Research article. DOI: 10.1145/2413296.2413307

The need for application-aware access control evaluation

Published: 18 September 2012

Abstract

Access control is an area where one size does not fit all. However, previous work in access control has focused solely on expressiveness as an absolute measure. Thus, we discuss and justify the need for a new type of evaluation framework for access control, one that is application-aware. To this end, we apply previous work in access control evaluation, as well as lessons learned from evaluation frameworks used in other domains. We describe the analysis components required by such a framework, the challenges involved in building it, and our preliminary work in realizing this ambitious goal. We then theorize about other areas within the security domain that display a similar absence of such evaluation tools, and consider ways in which we can adapt our framework to analyze these broader types of security workloads.


NSPW '12: Proceedings of the 2012 New Security Paradigms Workshop
September 2012
162 pages
ISBN:9781450317948
DOI:10.1145/2413296

Sponsors

  • ACSA: Applied Computing Security Association

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. access control scheme
  2. application-aware
  3. expressiveness
  4. suitability analysis

Qualifiers

  • Research-article

Conference

NSPW '12: The New Security Paradigms Workshop, September 18 - 21, 2012, Bertinoro, Italy
Sponsor:
  • ACSA

Acceptance Rates

Overall acceptance rate: 98 of 265 submissions (37%)
