ABSTRACT
Access control systems are a key component of computer system security. This paper presents the results of an effort to understand the usability of current access control systems. A study was conducted to observe users of three access control systems: UNIX discretionary access control (DAC), SELinux, and a novel access control system, a File System Firewall (FSF), which we have designed and implemented. Several recommendations for improving user experiences with access control systems are presented based on our analysis of the study results.
Title: An empirical study of three access control systems