Abstract
In many ubiquitous systems, Role-Based Access Control (RBAC) is often used to restrict system access to authorized users. Spatial-Temporal Role-Based Access Control (STRBAC) is an extension of RBAC with contextual information (such as time and space) and has been adopted in real-world applications. In a large organization, the RBAC policy may be complex and managed by multiple collaborative administrators to satisfy the evolving needs of the organization. Collaborative administrative actions may interact with each other in unintended ways, which may result in undesired effects on the security requirements of the organization. Analysis of these RBAC security concerns has been studied, especially with Administrative Role-Based Access Control (ARBAC97). However, the analysis of its extension with contextual information, e.g., STRBAC, has not been considered in the literature. In this paper, we introduce a security analysis technique for the safety of Administrative STRBAC (ASTRBAC) policies. We leverage First-Order Logic and Symbolic Model Checking (SMT) by translating ASTRBAC policies into decidable reachability problems. An extensive experimental evaluation confirms the correctness of our proposed solution, which supports the analysis of finite ASTRBAC policies without prior knowledge about the number of users.
Acknowledgements
This research is funded by Vietnam National University HoChiMinh City (VNU-HCM) under grant number C2017-20-17.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Dinh, K.K.Q., Tran, T.D., Truong, A. (2017). Security Analysis of Administrative Role-Based Access Control Policies with Contextual Information. In: Dang, T., Wagner, R., Küng, J., Thoai, N., Takizawa, M., Neuhold, E. (eds) Future Data and Security Engineering. FDSE 2017. Lecture Notes in Computer Science, vol 10646. Springer, Cham. https://doi.org/10.1007/978-3-319-70004-5_17
DOI: https://doi.org/10.1007/978-3-319-70004-5_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70003-8
Online ISBN: 978-3-319-70004-5
eBook Packages: Computer Science (R0)