research-article

Efficient symbolic automated analysis of administrative attribute-based RBAC-policies

Authors:
Francesco Alberti

Università della Svizzera, Italiana, Lugano

Università della Svizzera, Italiana, Lugano
View Profile

,
Alessandro Armando

Università di Genova and FBK-Irst, Trento (Italy)

Università di Genova and FBK-Irst, Trento (Italy)
View Profile

,
Silvio Ranise

Security and Trust Unit, FBK-Irst, Trento (Italy)

Security and Trust Unit, FBK-Irst, Trento (Italy)
View Profile

ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications SecurityMarch 2011Pages 165–175https://doi.org/10.1145/1966913.1966935

Published:22 March 2011Publication History

ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security

Pages 165–175

ABSTRACT

Automated techniques for the security analysis of Role-Based Access Control (RBAC) access control policies are crucial for their design and maintenance. The definition of administrative domains by means of attributes attached to users makes the RBAC model easier to use in real scenarios but complicates the development of security analysis techniques, that should be able to modularly reason about a wide range of attribute domains. In this paper, we describe an automated symbolic security analysis technique for administrative attribute-based RBAC policies. A class of formulae of first-order logic is used as an adequate symbolic representation for the policies and their administrative actions. State-of-the-art automated theorem proving techniques are used (off-the-shelf) to mechanize the security analysis procedure. Besides discussing the assumptions for the effectiveness and termination of the procedure, we demonstrate its efficiency through an extensive empirical evaluation.

References

http://research.microsoft.com/en-us/um/redmond/projects/z3.Google Scholar
http://www.cs.man.ac.uk/~korovink/iprover.Google Scholar
http://www.cs.miami.edu/~tptp.Google Scholar
http://www.cs.stonybrook.edu/~stoller/ccs2007.Google Scholar
http://www.smt-lib.org.Google Scholar
A. Armando and S. Ranise. Automated Symbolic Analysis of ARBAC Policies. In STM Workshop, 2010. Google ScholarDigital Library
R. E. Bryant. Graph-Based Algorithms for Boolean Function Manipulation. IEEE TCAD, 35(8), 1986. Google ScholarDigital Library
J. Crampton. Understanding and developing role-based administrative models. In Proc. 12th ACM CCS, pages 158--167, ACM Press, 2005. Google ScholarDigital Library
H. B. Enderton. A Mathematical Introduction to Logic. Academic Press, Inc., 1972.Google Scholar
H. Gallaire, J. Minker, and J.-M. Nicolas. Logic and Databases: A Deductive Approach. Computing Surveys, 16(2):153--185, 1984. Google ScholarDigital Library
S. Ghilardi, E. Nicolini, S. Ranise, and D. Zucchelli. Towards SMT Model-Checking of Array-based Systems. In Proc. of IJCAR, LNCS, 2008. Google ScholarDigital Library
S. Ghilardi and S. Ranise. MCMT: a Model Checker Modulo Theories. In Proc. of IJCAR, LNCS, 2010. Google ScholarDigital Library
T. Hillenbrand and C. Weidenbach. Superposition for Finite Domains. Res. Rep. RG1-002, MPI, 2007.Google Scholar
S. Jha, N. Li, M. V. Tripunitara, Q. Wang, and H. Winsborough. Towards formal verification of role-based access control policies. IEEE Trans. on Dependable and Secure Comp., 5(4):242--255, 2008. Google ScholarDigital Library
S. Jha and T. Reps. Model Checking SPKI/SDSI. J. of Comp. Sec., 12:317--353, 2004. Google ScholarDigital Library
A. Kern, A. Schaad, and J. Moffett. An Administrative Concept for the Enterprise Role-Based Access Control Model. In SACMAT, pages 3--11, 2003. Google ScholarDigital Library
N. Li and Z. Mao. Administration in Role-Based Access Control. In Proc. of ASIACCS, 2007. Google ScholarDigital Library
N. Li and M. V. Tripunitara. Security analysis in role-based access control. ACM TISSEC, 9(4), 2006. Google ScholarDigital Library
R. Piskac, L. de Moura, and N. Bjoerner. Deciding Effectively Propositional Logic Using DPLL and Substitution Sets. JAR, 44(4):401--424, 2010. Google ScholarDigital Library
R. Sandhu, E. Coyne, H. Feinstein, and C. Youmann. Role-Based Access Control Models. IEEE Computer, 2(29):38--47, 1996. Google ScholarDigital Library
A. Sasturkar, P. Yang, S. D. Stoller, and C. Ramakrishnan. Policy analysis for administrative role based access control. In Proc. of 19th CSF Workshop. IEEE, July 2006. Google ScholarDigital Library
A. Schaad, V. Lotz, and K. Sohr. A model-checking approach to analysing organisational controls in a loan origination process. In SACMAT, pages 139--149, 2006. Google ScholarDigital Library
S. D. Stoller, P. Yang, M. I. Gofman, and C. R. Ramakrishnan. Symbolic Reachability Analysis for Parameterized Administrative Role Based Access Control. In SACMAT'09, pages 445--454, 2007. Google ScholarDigital Library
S. D. Stoller, P. Yang, C. Ramakrishnan, and M. I. Gofman. Efficient policy analysis for administrative role based access control. In ACM CCS, 2007. Google ScholarDigital Library
N. Zhang, M. Ryan, and D. P. Guelev. Evaluating access control policies through model checking. In 8th Info. Sec. Conf., number 3650 in LNCS, 2005. Google ScholarDigital Library

Index Terms

Efficient symbolic automated analysis of administrative attribute-based RBAC-policies

Recommendations

Automated Analysis of Access Control Policies Based on Model Checking
Abstract
Access control is becoming increasingly important for today’s ubiquitous systems which provide mechanism to prevent sensitive resources against unauthorized users. In access control models, the administration of access control policies is a task ...
Read More
DW-RBAC: A formal security model of delegation and revocation in workflow systems

One reason workflow systems have been criticized as being inflexible is that they lack support for delegation. This paper shows how delegation can be introduced in a workflow system by extending the role-based access control (RBAC) model. The current ...
Read More
A logic for state-modifying authorization policies

Administering and maintaining access control systems is a challenging task, especially in environments with complex and changing authorization requirements. A number of authorization logics have been proposed that aim at simplifying access control by ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
March 2011
527 pages
ISBN:9781450305648
DOI:10.1145/1966913
General Chairs:
Bruce Cheung
The University of Hong Kong, China
,
Lucas Chi Kwong Hui
The University of Hong Kong, China
,
Program Chairs:
Ravi Sandhu
University of Texas, San Antonio
,
Duncan S. Wong
City University of Hong Kong, China
Copyright © 2011 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 22 March 2011
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
access control
automated verification
policy
symbolic model checking
Qualifiers
- research-article
Conference

Acceptance Rates
ASIACCS '11 Paper Acceptance Rate35of217submissions,16%Overall Acceptance Rate418of2,322submissions,18%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 30
  Total Citations
  View Citations
- 256
  Total Downloads
- Downloads (Last 12 months)2
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Efficient symbolic automated analysis of administrative attribute-based RBAC-policies

ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Automated Analysis of Access Control Policies Based on Model Checking

DW-RBAC: A formal security model of delegation and revocation in workflow systems

A logic for state-modifying authorization policies