Decidable Administrative Controls based on Security Properties

A security property is a high-level statement about what may occur (is authorized) within a system. One of the oldest such properties is information flow confidentiality. Given a security property p, an authorization model should ideally be expressive for p (able to both enforce p in some parts of the system and permit its violation in others), robust (able to change its authorization state without invalidating p where p holds), and analyzable (so that it can be determined where p holds). Of particular interest in analyzing an authorization model is the decidability of security properties: if the model is not analyzable, how does one know what protections it provides? Protection operates at two levels: the ordinary privileges, and the ability to change the system through administrative controls. Administrative controls provide a graceful means of making the inevitable modifications to the system, that is, of building robust authorization systems. To date, existing authorization systems are known to achieve at most two of expressiveness, robustness, and decidability with respect to a security property. This paper proves that a previously proposed authorization model with administrative controls is decidable with respect to information flow confidentiality, thereby achieving all three goals simultaneously.
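To make the three goals concrete, the following is an added example; it is not code from the paper, and the paper's own authorization model is not reproduced here. It uses a constructed lattice of compartment sets as labels, Bell-LaPadula-style read/write rules as the confidentiality property p, an unguarded administrative grant rule beside a property-based one, and a reachability search over the finite administrative state space as the decision procedure. All names (LABELS, grant_property_based, analyze, and so on) are the example's own assumptions.

```python
from collections import deque
from itertools import product

# Constructed toy model (not the paper's model): a label is a frozenset of
# compartments ordered by inclusion, which forms a lattice under union/intersection.
RIGHTS = ("read", "write")

LABELS = {
    "s_low": frozenset(),             # subject cleared for nothing sensitive
    "s_high": frozenset({"secret"}),  # subject cleared for "secret"
    "o_low": frozenset(),             # public object
    "o_high": frozenset({"secret"}),  # secret object
}


def flows_up(src, dst):
    """Information may flow from label src to label dst iff src <= dst."""
    return src <= dst


def confidentiality_holds(labels, acl):
    """The property p: every permitted access carries information only upward.
    A read moves data object -> subject; a write moves data subject -> object.
    The label order is transitive, so checking each edge covers every path."""
    for s, o, r in acl:
        if r == "read" and not flows_up(labels[o], labels[s]):
            return False
        if r == "write" and not flows_up(labels[s], labels[o]):
            return False
    return True


def grant_unconstrained(labels, acl):
    """Administrative rule with no guard: any missing right may be granted."""
    subjects = sorted(n for n in labels if n.startswith("s_"))
    objects = sorted(n for n in labels if n.startswith("o_"))
    for s, o, r in product(subjects, objects, RIGHTS):
        if (s, o, r) not in acl:
            yield f"grant({s},{o},{r})", acl | {(s, o, r)}


def grant_property_based(labels, acl):
    """Administrative rule guarded by p: a grant is refused when the resulting
    state would violate confidentiality. This is the 'property based' idea:
    the state may still change freely (robustness) without invalidating p."""
    for op, succ in grant_unconstrained(labels, acl):
        if confidentiality_holds(labels, succ):
            yield op, succ


def analyze(labels, initial_acl, admin_rule):
    """Decide whether p holds in every state reachable through admin_rule.
    Returns (holds, counterexample_trace_or_None, states_explored).
    Termination: labels never change and the ACL is a subset of the finite
    set subjects x objects x RIGHTS, so the reachable state space is finite."""
    seen = {initial_acl}
    queue = deque([(initial_acl, [])])
    while queue:
        acl, trace = queue.popleft()
        if not confidentiality_holds(labels, acl):
            return False, trace, len(seen)
        for op, succ in admin_rule(labels, acl):
            if succ not in seen:
                seen.add(succ)
                queue.append((succ, trace + [op]))
    return True, None, len(seen)


if __name__ == "__main__":
    ok, _, n = analyze(LABELS, frozenset(), grant_property_based)
    print(f"property-based grants: p holds in all {n} reachable states: {ok}")
    ok, trace, _ = analyze(LABELS, frozenset(), grant_unconstrained)
    print(f"unconstrained grants: p holds: {ok}; counterexample: {trace}")
```

With the property-based rule the analysis visits every ACL built from the six label-compatible rights (64 states) and finds p intact in all of them; with the unguarded rule it stops at the first administrative step that lets the high subject write a low object. The point of the example is the shape of the argument rather than the toy itself: decidability comes from a finite, enumerable administrative state space, and robustness from administrative operations that are guarded by p rather than by ad hoc restrictions.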