Security Analysis of Unified Access Control Policies

  • Conference paper
Secure Knowledge Management In Artificial Intelligence Era (SKM 2019)

Abstract

In the modern computing era, access to resources is often restricted through contextual information and the attributes of users, objects and various other entities. Attribute-Based Access Control (ABAC) can capture those requirements as a policy, but it is not yet adopted like Role-Based Access Control (RBAC) due to the lack of a comprehensive administrative model. In the last few years, several efforts have been made to combine ABAC with RBAC, but they are limited to specification and enforcement only. Recently, we have presented a unified framework along with a role-based administrative model that enables specification, enforcement and maintenance of unified access control policies, such as ABAC, RBAC and Meta-Policy Based Access Control (MPBAC). This paper describes the role-based administrative model components and then presents a methodology which uses a fixed-point based approach for verifying the security properties (like safety and liveness) of those policies in the presence of the administrative model. We also analyse the impact of ABAC, RBAC, MPBAC and administrative model components on the time taken for security analysis. Experimental results demonstrate that the proposed approach is scalable as well as effective.



Acknowledgments

Research reported in this publication was supported by the National Institutes of Health under award R01GM118574 and by the National Science Foundation under awards CNS-1564034, CNS-1624503, and CNS-1747728. The content is solely the responsibility of the authors and does not necessarily represent the official views of the agencies funding the research.

Author information

Corresponding author

Correspondence to Shamik Sural.

Copyright information

© 2020 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Singh, M.P., Sural, S., Atluri, V., Vaidya, J. (2020). Security Analysis of Unified Access Control Policies. In: Sahay, S., Goel, N., Patil, V., Jadliwala, M. (eds) Secure Knowledge Management In Artificial Intelligence Era. SKM 2019. Communications in Computer and Information Science, vol 1186. Springer, Singapore. https://doi.org/10.1007/978-981-15-3817-9_8

  • DOI: https://doi.org/10.1007/978-981-15-3817-9_8

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-3816-2

  • Online ISBN: 978-981-15-3817-9

  • eBook Packages: Computer Science (R0)
