Practical safety in flexible access control models

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Practical safety in flexible access control models

Full text

Pdf (346 KB)

Source

ACM Transactions on Information and System Security (TISSEC) archive
Volume 4 , Issue 2 (May 2001) table of contents

Pages: 158 - 190

Year of Publication: 2001

ISSN:1094-9224

Authors

Trent Jaeger	IBM T. J. Watson Research Center
Jonathon E. Tidswell	University of New South Wales, NSW, Australia

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 13, Downloads (12 Months): 120, Citation Count: 30

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/501963.501966 What is a DOI?

ABSTRACT

Assurance that an access control configuration will not result in the leakage of a right to an unauthorized principal, called safety, is fundamental to ensuring that the most basic of access control policies can be enforced. It has been proven that the safety of an access control configuration cannot be decided for a general access control model, such as Lampson's access matrix, so safety is achieved either through the use of limited access control models or the verification of safety via constraints. Currently, almost all safety critical systems use limited access control models, such as Bell--LaPadula or Domain and Type Enforcement, because constraint expression languages are far too complex for typical administrators to use properly. However, researchers have identified that most constraints belong to one of a few basic types, so our goal is to develop a constraint expression model in which these constraints can be expressed in a straightforward way and extensions can be made to add other constraints, if desired. Our approach to expressing constraints has the following properties: (1) an access control policy is expressed using a graphical model in which the nodes represent sets (e.g., of subjects, objects, etc.) and the edges represent binary relationships on those sets and (2) constraints are expressed using a few, simple set operators on graph nodes. The basic graphical model is very simple, and we extend this model only as necessary to satisfy the identified constraint types. Since the basic graphical model is also general, further extension to support other constraints is possible, but such extensions should be made with caution as each increases the complexity of the model. Our hope is that by keeping the complexity of constraint expression in check, flexible access control models, such as role-based access control, may also be used for expressing access control policy for safety-critical systems.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Gail-Joon Ahn , Ravi Sandhu, The RSL99 language for role-based separation of duty constraints, Proceedings of the fourth ACM workshop on Role-based access control, p.43-54, October 28-29, 1999, Fairfax, Virginia, United States [doi>10.1145/319171.319176]
	2	Gail-Joon Ahn , Ravi Sandhu, Role-based authorization constraints specification, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.207-226, Nov. 2000 [doi>10.1145/382912.382913]
	3	AMMANN,P.E.,AND SANDHU, R. S. 1991. Safety analysis for the extended schematic protection model. In Proceedings of the IEEE Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif.
	4	AMMANN,P.E.,AND SANDHU, R. S. 1992. The extended Schematic Protection Model. J. Comput. Sec. 1.
	5	AMMANN,P.,AND SANDHU, R. 1994. One-representative safety analysis in the non-monotonic transform model. In Proceedings of the 7th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos, Calif., pp. 138-149.
	6	BELL,D.,AND LA PADULA, L. 1973. Secure computer systems: Mathematical foundations (Volume 1). Tech. Rep. ESD-TR-73-278. Mitre Corporation.
	7	Elisa Bertino , Elena Ferrari , Vijay Atluri, The specification and enforcement of authorization constraints in workflow management systems, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.65-104, Feb. 1999 [doi>10.1145/300830.300837]
	8	Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian , Eliza Bertino, A unified framework for enforcing multiple access control policies, Proceedings of the 1997 ACM SIGMOD international conference on Management of data, p.474-485, May 11-15, 1997, Tucson, Arizona, United States
	9	Matt Bishop , Lawrence Snyder, The transfer of information and authority in a protection system, Proceedings of the seventh ACM symposium on Operating systems principles, p.45-54, December 10-12, 1979, Pacific Grove, California, United States [doi>10.1145/800215.806569]
	10	BOEBERT,W.E.,AND KAIN, R. Y. 1985. A practical alternative to hierarchical integrity policies. In Proceedings of the 8th National Computer Security Conference (Gaithersburg, Md.).
	11	BREWER,D.F.C.,AND NASH, M. J. 1989. The Chinese wall security policy. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, Calif., May). IEEE Computer Society Press, Los Alamitos, Calif.
	12	CLARK,D.D.,AND WILSON, D. R. 1987. A comparison of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, Calif., Apr.). IEEE Computer Society Press, Los Alamitos, Calif.
	13	Avigdor Gal , Vijayalakshmi Atluri, An authorization model for temporal data, Proceedings of the 7th ACM conference on Computer and communications security, p.144-153, November 01-04, 2000, Athens, Greece [doi>10.1145/352600.352621]
	14	Luigi Giuri , Pietro Iglio, Role templates for content-based access control, Proceedings of the second ACM workshop on Role-based access control, p.153-159, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266773]
	15	GLIGOR,V.D.,GAVRILA,S.I.,AND FERRAIOLO, D. 1998. On the formal definition of separation-of-duty policies and their composition. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif.
	16	Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, Protection in operating systems, Communications of the ACM, v.19 n.8, p.461-471, Aug. 1976 [doi>10.1145/360303.360333]
	17	Trent Jeager, Managing access control complexity using metrices, Proceedings of the sixth ACM symposium on Access control models and technologies, p.131-139, May 2001, Chantilly, Virginia, United States [doi>10.1145/373256.373283]
	18	Trent Jaeger , Tony Michailidis , Roy Rada, Access Control in a Virtual University, Proceedings of the 8th Workshop on Enabling Technologies on Infrastructure for Collaborative Enterprises, p.135-140, June 16-18, 1999
	19	Trent Jaeger , Atul Prakash , Jochen Liedtke , Nayeem Islam, Flexible control of downloaded executable content, ACM Transactions on Information and System Security (TISSEC), v.2 n.2, p.177-228, May 1999 [doi>10.1145/317087.317091]
	20	Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian, A Logical Language for Expressing Authorizations, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.31, May 04-07, 1997
	21	D. Richard Kuhn, Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems, Proceedings of the second ACM workshop on Role-based access control, p.23-30, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266749]
	22	Butler W. Lampson, Protection, ACM SIGOPS Operating Systems Review, v.8 n.1, p.18-24, January 1974 [doi>10.1145/775265.775268]
	23	Emil C. Lupu , Morris Sloman, Conflicts in Policy-Based Distributed Systems Management, IEEE Transactions on Software Engineering, v.25 n.6, p.852-869, November 1999 [doi>10.1109/32.824414]
	24	T. F. Lunt , D. E. Denning , R. R. Schell , M. Heckman , W. R. Shockley, The SeaView Security Model, IEEE Transactions on Software Engineering, v.16 n.6, p.593-607, June 1990 [doi>10.1109/32.55088]
	25	Emil Lupu , Morris Sloman, A Policy Based Role Object Model, Proceedings of the 1st International Conference on Enterprise Distributed Object Computing, p.36-47, October 24-26, 1997
	26	Matunda Nyanchama , Sylvia Osborn, The role graph model and conflict of interest, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.3-33, Feb. 1999 [doi>10.1145/300830.300832]
	27	Sylvia Osborn, Mandatory access control and role-based access control revisited, Proceedings of the second ACM workshop on Role-based access control, p.31-40, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266751]
	28	Sylvia Osborn , Yuxia Guo, Modeling users in role-based access control, Proceedings of the fifth ACM workshop on Role-based access control, p.31-37, July 26-28, 2000, Berlin, Germany [doi>10.1145/344287.344299]
	29	SALTZER,J.,AND SCHROEDER, M. 1975. The protection of information in computer systems. Proc. IEEE 63, 9 (Sept.).
	30	Ravinderpal Singh Sandhu, The schematic protection model: its definition and analysis for acyclic attenuating schemes, Journal of the ACM (JACM), v.35 n.2, p.404-432, April 1988 [doi>10.1145/42282.42286]
	31	Ravi S. Sandhu, The Typed Access Matrix Model, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.122, May 04-06, 1992
	32	SANDHU, R. S. 1998. Transaction Control Expressions for Separation of Duties. In Proceeding of the 4th Aerospace Computer Security Applications Conference (Dec.).
	33	Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999 [doi>10.1145/300830.300839]
	34	SANDHU,R.S.,COYNE,E.J.,FEINSTEIN,H.F.,AND YOUMAN, C. E. 1994. Role-based access control: A multi-dimensional view. In Proceeding of the 10th Annual Computer Security Applications Conference (Dec.).
	35	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	36	Richard Simon , Mary Ellen Zurko, Separation of Duty in Role-based Environments, Proceedings of the 10th Computer Security Foundations Workshop (CSFW '97), p.183, June 10-12, 1997
	37	Lawrence Snyder, On the synthesis and analysis of protection systems, Proceedings of the sixth ACM symposium on Operating systems principles, p.141-150, November 16-18, 1977, West Lafayette, Indiana, United States
	38	Jonathon E. Tidswell , Trent Jaeger, Integrated constraints and inheritance in DTAC, Proceedings of the fifth ACM workshop on Role-based access control, p.93-102, July 26-28, 2000, Berlin, Germany [doi>10.1145/344287.344307]
	39	Jonathon E. Tidswell , Trent Jaeger, An access control model for simplifying constraint expression, Proceedings of the 7th ACM conference on Computer and communications security, p.154-163, November 01-04, 2000, Athens, Greece [doi>10.1145/352600.352622]
	40	Jonathon E. Tidswell , Geoffrey H. Outhred , John M. Potter, Dynamic rights: safe extensible access control, Proceedings of the fourth ACM workshop on Role-based access control, p.113-120, October 28-29, 1999, Fairfax, Virginia, United States [doi>10.1145/319171.319182]
	41	Jonathon Tidswell , John Potter, A Dynamically Typed Access Control Model, Proceedings of the Third Australasian Conference on Information Security and Privacy, p.308-319, July 01, 1998

CITED BY 30

	James B D Joshi , Elisa Bertino , Arif Ghafoor, Temporal hierarchies and inheritance semantics for GTRBAC, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	Andreas Schaad , Jonathan D. Moffett, A lightweight approach to specification and analysis of role-based access control extensions, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	Trent Jaeger , Antony Edwards , Xiaolan Zhang, Managing access control policies using access control spaces, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	David F. Ferraiolo , R. Chandramouli , Gail-Joon Ahn , Serban I. Gavrila, The role control center: features and case studies, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Elisa Bertino , Barbara Catania , Elena Ferrari , Paolo Perlasca, A logical framework for reasoning about access control models, ACM Transactions on Information and System Security (TISSEC), v.6 n.1, p.71-127, February 2003
	James B. D. Joshi , Basit Shafiq , Arif Ghafoor , Elisa Bertino, Dependencies and separation of duty constraints in GTRBAC, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Tanvir Ahmed , Anand R. Tripathi, Static verification of security requirements in role based CSCW systems, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Trent Jaeger , Xiaolan Zhang , Fidel Cacheda, Policy management using access control spaces, ACM Transactions on Information and System Security (TISSEC), v.6 n.3, p.327-364, August 2003
	Trent Jaeger , Reiner Sailer , Xiaolan Zhang, Resolving constraint conflicts, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Jason Crampton, Specifying and enforcing constraints in role-based access control, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Ninghui Li , Qihua Wang, Beyond separation of duty: an algebra for specifying high-level security policies, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Ninghui Li , Mahesh V. Tripunitara, Security analysis in role-based access control, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Karsten Sohr , Gail-Joon Ahn , Lars Migge, Articulating and enforcing authorisation policies with UML and OCL, ACM SIGSOFT Software Engineering Notes, v.30 n.4, July 2005
	Ninghui Li , Ziad Bizri , Mahesh V. Tripunitara, On mutually-exclusive roles and separation of duty, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA
	Ninghui Li , Qihua Wang, Beyond separation of duty: An algebra for specifying high-level security policies, Journal of the ACM (JACM), v.55 n.3, p.1-46, July 2008
	Ninghui Li , Mahesh V. Tripunitara , Qihua Wang, Resiliency policies in access control, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Ninghui Li , Mahesh V. Tripunitara, Security analysis in role-based access control, ACM Transactions on Information and System Security (TISSEC), v.9 n.4, p.391-420, November 2006
	Hong Chen , Ninghui Li, Constraint generation for separation of duty, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
	Xinwen Zhang , Ravi Sandhu , Francesco Parisi-Presicce, Safety analysis of usage control authorization models, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
	Jon A. Solworth, Approvability, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
	Andreas Schaad , Volkmar Lotz , Karsten Sohr, A model-checking approach to analysing organisational controls in a loan origination process, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
	Chaoyi Pang , David Hansen , Anthony Maeder, Managing RBAC states with transitive relations, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
	Trent Jaeger , Reiner Sailer , Xiaolan Zhang, Analyzing integrity protection in the SELinux example policy, Proceedings of the 12th conference on USENIX Security Symposium, p.5-5, August 04-08, 2003, Washington, DC
	Tanvir Ahmed , Anand R. Tripathi, Specification and verification of security requirements in a programming model for decentralized CSCW systems, ACM Transactions on Information and System Security (TISSEC), v.10 n.2, p.7-es, May 2007
	Gail-Joon Ahn , Hongxin Hu, Towards realizing a formal RBAC model in real systems, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
	Ninghui Li , Mahesh V. Tripunitara , Ziad Bizri, On mutually exclusive roles and separation-of-duty, ACM Transactions on Information and System Security (TISSEC), v.10 n.2, p.5-es, May 2007
	Michael LeMay , Omid Fatemieh , Carl A. Gunter, PolicyMorph: interactive policy transformations for a logical attribute-based access control framework, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
	James B. D. Joshi , Elisa Bertino , Arif Ghafoor , Yue Zhang, Formal foundations for hybrid hierarchies in GTRBAC, ACM Transactions on Information and System Security (TISSEC), v.10 n.4, p.1-39, January 2008
	Ninghui Li , Qihua Wang , Mahesh Tripunitara, Resiliency Policies in Access Control, ACM Transactions on Information and System Security (TISSEC), v.12 n.4, p.1-34, April 2009
	Ram Krishnan , Ravi Sandhu , Jianwei Niu , William H. Winsborough, Foundations for group-centric secure information sharing models, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy