ABSTRACT
Relationship-based access control (ReBAC) policies can express intricate protection requirements in terms of relationships among users and resources (which can be modeled as a graph). Such policies are useful in domains beyond online social networks. However, given the updating graph of user and resources in a system and expressive conditions in access control policy rules, it can be very challenging for security administrators to envision what can (or cannot) happen as the protection system evolves.
In this paper, we introduce the security analysis problem for this class of policies, where we seek to answer security queries about future states of the system graph and authorizations that are decided accordingly. Towards achieving this goal, we propose a state-transition model of a ReBAC protection system, called RePM. We discuss about formulation of security analysis queries in RePM and present our initial results for a limited version of this model.
- T. Ahmed, R. Sandhu, and J. Park. Classifying and Comparing Attribute-Based and Relationship-Based Access Control. In Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, CODASPY '17, pages 59--70, New York, NY, USA. ACM, 2017. Google ScholarDigital Library
- G. Bruns, P. Fong, I. Siahaan, and M. Huth. Relationship- based Access Control: Its Expression and Enforcement Through Hybrid Logic. In Proceedings of the Second ACM Conference on Data and Application Security and Privacy, CODASPY '12, pages 117--124, New York, NY, USA. ACM, 2012. Google ScholarDigital Library
- B. Carminati, E. Ferrari, R. Heatherly, M. Kantarcioglu, and B. Thuraisingham. A semantic web based framework for social network access control. In Proc. 14th ACM Symposium on Access Control Models and Technologies, pages 177--186. ACM, 2009. Google ScholarDigital Library
- B. Carminati, E. Ferrari, and A. Perego. Enforcing access control in Web-based social networks. ACM Trans. Inf. Syst. Secur., 13(1):1--38, Nov. 2009. issn: 1094--9224. Google ScholarDigital Library
- B. Carminati, E. Ferrari, and A. Perego. Rule-Based Access Control for Social Networks. In R. Meersman, Z. Tari, and P. Herrero, editors, Proc. OTM 2006 Workshops (On the Move to Meaningful Internet Systems), volume 4278 of LNCS, pages 1734--1744. Springer, Oct. 2006. Google ScholarDigital Library
- Y. Cheng, J. Park, and R. Sandhu. Relationship-Based Access Control for Online Social Networks: Beyond User-to-User Relationships. In Proc. 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Confernece on Social Computing, pages 646--655, Sept. 2012. Google ScholarDigital Library
- M. Cramer, J. Pang, and Y. Zhang. A Logical Approach to Restricting Access in Online Social Networks. In Pro- ceedings of the 20th ACM Symposium on Access Control Models and Technologies, SACMAT '15, pages 75--86, New York, NY, USA. ACM, 2015. Google ScholarDigital Library
- J. Crampton and J. Sellwood. ARPPM: Administra- tion in the RPPM Model. In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, CODASPY '16, pages 219--230, New York, NY, USA. ACM, 2016. Google ScholarDigital Library
- J. Crampton and J. Sellwood. Path Conditions and Principal Matching: A New Approach to Access Con- trol. In Proceedings of the 19th ACM Symposium on Access Control Models and Technologies, SACMAT '14, pages 187--198, New York, NY, USA. ACM, 2014. Google ScholarDigital Library
- J. Crampton and J. Sellwood. Relationships, Paths and Principal Matching: A New Approach to Access Control. arXiv:1505.07945 {cs}, May 29, 2015. arXiv: 1505.07945;.Google Scholar
- eXtensible Access Control Markup Language (XACML) Version 3.0, OASIS, 2013.Google Scholar
- P. W. Fong. Relationship-based access control: protection model and policy language. In Proc. CODASPY '11, pages 191--202, San Antonio, TX, USA. ACM, 2011. Google ScholarDigital Library
- P. W. Fong and I. Siahaan. Relationship-based access control policies and their policy languages. In Proc. 16th ACM Symposium on Access Control Models and Technologies, SACMAT '11, pages 51--60, Innsbruck, Austria. ACM, 2011. Google ScholarDigital Library
- M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in operating systems. Commun. ACM, 19(8):461-- 471, Aug. 1976. issn: 0001-0782. Google ScholarDigital Library
- H. Hu, G. J. Ahn, and K. Kulkarni. Discovery and Resolution of Anomalies in Web Access Control Poli- cies. IEEE Transactions on Dependable and Secure Computing, 10(6):341--354, Nov. 2013. issn: 1545--5971. Google ScholarDigital Library
- H. Hu and G.-j. Ahn. Multiparty Authorization Frame- work for Data Sharing in Online Social Networks. In Y. Li, editor, Proceedings of the 25th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, volume 6818 of Lecture Notes in Computer Science, pages 29--43. Springer Berlin / Heidelberg, 2011. Google ScholarDigital Library
- S. R. Kruk. FOAF-Realm: control your friends access to the resource. In Workshop on Friend of a Friend, Social Networking and the Semantic Web, 2004.Google Scholar
- N. Li and M. V. Tripunitara. Security Analysis in Role- based Access Control. In Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies, SACMAT '04, pages 126--135, New York, NY, USA. ACM, 2004. Google ScholarDigital Library
- N. Li and W. H. Winsborough. Beyond proof-of-compliance: safety and availability analysis in trust management. In Proceedings of the 2003 Symposium on Security and Privacy, pages 123--139, May 2003. Google ScholarDigital Library
- N. Li, W. H. Winsborough, and J. C. Mitchell. Dis- tributed credential chain discovery in trust manage- ment. Journal of Computer Security, 11(1):35--86, Jan. 1, 2003. issn: 0926--227X. Google ScholarDigital Library
- D. Lin, P. Rao, E. Bertino, N. Li, and J. Lobo. EXAM: a comprehensive environment for the analysis of access control policies. International Journal of Information Security, 9(4):253--273, Aug. 2010. issn: 1615--5262. Google ScholarDigital Library
- A. Masoumzadeh and J. Joshi. OSNAC: An Ontology- based Access Control Model for Social Networking Systems. In Proc. 2nd IEEE Int'l Conference on Information Privacy, Security, Risk and Trust (PASSAT 2010), pages 751--759, Minneapolis, MN, USA, Aug. 2010. Google ScholarDigital Library
- T. Nelson, D. J. Dougherty, C. Barratt, and K. Fisler. The Margrave Tool for Firewall Analysis. In Proceedings of the 24th USENIX Large Installation System Administration Conference (LISA 2010), 2010. Google ScholarDigital Library
- E. Pasarella and J. Lobo. A Datalog Framework for Modeling Relationship-based Access Control Policies. In Proceedings of the 22Nd ACM on Symposium on Access Control Models and Technologies, pages 91--102, New York, NY, USA. ACM, 2017. Google ScholarDigital Library
- S. Z. R. Rizvi, P. W. Fong, J. Crampton, and J. Sellwood. Relationship-Based Access Control for an Open- Source Medical Records System. In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, SACMAT '15, pages 113--124, New York, NY, USA. ACM, 2015. Google ScholarDigital Library
- R. S. Sandhu. The typed access matrix model. In Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pages 122--136, May 1992. Google ScholarDigital Library
- R. S. Sandhu, V. Bhamidipati, and Q. Munawer. The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and Systems Security, 2(1):105--135, 1999. Google ScholarDigital Library
- R. S. Sandhu. The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes. J. ACM, 35(2):404--432, Apr. 1988. issn: 0004--5411. Google ScholarDigital Library
- A. Sasturkar, P. Yang, S. D. Stoller, and C. R. Ramakrishnan. Policy analysis for administrative role based access control. In Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW'06), 13 pp.--138, 2006. Google ScholarDigital Library
- S. D. Stoller. An Administrative Model for Relationship- Based Access Control. In SpringerLink. IFIP Annual Conference on Data and Applications Security and Privacy, pages 53--68. Springer, Cham, July 13, 2015.Google Scholar
Index Terms
- Security Analysis of Relationship-Based Access Control Policies
Recommendations
Relationship-Based Access Control for an Open-Source Medical Records System
SACMAT '15: Proceedings of the 20th ACM Symposium on Access Control Models and TechnologiesInspired by the access control models of social network systems, Relationship-Based Access Control (ReBAC) was recently proposed as a general-purpose access control paradigm for application domains in which authorization must take into account the ...
Mining Relationship-Based Access Control Policies
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and TechnologiesRelationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which ...
Active Learning of Relationship-Based Access Control Policies
SACMAT '20: Proceedings of the 25th ACM Symposium on Access Control Models and TechnologiesUnderstanding access control policies is essential in understanding the security behavior of systems. However, often times, a complete and accurate specification of the enforced access control policy in a system is not available. In fact, scale and ...
Comments