
Computers & Security

Volume 25, Issue 1, February 2006, Pages 36-44

Towards a location-based mandatory access control model

https://doi.org/10.1016/j.cose.2005.06.007

Abstract

With the growing use of wireless networks and mobile devices, we are moving towards an era where location information will be necessary for access control. Location information can be used to enhance the security of an application, but it can also be exploited to launch attacks. For critical applications, such as the military, a formal model for location-based access control is needed that increases the security of the application and ensures that the location information cannot be exploited to cause harm. In this paper, we show how the mandatory access control (MAC) model can be extended to incorporate the notion of location. We also show how the different components of the MAC model are related to location and how this location information can be used to determine whether a subject has access to a given object. The model is suitable for military applications consisting of static and dynamic objects, where the location of a subject and of an object must be considered before granting access.

Introduction

With the growth of wireless networks and of sensor and mobile devices, we are moving towards an age of ubiquitous computing where location information will be an integral part of many applications. Denning and MacDoran (1996) and other researchers have described how the use of location information can make applications more secure. For instance, a user should be able to control or fire a missile from specific high-security locations only. Verifying location information, in addition to the checks performed by traditional methods of authentication and access control, improves the security of the underlying application. Location information, however, can also be misused, causing a breach of privacy and security. For example, information about the location of a user can compromise his or her privacy: a malicious user who knows the location of a person can infer the activities being performed by that person. Protecting the confidentiality, integrity, and availability of location information is therefore of utmost importance. These issues have also been emphasized by the United States government through the Wireless Privacy Protection Act of 2003, introduced in the 108th Congress (The Wireless Privacy Protection Act, 2003). The act requires explicit consent from users before their location information and other sensitive information are used. The bill also mandated that wireless carriers "establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the information."

Understanding the security and privacy implications of location information is non-trivial. Researchers (Perrig et al., 2004, John, 2001, Schulzrinne et al., 2003, Snekkenes, 2001, Titkov et al., 2004) are investigating various problems related to the security and privacy of location-based systems. Some researchers in security and privacy have investigated how to maintain the confidentiality of location information and control its disclosure. Others have focused on validating the location data transmitted by devices, such as sensors and active badges, and on maintaining the integrity of such data. Some have investigated the availability of location data: an effective denial-of-service attack can be launched either by jamming the Global Positioning System (GPS) or by feeding the GPS receiver fake information (Enge and Misra, 1999, John, 2001). Although all of the above problems are important and need to be adequately addressed, we focus only on protecting the confidentiality of location information.

We show how location information can be used to augment traditional access control in order to cater to more sophisticated applications. A few examples will help motivate our work. In a military application, if a computer containing top secret information is placed in a public place, then the computer should automatically become inaccessible. A critical application that involves the firing of missiles may have the following requirements: a user should be able to control or fire a missile from specific high-security locations only, and the missile can be fired only when it is in a certain location. For such critical applications, additional checks, such as verification of the location of the user and of the location of the missile, must be satisfied before the user is granted access. Such location-based checks are not provided by the traditional access control models, such as discretionary access control (DAC) or mandatory access control (MAC).

The above examples illustrate how the use of location information can increase the security of an application. The misuse of location information can also cause a breach of security. Thus, the use of location information must be carefully controlled to prevent malicious users from launching attacks. Such attacks may have disastrous consequences for critical applications, such as the military. In short, formal models are needed for performing location-based access control. One can reason about such formal models to ensure that the use of location information is as intended.

In this paper we propose one such formal model that is suitable for military applications. Rather than developing such a model from scratch, we illustrate how the MAC model proposed by Bell and LaPadula (1976) can be extended to incorporate the concept of location. We show how to control the disclosure of the location information of subjects and objects in order to prevent any illegal information flow. We illustrate how the different components of MAC are related to location and how location impacts these components. Finally, we show how this location information can be used to determine whether a subject has access to a given object. The correct behavior of the model is formulated in terms of constraints that must be satisfied by any application using this model.

The remainder of the paper is organized as follows. The next section summarizes the MAC model on which our work is based. The section after that enumerates some approaches to location representation and determination, then shows how we represent location in our model, how locations can be associated with security levels, and how location information is protected. The following section shows how the different components of MAC are related to location and the constraints that location-based access control imposes on these components. A discussion of related work follows, and the last section concludes the paper with pointers to future directions.

Section snippets

Mandatory access control

Since our work is based on MAC, we present the main features of the MAC model. The mandatory access control framework that we use is adapted from the Bell–LaPadula model (Bell and LaPadula, 1976). The Bell–LaPadula model is defined in terms of a security structure (L, ⪯), where L is the set of security levels and ⪯ is an ordering relation defined on these levels. The ordering relation is known as the dominance relation; it is reflexive, transitive and anti-symmetric. Li ⪯ Lj signifies

Our approach to location formalization

In order to perform location-based access control, we need to perform operations on location information and protect the location information. In this section we formalize the concept of location, discuss the relationship of location with security levels, and show how the location information can be protected.

We begin by formalizing the concept of location. Locations can be specified at different levels of granularity. The smallest granularity of location is a point. A location is formally

Extending MAC to incorporate location-based access control

In this section we show how MAC can be extended to incorporate location-based access control. The different components of MAC are user, subject, object and operations. We discuss how each of these components is associated with location. Fig. 3 illustrates how these components are related to location. The multiplicity of these relationships is indicated by the presence or absence of an arrowhead: the absence of an arrowhead indicates a multiplicity of "one" and the presence of an arrowhead indicates
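The following Python is an added illustration, not code from the paper, of the two pieces of machinery the preceding sections describe: the Bell–LaPadula security structure (L, ⪯) with its dominance relation (section "Mandatory access control"), locations at different granularities with a point as the finest one and a security level attached to each location (section "Our approach to location formalization"), and an access decision that looks at the subject's and the object's levels as well as their locations (this section). The paper's actual constraints are not reproduced on this page, so everything concrete here is an assumption: levels are (rank, category set) pairs ordered the usual BLP way; locations are axis-aligned rectangles, with the smallest containing rectangle taken as the most specific location; and the assumed location rule is that both the subject's current location and the object's current location must be cleared for the object's classification, which is what makes the introduction's "top secret computer in a public place" inaccessible. Names, coordinates and the scenarios in `demo()` are constructed.

```python
"""Location-aware Bell-LaPadula check. Added illustration; all concrete rules,
names and data are assumptions, not the paper's formal model."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hierarchical ranks, lowest first. Together with category sets they form the
# security structure (L, ⪯): (r1, C1) ⪯ (r2, C2) iff r1 <= r2 and C1 ⊆ C2.
RANKS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

Point = Tuple[float, float]  # a point is the finest granularity of location


@dataclass(frozen=True)
class Level:
    rank: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        """other ⪯ self: reflexive, transitive and anti-symmetric by construction."""
        return RANKS[self.rank] >= RANKS[other.rank] and other.categories <= self.categories


@dataclass(frozen=True)
class Location:
    """A named axis-aligned rectangle carrying the level it is cleared for
    (assumption: e.g. a public lobby is UNCLASSIFIED, an ops room TOP_SECRET)."""
    name: str
    xmin: float
    ymin: float
    xmax: float
    ymax: float
    level: Level

    def contains(self, p: Point) -> bool:
        return self.xmin <= p[0] <= self.xmax and self.ymin <= p[1] <= self.ymax

    def area(self) -> float:
        return (self.xmax - self.xmin) * (self.ymax - self.ymin)


def resolve_location(p: Point, locations: List[Location]) -> Optional[Location]:
    """Map a point to the most specific (smallest) location containing it, so a
    room nested inside a building wins over the building."""
    hits = [loc for loc in locations if loc.contains(p)]
    return min(hits, key=Location.area) if hits else None


@dataclass
class Subject:
    name: str
    clearance: Level
    position: Point


@dataclass
class Obj:
    name: str
    classification: Level
    position: Point  # static objects never move; dynamic ones (a missile) do


def _locations_cleared(sub: Subject, obj: Obj, locations: List[Location]) -> bool:
    """Assumed location constraint, applied to every operation: the subject's
    current location and the object's current location must both be cleared for
    the object's classification. Only this decision point sees both positions;
    the caller gets a verdict, not the other party's location. A position outside
    every known location fails closed."""
    s_loc = resolve_location(sub.position, locations)
    o_loc = resolve_location(obj.position, locations)
    if s_loc is None or o_loc is None:
        return False
    return (s_loc.level.dominates(obj.classification)
            and o_loc.level.dominates(obj.classification))


def can_read(sub: Subject, obj: Obj, locations: List[Location]) -> bool:
    """Simple-security property (no read up) plus the location constraint."""
    return sub.clearance.dominates(obj.classification) and _locations_cleared(sub, obj, locations)


def can_write(sub: Subject, obj: Obj, locations: List[Location]) -> bool:
    """*-property (no write down) plus the location constraint."""
    return obj.classification.dominates(sub.clearance) and _locations_cleared(sub, obj, locations)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Scenarios modelled on the introduction's examples (constructed data)."""
    TS, SECRET, UNCL = Level("TOP_SECRET"), Level("SECRET"), Level("UNCLASSIFIED")
    locations = [
        Location("base", 0, 0, 100, 100, SECRET),   # whole base cleared to SECRET
        Location("ops_room", 10, 10, 20, 20, TS),   # high-security room inside the base
        Location("lobby", 50, 50, 60, 60, UNCL),    # public area inside the base
    ]
    plans = Obj("plans", TS, (15, 15))              # static object in the ops room
    alice_in_ops = Subject("alice", TS, (15, 15))
    alice_in_lobby = Subject("alice", TS, (55, 55))
    plans_in_lobby = Obj("plans", TS, (55, 55))     # TS computer carried into a public place
    alice_outside = Subject("alice", TS, (500, 500))  # no known location
    return (
        can_read(alice_in_ops, plans, locations),         # True: cleared subject, cleared room
        can_read(alice_in_lobby, plans, locations),       # False: reading from a public place
        can_read(alice_in_ops, plans_in_lobby, locations),  # False: object left in public
        can_read(alice_outside, plans, locations),        # False: unknown location fails closed
    )
```

Resolving a point to the smallest enclosing location is what lets one decision function work across granularities: the base, a room inside it and a single point all map to one named location with one level. Failing closed on an unresolved position matters in practice, since a jammed or spoofed GPS fix (the availability attack the introduction mentions) would otherwise silently grant access.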

Related work

Location determination and representation are discussed in various works (Cadman, 2003, Fox et al., 2003, Glassey and Ferguson, 2003, Hightower, 2003, Krumm, 2003). Lee et al. (2002) describe different methods to represent location. They propose two representations for location, the geometrical model and the symbolic model, and describe how different types of location-based queries can be processed.

Security and privacy issues pertaining to pervasive computing have been explored in detail

Conclusion

In this paper we have proposed a location-based mandatory access control model that is suitable for military applications. In our model, the access a subject has to an object is determined by the security levels of the subject and the object as well as by their locations. We are therefore able to provide more security than the MAC model. We have extended the MAC model by incorporating the notion of location and identifying what relationship location has with the other components of the MAC model. We also

Acknowledgment

This material is based upon work funded by AFOSR under Award No. FA9550-04-1-0102.


References (29)

  • R.S. Sandhu, Lattice-based enforcement of Chinese Walls, Computers & Security (December 1992)
  • D.E. Bell et al., Secure computer system: unified exposition and Multics interpretation (1976)
  • D.F.C. Brewer et al., The Chinese Wall security policy
  • Jay Cadman, Deploying commercial location-aware systems
  • R. Campbell et al., Towards security and privacy for pervasive computing
  • D.D. Clark et al., A comparison of commercial and military computer security policies
  • Michael J. Covington et al., A context-aware security architecture for emerging applications
  • Michael J. Covington et al., Securing context-aware applications using environment roles
  • Dorothy E. Denning et al., Location-based authentication: grounding cyberspace for better security
  • P. Enge et al., Scanning the issue/technology, Proceedings of the IEEE, special issue on GPS (11 January 1999)
  • David F. Ferraiolo et al., Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (2001)
  • Dieter Fox et al., Bayesian techniques for location estimation
  • Richard James Glassey et al., SpaceSemantics: an architecture for modeling environments
  • G.S. Graham et al., Protection: principles and practice

Cited by (63)

  • A location-based policy-specification language for mobile devices, 2012, Pervasive and Mobile Computing. Citation excerpt: "In addition, role assignment and location information are fixed per session in Geo-RBAC, so policies on systems with dynamically changing roles or locations (e.g., the policies in Figs. 3–5) could not be specified with Geo-RBAC. Ray and Kumar describe a formal, Turing-incomplete model that extends a MAC system with location primitives [16]. They describe how the location of a subject and an object can be used to make decisions about granting subjects access to objects, while keeping the locations of subjects and objects private from each other."
  • Scheduling mobile collaborating workforce for multiple urgent events, 2012, Journal of Network and Computer Applications. Citation excerpt: "Moreover, they do not take the location factor into account for the assignment. Recently, location is considered as an important issue of context and is introduced into authorization decision (Ray and Kumar, 2006; Damiani et al., 2007). The location-based access control technologies allow taking users' physical location into account when determining their eligible tasks."

Indrakshi Ray is an assistant professor in the Computer Science Department at Colorado State University. Prior to joining Colorado State, she was a faculty member at the University of Michigan-Dearborn. She obtained her Ph.D. from George Mason University. Her research interests include security and privacy, database systems, e-commerce and formal methods in software engineering. She has published several refereed journal and conference papers in these areas. She is the Program Chair of the 11th ACM Symposium on Access Control Models and Technologies, 2006. She served as the Program Chair for the IFIP WG 11.3 Conference on Data and Applications Security, 2003. She has served on the program committees of several conferences, such as EDBT, SACMAT, ACM CCS and EC-Web. She is a member of the ACM and the IEEE.

Mahendra Kumar is a graduate student at the University of Florida. He obtained his undergraduate degree from the Indian Institute of Technology, Roorkee.
