Abstract
In the modern computing era, access to resources is often restricted through contextual information and the attributes of users, objects and various other entities. Attribute-Based Access Control (ABAC) can capture those requirements as a policy, but it is not yet adopted like Role Based Access Control (RBAC) due to lack of a comprehensive administrative model. In the last few years, several efforts have been made to combine ABAC with RBAC, but they are limited to specification and enforcement only. Recently, we have presented a unified framework along with a role based administrative model that enables specification, enforcement and maintenance of unified access control policies, such as ABAC, RBAC and Meta-Policy Based Access Control (MPBAC). This paper describes role-based administrative model components and then present a methodology which uses a fixed-point based approach for verifying the security properties (like safety and liveness) of those policies in the presence of the administrative model. We also analyse the impact of ABAC, RBAC, MPBAC and administrative model components on the time taken for security analysis. Experimental results demonstrate that the proposed approach is scalable as well as effective.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Singh, M.P., Sural, S., Vaidya, J., Atluri, V.: Managing attribute-based access control policies in a unified framework using data warehousing and in-memory database. Comput. Secur. 86, 183–205 (2019)
Singh, M.P., Sural, S., Atluri, V., Vaidya, J., Yakub, U.: Managing multi-dimensional multi-granular security policies using data warehousing. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds.) NSS 2015. LNCS, vol. 9408, pp. 221–235. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-25645-0_15
Hu, V.C., et al.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication (2014)
Sandhu, R.S., Coyne, J.E., Feinstein, H.L., Youman, C.E.: Role based access control models. IEEE Comput. 29, 38–47 (1996)
Aich, S., Mondal, S., Sural, S., Majumdar, A.K.: Role based access control with spatiotemporal context for mobile applications. In: Gavrilova, M.L., Tan, C.J.K., Moreno, E.D. (eds.) Transactions on Computational Science IV. LNCS, vol. 5430, pp. 177–199. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01004-0_10
Bertino, E., Andrea, B.P., Ferrari, E.: TRBAC: a temporal role-based access control model. ACM Trans. Inf. Syst. Secur. 4, 191–233 (2001)
Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Trans. Inf. Syst. Secur. 2, 105–135 (1999)
Mondal, S., Sural, S., Atluri, V.: Towards formal security analysis of GTRBAC using timed automata. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pp. 33–42 (2009)
Sharma, M., Sural, S., Vaidya, J., Atluri, V.: AMTRAC: an administrative model for temporal role-based access control. Comput. Secur. 39, 201–218 (2013)
Sharma, M., Sural, S., Atluri, V., Vaidya, J.: An administrative model for spatio-temporal role based access control. In: Bagchi, A., Ray, I. (eds.) ICISS 2013. LNCS, vol. 8303, pp. 375–389. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-45204-8_28
Jin, X., Krishnan, R., Sandhu, R.: Reachability analysis for role based administration of attributes. In: Proceedings of the 2013 ACM Workshop on Digital Identity Management, pp. 73–84 (2013)
Ninghui, N.L., Tripunitara, M.V.: Security analysis in role-based access control. ACM Trans. Inf. Syst. Secur. 9, 391–420 (2006)
Mondal, S., Sural, S.: Security analysis of temporal-RBAC using timed automata. In: Proceedings of the 4th International Conference on Information Assurance and Security, pp. 37–40 (2008)
Jha, S., Sural, S., Vaidya, J., Atluri, V.: Security analysis of temporal RBAC under an administrative model. Comput. Secur. 46, 154–172 (2014)
Ferraiolo, D., Atluri, V.: A meta model for access control: why is it needed and is it even possible to achieve? In: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 153–154 (2008)
Jha, S., Sural, S., Vaidya, J., Atluri, V.: Temporal RBAC security analysis using logic programming in the presence of administrative policies. In: Prakash, A., Shyamasundar, R. (eds.) ICISS 2014. LNCS, vol. 8880, pp. 129–148. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13841-1_8
Jha, S., Sural, S., Atluri, V., Vaidya, J.: An administrative model for collaborative management of ABAC systems and its security analysis. In: Proceedings of the 2016 IEEE 2nd International Conference on Collaboration and Internet Computing, pp. 64–73 (2016)
Uzun, E., Atluri, V., Sural, S., Madhusudan, P.: Analyzing temporal role-based access control models. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, pp. 177–186 (2012)
Jha, S., Sural, S., Vaidya, J., Atluri, V.: Security analysis of ABAC under an administrative model. IET Inf. Secur. 13, 96–103 (2018)
Rajpoot, Q.M., Jensen, C.D., Krishnan, R.: Attributes enhanced role-based access control model. In: Fischer-Hübner, S., Lambrinoudakis, C., Lopez, J. (eds.) TrustBus 2015. LNCS, vol. 9264, pp. 3–17. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22906-5_1
Hoder, K., Bjørner, N., de Moura, L.: \({\mu }Z\)– an efficient engine for fixed points with constraints. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 457–462. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_36
de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24
Acknowledgments
Research reported in this publication was supported by the National Institutes of Health under award R01GM118574 and by the National Science Foundation under awards CNS-1564034, CNS-1624503, and CNS-1747728. The content is solely the responsibility of the authors and does not necessarily represent the official views of the agencies funding the research.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Singh, M.P., Sural, S., Atluri, V., Vaidya, J. (2020). Security Analysis of Unified Access Control Policies. In: Sahay, S., Goel, N., Patil, V., Jadliwala, M. (eds) Secure Knowledge Management In Artificial Intelligence Era. SKM 2019. Communications in Computer and Information Science, vol 1186. Springer, Singapore. https://doi.org/10.1007/978-981-15-3817-9_8
Download citation
DOI: https://doi.org/10.1007/978-981-15-3817-9_8
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-3816-2
Online ISBN: 978-981-15-3817-9
eBook Packages: Computer ScienceComputer Science (R0)