Function-Based Access Control (FBAC): From Access Control Matrix to Access Control Tensor

The misuse of legitimate access to data is a serious information security concern for both organizations and individuals. From a security engineering viewpoint, this might be due to the failure of access control. Inspired by Functional Encryption, we introduce Function-Based Access Control (FBAC). From an abstract viewpoint, we suggest storing access authorizations as a three-dimensional tensor, or Access Control Tensor (ACT), rather than the two-dimensional Access Control Matrix (ACM). In FBAC, applications do not grant blindfolded execution rights and can only invoke commands that have been authorized for function-defined data segments. So, one might be authorized to use a certain command on one object, while being forbidden to use the same command on another object. Such behavior cannot be efficiently modeled using the classical access control matrix or achieved efficiently using cryptographic mechanisms. Here, we lay the theoretical foundations of FBAC and summarize our extended work on implementation and deployment recommendations.
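The difference between the two structures can be made concrete with a small sketch. This is an added example, not code from the paper: the choice of tensor axes (subject, command, data segment) is an assumption drawn from the abstract's wording, and all subjects, commands and segment names are constructed. It flattens a tensor into the two 2-D views a matrix-style check would consult and lists the cells that the flattened check allows but the tensor forbids.

```python
from itertools import product

# Constructed sample universe; the axis choice is an assumption, not the paper's definition.
SUBJECTS = ["alice", "bob"]
COMMANDS = ["view", "print", "export"]
SEGMENTS = ["report.summary", "report.salaries"]

# Access Control Tensor: the set of authorized (subject, command, segment) cells.
ACT = {
    ("alice", "view", "report.summary"),
    ("alice", "print", "report.summary"),
    ("alice", "view", "report.salaries"),
    ("bob", "view", "report.summary"),
}

def act_allows(subject, command, segment):
    """Tensor check: the exact triple must be authorized."""
    return (subject, command, segment) in ACT

def project_to_acm(act):
    """Flatten the tensor into two 2-D relations:
    subject x segment (may open) and subject x command (may execute)."""
    may_open = {(s, seg) for s, _, seg in act}
    may_exec = {(s, cmd) for s, cmd, _ in act}
    return may_open, may_exec

def acm_allows(acm, subject, command, segment):
    """Matrix-style check: the two rights are evaluated independently,
    so execution of the command is 'blindfolded' with respect to the segment."""
    may_open, may_exec = acm
    return (subject, segment) in may_open and (subject, command) in may_exec

def over_grants(act):
    """Cells the flattened check permits although the tensor does not."""
    acm = project_to_acm(act)
    return sorted(
        cell for cell in product(SUBJECTS, COMMANDS, SEGMENTS)
        if acm_allows(acm, *cell) and cell not in act
    )

if __name__ == "__main__":
    for cell in over_grants(ACT):
        print("allowed by flattened matrix, denied by tensor:", cell)
```

In this sample, alice may print the summary and may view the salaries, so the flattened check also lets her print the salaries, which the tensor never authorized.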
