skip to main content
10.1145/3589608.3593840acmconferencesArticle/Chapter ViewAbstractPublication PagessacmatConference Proceedingsconference-collections
research-article

The Hardness of Learning Access Control Policies

Published: 24 May 2023 Publication History

Abstract

The problem of learning access control policies is receiving increasing attention in research. We contribute to the foundations of this problem by posing and addressing meaningful questions on computational hardness. Our work addresses learning access control policies in the context of three different models from the literature: the access matrix, and Role- and Relationship-Based Access Control (RBAC and ReBAC, respectively). Our underlying theory is the well-established notion of Probably Approximately Correct (PAC), with careful extensions for our setting. The data, or examples, a learning algorithm is provided in our setup is that related to access enforcement, which is the process by which a request for access to a resource is decided. For the access matrix, we pose a learning problem that turns out to be computationally easy, and another that we prove is computationally hard. We generalize the former result so we have a sufficient condition for establishing other problems to be computationally easy. With these results as the basis, we consider five learning problems in the context of RBAC, two of which turn out to be computationally hard. Finally, we consider four learning problems in the context of ReBAC, all of which turn out to be computationally easy. Every proof for a problem that is computationally easy is constructive, in that we propose a learning algorithm for the problem that is efficient, and probably, approximately correct. As such, our work makes contributions at the foundations of an important, emerging aspect of access control, and thereby, information security.

References

[1]
Dana Angluin. Learning regular sets from queries and counterexamples. Information and Computation, 75(2):87--106, 1987.
[2]
Thomas Cormen, Charles Leiserson, Ronald Rivest, and Clifford Stein. Introduction to Algorithms, Fourth Edition. MIT Press, 2022.
[3]
Carlos Cotrini, Thilo Weghorn, and David Basin. Mining abac rules from sparse logs. In 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pages 31--46. IEEE, 2018.
[4]
Alina Ene, William Horne, Nikola Milosavljevic, Prasad Rao, Robert Schreiber, and Robert E. Tarjan. Fast exact and heuristic methods for role minimization problems. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, SACMAT '08, pages 1--10, New York, NY, USA, 2008. Association for Computing Machinery.
[5]
Philip W.L. Fong. Relationship-based access control: Protection model and policy language. In Proceedings of the First ACM Conference on Data and Application Security and Privacy, CODASPY '11, pages 191--202, New York, NY, USA, 2011. Association for Computing Machinery.
[6]
Michael R. Garey and David S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, 1979.
[7]
E Mark Gold. Complexity of automaton identification from given data. Information and Control, 37(3):302--320, 1978.
[8]
Oded Goldreich. Computational Complexity: A Conceptual Perspective. Cambridge University Press, 2008.
[9]
Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman. Protection in operating systems. Commun. ACM, 19(8):461--471, aug 1976.
[10]
John E Hopcroft, Rajeev Motwani, and Jeffrey D Ullman. Introduction to automata theory, languages, and computation. Acm Sigact News, 32(1):60--65, 2001.
[11]
Vincent C. Hu, David Ferraiolo, Rick Kuhn, Adam Schnitzer, Kenneth Sandlin, Robert Miller, and Karen Scarfone. Guide to attribute based access control (abac) definition and considerations. NIST Special Publication 800--162, https://doi.org/10.6028/NIST.SP.800--162, 2014.
[12]
Padmavathi Iyer and Amirreza Masoumzadeh. Active learning of relationship-based access control policies. In Proceedings of the 25th ACM Symposium on Access Control Models and Technologies, SACMAT '20, pages 155--166, New York, NY, USA, 2020. Association for Computing Machinery.
[13]
Padmavathi Iyer and Amirreza Masoumzadeh. Learning relationship-based access control policies from black-box systems. ACM Transactions on Privacy and Security, 25(3):1--36, 2022.
[14]
Michael J Kearns and Umesh Vazirani. An introduction to computational learning theory. MIT press, 1994.
[15]
Johannes Kobler, Uwe Schöning, and Jacobo Torán. The graph isomorphism problem: its structural complexity. Springer Science & Business Media, 2012.
[16]
Ha Thanh Le, Cu Duy Nguyen, Lionel Briand, and Benjamin Hourte. Automated inference of access control policies for web applications. In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, SACMAT '15, pages 27--37, New York, NY, USA, 2015. Association for Computing Machinery.
[17]
Amirreza Masoumzadeh. Inferring unknown privacy control policies in a social networking system. In Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society, WPES '15, pages 21--25, New York, NY, USA, 2015. Association for Computing Machinery.
[18]
Barsha Mitra, Shamik Sural, Jaideep Vaidya, and Vijayalakshmi Atluri. A survey of role mining. ACM Comput. Surv., 48(4), feb 2016.
[19]
Mohammad Nur Nobi, Maanak Gupta, Lopamudra Praharaj, Mahmoud Abdelsalam, Ram Krishnan, and Ravi Sandhu. Machine learning in access control: A taxonomy and survey. https://arxiv.org/abs/2207.01739, 2022.
[20]
Leonard Pitt and Leslie G Valiant. Computational limitations on learning from examples. Journal of the ACM (JACM), 35(4):965--984, 1988.
[21]
Jerome H. Saltzer. Protection and the control of information sharing in multics. Commun. ACM, 17(7):388--402, jul 1974.
[22]
R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. Role-based access control models. Computer, 29(2):38--47, 1996.
[23]
Leslie G Valiant. A theory of the learnable. Communications of the ACM, 27(11):1134--1142, 1984.
[24]
Zhongyuan Xu and Scott D Stoller. Mining attribute-based access control policies. IEEE Transactions on Dependable and Secure Computing, 12(5):533--545, 2014.

Cited By

View all
  • (2024)BlueSky: How to Raise a Robot - A Case for Neuro-Symbolic AI in Constrained Task Planning for Humanoid Assistive RobotsProceedings of the 29th ACM Symposium on Access Control Models and Technologies10.1145/3649158.3657034(117-125)Online publication date: 24-Jun-2024

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
SACMAT '23: Proceedings of the 28th ACM Symposium on Access Control Models and Technologies
May 2023
218 pages
ISBN:9798400701733
DOI:10.1145/3589608
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 24 May 2023

Permissions

Request permissions for this article.

Check for updates

Badges

  • Best Paper

Author Tags

  1. computational hardness
  2. probably approximately correct

Qualifiers

  • Research-article

Funding Sources

  • NSERC

Conference

SACMAT '23
Sponsor:

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)53
  • Downloads (Last 6 weeks)1
Reflects downloads up to 20 Jan 2025

Other Metrics

Citations

Cited By

View all
  • (2024)BlueSky: How to Raise a Robot - A Case for Neuro-Symbolic AI in Constrained Task Planning for Humanoid Assistive RobotsProceedings of the 29th ACM Symposium on Access Control Models and Technologies10.1145/3649158.3657034(117-125)Online publication date: 24-Jun-2024

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media