Skip to main content

Advertisement

SpringerLink
Log in
Menu
Find a journal Publish with us
Search
Cart
Book cover

IFIP Annual Conference on Data and Applications Security and Privacy

DBSec 2012: Data and Applications Security and Privacy XXVI pp 25–40Cite as

  1. Home
  2. Data and Applications Security and Privacy XXVI
  3. Conference paper
Automated and Efficient Analysis of Role-Based Access Control with Attributes

Automated and Efficient Analysis of Role-Based Access Control with Attributes

  • Alessandro Armando17,18 &
  • Silvio Ranise18 
  • Conference paper
  • 2056 Accesses

  • 14 Citations

Part of the Lecture Notes in Computer Science book series (LNISA,volume 7371)

Abstract

We consider an extension of the Role-Based Access Control model in which rules assign users to roles based on attributes. We consider an open (allow-by-default) policy approach in which rules can assign users negated roles thus preventing access to the permissions associated to the role. The problems of detecting redundancies and inconsistencies are formally stated. By expressing the conditions on the attributes in the rules with formulae of theories that can be efficiently decided by Satisfiability Modulo Theories (SMT) solvers, we characterize the decidability and complexity of the problems of detecting redundancies and inconsistencies. The proof of the result is constructive and based on an algorithm that repeatedly solves SMT problems. An experimental evaluation with synthetic benchmark problems shows the practical viability of our technique.

Keywords

  • Access Control
  • Background Theory
  • Access Control Policy
  • Role Base Access Control
  • Authorization Rule

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Download conference paper PDF

References

  1. Adi, K., Bouzida, Y., Hattak, I., Logrippo, L., Mankovskii, S.: Typing for Conflict Detection in Access Control Policies. In: Babin, G., Kropf, P., Weiss, M. (eds.) MCETECH 2009. LNBIP, vol. 26, pp. 212–226. Springer, Heidelberg (2009)

    CrossRef  Google Scholar 

  2. Al-Kahtani, M., Sandhu, R.: A Model for Attribute-Based User-Role Assignment. In: Proc. of 18th Annual Comp. Sec. App. Conf., Las Vegas, Nevada (2002)

    Google Scholar 

  3. Al-Kahtani, M., Sandhu, R.: Induced Role Hierarchies with Attribute-Based RBAC. In: Proc. of 8th ACM SACMAT (2003)

    Google Scholar 

  4. Al-Kahtani, M., Sandhu, R.: Rule-based RBAC with negative authorization. In: Proc. of 20th Annual Comp. Sec. App. Conf., pp. 405–415 (2004)

    Google Scholar 

  5. Alberti, F., Armando, A., Ranise, S.: Efficient Symbolic Automated Analysis of Administrative Role Based Access Control Policies. In: Proc. of 6th ACM Symp. on Info., Computer and Comm. Security, ASIACCS 2011 (2011)

    Google Scholar 

  6. Ardagna, C., De Capitani di Vimercati, S., Paraboschi, S., Pedrini, E., Samarati, P., Verdicchio, M.: Expressive and Deployable Access Control in Open Web Service Applications. IEEE Trans. on Serv. Comp. (TSC) 4(2), 96–109 (2011)

    CrossRef  Google Scholar 

  7. Armando, A., Ranise, S.: Automated Symbolic Analysis of ARBAC-Policies. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 17–34. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  8. Autrel, F., Cuppens, F., Cuppens, N., Coma, C.: MotOrBAC 2: a security policy tool. In: 3rd Conf. SARSSI, pp. 13–17 (2008)

    Google Scholar 

  9. De Moura, L., Bjørner, N.: Satisfiability modulo theories: introduction and applications. Commun. ACM 54, 69–77 (2011)

    CrossRef  Google Scholar 

  10. Enderton, H.B.: A Mathematical Introduction to Logic. Academic Press, New York (1972)

    MATH  Google Scholar 

  11. Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access control policies. In: Int. Conf. on Sw Eng. (ICSE), pp. 196–206 (2005)

    Google Scholar 

  12. Hughes, G., Bultan, T.: Automated Verification of Access Control Policies Using a SAT Solver. Int. J. on Sw Tools for Tech. Trandf. (STTT) 10(6), 473–534 (2008)

    CrossRef  Google Scholar 

  13. Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible support for multiple access control policies. ACM Trans. DB Syst. 26, 214–260 (2001)

    CrossRef  MATH  Google Scholar 

  14. Kamoda, H., Yamaoka, M., Matsuda, S., Broda, K., Sloman, M.: Access Control Policy Analysis Using Free Variable Tableaux. Trans. of Inform. Proc. Soc. of Japan, 207–221 (2006)

    Google Scholar 

  15. Korovin, K., Voronkov, A.: GoRRiLA and Hard Reality. In: Clarke, E., Virbitskaite, I., Voronkov, A. (eds.) PSI 2011. LNCS, vol. 7162, pp. 243–250. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  16. Kuhn, D.R., Coyne, E.J., Weil, T.R.: Adding Attributes to Role Based Access Control. IEEE Computer 43(6), 79–81 (2010)

    CrossRef  Google Scholar 

  17. Lahiri, S.K., Musuvathi, M.: An Efficient Decision Procedure for UTVPI Constraints. In: Gramlich, B. (ed.) FroCos 2005. LNCS (LNAI), vol. 3717, pp. 168–183. Springer, Heidelberg (2005)

    CrossRef  Google Scholar 

  18. Li, N., Mitchell, J.C.: DATALOG with Constraints: A Foundation for Trust Management Languages. In: Dahl, V. (ed.) PADL 2003. LNCS, vol. 2562, pp. 58–73. Springer, Heidelberg (2003)

    CrossRef  Google Scholar 

  19. Li, N., Mitchell, J.C.: RT: A Role-based Trust-management Framework. In: 3rd DARPA Infor. Surv. Conf. and Exp. (DISCEX III), pp. 201–212 (2003)

    Google Scholar 

  20. Lin, D., Rao, P., Bertino, E., Li, N., Lobo, K.: EXAM: a comprehensive environment for the analysis of access control policies. IJIS 9, 253–273 (2010)

    CrossRef  Google Scholar 

  21. Lupu, E., Sloman, M.: Reconciling Role Based Management and Role Based Access Control. In: 2nd ACM Ws. on Role Based Acc. Contr., pp. 135–142 (1997)

    Google Scholar 

  22. Mankai, M., Logrippo, L.: Access Control Policies: Modeling and Validation. In: Proc. of NOTERE, pp. 85–91 (2005)

    Google Scholar 

  23. Nelson, C.G., Oppen, D.: Simplification by Cooperating Decision Procedures. ACM Trans. on Programming Languages and Systems 1(2), 245–257 (1979)

    CrossRef  MATH  Google Scholar 

  24. Ranise, S., Tinelli, C.: The SMT-LIB Standard: Version 1.2, http://goedel.cs.uiowa.edu/smtlib/papers/format-v1.2-r06.08.30.pdf

  25. Ribeiro, C., Zúquete, A., Ferreira, P., Guedes, P.: Security Policy Consistency. In: 1st Ws. on Rule-Based Constr. Reas. and Progr. CoRR cs.LO/0006045 (2000)

    Google Scholar 

  26. Samarati, P., De Capitani di Vimercati, S.: Access Control: Policies, Models, and Mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 137–196. Springer, Heidelberg (2001)

    CrossRef  Google Scholar 

  27. Sandhu, R., Coyne, E., Feinstein, H., Youmann, C.: Role-Based Access Control Models. IEEE Computer 2(29), 38–47 (1996)

    CrossRef  Google Scholar 

  28. Sebastiani, R.: Lazy Satisfiability Modulo Theories. Journal on Satisfiability, Boolean Modeling and Computation, JSAT 3, 141–224 (2007)

    MathSciNet  MATH  Google Scholar 

  29. Shaikh, R., Adi, K., Logrippo, L., Mankovski, S.: Inconsistency Detection Method for Access Control Policies. In: IEEE 6th IAS, pp. 204–209 (2010)

    Google Scholar 

  30. Tarjan, R.E.: Efficiency of a Good But Not Linear Set Union Algorithm. Journal of the ACM 22(2), 215–225 (1975)

    CrossRef  MathSciNet  MATH  Google Scholar 

  31. Yices, http://yices.csl.sri.com/

  32. Yu, H., Xie, Q., Che, H.: Research on Description Logic Based Conflict Detection Methods for RB-RBAC Model. In: 4th Int. Conf. on AMT, pp. 335–339 (2006)

    Google Scholar 

  33. Yuan, E., Tong, J.: Attributed Based Access Control (ABAC) for Web Services. In: Proc. of IEEE ICWS, pp. 561–569 (2005)

    Google Scholar 

  34. Z3, http://research.microsoft.com/en-us/um/redmond/projects/z3

Download references

Author information

Authors and Affiliations

  1. DIST, Università degli Studi di Genova, Italia

    Alessandro Armando

  2. Security and Trust Unit, FBK-Irst, Trento, Italia

    Alessandro Armando & Silvio Ranise

Authors
  1. Alessandro Armando
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Silvio Ranise
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Télécom Bretagne, Campus de Rennes 2, rue de la Châtaigneraie, 35512, Cesson Sévigné Cedex, France

    Nora Cuppens-Boulahia, Frédéric Cuppens & Joaquin Garcia-Alfaro,  & 

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 IFIP International Federation for Information Processing

About this paper

Cite this paper

Armando, A., Ranise, S. (2012). Automated and Efficient Analysis of Role-Based Access Control with Attributes. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds) Data and Applications Security and Privacy XXVI. DBSec 2012. Lecture Notes in Computer Science, vol 7371. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31540-4_3

Download citation

  • .RIS
  • .ENW
  • .BIB
  • DOI: https://doi.org/10.1007/978-3-642-31540-4_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31539-8

  • Online ISBN: 978-3-642-31540-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Share this paper

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

Search

Navigation

  • Find a journal
  • Publish with us

Discover content

  • Journals A-Z
  • Books A-Z

Publish with us

  • Publish your research
  • Open access publishing

Products and services

  • Our products
  • Librarians
  • Societies
  • Partners and advertisers

Our imprints

  • Springer
  • Nature Portfolio
  • BMC
  • Palgrave Macmillan
  • Apress
  • Your US state privacy rights
  • Accessibility statement
  • Terms and conditions
  • Privacy policy
  • Help and support

167.114.118.210

Not affiliated

Springer Nature

© 2023 Springer Nature