Abstract
We consider an extension of the Role-Based Access Control model in which rules assign users to roles based on attributes. We consider an open (allow-by-default) policy approach in which rules can assign users negated roles thus preventing access to the permissions associated to the role. The problems of detecting redundancies and inconsistencies are formally stated. By expressing the conditions on the attributes in the rules with formulae of theories that can be efficiently decided by Satisfiability Modulo Theories (SMT) solvers, we characterize the decidability and complexity of the problems of detecting redundancies and inconsistencies. The proof of the result is constructive and based on an algorithm that repeatedly solves SMT problems. An experimental evaluation with synthetic benchmark problems shows the practical viability of our technique.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Adi, K., Bouzida, Y., Hattak, I., Logrippo, L., Mankovskii, S.: Typing for Conflict Detection in Access Control Policies. In: Babin, G., Kropf, P., Weiss, M. (eds.) MCETECH 2009. LNBIP, vol. 26, pp. 212–226. Springer, Heidelberg (2009)
Al-Kahtani, M., Sandhu, R.: A Model for Attribute-Based User-Role Assignment. In: Proc. of 18th Annual Comp. Sec. App. Conf., Las Vegas, Nevada (2002)
Al-Kahtani, M., Sandhu, R.: Induced Role Hierarchies with Attribute-Based RBAC. In: Proc. of 8th ACM SACMAT (2003)
Al-Kahtani, M., Sandhu, R.: Rule-based RBAC with negative authorization. In: Proc. of 20th Annual Comp. Sec. App. Conf., pp. 405–415 (2004)
Alberti, F., Armando, A., Ranise, S.: Efficient Symbolic Automated Analysis of Administrative Role Based Access Control Policies. In: Proc. of 6th ACM Symp. on Info., Computer and Comm. Security, ASIACCS 2011 (2011)
Ardagna, C., De Capitani di Vimercati, S., Paraboschi, S., Pedrini, E., Samarati, P., Verdicchio, M.: Expressive and Deployable Access Control in Open Web Service Applications. IEEE Trans. on Serv. Comp. (TSC) 4(2), 96–109 (2011)
Armando, A., Ranise, S.: Automated Symbolic Analysis of ARBAC-Policies. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 17–34. Springer, Heidelberg (2011)
Autrel, F., Cuppens, F., Cuppens, N., Coma, C.: MotOrBAC 2: a security policy tool. In: 3rd Conf. SARSSI, pp. 13–17 (2008)
De Moura, L., Bjørner, N.: Satisfiability modulo theories: introduction and applications. Commun. ACM 54, 69–77 (2011)
Enderton, H.B.: A Mathematical Introduction to Logic. Academic Press, New York (1972)
Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access control policies. In: Int. Conf. on Sw Eng. (ICSE), pp. 196–206 (2005)
Hughes, G., Bultan, T.: Automated Verification of Access Control Policies Using a SAT Solver. Int. J. on Sw Tools for Tech. Trandf. (STTT) 10(6), 473–534 (2008)
Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible support for multiple access control policies. ACM Trans. DB Syst. 26, 214–260 (2001)
Kamoda, H., Yamaoka, M., Matsuda, S., Broda, K., Sloman, M.: Access Control Policy Analysis Using Free Variable Tableaux. Trans. of Inform. Proc. Soc. of Japan, 207–221 (2006)
Korovin, K., Voronkov, A.: GoRRiLA and Hard Reality. In: Clarke, E., Virbitskaite, I., Voronkov, A. (eds.) PSI 2011. LNCS, vol. 7162, pp. 243–250. Springer, Heidelberg (2012)
Kuhn, D.R., Coyne, E.J., Weil, T.R.: Adding Attributes to Role Based Access Control. IEEE Computer 43(6), 79–81 (2010)
Lahiri, S.K., Musuvathi, M.: An Efficient Decision Procedure for UTVPI Constraints. In: Gramlich, B. (ed.) FroCos 2005. LNCS (LNAI), vol. 3717, pp. 168–183. Springer, Heidelberg (2005)
Li, N., Mitchell, J.C.: DATALOG with Constraints: A Foundation for Trust Management Languages. In: Dahl, V. (ed.) PADL 2003. LNCS, vol. 2562, pp. 58–73. Springer, Heidelberg (2003)
Li, N., Mitchell, J.C.: RT: A Role-based Trust-management Framework. In: 3rd DARPA Infor. Surv. Conf. and Exp. (DISCEX III), pp. 201–212 (2003)
Lin, D., Rao, P., Bertino, E., Li, N., Lobo, K.: EXAM: a comprehensive environment for the analysis of access control policies. IJIS 9, 253–273 (2010)
Lupu, E., Sloman, M.: Reconciling Role Based Management and Role Based Access Control. In: 2nd ACM Ws. on Role Based Acc. Contr., pp. 135–142 (1997)
Mankai, M., Logrippo, L.: Access Control Policies: Modeling and Validation. In: Proc. of NOTERE, pp. 85–91 (2005)
Nelson, C.G., Oppen, D.: Simplification by Cooperating Decision Procedures. ACM Trans. on Programming Languages and Systems 1(2), 245–257 (1979)
Ranise, S., Tinelli, C.: The SMT-LIB Standard: Version 1.2, http://goedel.cs.uiowa.edu/smtlib/papers/format-v1.2-r06.08.30.pdf
Ribeiro, C., Zúquete, A., Ferreira, P., Guedes, P.: Security Policy Consistency. In: 1st Ws. on Rule-Based Constr. Reas. and Progr. CoRR cs.LO/0006045 (2000)
Samarati, P., De Capitani di Vimercati, S.: Access Control: Policies, Models, and Mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 137–196. Springer, Heidelberg (2001)
Sandhu, R., Coyne, E., Feinstein, H., Youmann, C.: Role-Based Access Control Models. IEEE Computer 2(29), 38–47 (1996)
Sebastiani, R.: Lazy Satisfiability Modulo Theories. Journal on Satisfiability, Boolean Modeling and Computation, JSAT 3, 141–224 (2007)
Shaikh, R., Adi, K., Logrippo, L., Mankovski, S.: Inconsistency Detection Method for Access Control Policies. In: IEEE 6th IAS, pp. 204–209 (2010)
Tarjan, R.E.: Efficiency of a Good But Not Linear Set Union Algorithm. Journal of the ACM 22(2), 215–225 (1975)
Yices, http://yices.csl.sri.com/
Yu, H., Xie, Q., Che, H.: Research on Description Logic Based Conflict Detection Methods for RB-RBAC Model. In: 4th Int. Conf. on AMT, pp. 335–339 (2006)
Yuan, E., Tong, J.: Attributed Based Access Control (ABAC) for Web Services. In: Proc. of IEEE ICWS, pp. 561–569 (2005)
Z3, http://research.microsoft.com/en-us/um/redmond/projects/z3
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Armando, A., Ranise, S. (2012). Automated and Efficient Analysis of Role-Based Access Control with Attributes. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds) Data and Applications Security and Privacy XXVI. DBSec 2012. Lecture Notes in Computer Science, vol 7371. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31540-4_3
Download citation
DOI: https://doi.org/10.1007/978-3-642-31540-4_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31539-8
Online ISBN: 978-3-642-31540-4
eBook Packages: Computer ScienceComputer Science (R0)