A Comprehensive Formal Solution for Access Control Policies Management: Defect Detection, Analysis and Risk Assessment

Nowadays, the access control is becoming increasingly important for open, ubiquitous and critical systems. Nonetheless, efficient Administration, Management, Safety analysis and Risk assessment (AMSR) are recognized as fundamental and crucial challenges in todays access control infrastructures. In untrustworthy environment, the administration of an access control policy, which is a main security aspect, generally raises a critical analysis problem when the administration is distributed and/or potentially un-trusted users contribute to this process. Consequently, collusions attempts and inner threats may take place to generate crucial and invisible breaches to circumvent the policy. To address this issue, we introduce a rigorous and comprehensive solution for an efficient and secure management of access control policies. Our proposal gives a high visibility on the development process of an access control policy and allows in an elegant manner to detect, analyze and assess the risk associated to the policy defects. The strength of our proposal is that it relies on logic-like formalisms to ensure a high surety by verifying the correctness and the completeness of our formal reasoning. We rely on an example to illustrate the relevance of the proposal.

[1]  Faouzi Jaidi,et al.  An Approach to Formally Validate and Verify the Compliance of Low Level Access Control Policies , 2014, 2014 IEEE 17th International Conference on Computational Science and Engineering.

[2]  Jianling Sun,et al.  Security Policy Management for Systems Employing Role Based Access Control Model , 2009 .

[3]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[4]  Luigi V. Mancini,et al.  A graph-based formalism for RBAC , 2002, TSEC.

[5]  Sylvia L. Osborn,et al.  The role graph model and conflict of interest , 1999, TSEC.

[6]  Abderrahim Ghadi Modèle hiérarchique de contrôle d'accès d'UNIX basé sur un graphe de rôles , 2010 .

[7]  Jorge Lobo,et al.  Risk-based access control systems built on fuzzy inferences , 2010, ASIACCS '10.

[8]  Jorge Lobo,et al.  Risk-based security decisions under uncertainty , 2012, CODASPY '12.

[9]  Stéphane Coulondre,et al.  A relational database integrity framework for access control policies , 2010, Journal of Intelligent Information Systems.

[10]  Trent Jaeger On the increasing importance of constraints , 1999, RBAC '99.

[11]  R.W. Baldwin,et al.  Naming and grouping privileges to simplify security management in large databases , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[12]  Grzegorz Rozenberg,et al.  Handbook of Graph Grammars and Computing by Graph Transformations, Volume 1: Foundations , 1997 .

[13]  Vladimir A. Oleshchuk,et al.  Conformance Checking of RBAC Policy and its Implementation , 2005, ISPEC.

[14]  Adel Bouhoula,et al.  Advanced Techniques for Deploying Reliable and Efficient Access Control: Application to E-healthcare , 2016, Journal of Medical Systems.

[15]  Junshan Li,et al.  A Trust and Context Based Access Control Model for Distributed Systems , 2008, 2008 10th IEEE International Conference on High Performance Computing and Communications.

[16]  Régine Laleau,et al.  Taking into Account Functional Models in the Validation of IS Security Policies , 2011, CAiSE Workshops.

[17]  David F. Ferraiolo,et al.  On the formal definition of separation-of-duty policies and their composition , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[18]  David A. Basin,et al.  Automated analysis of security-design models , 2009, Inf. Softw. Technol..

[19]  Faouzi Jaidi,et al.  A Formal Approach Based on Verification and Validation Techniques for Enhancing the Integrity of Concrete Role Based Access Control Policies , 2015, CISIS 2015.

[20]  Faouzi Jaidi,et al.  A risk awareness approach for monitoring the compliance of RBAC-based policies , 2015, 2015 12th International Joint Conference on e-Business and Telecommunications (ICETE).

[21]  Indrajit Ray,et al.  TrustBAC: integrating trust relationships into the RBAC model for access control in open systems , 2006, SACMAT '06.

[22]  Ji Ma,et al.  Risk analysis in access control systems , 2010, 2010 Eighth International Conference on Privacy, Security and Trust.

[23]  Faouzi JAIDI,et al.  To Summarize the Problem of Non-Conformity in Concrete RBAC-Based Policies: Synthesis, System Proposal and Future Directives , 2015 .