Elsevier

Future Generation Computer Systems

Volume 31, February 2014, Pages 147-168

An extended attribute based access control model with trust and privacy: Application to a collaborative crisis management system

https://doi.org/10.1016/j.future.2013.05.010

Abstract

Many efforts in the area of computer security have been drawn to attribute-based access control (ABAC). Compared to other widely adopted models, ABAC provides more granularity, scalability, and flexibility. This makes it a valuable access control candidate for securing platforms and environments used for coordination and cooperation among organizations and communities, especially over open networks such as the Internet. On the other hand, the basic ABAC model lacks provisions for context, trust and privacy, all of which are becoming increasingly critical, particularly in high performance distributed collaboration environments. This paper presents an extended access control model based on attributes associated with objects and subjects. It incorporates trust and privacy in order to make access control decisions sensitive to the cross-organizational collaboration context. Several aspects of the proposed model are implemented and illustrated by a case study that shows realistic ABAC policies in the domain of distributed, multi-organization crisis management systems. Furthermore, the paper shows a collaborative graphical tool that enables the actors in the emergency management system to make better decisions. The prototype shows how it guarantees the privacy of objects’ attributes, taking into account the trust of the subjects. This tool incorporates a decision engine that relies on attribute-based policies and dynamic trust and privacy evaluation. The resulting platform demonstrates the integration of the ABAC model, the evolving context, and the attributes of actors and resources.

Introduction

Collaboration environments use distributed software and technologies that allow a group of people to interact virtually over a network. The multiplicity of platforms leads to several design requirements, such as environments that take into account the context of the user and of the situation. Some platforms may use powerful desktop clients whereas others could be operating “in the field” using smartphones, or even simple sensors. Some users would be strongly authenticated whereas others may be anonymous contributors. Moreover, the collaboration environment deals with a current situation that may evolve over time. If the situation changes too much, the way the users collaborate may have to change.

Such collaboration environments should be strongly adaptable and support dynamic reconfiguration. For a dynamic system, good fault tolerance properties are required to guarantee a good quality of service. To obtain such properties, the manipulated data should be distributed or replicated between servers or clients. The algorithms used should take the specifics of each context into account. For example, a user context could include the device capabilities: a user participating with a smartphone will not be able to store large quantities of data. A second example, related to the network context, is the network bandwidth that restricts the streaming of the users’ data.

Using these environments will help an organization to be more efficient or competitive. For a company, employing such tools should help to reduce operational costs for tasks that involve many participants, especially if they are geographically distributed. The goal of a collaboration tool is to aggregate the local contributions of users in order to achieve a more general task serving the needs of multiple users. Google Crisis Response is a representative example of a tool where a very large community of users is involved in a global process that helps to solve a crisis  [1]. It allows the free exchange of information about emergencies and humanitarian crises, all the way down to the individual level, such as helping with missing people (Google Person Finder).

The difficulty in the design of such a distributed tool is to clearly state the distributed workflow of information and operations needed to achieve the expected general tasks. If the collaborative context can evolve, the workflow of information is more complex and the definition of the software operations may also be more dynamic. For example, the data manipulated by the Google Crisis Response clients are readable by all users. Nevertheless, the policy to delete or update the data is not really formalized, as each user is supposed to manage the data he or she entered. In such a system, a community of administrators may decide to give updating rights to some users, especially while the crisis is ongoing. Those rights may be revoked later when the crisis is partially solved or over.

Collaboration and shared environments entail many security issues and concerns that cover prevention, protection, and response. Depending on the general collaborative task that the system intends to achieve, malicious users may abuse the system. In any collaboration system, some users who do not share the goal of the collaborative task may exist. For example, in a crisis that involves terrorists, the attackers may introduce wrong information into an open crisis management tool in order to disrupt the rescue teams. For these reasons, security mechanisms should be introduced to control information access and flows and the list of allowed local operations, particularly with regard to unexpected usages.

The integration of security mechanisms in a collaboration environment can have different goals. The first classical mechanism is the authentication of users, which helps control who can access the system and helps implement the users’ authorized actions in the system. The authorized actions are usually controlled by access control models such as role based ones (e.g., RBAC  [2]) and their derivative models such as OrBAC (Organization Based Access Control)  [3], [4] and ABAC (Attribute Based Access Control)  [5]. It is a difficult challenge to adapt such models to a collaboration environment because they assume that a strong authentication mechanism is available, which can be very difficult to set up in a totally distributed system. Moreover, the deployed access control policy should be distributed across the system and enforced there, which is not straightforward. In such dynamic environments, the guarantee of security relies on collaborative access control mechanisms  [6]. If such mechanisms cannot be implemented, for example because the target operating system cannot be trusted or because no central authority has the right to install security components, security must instead rely on evaluating the participants and their actions, so as to estimate the trust that a participant can place in each transaction.

Trust metrics  [7], [8], [9], [10] can help to build an opinion about other participants in a totally distributed system. The measure can be built using the reputation of a participant in the system or the recommendations a participant can obtain before negotiating a transaction. The difficulty with trust metrics is to link the evaluation of trust with access control decisions, which originally rely on policies and known information, e.g., credentials. In a highly dynamic environment, the users, resources and collaboration contexts may be heterogeneous and evolve quickly. Users can gain or lose communication capabilities, privileges, or security components; the resources may appear or disappear, or be modified by trusted or untrusted users; the collaboration context may require that each transaction has a high level of trust or, on the contrary, may accept that transactions contain possibly wrong data.

In order to illustrate such situations, we choose to present a use case scenario that shows the difficulties of these environments and will be the basis of the implementation of our proposal. This paper presents an extended attribute based access control model that can be used in collaboration systems. It also presents newly devised crisis management tools that can be employed in real-world crises, in a totally distributed way. The tools should deal with managing the crisis-involved elements (events, users, actions), the contexts (localization, emergency level, type of crisis), and the exchanged messages (information, orders, reports). In such tools, the survivability and the security of the data are serious challenges. The proposed solution should rely on a fine-grained security policy combined with trust mechanisms in order to guarantee some privacy in an efficient collaboration environment.

A goal of this paper is to demonstrate that fine-grained privacy protection can be obtained using an ABAC policy. This assurance is obtained by designing access control rules that take into account the attributes of the system’s entities, the general context in which the system evolves, and the purpose of the requests. As the presented model is formally described, the paper illustrates the achieved privacy in a tool dedicated to the management of a crisis, which is a good example of a situation where a collaboration platform has security requirements. Another objective of the paper is to integrate trust into the ABAC decisions to further protect the system elements. This is a very useful contribution, as collaboration software often relies on non-fully-trusted users in totally distributed networks. The crisis management software implements a basic version of the trust evaluation. Lastly, this paper presents a newly extended version of the models first introduced in  [11], [12] and includes further developments and implementations applied to the domain of disaster management systems.

The paper is organized as follows. Section  2 gives a brief introduction to different access control models and shores up our choice of ABAC in collaboration systems. Section  3 introduces the proposed extended attribute-based access control model. Sections  4 and  5 discuss the incorporation of trust and privacy in the model in two different ways. Section  6 presents a case study that illustrates the proposed introduction of privacy and trust into ABAC. This case study describes a crisis management scenario that leads to the implementation of a platform described in Section  7. Section  8 presents the details of the policies that are incorporated into the proposed platform for a preliminary implementation of the proposed extended ABAC model, before concluding the paper in Section  9.

Section snippets

Access control and security in collaboration environments: a state of the art

The security of a collaboration system relies on several aspects that are summed up in Fig. 1. Accountability and (security) policies are traditional security concepts of the TCSEC  [13]. Nowadays, most systems that incorporate security commonly use authentication and access control mechanisms  [14]. The description of legitimate access and operations are modeled using security policies. For systems in which unknown users may enter, trust has been introduced, in order to evaluate users’

An extended attribute-based access control model

Prevention is evidently the most effective security measure since it can keep a system from being compromised to start with. One prevention aspect, which we focus on in this work, is access control. The access control model presented here is based on the attributes of the different entities involved in making the access control decision. Compared with the models mentioned before, our model is more flexible in the sense that it can be reduced to almost all the previously described ones.

As we

Toward incorporating trust and privacy preserving

Trust and privacy preserving issues have been well investigated and will remain focal points for security research in the foreseeable future. However, more often than not, they are addressed separately, despite the fact that organizations involved in collaboration face the challenges of both subjects simultaneously when making their access control policies and decisions. In this section, we describe our efforts to integrate trust and privacy together with access control in collaboration

Calculating trust and privacy preserving values

As mentioned before, there are two ways to include trust and privacy preserving in the ABAC model. The direct way requires that every access control decision is made on the basis of a specified trust level. We therefore have four trust-related parameters for access control decision-making: subject attributes, object attributes, contexts, and the trust level. In the case of indirect incorporation of trust, the parameters are only the first three: the trust level is used to assign subject attributes, and the decision is then made on those attributes. We

A case study: crisis management scenario

In this section we provide a real-world scenario to which we apply our extended ABAC model. The scenario is crisis management. Our goal is to demonstrate how to implement ABAC policies in a collaborative software platform to guarantee a fine-grained level of privacy. The second objective is to show how to introduce trust computation for collaborative users who are not authenticated in the system but may gain trust by performing new tasks during a crisis situation.

The conceived
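The following decision engine is an added illustration of the two modes of trust incorporation described in Section 5 and of the purpose-based privacy check and trust-earning contributors of the case study; it is not the paper’s prototype. The attribute names (`purpose`, `allowed_purpose`, `status`), the rule shape, the trust tiers and the reputation update rule are assumptions chosen for the example, and the policy and entities are constructed sample data.

```python
"""Extended-ABAC decision engine with trust and purpose checks.

Added illustration, not the paper's prototype. Attribute names, rule shape,
trust thresholds and the reputation update rule are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One policy rule: required attribute values and the action it permits.
    min_trust > 0 is the direct form of trust incorporation (trust is a
    fourth decision parameter next to subject, object and context)."""
    action: str
    subject: dict
    obj: dict
    context: dict
    min_trust: float = 0.0


def _matches(required: dict, actual: dict) -> bool:
    """Every required attribute must be present in `actual` with an equal value."""
    return all(actual.get(k) == v for k, v in required.items())


def purpose_compatible(subject: dict, obj: dict) -> bool:
    """Privacy check (assumed attribute names): the subject's declared purpose
    must equal the purpose for which the object's attributes may be used."""
    return subject.get("purpose") == obj.get("allowed_purpose")


def decide(rules, subject, obj, context, action, trust=None) -> bool:
    """Direct mode. Permit iff some rule matches subject, object, context and
    action, the trust level reaches the rule's threshold, and the purposes
    agree. A missing trust level (None) counts as zero, so trust-gated rules
    deny by default."""
    level = 0.0 if trust is None else trust
    for r in rules:
        if (r.action == action
                and _matches(r.subject, subject)
                and _matches(r.obj, obj)
                and _matches(r.context, context)
                and level >= r.min_trust
                and purpose_compatible(subject, obj)):
            return True
    return False


def derive_attributes(subject, trust, tiers) -> dict:
    """Indirect mode. Map the trust level to a subject attribute before the
    ordinary three-parameter decision. `tiers` (assumed) is a list of
    (threshold, attribute, value); the highest threshold reached wins."""
    derived = dict(subject)
    for threshold, name, value in sorted(tiers, reverse=True):
        if trust >= threshold:
            derived[name] = value
            break
    return derived


def decide_indirect(rules, subject, obj, context, action, trust, tiers) -> bool:
    """Indirect mode: trust only influences the decision through derived attributes."""
    return decide(rules, derive_attributes(subject, trust, tiers), obj, context, action)


def update_trust(trust, validated, gain=0.25, loss=0.5) -> float:
    """Reputation update (assumed rule): a task report confirmed by trusted
    users raises trust slowly; one contradicted by them lowers it faster."""
    return min(1.0, trust + gain) if validated else max(0.0, trust - loss)


def earn_trust(validated_tasks: int, start: float = 0.0) -> float:
    """Trust an anonymous contributor holds after n validated tasks."""
    trust = start
    for _ in range(validated_tasks):
        trust = update_trust(trust, validated=True)
    return trust


# Constructed sample policy and entities for a natural-disaster scenario.
CONTEXT_HIGH = {"emergency_level": "high", "crisis_type": "flood"}
VICTIM_LOCATION = {"type": "victim_location", "allowed_purpose": "rescue"}
FIREFIGHTER = {"role": "firefighter", "purpose": "rescue"}
CITIZEN = {"role": "citizen", "purpose": "rescue"}  # unauthenticated contributor

# Direct incorporation: the rule itself carries a trust threshold.
RULES_DIRECT = [
    Rule("read", {"role": "firefighter"}, {"type": "victim_location"},
         {"emergency_level": "high"}, min_trust=0.5),
]

# Indirect incorporation: trust is folded into a derived subject attribute.
TRUST_TIERS = [(0.6, "status", "verified_volunteer"),
               (0.2, "status", "contributor")]
RULES_INDIRECT = [
    Rule("read", {"status": "verified_volunteer"}, {"type": "victim_location"},
         {"emergency_level": "high"}),
]


if __name__ == "__main__":
    print(decide(RULES_DIRECT, FIREFIGHTER, VICTIM_LOCATION, CONTEXT_HIGH, "read", trust=0.7))
    t = earn_trust(3)
    print(t, decide_indirect(RULES_INDIRECT, CITIZEN, VICTIM_LOCATION, CONTEXT_HIGH, "read", t, TRUST_TIERS))
```

In the direct mode a firefighter with trust 0.7 reads the victim location, while the same firefighter with trust 0.3, or with a declared purpose other than `rescue`, is denied even though role, object and context match. In the indirect mode the citizen’s trust is never consulted by the rule; it only decides whether the derived `status` attribute reaches `verified_volunteer`, which an anonymous contributor attains here after three validated tasks.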

The crisis management software

In our case study, we consider a natural disaster crisis. Our collaborative crisis management software allows military personnel, police officers, firefighters, federal agents, medical staff, and ordinary people to collaborate in relief efforts during crisis management, to rescue people and to solve problems.

We assume that the system is available and always runs in the background, with a minimal set of privileged users connected. For the system, a decentralized service provider stores static

Implementation of the extended ABAC model

In our implementation of the crisis management software (CMS) presented in the previous section, we showed how some access control decisions are made. In this section, we explain how these decisions are made based on attributes, trust and privacy preserving concerns, following some aspects of the models given in Section  5. In the following sections, we first describe how we take trust into account. Then, we focus on privacy preserving. Lastly, we discuss some of the details regarding the decision engine implemented along

Discussion, concluding remarks and future work

This paper presents the integration of trust and privacy into an extended Attribute-Based Access Control (ABAC) model. The model associates the defined subjects and objects with sets of respective attributes. Those attributes represent the various properties of the considered entities, such as name, role, type, location, purpose, etc. The model facilitates the development of an access control policy that consists of a set of access control rules between subjects and objects in a particular

Acknowledgments

This work is based on a preliminary version developed in  [12], to which the following ENSI de Bourges engineering students partly contributed: Fabien Dupré for his work on the peer-to-peer implementation of the communication layers with JXTA, Sophie Merouani for her work on the primary user interface, and finally Sonia Rateau for her work on the trust model and the development of the preliminary ABAC decision engine.

References (95)

  • Google Crisis Response, ...
  • R. Sandhu et al., Role-based access control models, IEEE Computer (1996)
  • F. Innerhofer-Oberperfler, M. Hafner, R. Breu, Living security-collaborative security management in a changing world, ...
  • A.A.E. Kalam et al., Organization based access control
  • E. Yuan et al., Attributed based access control (ABAC) for web services
  • W. Tolone et al., Access control in collaborative systems, ACM Computing Surveys (2005)
  • P. Massa et al., Trustlet, open research on trust metrics, Scalable Computing: Practice and Experience (2001)
  • Z.M. Aljazzaf, M. Perry, M.A.M. Capretz, Trust metrics for services and service providers, in: CIW 2011: The Sixth ...
  • H. Gomi, An authentication trust metric for federated identity management systems
  • R. Levien, Attack-resistant trust metrics
  • J. Zhu, W.W. Smari, Attribute based access control and security for collaboration environments, in: IEEE National ...
  • W. Smari, J. Zhu, P. Clemente, Trust and privacy in attribute based access control for collaboration environments, in: ...
  • Orange Book TCSEC (Trusted Computer Evaluation Criteria), American Department of Defense ...
  • Common Criteria for Information Technology Security Evaluation, Version 2.1, August 1999, CCIMB-99-031, ...
  • M. Blanc, J. Briffaut, P. Clemente, M. Gad El Rab, C. Toinard, A multi-agent and multi-level architecture to secure ...
  • M. Kirkpatrick et al., Context-dependent authentication and access control
  • A.H. Karp, H. Haury, M.H. Davis, From ABAC to ZBAC: the evolution of access control models, Tech. Report HPL-2009-30, ...
  • R.K. Thomas, Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative ...
  • R.K. Thomas et al., Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management
  • F. Cuppens, A. Miège, Modelling contexts in the Or-BAC model, in: The 19th Annual Computer Security Applications ...
  • W.-K. Huang et al., SecureFlow: a secure web-enabled workflow management system
  • F. Cuppens et al., Administration model for Or-BAC, International Journal of Computer Systems Science and Engineering (CSSE) (2004)
  • E. Bertino et al., TRBAC: a temporal role-based access control model, ACM Transactions on Information and System Security (TISSEC) (2001)
  • G. Mori et al., CTTE: support for developing and analyzing task models for interactive system design, IEEE Transactions on Software Engineering (2002)
  • N. Netten et al., Task-adaptive information distribution for dynamic collaborative emergency response, The International Journal of Intelligent Control and Systems (2006)
  • R. Thomas, R.S. Sandhu, Conceptual foundations for a model of task-based authorizations, in: Proceedings of 7th IEEE ...
  • A.R. Tripathi et al., Specification of secure distributed collaboration systems
  • C.K. Georgiadis et al., Flexible team-based access control using contexts
  • M. Covington, W. Long, S. Srinivasan, A. Dey, M. Ahamad, G.D. Abowd, Securing context-aware applications using ...
  • M. Nakae, X. Zhang, R. Sandhu, A general design towards secure Ad-hoc collaboration, in: Proceedings of the 2006 ACM ...
  • M. Blaze, J. Feigenbaum, J. Lacy, Decentralized trust management, in: Proceedings of 17th IEEE Symposium on Security ...
  • N. Li, J. Mitchell, Datalog with constraints: a foundation for trust-management languages, in: Proceedings of the 5th ...
  • M. Blaze, J. Feigenbaum, J. Ioannidis, The KeyNote trust management system version 2, Internet Society, Network Working ...
  • K.G. Anagnostakis, F.C. Harmantzis, S. Ioannidis, M. Zghaibeh, On the impact of practical p2p incentive mechanisms on ...
  • Y. Kulbak, D. Bickson, The eMule protocol specification, DANSS (Distributed Algorithms, Networking and Secure Systems) ...
  • D. Hughes et al., Free riding on Gnutella revisited: the bell tolls?, IEEE Distributed Systems Online (2005)
  • Z. Liang et al., PET: a personalized trust model with reputation and risk evaluation for p2p resource sharing
  • L. Xiong et al., PeerTrust: supporting reputation-based trust for peer-to-peer electronic communities, IEEE Transactions on Knowledge and Data Engineering (2004)
  • N. Yang, H. Barringer, N. Zhang, A purpose-based access control model, in: Proceedings of the 3rd International ...
  • N. Dimmock, A. Belokosztolszki, D. Eyers, J. Bacon, K. Moody, Using trust and risk in role-based access control ...
  • P.D. Giang, L.X. Hung, S. Lee, Y. Lee, H. Lee, A flexible trust-based access control mechanism for security and privacy ...
  • W.J. Adams, N.J. Davis IV, Toward a decentralized trust-based access control system for dynamic collaboration, in: ...
  • Y. Liu, Trust-based access control for collaborative system, in: ISECS International Colloquium on Computing, ...
  • S. Chakraborty, I. Ray, TrustBAC: integrating trust relationships into the RBAC model for access control in open ...
  • T. French, N. Bessis, C. Maple, A high-level semiotic trust agent scoring model for collaborative virtual ...
  • T. French, Collaborative virtual organisation trust measurement: leveraging corporate governance metrics
  • D.F. Ferraiolo et al., Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (2001)
Cited by (82)

  • Performance analysis of the dynamic trust model algorithm using the fuzzy inference system for access control, 2021, Computers and Electrical Engineering. Citation excerpt: “Chen et al. [21] proposed a fuzzy inference trust model for a Peer to Peer (p2p) network environment and discussed the Mamdani type fuzzy inference technique in peer trust. Samari et al. [22,23] provided a collaboration graphical tool for ABAC policies for dynamic trust and privacy evaluation. Zhao et al. [24] provided a method for the assessment of recommendation trust and have given a solution to the problem of weight assignment to decision attributes by using relevant theories in expert investigation, fuzzy analysis and gray correlation analysis.”
  • Known unknowns: Indeterminacy in authentication in IoT, 2020, Future Generation Computer Systems. Citation excerpt: “Finally, it is not clear how the method identifies roles and assigns them, and nor has the work considered how RBAC can be adapted in the context of IoT. Waleed et al. [11] proposed an access control model based on ABAC that incorporates trust and privacy into access policy to make it reliable in a collaborative environment. This model supports the privacy of subjects by authorizing certain access requests so that the purposes of access for both the subject and the object are the same.”
  • Mitigating Risks in the Cloud-Based Metaverse Access Control Strategies and Techniques, 2023, International Journal of Cloud Applications and Computing
  • Attribute-based encryption with enforceable obligations, 2023, Journal of Cryptographic Engineering

Waleed W. Smari is a Senior Research Scientist at Ball Aerospace & Technologies Corp and a Professor of Electrical and Computer Engineering. His technical interests and specialties include Collaboration Sciences and Technologies, Human Centered Computing, High Performance Parallel and Distributed Processing and Networking, Performance Evaluation Methods and Modeling Techniques of Computing Systems, Information Systems and Engineering, Reconfigurable Computing and Digital Systems Design, and Computer Engineering Education. He has served as PI on several research projects sponsored by government agencies and industry. He was a Visiting Fellow at government labs as well as at a number of universities around the world. He has been a Senior Member of the Institute of Electrical and Electronics Engineers (IEEE) and the Association for Computing Machinery (ACM), a Member of the American Society for Engineering Education (ASEE), the International Society of Computers and Their Applications (ISCA), the International Association of Science and Technology for Development (IASTED), The Society for Computer Simulation International (SCS), and The European Council on Modelling and Simulation (ECMS).

Patrice Clemente is currently an Associate Professor at the ENSI of Bourges (Ecole Nationale Superieure d’Ingenieurs of Bourges), France. He is also a member of the SDS team (Security of Distributed Systems) of the Laboratoire d’Informatique Fondamentale d’Orleans (LIFO), France. Patrice Clemente received a Ph.D. degree in Computer Science in 2004 from University of Franche-Comte and France Telecom R&D (previously known as CNET).

His main research interests at SDS are focused on OS security, security meta-policies, correlation for host intrusion detection, host intrusion detection for Mandatory Access Control, many access control mechanisms, security property enforcement, information flow prevention and security visualization: visualization of security policies and visualization of session logs.

Jean-Francois Lalande has been an Associate Professor at ENSI de Bourges, in the Laboratoire d’Informatique Fondamentale d’Orléans (LIFO), since 2005. His research domains are the security of operating systems and embedded software. He obtained his Ph.D. in Computer Science from University of Nice. Before 2005, he worked on the dimensioning of telecommunication networks in the Mascotte team (INRIA/I3S/CNRS/UNS).
