Analysis and Comparison of Access Control Policies Validation Mechanisms

Aqib, Muhammad; Shaikh, Riaz Ahmed

doi:10.5815/ijcnis.2015.01.08

Cited by 13 publications

(13 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An undefined request in fact leads to a problem since its evaluation leads to multiple incompatible replies. This definition is stricter than satisfiability and covers the usual notion of conflicts we found for instance in security policies [25,6]. This has two simple consequences: i) any useful system has undefined requests and ii) these undefined requests are included in 1≤i≤n D i .…”

Section: Definition 3 (Undefined Requests)mentioning

confidence: 96%

“…There are already several verification methods and algorithms for rule-based policies, in expert systems and databases [2], for Web policies and contracts [3], and in the security domain [4,5,6]. In this paper we will focus on formal methods and assume a formal policy written in a decidable logic.…”

Section: Introductionmentioning

confidence: 99%

“…In the domain of security policies, the problem of conflicts has been intensively studied. In surveys on security [4,5,6], conflict detection is a central problem but it is typically treated together with other tasks like finding bugs, redundancies, misconfigurations, etc. We propose a specific solution for static conflict detection, that we believe to be one of most critical issues in modern rule-based systems.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Efficiently Characterizing the Undefined Requests of a Rule-Based System

Cheng

Royer

Tisi

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Rule-based systems are used to define complex policies in several contexts, because of the flexibility and modularity they provide. This is especially critical for security systems, which may require to compose evolving policies for privacy, accountability, access control, etc. The inclusion of conflicting rules in complex policies, results in the inability of the system to unambiguously answer to certain requests, with possibly unpredictable effects. The static identification of these undefined requests is particularly challenging for unconstrained rule-based systems, including quantifiers, computations and chaining of rules. In this paper we introduce a static method to precisely characterize the set of all undefined requests for a given unconstrained rule-based system, providing the user with a global view of the rule conflicts. We propose an enumerative approach, made usable in practice by two key performance optimizations: a finer classification of the rules and the resort of the topological sorting. We demonstrate its application on a well-known policy with more than fifty rules.

show abstract

Section: Definition 3 (Undefined Requests)mentioning

confidence: 96%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficiently Characterizing the Undefined Requests of a Rule-Based System

Cheng

Royer

Tisi

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…A brief comparison of the model checking tools we considered. A more complete treatment can be found in the work of Aqib and Shaikh [27].…”

Section: Verification and Validationmentioning

confidence: 99%

“…A brief summary of the tools or approaches based on model checking is given in Table 8. We refer the readers to Aqib and Shaikh [27] for a detailed survey of verification and validation tools and approaches for access control policies.…”

Section: T-way Combination Tests: a Policy Developermentioning

confidence: 99%

Controlled BTG: Toward Flexible Emergency Override in Interoperable Medical Systems

Tasali¹,

Sublett²,

Vasserman³

2020

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

INTRODUCTION:In medical cyber-physical systems (mCPS), availability must be prioritized over other security properties, making it challenging to craft least-privilege authorization policies which preserve patient safety and confidentiality even during emergency situations. For example, unauthorized access to device(s) connected to a patient or an app controlling these devices could result in patient harm. Previous work has suggested a virtual version of "Break the Glass" (BTG), an analogy to breaking a physical barrier to access a protected emergency resource such as a fire extinguisher or "crash cart". In healthcare, BTG is used to override access controls and allow for unrestricted access to resources, e.g. Electronic Health Records. After a "BTG event" completes, the actions of all concerned parties are audited to validate the reasons and legitimacy for the override.OBJECTIVES: Medical BTG has largely been treated as an all-or-nothing scenario: either a means to obtain unrestricted access is provided, or BTG is not supported. We show how to handle BTG natively within the ABAC model, maintaining full compatibility with existing access control frameworks, putting BTG in the policy domain rather than requiring framework modifications. This approach also makes BTG more flexible, allowing for fine-grained facility-specific policies, and even automates auditing in many situations, while maintaining the principle of least-privilege. METHODS:We do this by constructing a BTG "meta-policy" which works with existing access control policies by explicitly allowing override when requested. RESULTS:We present a sample BTG policy and formally verify that the resulting combined set of access control policies correctly satisfies the goals of the original policy set and allows expanded access during a BTG event. We show how to use the same verification methods to check new policies, easing the process of crafting least-privilege policies.

show abstract

Using Expert Systems to Statically Detect "Dynamic" Conflicts in XACML

Stepien

Felty

2016

2016 11th International Conference on Availability, Reliability and Security (ARES)

View full text Add to dashboard Cite

Analysis and Comparison of Access Control Policies Validation Mechanisms

Cited by 13 publications

References 46 publications

Efficiently Characterizing the Undefined Requests of a Rule-Based System

Efficiently Characterizing the Undefined Requests of a Rule-Based System

Controlled BTG: Toward Flexible Emergency Override in Interoperable Medical Systems

Using Expert Systems to Statically Detect "Dynamic" Conflicts in XACML

Contact Info

Product

Resources

About