ABSTRACT
Resiliency is a relatively new topic in the context of access control. Informally, it refers to the extent to which a multi-user computer system, subject to an authorization policy, is able to continue functioning if a number of authorized users are unavailable. Several interesting problems connected to resiliency were introduced by Li, Wang and Tripunitara [13], many of which were found to be intractable. In this paper, we show that these resiliency problems have unexpected connections with the workflow satisfiability problem (WSP). In particular, we show that an instance of the resiliency checking problem (RCP) may be reduced to an instance of WSP. We then demonstrate that recent advances in our understanding of WSP enable us to develop fixed-parameter tractable algorithms for RCP. Moreover, these algorithms are likely to be useful in practice, given recent experimental work demonstrating the advantages of bespoke algorithms to solve WSP. We also generalize RCP in several different ways, showing in each case how to adapt the reduction to WSP. Li et al also showed that the coexistence of resiliency policies and static separation-of-duty policies gives rise to further interesting questions. We show how our reduction of RCP to WSP may be extended to solve these problems as well and establish that they are also fixed-parameter tractable.
- American National Standards Institute. ANSI INCITS 359--2004 for Role Based Access Control, 2004.Google Scholar
- Bertino, E., Ferrari, E., and Atluri, V. The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2, 1 (1999), 65--104. Google ScholarDigital Library
- Cohen, D., Crampton, J., Gagarin, A., Gutin, G., and Jones, M. Iterative plan construction for the workflow satisfiability problem. J. Artif. Intell. Res. (JAIR) 51 (2014), 555--577. Google ScholarDigital Library
- Crampton, J., Gutin, G., and Karapetyan, D. Valued workflow satisfiability problem. In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, Vienna, Austria, June 1-3, 2015 (2015), E. R. Weippl, F. Kerschbaum, and A. J. Lee, Eds., ACM, pp. 3--13. Google ScholarDigital Library
- Crampton, J., Gutin, G., and Watrigant, R. A multivariate approach for checking resiliency in access control. CoRR 1604.01550 (2016).Google Scholar
- Cygan, M., Dell, H., Lokshtanov, D., Marx, D., Nederlof, J., Okamoto, Y., Paturi, R., Saurabh, S., and Wahlstrom, M. On problems as hard as CNF-SAT. In Proceedings of the 2012 IEEE Conference on Computational Complexity (CCC) (Washington, DC, USA, 2012), CCC '12, IEEE Computer Society, pp. 74--84. Google ScholarDigital Library
- Downey, R. G., and Fellows, M. R. Fundamentals of Parameterized Complexity. Texts in Computer Science. Springer, 2013. Google ScholarDigital Library
- Fomin, F. V., Grandoni, F., and Kratsch, D. Measure and conquer: Domination - a case study. In Automata, Languages and Programming, L. Caires, G. Italiano, L. Monteiro, C. Palamidessi, and M. Yung, Eds., vol. 3580 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2005, pp. 191--203. Google ScholarDigital Library
- Gutin, G., Kratsch, S., and Wahlström, M. Polynomial kernels and user reductions for the workflow satisfiability problem. In Parameterized and Exact Computation - 9th International Symposium, IPEC 2014, Wroclaw, Poland, September 10-12, 2014. Revised Selected Papers (2014), pp. 208--220.Google Scholar
- Impagliazzo, R., Paturi, R., and Zane, F. Which problems have strongly exponential complexity? J. Comput. Syst. Sci. 63, 4 (2001), 512--530. Google ScholarDigital Library
- Karapetyan, D., Gagarin, A. V., and Gutin, G. Pattern backtracking algorithm for the workflow satisfiability problem with user-independent constraints. In Frontiers in Algorithmics - 9th International Workshop, FAW 2015, Guilin, China, July 3-5, 2015, Proceedings (2015), J. Wang and C. Yap, Eds., vol. 9130 of Lecture Notes in Computer Science, Springer, pp. 138--149.Google Scholar
- Khan, A. A., and Fong, P. W. L. Satisfiability and feasibility in a relationship-based workflow authorization model. In Computer Security - ESORICS 2012 - 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings (2012), S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, Springer, pp. 109--126.Google Scholar
- Li, N., Wang, Q., and Tripunitara, M. V. Resiliency policies in access control. ACM Trans. Inf. Syst. Secur. 12, 4 (2009). Google ScholarDigital Library
- Sandhu, R. S., Coyne, E. J., Feinstein, H. L., and Youman, C. E. Role-based access control models. IEEE Computer 29, 2 (1996), 38--47. Google ScholarDigital Library
- Wang, Q., and Li, N. Satisfiability and resiliency in workflow authorization systems. ACM Trans. Inf. Syst. Secur. 13, 4 (2010), 40. Google ScholarDigital Library
Index Terms
- Resiliency Policies in Access Control Revisited
Recommendations
Resiliency policies in access control
CCS '06: Proceedings of the 13th ACM conference on Computer and communications securityWe introduce the notion of resiliency policies in the context of access control systems. Such policies require an access control system to be resilient to the absence of users. An example resiliency policy requires that, upon removal of any s users, ...
Resiliency Policies in Access Control
We introduce the notion of resiliency policies in the context of access control systems. Such policies require an access control system to be resilient to the absence of users. An example resiliency policy requires that upon removal of any s users, ...
The Authorization Policy Existence Problem
CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and PrivacyConstraints such as separation-of-duty are widely used to specify requirements that supplement basic authorization policies. However, the existence of constraints (and authorization policies) may mean that a user is unable to fulfill her/his ...
Comments