Practical safety in flexible access control models

Published: 01 May 2001

Abstract

Assurance that an access control configuration will not result in the leakage of a right to an unauthorized principal, called safety, is fundamental to ensuring that the most basic of access control policies can be enforced. It has been proven that the safety of an access control configuration cannot be decided for a general access control model, such as Lampson's access matrix, so safety is achieved either through the use of limited access control models or the verification of safety via constraints. Currently, almost all safety critical systems use limited access control models, such as Bell--LaPadula or Domain and Type Enforcement, because constraint expression languages are far too complex for typical administrators to use properly. However, researchers have identified that most constraints belong to one of a few basic types, so our goal is to develop a constraint expression model in which these constraints can be expressed in a straightforward way and extensions can be made to add other constraints, if desired. Our approach to expressing constraints has the following properties: (1) an access control policy is expressed using a graphical model in which the nodes represent sets (e.g., of subjects, objects, etc.) and the edges represent binary relationships on those sets and (2) constraints are expressed using a few, simple set operators on graph nodes. The basic graphical model is very simple, and we extend this model only as necessary to satisfy the identified constraint types. Since the basic graphical model is also general, further extension to support other constraints is possible, but such extensions should be made with caution as each increases the complexity of the model. Our hope is that by keeping the complexity of constraint expression in check, flexible access control models, such as role-based access control, may also be used for expressing access control policy for safety-critical systems.
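The abstract describes constraints as simple set operators over a graph whose nodes are sets and whose edges are binary relations. The following Python sketch is an added illustration of that idea, not code or notation from the paper: it builds a constructed toy configuration (the subject, role and permission names, the two relations `assign` and `grant`, and the two constraint types are all assumptions chosen for the example), derives each subject's rights by following the edges, and evaluates a no-leak constraint and a mutual-exclusion constraint as set intersections. The safety check is run on the configuration that would result from a proposed change, so that an indirect leak through a shared role is caught before the edge is committed.

```python
import copy
from dataclasses import dataclass, field

# Constructed example (not the paper's model or code). Nodes are sets of
# subjects, roles and permissions; edges are binary relations between them;
# constraints are set operators on the sets derived from those edges.


@dataclass
class Config:
    subjects: set
    roles: set
    permissions: set
    assign: set = field(default_factory=set)  # edges: (subject, role)
    grant: set = field(default_factory=set)   # edges: (role, permission)

    def roles_of(self, subject):
        return {r for (s, r) in self.assign if s == subject}

    def rights_of(self, subject):
        """Derived set: permissions reachable via subject -> role -> permission."""
        held = self.roles_of(subject)
        return {p for (r, p) in self.grant if r in held}


def violations(cfg, forbidden, exclusive):
    """Evaluate the constraints; an empty list means the configuration is safe.

    forbidden: dict subject -> permissions that must never reach that subject,
               i.e. rights_of(s) & forbidden[s] must be empty (no leakage).
    exclusive: roles that are mutually exclusive (separation of duty),
               i.e. |roles_of(s) & exclusive| <= 1 for every subject.
    """
    out = []
    for s in sorted(cfg.subjects):
        leaked = cfg.rights_of(s) & forbidden.get(s, set())
        if leaked:
            out.append(f"leak: {s} would hold {sorted(leaked)}")
        conflict = cfg.roles_of(s) & exclusive
        if len(conflict) > 1:
            out.append(f"sod: {s} would hold conflicting roles {sorted(conflict)}")
    return out


def violations_after(cfg, relation, edge, forbidden, exclusive):
    """Simulate adding one edge to a relation and re-check every constraint.

    Re-deriving all rights (rather than inspecting only the new edge) is what
    catches indirect leaks, e.g. a new role -> permission edge that reaches
    every subject already assigned to that role. The original is left intact.
    """
    trial = copy.deepcopy(cfg)
    getattr(trial, relation).add(edge)
    return violations(trial, forbidden, exclusive)


def safe_to_add(cfg, relation, edge, forbidden, exclusive):
    return not violations_after(cfg, relation, edge, forbidden, exclusive)


def build_example():
    # Constructed sample configuration for the demonstration.
    cfg = Config(
        subjects={"alice", "bob"},
        roles={"clerk", "approver", "auditor"},
        permissions={"submit", "approve", "audit"},
        assign={("alice", "clerk"), ("bob", "auditor")},
        grant={("clerk", "submit"), ("approver", "approve"), ("auditor", "audit")},
    )
    forbidden = {"bob": {"submit", "approve"}}  # the auditor must stay read-only
    exclusive = {"clerk", "approver"}           # nobody both submits and approves
    return cfg, forbidden, exclusive


if __name__ == "__main__":
    cfg, forbidden, exclusive = build_example()
    print(violations(cfg, forbidden, exclusive))
    # Direct separation-of-duty conflict on alice:
    print(violations_after(cfg, "assign", ("alice", "approver"), forbidden, exclusive))
    # Indirect leak: the new grant reaches bob through the auditor role:
    print(violations_after(cfg, "grant", ("auditor", "approve"), forbidden, exclusive))
```

Both constraint types reduce to an intersection and a cardinality test on derived sets, which is the kind of expression the abstract argues is manageable for an administrator; adding a new constraint type means adding one more such function, and each addition should be weighed against the extra complexity it brings, as the abstract cautions.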

References

  1. Ahn, G., and Sandhu, R. 1999. The RSL99 language for role-based separation of duty constraints. In Proceedings of the 4th Workshop on Role-Based Access Control.
  2. Ahn, G., and Sandhu, R. 2000. Role-based authorization constraint specification. ACM Trans. Inf. Syst. Sec. 3, 4 (Nov.).
  3. Ammann, P. E., and Sandhu, R. S. 1991. Safety analysis for the extended schematic protection model. In Proceedings of the IEEE Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif.
  4. Ammann, P. E., and Sandhu, R. S. 1992. The extended Schematic Protection Model. J. Comput. Sec. 1.
  5. Ammann, P., and Sandhu, R. 1994. One-representative safety analysis in the non-monotonic transform model. In Proceedings of the 7th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos, Calif., pp. 138-149.
  6. Bell, D., and La Padula, L. 1973. Secure computer systems: Mathematical foundations (Volume 1). Tech. Rep. ESD-TR-73-278, Mitre Corporation.
  7. Bertino, E., Ferrari, E., and Atluri, V. 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Sec. (TISSEC) 1, 2 (Feb.).
  8. Bertino, E., Jajodia, S., Samarati, P., and Subrahmanian, V. S. 1997. A unified framework for enforcing multiple access control policies. In Proceedings of the ACM SIGMOD Conference on Management of Data (May). ACM, New York.
  9. Bishop, M., and Snyder, L. 1979. The transfer of information and authority in a protection system. In Proceedings of the 7th Annual ACM Symposium on Operating System Principles. ACM, New York, pp. 45-54.
  10. Boebert, W. E., and Kain, R. Y. 1985. A practical alternative to hierarchical integrity policies. In Proceedings of the 8th National Computer Security Conference (Gaithersburg, Md.).
  11. Brewer, D. F. C., and Nash, M. J. 1989. The Chinese wall security policy. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, Calif., May). IEEE Computer Society Press, Los Alamitos, Calif.
  12. Clark, D. D., and Wilson, D. R. 1987. A comparison of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, Calif., Apr.). IEEE Computer Society Press, Los Alamitos, Calif.
  13. Gal, A., and Atluri, V. 2000. An authorization model for temporal data. In Proceedings of the 7th Conference on Computer and Communication Security.
  14. Giuri, L., and Iglio, P. 1997. Role templates for content-based access control. In Proceedings of the 2nd Workshop on Role-Based Access Control.
  15. Gligor, V. D., Gavrila, S. I., and Ferraiolo, D. 1998. On the formal definition of separation-of-duty policies and their composition. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif.
  16. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. 1976. Protection in operating systems. Commun. ACM 19, 8 (Aug.).
  17. Jaeger, T. 2001. Managing access control complexity using metrics. In Proceedings of the 6th ACM Symposium on Access Control Models and Technologies (May). ACM, New York.
  18. Jaeger, T., Michailidis, T., and Rada, R. 1999a. Access control in a virtual university. In Proceedings of the 5th IEEE International Workshop on Enterprise Security (WETICE 1999) (June). IEEE Computer Society Press, Los Alamitos, Calif.
  19. Jaeger, T., Prakash, A., Liedtke, J., and Islam, N. 1999b. Flexible control of downloaded executable content. ACM Trans. Inf. Syst. Sec. (TISSEC) 2, 2 (May).
  20. Jajodia, S., Samarati, P., and Subrahmanian, V. S. 1997. A logical language for expressing authorizations. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif.
  21. Kuhn, D. R. 1997. Mutual exclusion of roles as a means of implementing separation of duty in a role-based access control system. In Proceedings of the 2nd ACM Role-Based Access Control Workshop. ACM, New York.
  22. Lampson, B. W. 1974. Protection. Oper. Syst. Rev. 8, 1 (Jan.), pp. 18-24.
  23. Lupu, E., and Sloman, M. 1999. Conflicts in policy-based distributed systems management. IEEE Trans. Softw. Eng. 25, 6 (Nov./Dec.).
  24. Lunt, T., Denning, D., Schell, R., Heckman, M., and Shockley, W. 1990. The SeaView security model. IEEE Trans. Softw. Eng. 16, 6 (June).
  25. Lupu, E. C., and Sloman, M. 1997. A policy based role object model. In Proceedings of the 1st IEEE Enterprise Distributed Object Computing Workshop (Oct.). IEEE Computer Society Press, Los Alamitos, Calif.
  26. Nyanchama, M., and Osborn, S. 1999. The role graph model and conflict of interest. ACM Trans. Inf. Syst. Sec. 2, 1 (Feb.).
  27. Osborn, S. 1997. Mandatory access control and role-based access control revisited. In Proceedings of the 2nd ACM Workshop on Role-Based Access Control (Nov.). ACM, New York.
  28. Osborn, S., and Guo, Y. 2000. Modelling users in role-based access control. In Proceedings of the 5th ACM Role-Based Access Control Workshop (July).
  29. Saltzer, J., and Schroeder, M. 1975. The protection of information in computer systems. Proc. IEEE 63, 9 (Sept.).
  30. Sandhu, R. S. 1988. The schematic protection model: Its definition and analysis for acyclic attenuating schemes. J. ACM 35, 2 (Apr.), 404-432.
  31. Sandhu, R. S. 1992. The typed access matrix model. In Proceedings of the IEEE Symposium on Security and Privacy (May). IEEE Computer Society Press, Los Alamitos, Calif.
  32. Sandhu, R. S. 1998. Transaction control expressions for separation of duties. In Proceedings of the 4th Aerospace Computer Security Applications Conference (Dec.).
  33. Sandhu, R. S., Bhamidipati, V., and Munawer, Q. 1999. The ARBAC97 model for role-based administration of roles. ACM Trans. Inf. Syst. Sec. 1, 2 (Feb.).
  34. Sandhu, R. S., Coyne, E. J., Feinstein, H. F., and Youman, C. E. 1994. Role-based access control: A multi-dimensional view. In Proceedings of the 10th Annual Computer Security Applications Conference (Dec.).
  35. Sandhu, R. S., Coyne, E., Feinstein, H. L., and Youman, C. E. 1996. Role-based access control models. IEEE Comput. 29, 2 (Feb.), 38-47.
  36. Simon, R., and Zurko, M. E. 1997. Mutual exclusion of roles as a means of implementing separation of duty in a role-based access control system. In Proceedings of the 10th IEEE Computer Security Foundations Workshop (June). IEEE Computer Society Press, Los Alamitos, Calif.
  37. Snyder, L. 1977. On the synthesis and analysis of protection systems. In Proceedings of the 6th ACM Symposium on Operating System Principles. ACM, New York, pp. 141-150.
  38. Tidswell, J. E., and Jaeger, T. 2000a. Integrated constraints and inheritance in DTAC. In Proceedings of the 5th ACM Role-Based Access Control Workshop (July). ACM, New York.
  39. Tidswell, J. E., and Jaeger, T. 2000b. An access control model for simplifying constraint expression. In Proceedings of the 7th ACM Conference on Computer and Communication Security (Nov.). ACM, New York.
  40. Tidswell, J. E., Outhred, G., and Potter, J. 1999. Dynamic rights: Safe extensible access control. In Proceedings of the 4th ACM Role-Based Access Control Workshop (Nov.). ACM, New York.
  41. Tidswell, J. E., and Potter, J. 1998. A dynamically typed access control model. In Proceedings of the Third Australasian Conference on Information Security and Privacy (July).


Published in

ACM Transactions on Information and System Security (TISSEC), Volume 4, Issue 2, May 2001, 88 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/501963

Copyright © 2001 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: article