DOI: 10.1145/1966913.1966935

Efficient symbolic automated analysis of administrative attribute-based RBAC-policies

Published: 22 March 2011

Abstract

Automated techniques for the security analysis of Role-Based Access Control (RBAC) policies are crucial for their design and maintenance. The definition of administrative domains by means of attributes attached to users makes the RBAC model easier to use in real scenarios but complicates the development of security analysis techniques, which should be able to reason modularly about a wide range of attribute domains. In this paper, we describe an automated symbolic security analysis technique for administrative attribute-based RBAC policies. A class of formulae of first-order logic is used as an adequate symbolic representation for the policies and their administrative actions. State-of-the-art automated theorem proving techniques are used (off-the-shelf) to mechanize the security analysis procedure. Besides discussing the assumptions for the effectiveness and termination of the procedure, we demonstrate its efficiency through an extensive empirical evaluation.


Published In

ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
March 2011
527 pages
ISBN:9781450305648
DOI:10.1145/1966913

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. access control
  2. automated verification
  3. policy
  4. symbolic model checking

Qualifiers

  • Research-article

Conference

ASIA CCS '11

Acceptance Rates

Overall Acceptance Rate 160 of 921 submissions, 17%
