A framework for the extended evaluation of ABAC policies

A main challenge of attribute-based access control (ABAC) is the handling of missing information. Several studies have shown that the way standard ABAC mechanisms (e.g., those based on XACML) handle missing information is flawed, making ABAC policies vulnerable to attribute-hiding attacks. Recent work has addressed the problem of missing information in ABAC by introducing the notion of extended evaluation, where the evaluation of a query considers all queries that can be obtained by extending the initial query. This method counters attribute-hiding attacks, but a naïve implementation is intractable, as it requires an evaluation of the whole query space. In this paper, we present a framework for the extended evaluation of ABAC policies. The framework relies on Binary Decision Diagrams (BDDs) for the efficient computation of the extended evaluation of ABAC policies. We also introduce the notions of query constraints and attribute value power: the former avoids evaluating queries that do not represent a valid state of the system, and the latter identifies which attribute values should be considered in the computation of the extended evaluation. We illustrate our framework using three real-world policies, which would be intractable with the original method but which are analyzed in seconds using our framework.
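The contrast between simple and extended evaluation described above, as an added example that is not code from the paper: it enumerates every extension of a query, which is the exponential cost the abstract calls intractable. The toy deny-overrides policy, the attribute universe, the single-role constraint and the choice to return the set of reachable decisions are assumptions made for illustration.

```python
from itertools import combinations

# Constructed attribute-value universe (assumption, not taken from the paper).
UNIVERSE = [("role", "doctor"), ("role", "intern"), ("status", "suspended")]


def evaluate(query):
    """Simple evaluation of a toy deny-overrides policy on a set of (attr, value) pairs."""
    q = set(query)
    if ("status", "suspended") in q:   # deny rule
        return "Deny"
    if ("role", "doctor") in q:        # permit rule
        return "Permit"
    return "NotApplicable"             # no rule matched


def extensions(query, universe=UNIVERSE):
    """Yield every query obtained by adding zero or more pairs: 2^n of them."""
    q = frozenset(query)
    rest = [pair for pair in universe if pair not in q]
    for k in range(len(rest) + 1):
        for extra in combinations(rest, k):
            yield q | frozenset(extra)


def single_role(query):
    """Hypothetical query constraint: a subject holds at most one role."""
    return sum(1 for attr, _ in query if attr == "role") <= 1


def extended_evaluate(query, valid=lambda q: True):
    """Naive extended evaluation: decisions reachable from any valid extension."""
    return {evaluate(e) for e in extensions(query) if valid(e)}


if __name__ == "__main__":
    hidden = {("role", "doctor")}      # requester withheld status=suspended
    print(evaluate(hidden))            # simple evaluation grants access
    print(extended_evaluate(hidden))   # extended evaluation shows Deny is reachable
    print(extended_evaluate({("role", "intern")}, valid=single_role))
```

A result set with more than one decision signals that the outcome depends on information the query did not supply; the constraint prunes extensions that cannot occur in the system.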
