Abstract
Role Based Access Control (RBAC) has been widely used for restricting resource access to only authorized users. Administrative Role Based Access Control (ARBAC) specifies permissions for administrators to change RBAC policies. Due to complex interactions between changes made by different administrators, it is often difficult to comprehend the full effect of ARBAC policies by manual inspection alone. Policy analysis helps administrators detect potential flaws in the policy specification.
Prior work on ARBAC policy analysis considers only static ARBAC policies. In practice, ARBAC policies tend to change over time in order to fix design flaws or to cope with the changing requirements of an organization. Changes to ARBAC policies may invalidate security properties that were previously satisfied. In this paper, we present incremental algorithms for user-role reachability analysis of ARBAC policies, which asks whether a given user can be assigned to given roles by given administrators. Our incremental algorithms determine if a change may affect the analysis result, and if so, use the information of the previous analysis to incrementally update the analysis result. To the best of our knowledge, these are the first known incremental algorithms in literature for ARBAC analysis. Detailed evaluations show that our incremental algorithms outperform the non-incremental algorithm in terms of execution time.
This work was supported in part by NSF Grant CNS-0855204.
Chapter PDF
Similar content being viewed by others
References
Conway, C., Namjoshi, K., Dams, D., Edwards, S.: Incremental algorithms for inter-procedural analysis of safety properties. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 449–461. Springer, Heidelberg (2005)
Crampton, J.: Authorizations and antichains, ph.d. thesis, university of london (2002)
Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: International Conference on Software Engineering (ICSE), pp. 196–205 (2005)
Gupta, A., Katiyar, D., Mumick, I.S.: Counting solutions to the view maintenance problem. In: Workshop on Deductive Databases, pp. 185–194 (1992)
Gupta, A., Mumick, I.S., Subrahmanian, V.S.: Maintaining views incrementally. In: International Conference on Management of Data, pp. 157–166 (1993)
Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)
Jackson, D., Schechter, I., Shlyakhter, I.: Alcoa: the alloy constraint analyzer, pp. 730–733 (June 2000)
Jha, S., Li, N., Tripunitara, M., Wang, Q., Winsborough, W.: Towards formal verification of role-based access control policies. IEEE Transactions on Dependable and Secure Computing 5(2) (2008)
Jha, S., Reps, T.: Model-checking SPKI-SDSI. Journal of Computer Security 12, 317–353 (2004)
Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM Transactions on Information and System Security 9(4), 391–420 (2006)
Lu, J., Moerkotte, G., Schu, J., Subrahmanian, V.S.: Efficient maintenance of materialized mediated views (1995)
Sandhu, D.F.F.R., Kuhn, D.R.: The NIST model for role based access control: Towards a unified standard. In: ACM SACMAT, pp. 47–63 (2000)
Saha, D., Ramakrishnan, C.R.: Incremental evaluation of tabled logic programs. In: International Conference on Logic Programming, pp. 392–406 (2003)
Sandhu, R.: The typed access matrix model. In: Proc. IEEE Symposium on Security and Privacy, pp. 122–136 (1992)
Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and Systems Security 2(1), 105–135 (1999)
Sasturkar, A., Yang, P., Stoller, S.D., Ramakrishnan, C.: Policy analysis for administrative role based access control. In: 19th IEEE Computer Security Foundations Workshop (2006)
Schaad, A., Moffett, J.D.: A lightweight approach to specification and analysis of role-based access control extensions. In: Proc.of SACMAT, pp. 13–22 (2002)
Stoller, S., Yang, P., Ramakrishnan, C.R., Gofman, M.: Efficient policy analysis for administrative role based access control. In: ACM CCS, pp. 445–455 (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gofman, M.I., Luo, R., Yang, P. (2010). User-Role Reachability Analysis of Evolving Administrative Role Based Access Control. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds) Computer Security – ESORICS 2010. ESORICS 2010. Lecture Notes in Computer Science, vol 6345. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15497-3_28
Download citation
DOI: https://doi.org/10.1007/978-3-642-15497-3_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15496-6
Online ISBN: 978-3-642-15497-3
eBook Packages: Computer ScienceComputer Science (R0)