(2), 38–47 (1996)

  23. Sasturkar, A., Yang, P., Stoller, S.D., Ramakrishnan, C.R.: Policy analysis for administrative role based access control. In: Proceedings of 19th IEEE Computer Security Foundations Symposium (CSF 2006). IEEE Press (2006)

  24. Stoller, S.D., Yang, P., Ramakrishnan, C.R., Gofman, M.I.: Efficient policy analysis for administrative role based access control. In: Proceedings of 21st ACM Conference on Computer and Communications Security (CCS 2007). ACM Press (2007)

  25. Truong, A.T., Dang, T.K., Küng, J.: On guaranteeing k-anonymity in location databases. In: Hameurlain, A., Liddle, S.W., Schewe, K.-D., Zhou, X. (eds.) DEXA 2011. LNCS, vol. 6860, pp. 280–287. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23088-2_20

  26. Truong, A., Hai Ton That, D.: Solving the user-role reachability problem in ARBAC with role hierarchy. In: Proceedings of 2016 International Conference on Advanced Computing and Applications (ACOMP 2016), pp. 3–10. IEEE (2016)

  27. Truong, A.T., Truong, Q.C., Dang, T.K.: An adaptive grid-based approach to location privacy preservation. In: Nguyen, N.T., Katarzyniak, R., Chen, S.M. (eds.) Advances in Intelligent Information and Database Systems. SCI, vol. 283, pp. 133–144. Springer, Heidelberg (2010)

  28. Truong, Q.C., Truong, A.T., Dang, T.K.: Memorizing algorithm: protecting user privacy using historical information of location based services. Int. J. Mob. Comput. Multimedia Commun. 2, 65–86 (2010)

  29. Yang, P., Gofman, M.I., Stoller, S., Yang, Z.: Policy analysis for administrative role based access control without separate administration. J. Comput. Secur. 23, 1–9 (2014)

Acknowledgement

This research is funded by Vietnam National University Ho Chi Minh City (VNU-HCM) under grant number C2017-20-17.

Author information

Corresponding author: Anh Truong.

Copyright information

© 2017 Springer-Verlag GmbH Germany

Cite this chapter

Truong, A., Ranise, S., Nguyen, T.T. (2017). Scalable Automated Analysis of Access Control and Privacy Policies. In: Hameurlain, A., Küng, J., Wagner, R., Dang, T., Thoai, N. (eds) Transactions on Large-Scale Data- and Knowledge-Centered Systems XXXVI. Lecture Notes in Computer Science(), vol 10720. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-56266-6_7

  • DOI: https://doi.org/10.1007/978-3-662-56266-6_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-56265-9

  • Online ISBN: 978-3-662-56266-6

  • eBook Packages: Computer Science (R0)