Abstract
There is an emerging recognition of the importance of utilizing contextual information in authorization decisions. Controlling access to resources in the field of wireless and mobile networking requires the definition of a formal model for access control with supporting spatial context. However, the traditional RBAC model does not specify these spatial requirements. In this paper, we extend the existing RBAC model and propose the SC-RBAC model, which utilizes spatial and location-based information in security policy definitions. The concept of a spatial role is presented, and each role is assigned a logical location domain that specifies its spatial boundary. Roles are activated based on the current physical position of the user, which is obtained from a specific mobile terminal. We then extend SC-RBAC to deal with hierarchies, modeling permission, user and activation inheritance, and prove that the hierarchical spatial roles are capable of constructing a lattice, which is a means of articulating multi-level security policy and is more suitable for controlling information flow security in safety-critical location-aware information systems. Next, constrained SC-RBAC allows various spatial separation-of-duty constraints, location-based cardinality constraints and temporal constraints to be expressed, specifying the fine-grained spatial semantics that are typical in location-aware systems. Finally, we introduce 9 invariants for the constrained SC-RBAC and prove its basic security theorem. The constrained SC-RBAC provides the foundation for applications in need of constrained spatial context-aware access control.
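The following is an added illustration of the concepts the abstract names (spatial roles bound to a location domain, activation conditioned on the user's current position, permission inheritance along a role hierarchy, spatial separation of duty and location-based cardinality). It is not the paper's formalism or any code from the authors: the location model is a deliberately simplified axis-aligned box, and all role names, domains, permissions and users are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    """A logical location domain, modelled here as an axis-aligned box.
    (Constructed simplification; the paper's own location model is not reproduced.)"""
    x0: float
    y0: float
    x1: float
    y1: float

    def contains(self, pos):
        x, y = pos
        return self.x0 <= x <= self.x1 and self.y0 <= y <= self.y1


@dataclass(frozen=True)
class SpatialRole:
    name: str
    domain: Domain            # spatial boundary within which the role may be active
    permissions: frozenset    # permissions granted directly by this role
    juniors: tuple = ()       # junior roles whose permissions this role inherits


class SCRBAC:
    """Toy spatially constrained RBAC policy engine (illustrative, not the paper's model)."""

    def __init__(self):
        self.roles = {}          # role name -> SpatialRole
        self.assignments = {}    # user -> set of assigned role names
        self.exclusive = set()   # frozenset({r1, r2}): spatial separation-of-duty pairs
        self.cardinality = {}    # role name -> max users with the role active at once
        self.active = {}         # user -> set of currently active role names

    def add_role(self, role):
        self.roles[role.name] = role

    def assign(self, user, role_name):
        self.assignments.setdefault(user, set()).add(role_name)

    def activate(self, user, role_name, position):
        """Try to activate a role at the user's current physical position; returns (ok, reason)."""
        role = self.roles.get(role_name)
        if role is None or role_name not in self.assignments.get(user, ()):
            return False, "not assigned"
        current = self.active.setdefault(user, set())
        if role_name in current:
            return True, "already active"
        if not role.domain.contains(position):
            return False, "outside location domain"
        if any(frozenset({role_name, r}) in self.exclusive for r in current):
            return False, "spatial separation of duty"
        active_count = sum(role_name in s for s in self.active.values())
        if active_count >= self.cardinality.get(role_name, float("inf")):
            return False, "cardinality limit reached"
        current.add(role_name)
        return True, "activated"

    def deactivate(self, user, role_name):
        self.active.get(user, set()).discard(role_name)

    def _closure(self, role_name, seen):
        # Permissions of a role plus everything inherited from its junior roles.
        if role_name in seen:
            return frozenset()
        seen.add(role_name)
        role = self.roles[role_name]
        perms = set(role.permissions)
        for junior in role.juniors:
            perms |= self._closure(junior, seen)
        return frozenset(perms)

    def permissions(self, user):
        perms = set()
        for r in self.active.get(user, ()):
            perms |= self._closure(r, set())
        return frozenset(perms)

    def check(self, user, permission):
        return permission in self.permissions(user)


def build_demo_policy():
    """Constructed hospital-style policy; every name and coordinate here is made up."""
    p = SCRBAC()
    ward = Domain(0, 0, 10, 10)          # nurse role only valid inside the ward
    hospital = Domain(0, 0, 100, 100)    # senior roles cover the whole building
    p.add_role(SpatialRole("nurse", ward, frozenset({"read_chart"})))
    p.add_role(SpatialRole("doctor", hospital, frozenset({"prescribe"}), juniors=("nurse",)))
    p.add_role(SpatialRole("auditor", hospital, frozenset({"read_audit_log"})))
    p.exclusive.add(frozenset({"doctor", "auditor"}))   # never both active for one user
    p.cardinality["nurse"] = 1                          # at most one active nurse at a time
    for user, role in [("alice", "doctor"), ("alice", "auditor"),
                       ("bob", "nurse"), ("carol", "nurse"), ("dave", "nurse")]:
        p.assign(user, role)
    return p


if __name__ == "__main__":
    p = build_demo_policy()
    print(p.activate("alice", "doctor", (5, 5)), p.check("alice", "read_chart"))
    print(p.activate("alice", "auditor", (5, 5)))
    print(p.activate("bob", "nurse", (50, 50)))
```

Activation is the only place position is consulted, which mirrors the abstract's point that roles are activated from the user's current location rather than permissions being re-evaluated per request; a deployment would additionally re-check the position when the terminal reports movement and deactivate roles whose domain no longer contains the user.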
Cite this article
Zhang, H., He, Y. & Shi, Z. A formal model for access control with supporting spatial context. SCI CHINA SER F 50, 419–439 (2007). https://doi.org/10.1007/s11432-007-0033-6