Presentation is loading. Please wait.

Presentation is loading. Please wait.

Institute for Cyber Security

Published byMervin Henderson Modified over 6 years ago

Similar presentations

Presentation on theme: "Institute for Cyber Security"— Presentation transcript:

1 Institute for Cyber Security
ABAC with Group Attributes and Attribute Hierarchies Utilizing the Policy Machine 2nd ACM Workshop on Attribute-Based Access Control (ABAC) March 24, 2017 By Smriti Bhatt, Farhan Patwa and Ravi Sandhu Department of Computer Science University of Texas at San Antonio World-Leading Research with Real-World Impact!

2 World-Leading Research with Real-World Impact!
Outline Introduction Motivation Background & Related Work A Restricted HGABAC (rHGABAC) Model Policy Machine (PM) and its Architecture Authorization Architecture rHGABAC Utilizing Policy Machine Use Cases Policy Evaluation in PM Conclusion © Smriti Bhatt World-Leading Research with Real-World Impact!

3 World-Leading Research with Real-World Impact!
Introduction Attribute-Based Access Control (ABAC) Access control based on attributes of users and objects Flexible and fine grained access control model Core Entities: Users Objects Attributes (Users & Objects) Permissions/Actions Authorization Policy © Smriti Bhatt World-Leading Research with Real-World Impact!

4 Introduction Many different ABAC models
Authorization policy specification in ABAC Models Additional components and capabilities in ABAC User and Object Groups Group Attributes and Group Hierarchy Attribute Hierarchy ABAC Models LAPs EAPs LAPs – Logical-Formula Authorization Policy EAPs – Enumerated Authorization Policy ( uai , oaj ) © Smriti Bhatt World-Leading Research with Real-World Impact!

5 World-Leading Research with Real-World Impact!
Motivation ABAC models and policies in real-world applications Enforcement of ABAC policies through existing ABAC frameworks and tools XACML Policy Machine Ease of policy and attribute administration and management LAP EAP © Smriti Bhatt World-Leading Research with Real-World Impact!

6 Background & Related Work
HGABAC – A hierarchical attribute-based access control model User and Object Groups Group Attributes and Hierarchies HABE – A hierarchical attribute-based encryption mechanism LaBACH – Label-based access control model with hierarchy Hierarchical relationship among attribute values © Smriti Bhatt World-Leading Research with Real-World Impact!

7 Group Attributes and Hierarchies Group Attribute Inheritance
Hierarchy among groups Senior Group Group Attribute Inheritance Junior Group Fig 1. An Example of User Group Hierarchy Adapted from [*] * Gupta, Maanak, and Ravi Sandhu. "The GURA_G Administrative Model for User and Group Attribute Assignment." International Conference on Network and System Security. Springer International Publishing, 2016. © Smriti Bhatt World-Leading Research with Real-World Impact!

8 World-Leading Research with Real-World Impact!
Attribute Hierarchy A partial ordering of Range of attribute values a. User Attribute-value Hierarchy b. Object Attribute-value Hierarchy Fig 2. An Example of Attribute Hierarchy © Smriti Bhatt World-Leading Research with Real-World Impact!

9 A Restricted HGABAC (rHGABAC) Model
 Formalized as Single-Value EAP e.g. Policyread = (Manager, Private) uav oav Fig 3. rHGABAC Model Adapted from [1,2] Servos, Daniel, and Sylvia L. Osborn. "HGABAC: Towards a formal model of hierarchical attribute-based access control." International Symposium on Foundations and Practice of Security. Springer International Publishing, 2014. Gupta, Maanak, and Ravi Sandhu. "The GURA_G Administrative Model for User and Group Attribute Assignment." International Conference on Network and System Security. Springer International Publishing, 2016. © Smriti Bhatt World-Leading Research with Real-World Impact!

10 rHGABAC Model with Attribute Hierarchy Attribute-Value Hierarchy
Fig 4. rHGABAC Model with Attribute Hierarchy © Smriti Bhatt World-Leading Research with Real-World Impact!

11 World-Leading Research with Real-World Impact!
Policy Machine (PM) Unified attribute-based access control framework Express and enforce variety of access control policies utilizing PM Policy Configuration Points Commonly known and implemented access control policies (DAC, MAC, RBAC) Combinations of policies New access control policies PM Core Elements Users Objects User Attributes Object Attributes Operations, Access Rights Processes Policy Classes PM Relations Assignment Association Prohibition Obligation assignment—for specifying relationships between policies, users, and user attributes, objects and object attributes association – for defining policies through associations between user attributes and object attributes or objects through some operations © Smriti Bhatt World-Leading Research with Real-World Impact!

12 PM Architectural Components
Fig 5. Architectural Components of PM Adapted from [*] * D. Ferraiolo, S. Gavrila, and W. Jansen, “Policy Machine: Features, architecture, and specification,” National Institute of Standards and Technology Internal Report 7987, 2014. © Smriti Bhatt World-Leading Research with Real-World Impact!

13 PM Architectural Components
Applications Fig 5. Architectural Components of PM Adapted from [*] * D. Ferraiolo, S. Gavrila, and W. Jansen, “Policy Machine: Features, architecture, and specification,” National Institute of Standards and Technology Internal Report 7987, 2014. © Smriti Bhatt World-Leading Research with Real-World Impact!

14 Authorization Architecture
Fig 6. Authorization Architecture Utilizing PM and AE © Smriti Bhatt World-Leading Research with Real-World Impact!

15 rHGABAC Utilizing Policy Machine
Implementation PM Version 1.5 Utilized PM Server (PAP + PDP) and PM Database (Active Directory) PM Agnostic Applications Need support for RESTful API in order to communicate to our Authorization Engine (AE)* Resources and their access points are abstracted within applications * S. Bhatt, F. Patwa, and R. Sandhu, “An attribute-based access control extension for OpenStack and its enforcement utilizing the Policy Machine,” in IEEE 2nd International Conference on Collaboration and Internet Computing (CIC). IEEE, 2016, pp. 37–45. © Smriti Bhatt World-Leading Research with Real-World Impact!

16 rHGABAC Utilizing Policy Machine
rHGABAC Policy Configuration in PM User groups, user attributes and their values modeled as PM User Attributes Object groups, object attributes and their values modeled as PM Object Attributes Hierarchical relationships represented using PM’s assignment relation and containment property both oa1 and oa2 are contained by oa20 and acquire the properties of oa20, and oa1, oa2, and oa20 are contained by oa21 and likewise acquire its properties. Inverted inheritance © Smriti Bhatt World-Leading Research with Real-World Impact!

17 rHGABAC Utilizing Policy Machine
A simplified Policy Element Diagram in Policy Machine read A both oa1 and oa2 are contained by oa20 and acquire the properties of oa20, and oa1, oa2, and oa20 are contained by oa21 and likewise acquire its properties. Inverted inheritance © Smriti Bhatt World-Leading Research with Real-World Impact!

18 Use Case – Group Attributes and Hierarchy
a. User Groups and their assigned user attributes and values b. Object Groups and their assigned object attributes and values © Smriti Bhatt World-Leading Research with Real-World Impact!

19 World-Leading Research with Real-World Impact!
Use Case – PM Graph Fig 7. Group Hierarchy Policy Graph (Based on PM Graph Structure) © Smriti Bhatt World-Leading Research with Real-World Impact!

20 Authorization Policy Request and Response
Use Case – Policy Authorization Policy Request and Response © Smriti Bhatt World-Leading Research with Real-World Impact!

21 Use Case Extended with Attribute Hierarchy
Subgraph Showing Attribute Hierarchy in skills Attribute b. Subgraph Showing Attribute Hierarchy in type Attribute © Smriti Bhatt World-Leading Research with Real-World Impact!

22 Use Case Extended with Attribute Hierarchy
Policy Without Attribute Hierarchy Policy With Attribute Hierarchy © Smriti Bhatt World-Leading Research with Real-World Impact!

23 Policy Evaluation in PM
Comparison of policy evaluation times for different ABAC policies in PM using our authorization architecture with AE Average Policy Evaluation Time for ABAC Policies © Smriti Bhatt World-Leading Research with Real-World Impact!

24 World-Leading Research with Real-World Impact!
Conclusion A restricted HGABAC model (rHGABAC) presented and formalized as a single-value EAP Employed group attributes and group hierarchies, as well as attribute hierarchies in an ABAC model Presented a generalized authorization architecture for enforcement of ABAC policies rHGABAC simplifies Policy and Attribute management and administration in ABAC policies New versions of PM tool would provide better insights in new ways of expressing and enforcing ABAC policies © Smriti Bhatt World-Leading Research with Real-World Impact!

25 Institute for Cyber Security
Thank you!!! Questions??? World-Leading Research with Real-World Impact!

Download ppt "Institute for Cyber Security"

Similar presentations

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.

Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
Institute for Cyber Security

Institute for Cyber Security
Institute for Cyber Security

Institute for Cyber Security
Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San.

Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San.
1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.

1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.
Attribute-Based Access Control Models and Beyond

Attribute-Based Access Control Models and Beyond
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.

1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
Role Based Access Control Models Presented By Ankit Shah 2 nd Year Master’s Student.

Role Based Access Control Models Presented By Ankit Shah 2 nd Year Master’s Student.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.

Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!

1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!
11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.

11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.
1 RABAC : Role-Centric Attribute-Based Access Control MMM-ACNS 2012 Xin Jin, Ravi Sandhu, Ram Krishnan University of Texas at San Antonio San Antonio,

1 RABAC : Role-Centric Attribute-Based Access Control MMM-ACNS 2012 Xin Jin, Ravi Sandhu, Ram Krishnan University of Texas at San Antonio San Antonio,
Extensible Access Control Framework for Cloud Applications KTH-SEECS Applied Information Security Lab SEECS NUST Implementation Perspective.

Extensible Access Control Framework for Cloud Applications KTH-SEECS Applied Information Security Lab SEECS NUST Implementation Perspective.
CSIIR Workshop March 14-15, 20051 Privilege and Policy Management for Cyber Infrastructures Dennis Kafura Markus Lorch Support provided by: Commonwealth.

CSIIR Workshop March 14-15, Privilege and Policy Management for Cyber Infrastructures Dennis Kafura Markus Lorch Support provided by: Commonwealth.

Similar presentations

Ads by Google