Abstract
Insiders misuse their access to data and are known to pose serious risks to organizations. From a security engineering viewpoint, each insider threat incident is associated with a full, or partial, failure of an access control system. Here, we introduce Function-Based Access Control (FBAC). FBAC is inspired by Functional Encryption but takes a system approach towards the problem. Abstractly, access authorizations are no longer stored as a two-dimensional Access Control Matrix (ACM). Instead, FBAC stores access authorizations as a three-dimensional tensor (called Access Control Tensor). Hence, applications no longer give blindfolded execution rights, and users can only invoke commands that have been authorized at different levels such as data segments. Simply put, one might be authorized to use a certain command on one object while being forbidden to use the same command on another object. Evidently, this level of granularity and customization cannot be efficiently modeled using the classical access control matrix. The theoretical foundations of FBAC are presented along with its Policy, Enforcement, and Implementation (PEI) requirements. A critical analysis of the advantages of deploying FBAC, how it will result in developing a new generation of applications, and compatibility with existing models and systems is also included. Finally, a proof of concept implementation of FBAC is presented.
A preliminary version of this work has been published as “Function-Based Access Control (FBAC): From Access Control Matrix to Access Control Tensor.” Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats. ACM, 2016.
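The matrix-versus-tensor contrast in the abstract can be made concrete with a short sketch. This is an added example, not code from the chapter or its proof of concept; the subject, object and command names are constructed, and treating the classical matrix as two separate relations (object access and command execution) is a simplifying assumption of the example.

```python
from itertools import product

# Constructed sample data: all names are hypothetical, not from the chapter.
SUBJECTS = ["alice", "bob"]
OBJECTS = ["payroll.db", "hr_notes.txt"]
FUNCTIONS = ["search", "export", "edit"]

# Access Control Tensor, stored sparsely: one entry per authorized
# (subject, object, function) cell. Everything else is denied.
ACT = {
    ("alice", "payroll.db", "search"),
    ("alice", "payroll.db", "export"),
    ("alice", "hr_notes.txt", "search"),
    ("bob", "hr_notes.txt", "search"),
    ("bob", "hr_notes.txt", "edit"),
}

def act_allows(subject, obj, function):
    """Tensor check: default deny unless this exact cell is authorized."""
    return (subject, obj, function) in ACT

def project_to_acm(act):
    """Collapse the tensor into two 2-D relations (assumed matrix view):
    which objects a subject may open, and which commands it may run."""
    can_access = {(s, o) for s, o, _ in act}
    can_run = {(s, f) for s, _, f in act}
    return can_access, can_run

def acm_allows(acm, subject, obj, function):
    """Matrix check: object access and command execution decided separately."""
    can_access, can_run = acm
    return (subject, obj) in can_access and (subject, function) in can_run

def over_granted(act):
    """Triples that the 2-D projection permits but the tensor denies."""
    acm = project_to_acm(act)
    return sorted(
        t for t in product(SUBJECTS, OBJECTS, FUNCTIONS)
        if acm_allows(acm, *t) and not act_allows(*t)
    )

if __name__ == "__main__":
    for triple in over_granted(ACT):
        print("matrix view over-grants:", triple)
```

In this sample, the two-relation view lets alice run `export` on `hr_notes.txt` because she may open that file and may run `export` somewhere; the tensor denies it because that specific cell was never authorized.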
Notes
1. Note that the number of different functions one can define with a given finite domain is finite, but too large to have practical value.
Acknowledgments
Arash Shaghaghi acknowledges the support provided by his Ph.D. supervisor Prof. Sanjay Jha at UNSW Sydney. A/Prof. Salil Kanhere also provided useful insights and suggestions in designing deployment scenarios for FBAC.
Copyright information
© 2018 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Desmedt, Y., Shaghaghi, A. (2018). Function-Based Access Control (FBAC): Towards Preventing Insider Threats in Organizations. In: Samarati, P., Ray, I., Ray, I. (eds) From Database to Cyber Security. Lecture Notes in Computer Science, vol 11170. Springer, Cham. https://doi.org/10.1007/978-3-030-04834-1_8
DOI: https://doi.org/10.1007/978-3-030-04834-1_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-04833-4
Online ISBN: 978-3-030-04834-1
eBook Packages: Computer Science, Computer Science (R0)