Security analysis for temporal role based access control

Providing restrictive and secure access to resources is a challenging and socially important problem. Among the many formal security models, Role Based Access Control (RBAC) has become the norm for enforcing security in many of today's organizations. For every model it is necessary to analyze and prove that the corresponding system is secure. Such analysis helps in understanding the implications of security policies, gives organizations confidence in the control they have over resources while providing access, and helps them devise and maintain policies. In this paper, we consider security analysis for Temporal RBAC (TRBAC), one of the extensions of RBAC. The TRBAC considered in this paper allows temporal restrictions on roles themselves, user-permission assignments (UA), permission-role assignments (PA), as well as role hierarchies (RH). Towards this end, we first propose a suitable administrative model that governs changes to temporal policies. Then we propose our security analysis strategy, which essentially decomposes the temporal security analysis problem into smaller and more manageable RBAC security analysis sub-problems, for which existing RBAC security analysis tools can be employed. We then evaluate the approach from a practical perspective by measuring its performance on simulated data sets.
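The abstract describes decomposing a temporal security analysis problem into plain RBAC sub-problems. The following Python example is an added illustration of that idea and is not code from the paper; it assumes the decomposition is taken over time (every maximal time slice during which the set of enabled roles, UA, PA and RH edges is constant becomes one ordinary RBAC instance), uses integer hours of a single day as the time domain, and answers a simple per-slice query ("which permissions can this user obtain, including via hierarchy inheritance?"). The paper's own administrative model and its reachability-style analysis are not reproduced here; this only shows how the temporal policy reduces to a list of RBAC snapshots that an existing RBAC analyzer could consume. The hospital-style policy at the bottom is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Half-open interval [start, end) over integer hours of a day (assumption for this example).
Interval = Tuple[int, int]


@dataclass
class TRBACPolicy:
    """Temporal RBAC policy: every element carries the interval during which it is in force."""
    roles: Dict[str, Interval]                 # role -> enabling interval
    ua: List[Tuple[str, str, Interval]]        # (user, role, interval)
    pa: List[Tuple[str, str, Interval]]        # (permission, role, interval)
    rh: List[Tuple[str, str, Interval]]        # (senior, junior, interval): senior inherits junior


@dataclass(frozen=True)
class RBACSnapshot:
    """A plain (non-temporal) RBAC instance valid throughout one time slice."""
    roles: FrozenSet[str]
    ua: FrozenSet[Tuple[str, str]]
    pa: FrozenSet[Tuple[str, str]]
    rh: FrozenSet[Tuple[str, str]]


def _covers(iv: Interval, t: int) -> bool:
    return iv[0] <= t < iv[1]


def breakpoints(policy: TRBACPolicy) -> List[int]:
    """All instants at which some temporal element starts or stops being in force."""
    pts: Set[int] = set()
    for iv in policy.roles.values():
        pts.update(iv)
    for *_, iv in policy.ua + policy.pa + policy.rh:
        pts.update(iv)
    return sorted(pts)


def snapshot_at(policy: TRBACPolicy, t: int) -> RBACSnapshot:
    """Project the temporal policy onto instant t, dropping anything tied to a disabled role."""
    roles = {r for r, iv in policy.roles.items() if _covers(iv, t)}
    ua = {(u, r) for u, r, iv in policy.ua if _covers(iv, t) and r in roles}
    pa = {(p, r) for p, r, iv in policy.pa if _covers(iv, t) and r in roles}
    rh = {(s, j) for s, j, iv in policy.rh if _covers(iv, t) and s in roles and j in roles}
    return RBACSnapshot(frozenset(roles), frozenset(ua), frozenset(pa), frozenset(rh))


def decompose(policy: TRBACPolicy) -> List[Tuple[Interval, RBACSnapshot]]:
    """Split the day into slices with a constant RBAC snapshot; merge adjacent identical slices."""
    pts = breakpoints(policy)
    slices: List[Tuple[Interval, RBACSnapshot]] = []
    for start, end in zip(pts, pts[1:]):
        snap = snapshot_at(policy, start)  # policy is constant on [start, end)
        if slices and slices[-1][1] == snap:
            (s0, _), _ = slices[-1]
            slices[-1] = ((s0, end), snap)
        else:
            slices.append(((start, end), snap))
    return slices


def permissions_of(snap: RBACSnapshot, user: str) -> Set[str]:
    """Permissions reachable by a user in one snapshot: direct roles plus hierarchy closure."""
    held = {r for u, r in snap.ua if u == user}
    frontier = list(held)
    while frontier:
        r = frontier.pop()
        for senior, junior in snap.rh:
            if senior == r and junior not in held:
                held.add(junior)
                frontier.append(junior)
    return {p for p, r in snap.pa if r in held}


def when_can_access(policy: TRBACPolicy, user: str, perm: str) -> List[Interval]:
    """Maximal intervals during which `user` can obtain `perm`, assembled from per-slice answers."""
    out: List[Interval] = []
    for iv, snap in decompose(policy):
        if perm in permissions_of(snap, user):
            if out and out[-1][1] == iv[0]:
                out[-1] = (out[-1][0], iv[1])   # coalesce with the previous contiguous slice
            else:
                out.append(iv)
    return out


# Constructed sample policy: on_call is only enabled at night, bob's nurse assignment is a day shift.
POLICY = TRBACPolicy(
    roles={"doctor": (0, 24), "nurse": (0, 24), "on_call": (18, 24)},
    ua=[("alice", "doctor", (0, 24)), ("bob", "nurse", (8, 20)), ("bob", "on_call", (18, 24))],
    pa=[("read_record", "nurse", (0, 24)), ("prescribe", "doctor", (0, 24)),
        ("emergency_override", "on_call", (18, 24))],
    rh=[("doctor", "nurse", (0, 24))],
)

if __name__ == "__main__":
    for iv, snap in decompose(POLICY):
        print(iv, sorted(snap.roles), sorted(snap.ua))
    print("bob/read_record:", when_can_access(POLICY, "bob", "read_record"))
    print("alice/read_record:", when_can_access(POLICY, "alice", "read_record"))
```

Each entry returned by `decompose` is a self-contained RBAC instance, so any existing RBAC analysis tool can be run on it unchanged; the number of sub-problems is bounded by the number of distinct interval endpoints in the policy, which is what makes the sub-problems small. Note that a user assigned to a role whose enabling interval has ended (bob's `on_call` outside 18:00 to 24:00) silently loses the role's permissions, which is exactly the kind of interaction between role enabling and assignment intervals a temporal analysis has to surface.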
