Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA 2 Institute for Cyber-Security Research at the University of Texas, San Antonio, USA 3 Samsung Information Systems America, San Jose, CA, USA 4 Nanjing University of Aeronautics and Astronautics, Nanjing, China presented by Baoxian Zhao

Outline Reviewing access control models –Traditional access control models –Temporal access control models Construction of the TUCON model –Preliminaries of the TUCON model –Times-based authorizations –Authorization rules –The implementation of access control Conclusion and Future work

Reviewing existing access control models Traditional access control models >Discretionary Access Control (DAC) >Mandatory Access Control (MAC) >Role-based Access Control (RBAC) Temporal access control models > The temporal authorization models suggested by E.Bertino et al 94,96,98 »Only applied to the DAC model >Temporal Data Authorization Model (TDAM), A. Gal et al 02 »Adding transaction time and valid time >TRBAC 01, GTRBAC 05 >> Adding temporal constraints to RBAC Model

Limitations of existing access control models Primary consider authorization decisions constrained by certain time periods Authorizations are static authorization decisions > Authorizations are made at the requested time and hardly recognize ongoing controls for times constrained access or for immediate revocation > Once an authorization decision is made, the object can be accessed without limitation during a valid period!

Requirements of new access control Usage of a digital object can not only be time- independent, like read and write But also temporal and times-consuming, such as payment-based online reading, or a downloadable music file that can only be played 10 times within a valid period. It means that authorization can be updated during ongoing usage

The principle of the TUCON model Keeping the time periods »Authorizations are still constrained by the time periods Introducing usage times »Times are consumed, to meet the request that the usage of digital objects can be consumed and limited »Times are decreased by 1, to update authorization during a single access process New features of the TUCON model »Authorizations can be updated during ongoing usage. »Authorizations can be consumed »Effectively prevent systems from the attacks of DoS, such as nimda and red codes.

Difference From UCON In UCON model, it uses ABC (Authorization, oBligation, Condition) core models to solve these problems In TUCON model, we consider temporal and consumed factors as attributes of Authorizations rather than attributes of subjects or objects Support delegation TUCON is simple to be implemented.

Preliminaries of TUCON Definition 1 (Periodic expression) [ Bertino et al. 98] A periodic expression is defined as, where, and are calendars for and. Here let D present the set of all valid periods. Example : From 9:00 AM to 12:00PM during workdays Definition 2 (Times) Times are a set of natural numbers, formally defined as

Times-based Authorizations Definition 3 (Times Authorization) A times authorization is a 6-tuple pt,s, o, priv, pn, g, where, Example : Mary grants Bob 5 read privilege on the book of Sun (5, Bob, Sun, read, +, Mary) Definition 4 (Non-Times Authorization) When pt= -1 in a tuple of times authorization, we call this kind of times authorization non-times authorization.

Times-based Authorizations (cont) Definition 5 (Times-based Authorization) A times- based authorization is a 3-tuple (time, period, auth) where time represents a time interval, period is a periodical expression, and auth is a 6- tuple authorization. ( ) Example : Between Jan. 12, 2001 and Dec. 24, 2005, Tom has 6 times of privilege read on object file, but he can operate this privilege only on Tuesday each week. [1/12/2001, 12/24/2005] Weaks+2.days,(6,Tom, file, read,+, Sam) )

Authorization rules Definition 6 (Grant Rule) A grant rule is defined as the form of: Li can be a trigger condition expression. Example 1 In an application system Business_system, if a registered user Bob pre-pays $1000, he can enjoy a certain super-value service m for 6 times during every Friday since the time 09/12/2006. Let this privilege be super. access( [09/12/2006,+ ], Weeks+5.days, (6, Bob, m, super, +, Business_system)) prepay(Bob,1000) & register (Bob)

Authorization rules (cont) Definition 7 (Derived Rule) A derived rule is defined as the form of: Li can be access with conditional expressions Example 2 Now Bob wants to transfer 3 times for enjoying the service m to another user Alice. deraccess( [09/12/2006,+ ], Weeks+5.days, (3, Alice, m, super, +, Business_system)) access ( [09/12/2006,+ ], Weeks+5.days, (6, Bob, m, super,+, Business system)) & give(3, Alice, m, super, Bob) & less(3,6) deraccess( [09/12/2006,+ ], Weaks+5.days, (3, Bob, m, super, +, Business_system)) access ( [09/12/2006,+ ], Weeks+5.days, (6, Bob, m, super,+, Business system)) & give(3, Alice, m, super, Bob) & less(3,6)

Authorization rules (cont) Definition 8 (Resolution Rule) A resolution rule is defined as the form of: Li can be access or deraccess or condition expressions specified by security policy Example 3 In example 2, if Alice has 4 times super right on service m. force_access( [09/12/2006,+ ], Weaks+5.days, (7, Alice, m, super, +, Business_system)) access ( [09/12/2006,+ ], Weeks+5.days, (4, Alice, m, super, +, Business system)) & deraccess ( [09/12/2006,+ ], Weeks+5.days, (3, Alice, m, super, +, Business system))

THEOREM 1 ( Completeness) The policy in TUCON can be specified by a non-empty set of TUCON rules. Proof: 1 no conflict decisions 2 specifying all possible decisions Completeness of rules

The Implementation of Access control Grant privileges Access objects Revoke privileges

Grant privileges Times-based authorization >here, pt >0 and pn= + Unlimited authorization >pt=-1 and pn = + How about Times-based authorization &Unlimited authorization?

Access objects Times-based Authorization Base (TAB) > A set of authorizations, in which there is no conflict authorizations. Valid Access Function > A function to check every access request against the current TAB to determine whether the access is authorized.

Revoke privileges Time intervals > time intervals is expired! Usage Times > pt=0 Other factors > Abusing privileges > Breaking security policies

Conclusion and Future Work Wide applications, especially in times- metered systems Viewed as a solution to some specific problems of mutable attributes in modern access control Extend the model by considering different intervals and different periods. Develop the administration of authorization in UCON Using temporal logic to express?

Any Question? Thank you !