Skip to main content
SpringerLink
Log in

Security Analysis of Administrative Role-Based Access Control Policies with Contextual Information

  • Conference paper
  • First Online:
Future Data and Security Engineering (FDSE 2017)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 10646))

Included in the following conference series:

Abstract

In many ubiquitous systems, Role-based Access Control (RBAC) is often used to restrict system access to authorized users. Spatial-Temporal Role-Based Access Control (STRBAC) is an extension of RBAC with contextual information (such as time and space) and has been adopted in real world applications. In a large organization, the RBAC policy may be complex and managed by multiple collaborative administrators to satisfy the evolving needs of the organization. Collaborative administrative actions may interact in unintended ways with each other’s that may result in undesired effects to the security requirement of the organization. Analysis of these RBAC security concerns have been studied, especially with the Administrative Role-Based Access Control (ARBAC97). However, the analysis of its extension with contextual information, e.g., STRBAC, has not been considered in the literature. In this paper, we introduce a security analysis technique for the safety of Administrative STRBAC (ASTRBAC) Policies. We leverage First-Order Logic and Symbolic Model Checking (SMT) by translating ASTRBAC policy to decidable reachability problems. An extensive experimental evaluation confirms the correctness of our proposed solution, which supports finite ASTRBAC policies analysis without prior knowledge about the number of users.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Samarati, P., Vimercati, S.: Access control policies, models, and mechanisms. In: FOSAD: International School on Foundations of Security Analysis and Design, pp. 137–196 (2000)

    Google Scholar 

  2. National Computer Security Center (NCSC): A Guide to Understanding Discretionary Access Control in Trusted System, Report NSCD-TG-003 Version1, 30 September 1987

    Google Scholar 

  3. Osborn, S.: Mandatory access control and role-based access control revisited. In: Proceedings of the 2nd ACM Workshop on Role-Based Access Control, RBAC 1997, pp. 31–40. ACM (1997)

    Google Scholar 

  4. Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. IEEE Comput. 29(7), 38–47 (1996)

    Article  Google Scholar 

  5. Ferraiolo, K.: Role-based access control. In: 15th National Computer Security Conference, pp. 554–563, October 1992

    Google Scholar 

  6. Sandhu, R., Ferraiolo, D., Kuhn, R.: The NIST model for role based access control: toward a unified standard. In: 5th ACM Workshop Role-Based Access Control, pp. 47–63, July 2000

    Google Scholar 

  7. Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Trans. Inform. Syst. Secur. (TISSEC) 2(1), 105–135 (1999)

    Article  Google Scholar 

  8. Kumar, M., Newman, R.: STRBAC - an approach towards spatiotemporal role-based access control. In: Proceedings of the Third IASTED International Conference on Communication Network and Information Security CNIS, pp. 150–155 (2006)

    Google Scholar 

  9. Sharma, M., Sural, S., Atluri, V., Vaidya, J.: An administrative model for spatio-temporal role based access control. In: Bagchi, A., Ray, I. (eds.) ICISS 2013. LNCS, vol. 8303, pp. 375–389. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45204-8_28

    Chapter  Google Scholar 

  10. Li, N., Tripunitara, M.: Security analysis in role-based access control. In: The Proceedings of ACM Symposium on Access Control Models and Technologies, pp. 126–135. ACM Press (2004)

    Google Scholar 

  11. Jha, S., Li, N., Tripunitara, M., Wang, Q., Winsborough, H.: Towards formal verification of role-based access control policies. IEEE TDSC 5(4), 242–255 (2008)

    Google Scholar 

  12. Gofman, M.I., Luo, R., Solomon, Ayla C., Zhang, Y., Yang, P., Stoller, Scott D.: RBAC-PAT: a policy analysis tool for role based access control. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 46–49. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00768-2_4

    Chapter  Google Scholar 

  13. Jayaraman, K., Tripunitara, M., Ganesh, V., Rinard, M., Chapin, S.: Mohawk: abstraction-refinement and bound-estimation for verifying access control policies. ACM TISSEC 15(4), 18 (2013)

    Article  Google Scholar 

  14. Ferrara, A.L., Madhusudan, P., Nguyen, T.L., Parlato, G.: Vac - verifier of administrative role-based access control policies. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 184–191. Springer, Cham (2014). doi:10.1007/978-3-319-08867-9_12

    Google Scholar 

  15. Ranise, S., Truong, A., Vigano, L.: Automated analysis of RBAC policies with temporal constraints and static role hierarchies. In: The Proceeding of the 30th ACM Symposium on Applied Computing (SAC 2015), pp. 2177–2184. ACM (2015)

    Google Scholar 

  16. Ranise, S., Truong, A., Armando, A.: Scalable and precise automated analysis of administrative temporal role-based access control. In: Proceedings of the 19th ACM Symposium on Access Control Models and Technologies, pp. 103–114. ACM (2014)

    Google Scholar 

  17. Ranise, S., Truong, A.: ASASPXL new clother for analysing ARBAC policies. In: International Conference on Future Data and Security Engineering, FDSE (2016)

    Google Scholar 

  18. Ghilardi, S., Ranise, S.: MCMT: a model checker modulo theories. In: Giesl, J., Hähnle, R. (eds.) IJCAR 2010. LNCS, vol. 6173, pp. 22–29. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14203-1_3

    Chapter  Google Scholar 

  19. Harrison, M., Ruzzo, W., Ullman, J.: Protection in operating systems. Commun. ACM 19(8), 461–471 (1976)

    Article  MATH  Google Scholar 

  20. Bertino, E., Bonatti, P., Ferrari, E.: TRBAC a temporal role based access control model. ACM TISSEC 4(3), 191–233 (2001)

    Article  Google Scholar 

  21. Joshi, J., Bertino, E., Latif, U., Ghafoor, A.: A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng. 17(1), 4–23 (2005)

    Article  Google Scholar 

  22. Kumar, M., Newman, R.: STRBAC - an approach towards spatio-temporal role-based access control. In: Communication, Network, and Information Security, pp. 150–155 (2006)

    Google Scholar 

  23. Aich, S., Mondal, S., Sural, S., Majumdar, A.: Role based access control with spatio-temporal context for mobile applications. Trans. Comput. Sci. IV, 177–199 (2009)

    Google Scholar 

  24. Uzun, E., Atluri, V., Sural, S., Vaidya, J., Parlato, G., Ferrara, A.: Analyzing temporal role based access control models. In: SACMAT, pp. 177–186. ACM (2012)

    Google Scholar 

  25. Ghilardi, S., Ranise, S.: Backward reachability of array-based systems by SMT solving termination and invariant synthesis. Logical Methods Comput. Sci. LMCS 6(4), 1–48 (2010)

    MATH  MathSciNet  Google Scholar 

  26. http://research.microsoft.com/en-us/um/redmond/projects/z3

  27. Ranise, S., Truong, A., Armando, A.: Scalable and precise automated analysis of administrative temporal role-based access control, pp. 103–114 (2014)

    Google Scholar 

  28. Ranise, S.: Symbolic backward reachability with effectively propositional logic: applications to security policy analysis. FMSD 42(1), 24–45 (2013)

    MATH  Google Scholar 

  29. Piskac, R., Moura, L., Bjørner, N.: Deciding effectively propositional logic using DPLL and substitution sets. J. Autom. Reasoning 44(4), 401–424 (2010)

    Article  MATH  MathSciNet  Google Scholar 

  30. Sasturkar, A., Yang, A., Stoller, S., Ramakrishnan, C.: Policy analysis for administrative role based access control. In: 19th IEEE Computer Security Foundations Workshop, pp. 124–138 (2006)

    Google Scholar 

Download references

Acknowledgements

This research is funded by Vietnam National University HoChiMinh City (VNU-HCM) under grant number C2017-20-17.

Author information

Authors and Affiliations

  1. Ho Chi Minh City University of Technology, Ho Chi Minh, Vietnam

    Khai Kim Quoc Dinh, Tuan Duc Tran & Anh Truong

Authors
  1. Khai Kim Quoc Dinh
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tuan Duc Tran
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Anh Truong
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Anh Truong .

Editor information

Editors and Affiliations

  1. HCMC University of Technology, Ho Chi Minh City, Vietnam

    Tran Khanh Dang

  2. Johannes Kepler University Linz, Linz, Austria

    Roland Wagner

  3. Johannes Kepler University Linz, Linz, Austria

    Josef Küng

  4. Ho Chi Minh City University of Technolog , Ho Chi Minh City, Vietnam

    Nam Thoai

  5. Hosei University, Koganei, Tokyo, Japan

    Makoto Takizawa

  6. University of Vienna, Vienna, Austria

    Erich J. Neuhold

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Dinh, K.K.Q., Tran, T.D., Truong, A. (2017). Security Analysis of Administrative Role-Based Access Control Policies with Contextual Information. In: Dang, T., Wagner, R., Küng, J., Thoai, N., Takizawa, M., Neuhold, E. (eds) Future Data and Security Engineering. FDSE 2017. Lecture Notes in Computer Science(), vol 10646. Springer, Cham. https://doi.org/10.1007/978-3-319-70004-5_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-70004-5_17

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70003-8

  • Online ISBN: 978-3-319-70004-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation