Hard Instances for Verification Problems in Access Control

We address the generation and analysis of hard instances for verification problems in access control that are NP-hard. Given the customary assumption that P ≠ NP, we know that such classes exist. We focus on a particular problem, the user-authorization query problem (UAQ) in Role-Based Access Control (RBAC). We show how to systematically generate hard instances for it. We then analyze what we call the structure of those hard instances. Our work brings the important aspect of systematic investigation of hard input classes to access control research.
