Automated and Efficient Analysis of Role-Based Access Control with Attributes

Armando, Alessandro; Ranise, Silvio

doi:10.1007/978-3-642-31540-4_3

Cited by 16 publications

(8 citation statements)

References 27 publications

(44 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This can no more be done when the hierarchy is time-dependent, rising a new challenge for our safety analysis technique. As a final remark, we would like to point out the problem of finding adequate benchmark sets that we have faced several times in our efforts for this paper and previous works [3,1,5,4,20,19] for the design of safety analysis techniques in access control. As in many other papers in the literature (see, e.g., [24,13,9]), the evaluation is based on benchmarks derived from synthetic policies.…”

Section: Discussionmentioning

confidence: 97%

Scalable and precise automated analysis of administrative temporal role-based access control

Ranise¹,

Truong

Armando

2014

Proceedings of the 19th ACM Symposium on Access Control Models and Technologies

Self Cite

View full text Add to dashboard Cite

Extensions of Role-Based Access Control (RBAC) policies taking into account contextual information (such as time and space) are increasingly being adopted in real-world applications. Their administration is complex since they must satisfy rapidly evolving needs. For this reason, automated techniques to identify unsafe sequences of administrative actions (i.e. actions generating policies by which a user can acquire permissions that may compromise some security goals) are fundamental tools in the administrator's tool-kit.In this paper, we propose a precise and scalable automated analysis technique for the safety of administrative temporal RBAC policies. Our approach is to translate safety problems for this kind of policy to (decidable) reachability problems of a certain class of symbolic transition systems. The correctness of the translation allows us to design a precise analysis technique for the safety of administrative RBAC policies with a finite but unknown number of users. For scalability, we present a heuristics that allows us to reduce the set of administrative actions without losing the precision of the analysis. An extensive experimental analysis confirms the scalability and precision of the approach also in comparison with a recent analysis technique developed for the same class of temporal RBAC policies.

show abstract

Section: Discussionmentioning

confidence: 97%

Scalable and precise automated analysis of administrative temporal role-based access control

Ranise¹,

Truong

Armando

2014

Proceedings of the 19th ACM Symposium on Access Control Models and Technologies

Self Cite

View full text Add to dashboard Cite

show abstract

“…Although the parameters of role can be considered as user attributes, all parameters are treated as atomicvalued and are only changed together with the modification of role. Similar works are [3,4] which presented symbolic analysis for attribute RBAC models. Our work is fundamentally different from these in consideration of administration of multiple attributes including atomic valued attributes, whereas the ARBAC97 analysis only deals with a single set-valued attribute called role.…”

Section: Related Workmentioning

confidence: 93%

Reachability analysis for role-based administration of attributes

Jin

Krishnan

Sandhu

2013

Proceedings of the 2013 ACM Workshop on Digital Identity Management

View full text Add to dashboard Cite

Attribute-based access control (ABAC) is well-known and increasingly prevalent. Nonetheless, administration of attributes is not well-studied so far. Recently, the Generalized User-Role Assignment model (GURA) was proposed to provide ARBAC97-style (administrative role-based access control) administration of user attributes. An attribute is simply a name-value pair, examples of which include clearance, group and affiliations. In GURA, user attributes are collectively administered by different administrative roles to enable distributed administration. Given an administrative policy that specifies the conditions under which administrative roles can modify user attributes, it is useful to understand whether an attribute of a particular user can reach a specific value because user attributes are used for security-sensitive activities such as authentication, authorization and audit. In this paper, we study the user-attribute reachability problems in a restricted GURA model called rGURA. We formalize rGURA as a state transition system and show that the reachability problems for its general cases are PSPACE-complete. However, we do find polynomial-time solutions to reachability problems for limited versions of rGURA that are still useful in practice. The algorithms not only answer reachability problem but also provide a plan of sequential attribute updates by one or more administrators in order to reach particular values for user attributes. rGURA is relatively simple and practical. It is likely that other proposals will subsume the functionality of rGURA and thereby subsume its complexity results.

show abstract

“…SMT and SAT solvers are commonly used in policies analysis. Authors in [36,37] present analysis techniques based on SMT solvers for analyzing XACML and variant of RBAC policies. Abductive reasoning solutions were also proposed to reason out policies conflicts and gaps.…”

Section: Verification and Validation Of Access Control Policiesmentioning

confidence: 99%

A Methodology and Toolkit for Deploying Reliable Security Policies in Critical Infrastructures

Jaidi

Ayachi

Bouhoula

2018

Security and Communication Networks

View full text Add to dashboard Cite

Substantial advances in Information and Communication Technologies (ICT) bring out novel concepts, solutions, trends, and challenges to integrate intelligent and autonomous systems in critical infrastructures. A new generation of ICT environments (such as smart cities, Internet of Things,edge-fog-social-cloudcomputing, and big data analytics) is emerging; it has different applications to critical domains (such as transportation, communication, finance, commerce, and healthcare) and different interconnections via multiple layers of public and private networks, forming a grid of critical cyberphysical infrastructures. Protecting sensitive and private data and services in critical infrastructures is, at the same time, a main objective and a great challenge for deploying secure systems. It essentially requires setting up trusted security policies. Unfortunately, security solutions should remain compliant and regularly updated to follow and track the evolution of security threats. To address this issue, we propose an advanced methodology for deploying and monitoring the compliance of trusted access control policies. Our proposal extends the traditional life cycle of access control policies with pertinent activities. It integrates formal and semiformal techniques allowing the specification, the verification, the implementation, the reverse-engineering, the validation, the risk assessment, and the optimization of access control policies. To automate and facilitate the practice of our methodology, we introduce our systemSVIRVROthat allows managing the extended life cycle of access control policies. We refer to an illustrative example to highlight the relevance of our contributions.

show abstract

Automated and Efficient Analysis of Role-Based Access Control with Attributes

Cited by 16 publications

References 27 publications

Scalable and precise automated analysis of administrative temporal role-based access control

Scalable and precise automated analysis of administrative temporal role-based access control

Reachability analysis for role-based administration of attributes

A Methodology and Toolkit for Deploying Reliable Security Policies in Critical Infrastructures

Contact Info

Product

Resources

About