Automated fixing of access policy implementation in Industrial Networked Systems

Access control (AC) is the core of every architectural solution for information security. Indeed, no effective protection scheme can abstract from the careful design of access control policies, and infrastructures underlying modern Industrial Networked Systems (INSs) are not exceptions from this point of view. This paper presents a comprehensive framework for INS access control. The proposed approach enables the description of both positive and negative AC policies, by applying the Role Based Access Control (RBAC) paradigm to typical INS implementations, while taking into account different levels of abstraction. Suitable techniques are adopted to check whether or not policies are correctly implemented in the system (verification). When conflicts are detected, possible (re)assignments of credentials to the system users are automatically computed, that can be adopted to correct anomalies (conflict resolution).

[1]  David M. Nicol,et al.  PolicyGlobe: a framework for integrating network and operating system security policies , 2009, SafeConfig '09.

[2]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[3]  Elisa Bertino,et al.  On the Complexity of Authorization in RBAC under Qualification and Security Constraints , 2011, IEEE Transactions on Dependable and Secure Computing.

[4]  Tevfik Bultan,et al.  Automated verification of access control policies using a SAT solver , 2008, International Journal on Software Tools for Technology Transfer.

[5]  William H. Sanders,et al.  Usable Global Network Access Policy for Process Control Systems , 2008, IEEE Security & Privacy Magazine.

[6]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[7]  Gail-Joon Ahn,et al.  Anomaly discovery and resolution in web access control policies , 2011, SACMAT '11.

[8]  Cataldo Basile,et al.  Assessing network authorization policies via reachability analysis , 2017, Comput. Electr. Eng..

[9]  Adriano Valenzano,et al.  A twofold model for the analysis of access control policies in industrial networked systems , 2015, Comput. Stand. Interfaces.

[10]  William H. Sanders,et al.  Experiences Validating the Access Policy Tool in Industrial Settings , 2010, 2010 43rd Hawaii International Conference on System Sciences.

[11]  Martin C. Rinard,et al.  Automatic error finding in access-control policies , 2011, CCS '11.

[12]  Adriano Valenzano,et al.  Semiautomated Verification of Access Control Implementation in Industrial Networked Systems , 2015, IEEE Transactions on Industrial Informatics.

[13]  Adriano Valenzano,et al.  Review of Security Issues in Industrial Networks , 2013, IEEE Transactions on Industrial Informatics.

[14]  Luigi V. Mancini,et al.  Conflict Detection and Resolution in Access Control Policy Specifications , 2002, FoSSaCS.

[15]  Alessandro Panebianco,et al.  Application-Sensitive Access Control Evaluation Using Parameterized Expressiveness , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[16]  Lionel C. Briand,et al.  Automated Inference of Access Control Policies for Web Applications , 2015, SACMAT.

[17]  Helge Janicke,et al.  Verification and enforcement of access control policies , 2013, Formal Methods Syst. Des..