Abstract
The location of a mobile user is valuable information for access control decisions. Hence, several location-aware extensions to role-based access control (RBAC) exist in the literature. However, these approaches do not consider positioning errors, which leads to unexpected security breaches when the user's true position (ground truth) differs from the reported location. Further, most approaches simply define a polygon as the authorized zone and authorize when the reported position lies inside it. To overcome these limitations, this paper presents a risk-optimal approach to RBAC. Position estimates are represented as probability distributions instead of points. Location constraints are assigned to RBAC elements and include cost functions for false positive and false negative decisions as well as feature models, which replace the traditionally used polygons. Feature models describe, for each location, the likelihood that a specific feature can be observed. The evaluation shows that such risk-optimal RBAC outperforms risk-ignoring, polygon-based approaches. However, this risk-optimality comes at the expense of a runtime that increases strongly with the number of applied location constraints.
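The contrast drawn in the abstract, as an added sketch that is not code from the paper: a polygon check on the reported point beside a decision that weighs a position distribution and a feature model against false-positive and false-negative costs. The Gaussian error model, the minimum-expected-cost rule, the zone, the feature values and the costs are all assumptions made for illustration; the paper's own formulation is not shown on this page.

```python
import math

ZONE = (0, 0, 10, 10)  # constructed authorised room: x0, y0, x1, y1 in metres
CELLS = [(x, y) for x in range(-10, 21) for y in range(-10, 21)]  # 1 m grid

def position_pmf(reported, sigma):
    """Position estimate as a distribution: isotropic Gaussian around the
    reported fix (assumed error model), discretised on CELLS."""
    w = [math.exp(-((x - reported[0]) ** 2 + (y - reported[1]) ** 2)
                  / (2 * sigma ** 2)) for x, y in CELLS]
    total = sum(w)
    return [v / total for v in w]

def feature_model(cell):
    """Constructed feature 'screen cannot be seen from the corridor':
    a likelihood per location instead of a hard polygon edge."""
    x, y = cell
    x0, y0, x1, y1 = ZONE
    if not (x0 <= x <= x1 and y0 <= y <= y1):
        return 0.0
    return 0.6 if x <= 1 else 1.0  # strip next to a glass wall

def polygon_decision(reported):
    """Risk-ignoring baseline: grant iff the reported point is in the zone."""
    x0, y0, x1, y1 = ZONE
    return x0 <= reported[0] <= x1 and y0 <= reported[1] <= y1

def risk_optimal_decision(reported, sigma, cost_fp, cost_fn):
    """Grant iff a wrong grant is expected to cost less than a wrong deny."""
    pmf = position_pmf(reported, sigma)
    p = sum(pr * feature_model(c) for pr, c in zip(pmf, CELLS))
    risk_grant = (1.0 - p) * cost_fp  # granted although the feature is absent
    risk_deny = p * cost_fn           # denied although the feature holds
    return risk_grant < risk_deny, p

if __name__ == "__main__":
    # (reported fix, false-positive cost, false-negative cost), all constructed
    for fix, cfp, cfn in [((5, 5), 10, 1), ((1, 5), 10, 1), ((-1, 5), 1, 5)]:
        grant, p = risk_optimal_decision(fix, 2.0, cfp, cfn)
        print(fix, "polygon:", polygon_decision(fix),
              "risk-optimal:", grant, "P(feature)=%.3f" % p)
```

With a 2 m positioning error, the fix at (1, 5) passes the polygon check but is denied under a high false-positive cost, while the fix at (-1, 5) fails the polygon check but is granted when a wrong denial is the costlier error.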
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Marcus, P., Schauer, L., Linnhoff-Popien, C. (2015). Location-Aware RBAC Based on Spatial Feature Models and Realistic Positioning. In: Lopez, J., Ray, I., Crispo, B. (eds) Risks and Security of Internet and Systems. CRiSIS 2014. Lecture Notes in Computer Science, vol 8924. Springer, Cham. https://doi.org/10.1007/978-3-319-17127-2_9
DOI: https://doi.org/10.1007/978-3-319-17127-2_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17126-5
Online ISBN: 978-3-319-17127-2
eBook Packages: Computer Science (R0)