Prosunjit Biswas, Ravi Sandhu and Ram Krishnan

Slides:



Advertisements
Similar presentations
1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.
Advertisements

Privacy-Enhancing Models and Mechanisms for Securing Provenance and its Use October 2010 Lead PI: Ravi Sandhu (UT San Antonio) PIs: Elisa Bertino (Purdue),
ROWLBAC – Representing Role Based Access Control in OWL
A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,
Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
Stale-Safe Security Properties for Secure Information Sharing Ram Krishnan (GMU) Jianwei Niu (UT San Antonio) Ravi Sandhu (UT San Antonio) William Winsborough.
Institute for Cyber Security
A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.
Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA.
11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.
1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.
Attribute-Based Access Control Models and Beyond
On Comparing the Expressing Power of Access Control Model Frameworks Workshop on Logical Foundations of an Adaptive Security Infrastructure (WOLFASI) A.
Ubiquitous Access Control Workshop 1 7/17/06 Access Control and Authentication for Converged Networks Z. Judy Fu John Strassner Motorola Labs {judy.fu,
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.
1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!
1 World-Leading Research with Real-World Impact! Authorization Federation in IaaS Multi Cloud Navid Pustchi, Ram Krishnan and Ravi Sandhu SCC 2015.
11 World-Leading Research with Real-World Impact! A Group-Centric Model for Collaboration with Expedient Insiders in Multilevel Systems Khalid Zaman Bijon,
INSTITUTE FOR CYBER SECURITY © Ravi Sandhu11 Group-Centric Information Sharing Ravi Sandhu Executive Director and Endowed Professor Institute for Cyber.
1 RABAC : Role-Centric Attribute-Based Access Control MMM-ACNS 2012 Xin Jin, Ravi Sandhu, Ram Krishnan University of Texas at San Antonio San Antonio,
Object Oriented Multi-Database Systems An Overview of Chapters 4 and 5.
Scaling Heterogeneous Databases and Design of DISCO Anthony Tomasic Louiqa Raschid Patrick Valduriez Presented by: Nazia Khatir Texas A&M University.
INSTITUTE FOR CYBER SECURITY A Hybrid Enforcement Model for Group-Centric Secure Information Sharing (g-SIS) Co-authored with Ram Krishnan, PhD Candidate,
Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:
Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
A Conceptual Framework for Group-Centric Secure Information Sharing Ram Krishnan (George Mason University) Ravi Sandhu, Jianwei Niu, William Winsborough.
CSC 8320 Advanced Operating System Discretionary Access Control Models Presenter: Ke Gao Instructor: Professor Zhang.
Authorization Policy Specification and Enforcement for Group-Centric Secure Information Sharing Ram Krishnan and Ravi Sandhu University of Texas at San.
1 XACML for RBAC and CADABRA Constrained Delegation and Attribute-Based Role Assignment Brian Garback © Brian Garback 2005.
Mexico’s Experience Monitoring Millennium Development Goals New York, 17 th December, 2013 Enrique Ordaz INEGI 1 Open Working Group.
Ram Krishnan (George Mason University) Ravi Sandhu, Jianwei Niu, William Winsborough (University of Texas at San Antonio) Foundations for Group-Centric.
1 Authorization Federation in Multi-Tenant Multi-Cloud IaaS Navid Pustchi Advisor: Prof. Ravi Sandhu.
ReBAC in ABAC Tahmina Ahmed Department of Computer Science University of Texas at San Antonio 4/29/ Institute for Cyber Security World-Leading Research.
INSTITUTE FOR CYBER SECURITY 1 Purpose-Centric Secure Information Sharing Ravi Sandhu Executive Director and Endowed Professor Institute for Cyber Security.
Presented By: Smriti Bhatt
Institute for Cyber Security
Institute for Cyber Security
Institute for Cyber Security An Attribute-Based Protection Model
Access Control Model for the Hadoop Ecosystem
Institute for Cyber Security
Institute for Cyber Security
Institute for Cyber Security
Past, Present and Future
Institute for Cyber Security
Institute for Cyber Security
Institute for Cyber Security
World-Leading Research with Real-World Impact!
An Access Control Perspective on the Science of Security
World-Leading Research with Real-World Impact!
Attribute-Based Access Control: Insights and Challenges
On the Value of Access Control Models
Institute for Cyber Security
Institute for Cyber Security
Institute for Cyber Security
Attribute-Based Access Control (ABAC)
Cyber Security Research: Applied and Basic Combined*
Securing Home IoT Environments with Attribute-Based Access Control
Attribute-Based Access Control: Insights and Challenges
A Prologue to Enumerated Authorization Policy ABAC Model.
Institute for Cyber Security
Cyber Security Research: A Personal Perspective
Cyber Security Research: Applied and Basic Combined*
Attribute-Based Access Control (ABAC)
Access Control Evolution and Prospects
Ph.D. Dissertation Defense
Access Control Evolution and Prospects
Presentation transcript:

A Comparison of Logical-Formula and Enumerated Authorization Policy ABAC Models Prosunjit Biswas, Ravi Sandhu and Ram Krishnan The University of Texas at San Antonio DBSec 2016 July 18, 2016

ABAC ABAC model components Users (U), subjects (S), objects (O), their attributes (UA, SA, OA) and access rights (R) Authorization policies… R

ABAC Auth Policies Boolean expression Set of authorizing tuples E.g.: auth(u,o,read) ↔ age(u)>18  age(u) <25 ABACα (Jin et al, DBSec 2012), HGABAC (Servos et al, FPS 2014) Set of authorizing tuples E.g.: {(age(u),19), (age(u),20), …(age(u),24)} Policy Machine (JSA 2011), 2-sorted-RBAC (Kuijper et al, SACMAT 2014)

Objective Gain insights into different forms of ABAC auth policy representations Logical Authorization Policy ABAC (LAP-ABAC) Enumerated Authorization Policy ABAC (EAP-ABAC) Quantitative and qualitative comparison Expressive power, ease of administration, etc. ABAC Auth Design Scale LAP-ABAC EAP-ABAC ??

Attribute Domain Assume attributes as functions UA = {age,clr,friends} Range(age) = {1…100}, Range(clr) = {H,L}, and Range(friends) = U Example finite domain attributes Age of user, roles of user, object classification, etc. Example unbounded domain attributes Friends of user, editors of objects, etc. We assume attribute domains to be finite

Contributions and Results Summary Candidate LAP-ABAC and EAP-ABAC models for the purpose of this investigation LAP-ABAC and EAP-ABAC are equally expressive (recall finite domain) Single (e.g. UA = {age}) and multi-attribute (e.g. UA = {age,group,clr}) ABACs are equally expressive However, LAP-ABACs and EAP-ABACs have their pros and cons on qualitative aspects

EAP-ABACm,n

LAP-ABACm,n

Expressive Power Equivalence Framework used: Tripunitara et al, A theory for comparing the expressive power of access control models, JCS 2007.

Auth Specification in LAP-ABAC Multiple ways to set up a policy (Authread allows manager to read TS objects from home or office).

Auth Update in LAP-ABAC Update Authread so that manager can no longer read TS objects from home

Auth Update in EAP-ABAC

Canonicalization of EAP-ABAC Suppose Authwrite = {({mgr},{TS}), ({mgr,Dir},{TS})} This can be reduced to Authwrite = {({mgr},{TS})} EAP-ABAC auth policies can be efficiently canonicalized as per policy semantics

Comparison Easy to setup Rich & flexible Concise Homogeneous Micro policy Easy to update Pros LAP-ABAC EAP-ABAC Difficult to update Monolithic Heterogeneous Large in size Difficult to setup Cons

Conclusion ABAC should be designed with objectives that go beyond expressive power E.g.: Administration of authorization policy Setting up new policies, update existing policies, etc ABAC Auth Design Scale LAP-ABAC EAP-ABAC ??

Q&A Thank you! Consider submitting your work to ACM CODASPY ’16 Submission deadline: Sept 15, 2016 http://www.codaspy.org/ Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.