Abstract
Access Control is becoming increasingly important for today's ubiquitous systems. Sophisticated security requirements need to be ensured by authorization policies for increasingly complex and large applications. As a consequence, designers need to understand such policies and ensure that they meet the desired security constraints, while administrators must also maintain them so as to comply with the evolving needs of systems and applications. These tasks are greatly complicated by the expressiveness and the dimensions of the authorization policies. It is thus necessary to provide policy designers and administrators with automated analysis techniques that are capable of foreseeing whether, and under what conditions, security properties may be violated. In this paper, we consider this analysis problem in the context of Role-Based Access Control (RBAC), one of the most widespread access control models. We describe how we design heuristics to enable an analysis tool, called asaspXL, to scale up to handle large and complex Administrative RBAC policies. We also discuss the capability of applying the techniques inside the tool to the analysis of location-based privacy policies. Extensive experimentation shows that the proposed heuristics play a key role in the success of the analysis tool over the state-of-the-art analysis tools.
Acknowledgement
This research is funded by Vietnam National University Ho Chi Minh City (VNU-HCM) under grant number C2017-20-17.
© 2017 Springer-Verlag GmbH Germany
About this chapter
Cite this chapter
Truong, A., Ranise, S., Nguyen, T.T. (2017). Scalable Automated Analysis of Access Control and Privacy Policies. In: Hameurlain, A., Küng, J., Wagner, R., Dang, T., Thoai, N. (eds) Transactions on Large-Scale Data- and Knowledge-Centered Systems XXXVI. Lecture Notes in Computer Science, vol 10720. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-56266-6_7
DOI: https://doi.org/10.1007/978-3-662-56266-6_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-56265-9
Online ISBN: 978-3-662-56266-6
eBook Packages: Computer Science (R0)