Security Analysis of Unified Access Control Policies

  • Mahendra Pratap Singh
  • Shamik Sural
  • Vijayalakshmi Atluri
  • Jaideep Vaidya
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1186)


In the modern computing era, access to resources is often restricted through contextual information and the attributes of users, objects and various other entities. Attribute-Based Access Control (ABAC) can capture those requirements as a policy, but it has not yet been adopted as widely as Role Based Access Control (RBAC) because it lacks a comprehensive administrative model. In the last few years, several efforts have been made to combine ABAC with RBAC, but they are limited to specification and enforcement only. Recently, we presented a unified framework along with a role-based administrative model that enables specification, enforcement and maintenance of unified access control policies, such as ABAC, RBAC and Meta-Policy Based Access Control (MPBAC). This paper describes the components of the role-based administrative model and then presents a methodology that uses a fixed-point based approach for verifying the security properties (such as safety and liveness) of those policies in the presence of the administrative model. We also analyse the impact of ABAC, RBAC, MPBAC and administrative model components on the time taken for security analysis. Experimental results demonstrate that the proposed approach is scalable as well as effective.
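The abstract describes a fixed-point approach to checking safety and liveness of a unified policy under an administrative model, but the page does not show how such a check is carried out. The following is an added, deliberately small Python example (not the paper's code or encoding): it computes the set of user-role assignments reachable through administrative actions as a least fixed point, layers one attribute-based rule on top of the role permissions, and then answers a safety query (can a user ever obtain a permission?) and a liveness query (is a role always held by someone?). The users, roles, attributes and the ARBAC97-style assignment rule form are all constructed for illustration and are not taken from the paper.

```python
"""Reachability-based safety/liveness check for a small unified policy under
administrative rules, computed as a least fixed point (constructed example)."""

# --- Constructed policy data (hypothetical, not from the paper) ---------------
USERS = ("alice", "bob")
# Permissions granted through roles (the RBAC part).
ROLE_PERMS = {
    "employee": {"read_wiki"},
    "engineer": {"deploy"},
    "auditor": {"view_logs"},
}
# User attributes; an ABAC rule below grants view_logs to "high" clearance.
USER_ATTRS = {"alice": {"clearance": "high"}, "bob": {"clearance": "low"}}

# ARBAC97-style assignment rules (assumed rule form): a role may be assigned to a
# user only if the user already holds every role in `required` and no role in
# `forbidden`. Revocation is allowed only for roles listed in CAN_REVOKE.
CAN_ASSIGN = [
    (frozenset(), frozenset(), "employee"),
    (frozenset({"employee"}), frozenset({"auditor"}), "engineer"),
    (frozenset({"employee"}), frozenset({"engineer"}), "auditor"),
]
CAN_REVOKE = {"engineer", "auditor"}

# Initial user-role assignment: a set of (user, role) pairs.
INIT = frozenset({("alice", "employee")})


def permissions(state, user):
    """Effective permissions of `user` in `state`: role permissions plus the ABAC rule."""
    perms = set()
    for u, role in state:
        if u == user:
            perms |= ROLE_PERMS[role]
    if USER_ATTRS.get(user, {}).get("clearance") == "high":
        perms.add("view_logs")          # attribute-based grant, independent of roles
    return perms


def successors(state):
    """All states reachable from `state` by one administrative action."""
    for user in USERS:
        held = {role for u, role in state if u == user}
        for required, forbidden, target in CAN_ASSIGN:
            if target not in held and required <= held and not (forbidden & held):
                yield state | {(user, target)}
        for role in held & CAN_REVOKE:
            yield state - {(user, role)}


def reachable(initial):
    """Least fixed point of R = {initial} | post(R): every state the
    administrators can bring the system into."""
    reach = {initial}
    frontier = [initial]
    while frontier:                     # stop once no new state appears
        new = []
        for s in frontier:
            for t in successors(s):
                if t not in reach:
                    reach.add(t)
                    new.append(t)
        frontier = new
    return reach


def witness(initial, predicate):
    """Return a reachable state satisfying `predicate`, or None if there is none."""
    for s in sorted(reachable(initial), key=sorted):
        if predicate(s):
            return s
    return None


def is_safe(initial, user, perm):
    """Safety: `user` can never obtain `perm` in any reachable state."""
    return witness(initial, lambda s: perm in permissions(s, user)) is None


def is_live(initial, role):
    """Liveness (availability): `role` is held by some user in every reachable state."""
    return witness(initial, lambda s: not any(r == role for _, r in s)) is None


if __name__ == "__main__":
    print("reachable states:", len(reachable(INIT)))
    print("bob can never view_logs:", is_safe(INIT, "bob", "view_logs"))
    print("engineer role always staffed:", is_live(INIT, "engineer"))
    print("witness for bob obtaining deploy:",
          witness(INIT, lambda s: "deploy" in permissions(s, "bob")))
```

The `witness` function is what makes a failed safety check actionable: it returns the concrete sequence-free state in which the property breaks, so an administrator can see which assignments have to be forbidden. Note that explicit enumeration of reachable states, as done here, grows exponentially with the number of users and roles; the fixed-point engines used in the literature for this problem encode the same least fixed point symbolically over constraints precisely so that the analysis scales beyond toy policies.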


Keywords

Security analysis, Fixed-point analysis, Attribute Based Access Control, Role Based Access Control, Meta-Policy Based Access Control



Research reported in this publication was supported by the National Institutes of Health under award R01GM118574 and by the National Science Foundation under awards CNS-1564034, CNS-1624503, and CNS-1747728. The content is solely the responsibility of the authors and does not necessarily represent the official views of the agencies funding the research.



Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Mahendra Pratap Singh (1)
  • Shamik Sural (1)
  • Vijayalakshmi Atluri (2)
  • Jaideep Vaidya (2)
  1. Department of CSE, Indian Institute of Technology Kharagpur, Kharagpur, India
  2. Department of MSIS, Rutgers University, Newark, USA
