Temporal RBAC Security Analysis Using Logic Programming in the Presence of Administrative Policies

  • Sadhana Jha
  • Shamik Sural
  • Jaideep Vaidya
  • Vijayalakshmi Atluri
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8880)


Temporal Role Based Access Control (TRBAC) is an extension of the role based access control (RBAC) model in the temporal domain. It is used by organizations needing to enforce temporal constraints on enabling and disabling of roles. For any chosen access control model, decentralization of administrative authority necessitates the use of a separate administrative model. Even with the use of an administrative model, decentralization often leads to an increased concern for security. Analysis of security properties of RBAC has been extensively done using its administrative model (ARBAC97). However, TRBAC security analysis in the presence of an administrative model so far has received limited attention. This paper proposes a method for performing formal security analysis of TRBAC considering a recently proposed administrative model named AMTRAC, which includes all the relations of ARBAC97 as well as an additional set of relations (named REBA) for administering the role enabling base of a TRBAC system. All the components of TRBAC and AMTRAC are specified in Prolog along with the desired safety and liveness properties. Initially, these properties are verified considering the non-temporal relations only, followed by handling of the temporal relations as well. Experimental results show that the method is both effective as well as scalable.


TRBAC AMTRAC Prolog Security Analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bertino, E., Bonatti, P.A., Ferrari, E.: Trbac: A temporal role-based access control model. ACM Transactions on Information and System Security, 191–233 (2001)Google Scholar
  2. 2.
    Bertino, E., Catania, B., Damiani, M.L., Perlasca, P.: Geo-rbac: A spatially aware rbac. In: Proc. of the 10th ACM Symposium on Access Control Models and Technologies, pp. 29–37. ACM (2005)Google Scholar
  3. 3.
    Jha, S., Li, N., Tripunitara, M., Wang, Q., Winsborough, W.: Towards formal verification of role-based access control policies. IEEE Transactions on Dependable and Secure Computing, 242–255 (2008)Google Scholar
  4. 4.
    Joshi, J.B., Bertino, E., Latif, U., Ghafoor, A.: A generalized temporal role-based access control model. IEEE Transactions on Knowledge and Data Engineering, 4–23 (2005)Google Scholar
  5. 5.
    Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management framework. In: Proc. of the IEEE Symposium on Security and Privacy, pp. 114–130. IEEE (2002)Google Scholar
  6. 6.
    Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM Transactions on Information and System Security, 391–420 (2006)Google Scholar
  7. 7.
    Mondal, S., Sural, S.: Security analysis of temporal-rbac using timed automata. In: Proc. of the 4th International Conference on Information Assurance and Security, pp. 37–40. IEEE (2008)Google Scholar
  8. 8.
    Mondal, S., Sural, S., Atluri, V.: Towards formal security analysis of gtrbac using timed automata. In: Symposium on Access Control Models and Technologies, pp. 33–42. ACM (2009)Google Scholar
  9. 9.
    Oh, S., Sandhu, R.: A model for role administration using organization structure. In: Proc. of the 7th ACM Symposium on Access Control Models and Technologies, pp. 155–162. ACM (2002)Google Scholar
  10. 10.
    Ray, I., Kumar, M., Yu, L.: LRBAC: A location-aware role-based access control model. In: Bagchi, A., Atluri, V. (eds.) ICISS 2006. LNCS, vol. 4332, pp. 147–161. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    Ray, I., Toahchoodee, M.: A spatio-temporal role-based access control model. In: Barker, S., Ahn, G.-J. (eds.) Data and Applications Security 2007. LNCS, vol. 4602, pp. 211–226. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Sandhu, R., Bhamidipati, V., Munawer, Q.: The arbac97 model for role-based administration of roles. ACM Transactions on Information and System Security, 105–135 (1999)Google Scholar
  13. 13.
    Sandhu, R., Munawer, Q.: The arbac99 model for administration of roles. In: Proc. of the 15th Annual Conference on Computer Security Applications, pp. 229–238. IEEE (1999)Google Scholar
  14. 14.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer, 38–47 (1996)Google Scholar
  15. 15.
    Shafiq, B., Masood, A., Joshi, J., Ghafoor, A.: A role-based access control policy verification framework for real-time systems. In: 10th International Workshop Object-Oriented Real-Time Dependable Systems, pp. 13–20. IEEE (2005)Google Scholar
  16. 16.
    Sharma, M., Sural, S., Vaidya, J., Atluri, V.: Amtrac: An administrative model for temporal role-based access control. Computers & Security (2013)Google Scholar
  17. 17.
    Toahchoodee, M., Ray, I.: Using alloy to analyze a spatio-temporal access control model supporting delegation. IET Information Security, 75–113 (2009)Google Scholar
  18. 18.
    Uzun, E., Atluri, V., Sural, S., Vaidya, J., Parlato, G., Ferrara, A.L., Parthasarathy, M.: Analyzing temporal role-based access control models. In: Proc. of the 17th ACM Symposium on Access Control Models and Technologies, pp. 177–186. ACM (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Sadhana Jha
    • 1
  • Shamik Sural
    • 2
  • Jaideep Vaidya
    • 3
  • Vijayalakshmi Atluri
    • 3
  1. 1.Advanced Technology Development CentreIndian Institute of TechnologyKharagpurIndia
  2. 2.School of Information TechnologyIndian Institute of TechnologyKharagpurIndia
  3. 3.Management Science and Information Systems DepartmentRutgers UniversityUSA

Personalised recommendations