Scalable Automated Analysis of Access Control and Privacy Policies
Access control is becoming increasingly important for today's ubiquitous systems. Sophisticated security requirements need to be ensured by authorization policies for increasingly complex and large applications. As a consequence, designers need to understand such policies and ensure that they meet the desired security constraints, while administrators must also maintain them so as to comply with the evolving needs of systems and applications. These tasks are greatly complicated by the expressiveness and the dimensions of the authorization policies. It is thus necessary to provide policy designers and administrators with automated analysis techniques that are capable of foreseeing if, and under what conditions, security properties may be violated. In this paper, we consider this analysis problem in the context of Role-Based Access Control (RBAC), one of the most widespread access control models. We describe how we design heuristics to enable an analysis tool, called asaspXL, to scale up to handle large and complex Administrative RBAC policies. We also discuss the capability of applying the techniques inside the tool to the analysis of location-based privacy policies. Extensive experimentation shows that the proposed heuristics play a key role in the success of the analysis tool over the state-of-the-art analysis tools.
This research is funded by Vietnam National University Ho Chi Minh City (VNU-HCM) under grant number C2017-20-17.