Policy management using access control spaces

We present the concept of an access control space and investigate how it may be useful in managing access control policies. An access control space represents the permission assignment state of a subject or role. For example, the set of permissions explicitly assigned to a role defines its specified subspace, and the set of constraints precluding assignment to that role defines its prohibited subspace. In analyzing these subspaces, we identify two problems: (1) often a significant portion of an access control space has unknown assignment semantics, which indicates that the policy is underspecified; and (2) often high-level assignments and constraints that are easily understood result in conflicts, where resolution often leads to significantly more complex specifications. We have developed a prototype system, called Gokyo, that computes access control spaces. Gokyo identifies the unknown subspace to assist system administrators in developing more complete policy specifications. Also, Gokyo identifies conflicting subspaces and enables system administrators to resolve conflicts in a variety of ways in order to preserve the simplicity of constraint specification. We demonstrate Gokyo by analyzing a Web server policy example and examine its utility by applying it to the SELinux example policy. Even for the extensive SELinux example policy, we find that only eight additional expressions are necessary to resolve Apache administrator policy conflicts.
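To make the subspace partition concrete, the following is an added worked example written for this page; it is not Gokyo and not the paper's own code. It models one role's access control space as the set of all (object type, operation) pairs, takes explicit assignments as the specified subspace and constraint predicates as the prohibited subspace, and derives the conflicting and unknown subspaces the abstract describes. The role name, object types, operations, constraint forms, and both resolution strategies are assumptions constructed for illustration.

```python
"""Compute the access control subspaces of a single role.

Constructed illustration of the specified / prohibited / unknown / conflict
partition from the abstract.  Not Gokyo and not the paper's code: the object
types, operations, role, and constraint predicates are assumptions.
"""
from itertools import product

# Assumed permission universe for a Web server role: every (object, op) pair.
OBJECT_TYPES = ("httpd_config", "httpd_content", "httpd_cgi",
                "httpd_log", "shadow_file")
OPERATIONS = ("read", "write", "execute")
UNIVERSE = frozenset(product(OBJECT_TYPES, OPERATIONS))

# Specified subspace: permissions explicitly assigned to the role (constructed).
ASSIGNED = frozenset({
    ("httpd_config", "read"),
    ("httpd_content", "read"),
    ("httpd_cgi", "execute"),
    ("httpd_log", "read"),
    ("httpd_log", "write"),   # will collide with the no-write constraint
})

# Constraints are predicates over a permission; any permission matching one
# constraint lies in the prohibited subspace.  Both are constructed examples.
SECRET_TYPES = frozenset({"shadow_file"})

def no_write(perm):
    """The role must never modify any object."""
    return perm[1] == "write"

def no_secret_access(perm):
    """The role must never touch secret object types."""
    return perm[0] in SECRET_TYPES

CONSTRAINTS = (no_write, no_secret_access)


def access_control_space(universe, assigned, constraints):
    """Partition `universe` into the four subspaces named in the abstract."""
    specified = frozenset(assigned) & universe
    prohibited = frozenset(p for p in universe if any(c(p) for c in constraints))
    conflict = specified & prohibited            # assigned AND precluded
    unknown = universe - specified - prohibited  # no assignment semantics
    return {"specified": specified, "prohibited": prohibited,
            "conflict": conflict, "unknown": unknown}


def resolve_by_removing_assignment(assigned, conflict):
    """Resolution 1: drop the conflicting assignments; constraints stay simple."""
    return frozenset(assigned) - frozenset(conflict)


def resolve_by_exception(constraints, exceptions):
    """Resolution 2: keep the assignments and add one explicit exception
    expression that carves `exceptions` out of every constraint."""
    exceptions = frozenset(exceptions)

    def with_exception(c):
        return lambda perm: c(perm) and perm not in exceptions

    return tuple(with_exception(c) for c in constraints)


def main():
    space = access_control_space(UNIVERSE, ASSIGNED, CONSTRAINTS)
    for name in ("specified", "prohibited", "conflict", "unknown"):
        print(f"{name:>10}: {sorted(space[name])}")

    # Option 1: remove the conflicting assignment.
    assigned1 = resolve_by_removing_assignment(ASSIGNED, space["conflict"])
    print("after removal, conflicts:",
          access_control_space(UNIVERSE, assigned1, CONSTRAINTS)["conflict"])

    # Option 2: keep the assignment, add an exception to the constraints.
    constraints2 = resolve_by_exception(CONSTRAINTS, space["conflict"])
    print("after exception, conflicts:",
          access_control_space(UNIVERSE, ASSIGNED, constraints2)["conflict"])


if __name__ == "__main__":
    main()
```

The unknown subspace it reports (for instance execute on the log and config types) is exactly what an administrator would be prompted to specify or prohibit; the two resolutions show the trade-off the abstract mentions, either shrinking the assignment set or adding one more expression to keep a broad, easily understood constraint.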
