Shadowed Authorization Policies - A Disaster Waiting to Happen?

  • Conference paper
Web Information Systems Engineering – WISE 2019 (WISE 2020)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 11881)

Abstract

Information security has been in the mainstream of computing for the last few decades, and our increasing reliance on large-scale distributed systems, such as the Cloud, has put greater emphasis on the security capabilities of these systems. Security concerns are amongst the important factors affecting adoption of the Cloud. This paper identifies and addresses issues concerning the management of hierarchical authorization policies in the Cloud. These policy models pose the risk of policy shadowing, where the decisions taken at higher levels mask possibly erroneous or conflicting policy specifications at the lower levels. We introduce the notion of shadowed policies and present a model, based on the formal Event-Calculus (EC), for the identification of shadowed policies. The results show that our proposed approach is scalable and practical.

Notes

  1. http://decreasoner.sourceforge.net.

  2. Complete models along with setup and execution instructions are available at https://www.icloud.com/iclouddrive/0E4u-NuXGiGkpoql5BMamWhGQ#wise19.

Author information

Correspondence to Ehtesham Zahoor, Uzma Bibi or Olivier Perrin.

© 2019 Springer Nature Switzerland AG

Cite this paper

Zahoor, E., Bibi, U., Perrin, O. (2019). Shadowed Authorization Policies - A Disaster Waiting to Happen?. In: Cheng, R., Mamoulis, N., Sun, Y., Huang, X. (eds) Web Information Systems Engineering – WISE 2019. WISE 2020. Lecture Notes in Computer Science, vol 11881. Springer, Cham. https://doi.org/10.1007/978-3-030-34223-4_22

  • DOI: https://doi.org/10.1007/978-3-030-34223-4_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34222-7

  • Online ISBN: 978-3-030-34223-4

  • eBook Packages: Computer Science, Computer Science (R0)
