DOI: 10.1145/3450569.3463570 (ACM SIGSAC SACMAT conference proceedings)
Research article

Towards Unifying RBAC with Information Flow Control

Published: 11 June 2021

Abstract

Role-based Access Control (RBAC) is one of the most widely implemented access control models. In today's complex computing systems, one of the increasingly sought-after features for reliable security is information flow control. Although RBAC is a policy-neutral and generic model, its implementations generally do not provide information flow control. In this paper, we present two approaches to address this issue. In the first method, we describe how a lattice model can be captured using an RBAC configuration. In the second method, we analyze the information flows in a given RBAC policy using a decentralized lattice model called Readers-Writers Flow Model. This method identifies the indirect information flows in the policy and helps in creating flow-secure RBAC policies. We discuss the scope and limitations of these methods in detail and also present a brief case study. Finally, we investigate the use of flow-secure RBAC policies in creating flow-secure Attribute-based Access Control (ABAC) policies.
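The abstract describes analysing an RBAC policy for indirect information flows: a role that can read one object and write another moves information between them, and chains of such roles let information reach roles that were never granted read access to its source. The following is an added illustration of that idea, not the paper's own method or code. It assumes a toy policy shape (role to read/write object sets, all constructed here), treats a flow as existing whenever some role reads the source and writes the destination, takes the transitive closure to find indirect flows, and calls a policy flow-secure when no role can obtain information from an object outside its own read set.

```python
"""Added example (not from the paper): indirect-flow analysis of a toy RBAC policy.

Assumptions (all constructed for this illustration):
  * a policy maps role -> {"read": set(objects), "write": set(objects)}
  * a role reading A and writing B induces a direct flow A -> B
  * indirect flows are the transitive closure of direct flows
  * a policy is flow-secure when every role's reachable sources equal its read set
"""

# Constructed policy with a leak: the public role never reads secret_report,
# but analyst copies it into summary and clerk copies summary into bulletin.
POLICY = {
    "analyst": {"read": {"secret_report"}, "write": {"summary"}},
    "clerk":   {"read": {"summary"},       "write": {"bulletin"}},
    "public":  {"read": {"bulletin"},      "write": set()},
}

# Constructed hardened variant: analyst's notes are readable by analyst only,
# and the clerk's write target is an object whose sources the public may read.
POLICY_SECURE = {
    "analyst": {"read": {"secret_report", "analyst_notes"}, "write": {"analyst_notes"}},
    "clerk":   {"read": {"bulletin"},                       "write": {"bulletin"}},
    "public":  {"read": {"bulletin"},                       "write": set()},
}


def direct_flows(policy):
    """Return the set of (src, dst) object pairs connected by some role's read+write."""
    flows = set()
    for perms in policy.values():
        for src in perms["read"]:
            for dst in perms["write"]:
                if src != dst:          # a self-flow carries no new information
                    flows.add((src, dst))
    return flows


def transitive_closure(flows):
    """Close a set of (src, dst) edges under composition to expose indirect flows."""
    closure = set(flows)
    while True:
        derived = {(a, d) for (a, b) in closure for (c, d) in closure if b == c and a != d}
        if derived <= closure:
            return closure
        closure |= derived


def reachable_sources(policy):
    """Map each role to every object whose content it can obtain, directly or via flows."""
    closure = transitive_closure(direct_flows(policy))
    result = {}
    for role, perms in policy.items():
        reach = set(perms["read"])
        for src, dst in closure:
            if dst in perms["read"]:
                reach.add(src)
        result[role] = reach
    return result


def indirect_reads(policy):
    """Roles that can obtain information from objects outside their read set."""
    leaks = {}
    for role, reach in reachable_sources(policy).items():
        extra = reach - policy[role]["read"]
        if extra:
            leaks[role] = extra
    return leaks


def is_flow_secure(policy):
    """True when no role gains information beyond what its read permissions grant."""
    return not indirect_reads(policy)


if __name__ == "__main__":
    for name, pol in (("POLICY", POLICY), ("POLICY_SECURE", POLICY_SECURE)):
        print(name, "direct:", sorted(direct_flows(pol)))
        print(name, "indirect reads:", indirect_reads(pol))
        print(name, "flow-secure:", is_flow_secure(pol))
```

Running the block reports that in the leaky policy the clerk indirectly obtains secret_report and the public role obtains both summary and secret_report, so the policy is not flow-secure, while the hardened variant is. A real analysis would additionally fold in role hierarchies (a senior role inherits its juniors' reads and writes) and label objects with lattice levels, which this toy omits.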


Cited By

  • (2024) Strategy for Implementing of Zero Trust Architecture. IEEE Transactions on Reliability 73:1, 93-100. DOI: 10.1109/TR.2023.3345665. Online publication date: Mar 2024.
  • (2021) Realizing Information Flow Control in ABAC Mining. Cyberspace Safety and Security, 107-119. DOI: 10.1007/978-3-030-94029-4_8. Online publication date: 9 Nov 2021.

Published In

SACMAT '21: Proceedings of the 26th ACM Symposium on Access Control Models and Technologies
June 2021, 194 pages
ISBN: 9781450383653
DOI: 10.1145/3450569

Publisher

Association for Computing Machinery, New York, NY, United States
      Author Tags

      1. ABAC mining
      2. RBAC
      3. flow-secure policy
      4. information flow control
      5. readers-writers flow model
      6. role-based access control

Conference

SACMAT '21
Overall acceptance rate: 177 of 597 submissions, 30%

Article Metrics

  • Downloads (last 12 months): 38
  • Downloads (last 6 weeks): 3
  Reflects downloads up to 27 Feb 2025
