Abstract
Access Control (AC) is a critical and challenging security aspect within an IT infrastructure. Different AC models have been proposed to define AC policies that dictate the conditions under which a resource may be accessed by a subject. Attribute- Based Access Control (ABAC) is one of the most promising of those models and has received meaningful attention in recent years. Higher-order Attribute-Based Access Control (HoBAC) is a new AC model we recently proposed as a generalization of ABAC that offers more flexibility when designing AC policies. In this paper, theoretical foundations of HoBAC are further developed and an Access Control System (ACS) and an AC policy framework are presented. An application example related to the Internet of Things (IoT) is used to illustrate the different concepts of HoBAC.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
In this work, without loss of generality, the term context will be used to refer to the environment
\({\mathcal {F}}_f\): function that does not depend on any other \({\mathcal {S}}\)-Structure type. We call it a final function.
CoDom(F): codomain of F.
\({\mathcal {R}}\): universe of references
\(\lceil F \rceil \) represents a reference to F and its dual operator \(\lfloor \rfloor \) evaluates the referenced function.
\({\mathcal {P}}(X)\) represents the powerset of the set X
Special case: if \([A_{2}]_{U_A} = [A_{1}]_{U_A}\) then \(A_{1}\) is said equivalent to \(A_{2}\)
x[i]: the element at position i in the list x
|x|: cardinality of the list x
Having the same position in the lists (the list of the entities’ attributes and the list of the entity types’ attribute types)
Special case: if \([E_{2}]_{U_E} = [E_{1}]_{U_E}\) then \(E_{1}\) is said equivalent to \(E_{2}\)
They may play the role of objects or subjects or both depending on the setting and use case.
Policy enforcer: set of algorithms and mechanisms that enforce an AC policy.
\(\{s,o,a,ac\}\) are called the category of entity types.
The strategy may be a simple strategy or a composed strategy that is built upon other strategies.
\(U_{cds}\): Universe of conditions that may be applied to attributes
Coverage relationships are introduced in Sect. 4.3.3
\(ats \models cd_s\): all conditions \(cd_s\) are satisfied by the attributes ats
Special case: if \(({\mathcal {C}}^{r}(r_2) \subseteq {\mathcal {C}}^{r}(r_1))\) and that \(r_1.d = r_2.d\) then \(r_{1}\) is equivalent to \(r_{2}\), noted \(r_1 \equiv r_2\).
The components of a capability \(ab = \langle s_o, s_a, s_{ac},d\rangle \) are referred to as \(ab.s_o, ab.s_a, s_{ac}\) and ab.d respectively.
Two capabilities are contradictory if they cover in common at least one object, action and context and a different decision value (set to Deny in one and to Allow in the other)
References
Adda M, Abdelaziz J, Mcheick H, Saad R (2015) Toward an access control model for iotcollab. In: Proceedings of the 6th international conference on ambient systems, networks and technologies (ANT 2015), the 5th international conference on sustainable energy information technology (SEIT-2015), London, June 2–5, 2015, pp 428–435. https://doi.org/10.1016/j.procs.2015.05.009
Alam M, Emmanuel N, Khan T, Xiang Y, Hassan H (2018) Garbled role-based access control in the cloud. J Ambient Intell Humaniz Comput 9(4):1153–1166. https://doi.org/10.1007/s12652-017-0573-6
Aliane L, Adda M (2019) Hobac: toward a higher-order attribute-based access control model. Procedia Computer Science 155:303 – 310. The 16th International Conference on Mobile Systems and Pervasive Computing (MobiSPC 2019),The 14th International Conference on Future Networks and Communications (FNC-2019),The 9th International Conference on Sustainable Energy Information Technology. https://doi.org/10.1016/j.procs.2019.08.044, http://www.sciencedirect.com/science/article/pii/S1877050919309585
Alshehri A, Sandhu R (2017) Access control models for virtual object communication in cloud-enabled iot. In: 2017 IEEE international conference on information reuse and integration (IRI), pp 16–25. https://doi.org/10.1109/IRI.2017.60
Barkley J (1997) Comparing simple role based access control models and access control lists. In: Proceedings of the second ACM workshop on role-based access control. ACM, New York, RBAC ’97, pp 127–132. https://doi.org/10.1145/266741.266769
Bertino E, Bonatti PA, Ferrari E (2001) TRBAC: a temporal role-based access control model. ACM Trans Inf Syst Secur 4(3):191–233. https://doi.org/10.1145/501978.501979
Bhatt S, Patwa F, Sandhu R (2017) Abac with group attributes and attribute hierarchies utilizing the policy machine. In: Proceedings of the 2nd ACM workshop on attribute-based access control. ACM, New York, ABAC ’17, pp 17–28. https://doi.org/10.1145/3041048.3041053
Cruz JP, Kaji Y, Yanai N (2018) RBAC-SC: role-based access control using smart contract. IEEE Access 6:12240–12251. https://doi.org/10.1109/ACCESS.2018.2812844
Dong Y, Wan K, Huang X, Yue Y (2018) Contexts-states-aware access control for internet of things. In: 2018 IEEE 22nd international conference on computer supported cooperative work in design (CSCWD), pp 666–671. https://doi.org/10.1109/CSCWD.2018.8465364
Hassija V, Chamola V, Saxena V, Jain D, Goyal P, Sikdar B (2019) A survey on iot security: application areas, security threats, and solution architectures. IEEE Access 7:82721–82743. https://doi.org/10.1109/ACCESS.2019.2924045
Hu VC, Kuhn DR, Ferraiolo DF, Voas J (2015) Attribute-based access control. Computer 48(2):85–88. https://doi.org/10.1109/MC.2015.33
Hu K, Cai G, Shen C (2016/04) An enhanced access control model based on trusted computing. In: 2nd International conference on advances in mechanical engineering and industrial informatics (AMEII 2016). Atlantis Press. https://doi.org/10.2991/ameii-16.2016.177
Jin X, Krishnan R, Sandhu R (2012) A unified attribute-based access control model covering dac, mac and rbac. In: Proceedings of the 26th annual IFIP WG 11.3 conference on data and applications security and privacy. Springer, Berlin, DBSec’12, pp 41–55. https://doi.org/10.1007/978-3-642-31540-4_4
Kalam AAE, Baida RE, Balbiani P, Benferhat S, Cuppens F, Deswarte Y, Miege A, Saurel C, Trouessin G (2003) Organization based access control. In: Proceedings POLICY 2003. IEEE 4th international workshop on policies for distributed systems and networks, pp 120–131. https://doi.org/10.1109/POLICY.2003.1206966
Kuhn DR, Coyne EJ, Weil TR (2010) Adding attributes to role-based access control. Computer 43(6):79–81. https://doi.org/10.1109/MC.2010.155
Layouni F, Pollet Y (2009) FI-ORBAC: a model of access control for federated identity platform. In: IADIS 2009, the international conference on information system, Barcelona.https://hal.archives-ouvertes.fr/hal-01125878, ISBN: 978-972-8924-79-9
Lee C, Fumagalli A (2019) Internet of things security—multilayered method for end to end data communications over cellular networks. In: 2019 IEEE 5th World Forum on Internet of Things (WF-IoT), pp 24–28. https://doi.org/10.1109/WF-IoT.2019.8767227
Lee Y, Lim J, Jeon Y, Kim J (2015) Technology trends of access control in iot and requirements analysis. In: 2015 International conference on information and communication technology convergence (ICTC), pp 1031–1033. https://doi.org/10.1109/ICTC.2015.7354730
Maia Neto AL, Pereira LY, Souza ALF, Cunha I, Oliveira BL (2018) Demo abstract: attributed-based authentication and access control for iot home devices. In: 2018 17th ACM/IEEE international conference on information processing in sensor networks (IPSN), pp 112–113. https://doi.org/10.1109/IPSN.2018.00019
Manaligod HJT, Diño MJS, Ghose S, Han J (2019) Context computing for internet of things. J Ambient Intell Humaniz Comput. https://doi.org/10.1007/s12652-019-01560-3
Meneghello F, Calore M, Zucchetto D, Polese M, Zanella A (2019) Iot: Internet of threats? A survey of practical security vulnerabilities in real iot devices. IEEE Internet of Things J 6(5):8182–8201. https://doi.org/10.1109/JIOT.2019.2935189
Miraz MH, Ali M, Excell PS, Picking R (2015) A review on internet of things (iot), internet of everything (ioe) and internet of nano things (iont). In: 2015 Internet technologies and applications (ITA), pp 219–224. https://doi.org/10.1109/ITechA.2015.7317398
Mitra B, Sural S, Vaidya J, Atluri V (2017) Migrating from rbac to temporal rbac. IET Inf Secur 11(5):294–300. https://doi.org/10.1049/iet-ifs.2016.0258
Murray WH (1993) Information security management, chap Introduction to access controls, Auerbach Publishers, pp 515–523
Nakamura S, Enokido T, Takizawa M (2018) A flexible read-write abortion protocol with role safety concept to prevent illegal information flow. J Ambient Intell Humaniz Comput 9(5):1415–1425. https://doi.org/10.1007/s12652-017-0541-1
Neshenko N, Bou-Harb E, Crichigno J, Kaddoum G, Ghani N (2019) Demystifying iot security: an exhaustive survey on iot vulnerabilities and a first empirical look on internet-scale iot exploitations. IEEE Commun Surv Tutor 21(3):2702–2733. https://doi.org/10.1109/COMST.2019.2910750
Pournaghi SM, Bayat M, Farjami Y (2020) MEDSBA: a novel and secure scheme to share medical data based on blockchain technology and attribute-based encryption. J Ambient Intell Humaniz Comput. https://doi.org/10.1007/s12652-020-01710-y
Sandhu RS, Samarati P (1994) Access control: principle and practice. IEEE Commun Mag 32:40–48. https://doi.org/10.1109/35.312842
Sandhu RS, Coyne EJ, Feinstein HL, Youman CE (1994) Role-based access control: a multi-dimensional view. In: Tenth annual computer security applications conference, pp 54–62. https://doi.org/10.1109/CSAC.1994.367293
Servos D, Osborn SL (2015) HGABAC: towards a formal model of hierarchical attribute-based access control. In: Cuppens F, Garcia-Alfaro J, Zincir Heywood N, Fong PWL (eds) Foundations and practice of security. Springer International Publishing, Cham, pp 187–204
Sicuranza M, Esposito A, Ciampi M (2015) An access control model to minimize the data exchange in the information retrieval. J Ambient Intell Humaniz Comput 6(6):741–752. https://doi.org/10.1007/s12652-015-0275-x
Singh S, Singh N (2015) Internet of things (iot): Security challenges, business opportunities reference architecture for e-commerce. In: 2015 International conference on green computing and internet of things (ICGCIoT), pp 1577–1581. https://doi.org/10.1109/ICGCIoT.2015.7380718
Xu Z, Stoller SD (2013) Mining attribute-based access control policies. vol abs/1306.2401. arXiv:1306.2401
Zhang G, Liu J (2011) A model of workflow-oriented attributed based access control. Int J Comput Netw Inf Secur (IJCNIS) 3:47–53
Acknowledgements
We acknowledge the support of the Natural Sciences and Engineering Research Council of Canada (NSERC), 06351. Cette recherche a été financée par le Conseil de recherches en sciences naturelles et en génie du Canada (CRSNG), 06351.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Adda, M., Aliane, L. HoBAC: fundamentals, principles, and policies. J Ambient Intell Human Comput 11, 5927–5941 (2020). https://doi.org/10.1007/s12652-020-02102-y
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12652-020-02102-y