Abstract
Access control is widely used in large systems for restricting resource access to authorized users. In particular, role based access control (RBAC) is a generalized approach to access control and is well recognized for its many advantages in managing authorization policies.
This paper considers user-role reachability analysis of administrative role based access control (ARBAC), which defines administrative roles and specifies how members of each administrative role can change the RBAC policy. Most existing works on user-role reachability analysis assume the separate administration restriction in ARBAC policies. While this restriction greatly simplifies the user-role reachability analysis, it also limits the expressiveness and applicability of ARBAC. In this paper, we consider analysis of ARBAC without the separate administration restriction and present new techniques to reduce the number of ARBAC rules and users considered during analysis. We also present a number of parallel algorithms that speed up the analysis on multi-core systems. The experimental results show that our techniques significantly reduce the analysis time, making it practical to analyze ARBAC without separate administration.
Chapter PDF
Similar content being viewed by others
References
Alberti, F., Armando, A., Ranise, S.: Efficient symbolic automated analysis of administrative attribute-based rbac-policies. In: ACM Symposium on Information, Computer and Communications Security, pp. 165–175 (2011)
A.N.S.I. (ANSI) Role-based access control. ANSI INCITS Standard 359-2004 (February 2004)
Becker, M.Y.: Specification and analysis of dynamic authorisation policies. In: 22nd IEEE Computer Security Foundations Symposium (CSF) (2009)
Ferrara, A.L., Madhusudan, P., Parlato, G.: Security analysis of role-based access control through program verification. In: Computer Security Foundations Symposium, pp. 113–125 (2012)
Ferrara, A.L., Madhusudan, P., Parlato, G.: Policy analysis for self-administrated role-based access control. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 432–447. Springer, Heidelberg (2013)
Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: International Conference on Software Engineering (ICSE), pp. 196–205 (2005)
Gofman, M., Luo, R., He, J., Zhang, Y., Yang, P.: Incremental information flow analysis of role based access control. In: International Conference on Security and Management, pp. 397–403 (2009)
Gofman, M.I., Luo, R., Solomon, A.C., Zhang, Y., Yang, P., Stoller, S.D.: RBAC-PAT: A policy analysis tool for role based access control. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 46–49. Springer, Heidelberg (2009)
Gofman, M.I., Luo, R., Yang, P.: User-role reachability analysis of evolving administrative role based access control. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 455–471. Springer, Heidelberg (2010)
Guttman, J.D., Herzog, A.L., Ramsdell, J.D., Skorupka, C.W.: Verifying information flow goals in Security-Enhanced Linux. Journal of Computer Security 13(1), 115–134 (2005)
Irwin, K., Yu, T., Winsborough, W.H.: On the modeling and analysis of obligations. In: ACM Conference on Computer and Communications Security, pp. 134–143 (2006)
Jackson, D., Schechter, I., Shlyakhter, I.: Alcoa: the alloy constraint analyzer, pp. 730–733 (June 2000)
Jajodia, S., Samarati, P., Subrahmanian, V.S.: A logical language for expressing authorizations. In: Symposium on Security and Privacy, pp. 31–42 (1997)
Jayaraman, K., Ganesh, V., Tripunitara, M., Rinard, M., Chapin, S.: Automatic error finding for access control policies. In: Proceedings of 18th ACM Conference on Computer and Communications Security (CCS) (2011)
Jha, S., Reps, T.: Model-checking SPKI-SDSI. Journal of Computer Security 12, 317–353 (2004)
Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM Transactions on Information and System Security 9(4), 391–420 (2006)
Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and Systems Security (TISSEC) 2(1), 105–135 (1999)
Sasturkar, A., Yang, P., Stoller, S.D., Ramakrishnan, C.: Policy analysis for administrative role based access control. In: IEEE Computer Security Foundations Workshop (2006)
Sasturkar, A., Yang, P., Stoller, S.D., Ramakrishnan, C.: Policy analysis for administrative role based access control. Theoretical Computer Science 412(44), 6208–6234 (2011)
Schaad, A., Moffett, J.D.: A lightweight approach to specification and analysis of role-based access control extensions. In: ACM Symposium on Access Control Models and Technologies, pp. 13–22 (2002)
Stoller, S.D., Yang, P., Gofman, M.I., Ramakrishnan, C.: Symbolic reachability analysis for parameterized administrative role-based access control. Journal of Computers & Security, 148–164 (2011)
Stoller, S.D., Yang, P., Ramakrishnan, C.R., Gofman, M.I.: Efficient policy analysis for administrative role based access control. In: 14th ACM Conference on Computer and Communications Security (CCS), pp. 445–455 (2007)
Uzun, E., Atluri, V., Sural, S., Vaidya, J., Parlato, G., Ferrara, A.L., Parthasarathy, M.: Analyzing temporal role based access control models. In: ACM Symposium on Access Control Models and Technologies, pp. 177–186 (2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Yang, P., Gofman, M., Yang, Z. (2013). Policy Analysis for Administrative Role Based Access Control without Separate Administration. In: Wang, L., Shafiq, B. (eds) Data and Applications Security and Privacy XXVII. DBSec 2013. Lecture Notes in Computer Science, vol 7964. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39256-6_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-39256-6_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39255-9
Online ISBN: 978-3-642-39256-6
eBook Packages: Computer ScienceComputer Science (R0)