Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prosunjit Biswas, Ravi Sandhu and Ram Krishnan

Published byMiles Phelps Modified over 6 years ago

Similar presentations

Presentation on theme: "Prosunjit Biswas, Ravi Sandhu and Ram Krishnan"— Presentation transcript:

1 A Comparison of Logical-Formula and Enumerated Authorization Policy ABAC Models
Prosunjit Biswas, Ravi Sandhu and Ram Krishnan The University of Texas at San Antonio DBSec 2016 July 18, 2016

2 ABAC ABAC model components
Users (U), subjects (S), objects (O), their attributes (UA, SA, OA) and access rights (R) Authorization policies… R

3 ABAC Auth Policies Boolean expression Set of authorizing tuples
E.g.: auth(u,o,read) ↔ age(u)>18  age(u) <25 ABACα (Jin et al, DBSec 2012), HGABAC (Servos et al, FPS 2014) Set of authorizing tuples E.g.: {(age(u),19), (age(u),20), …(age(u),24)} Policy Machine (JSA 2011), 2-sorted-RBAC (Kuijper et al, SACMAT 2014)

4 Objective Gain insights into different forms of ABAC auth policy representations Logical Authorization Policy ABAC (LAP-ABAC) Enumerated Authorization Policy ABAC (EAP-ABAC) Quantitative and qualitative comparison Expressive power, ease of administration, etc. ABAC Auth Design Scale LAP-ABAC EAP-ABAC ??

5 Attribute Domain Assume attributes as functions
UA = {age,clr,friends} Range(age) = {1…100}, Range(clr) = {H,L}, and Range(friends) = U Example finite domain attributes Age of user, roles of user, object classification, etc. Example unbounded domain attributes Friends of user, editors of objects, etc. We assume attribute domains to be finite

6 Contributions and Results Summary
Candidate LAP-ABAC and EAP-ABAC models for the purpose of this investigation LAP-ABAC and EAP-ABAC are equally expressive (recall finite domain) Single (e.g. UA = {age}) and multi-attribute (e.g. UA = {age,group,clr}) ABACs are equally expressive However, LAP-ABACs and EAP-ABACs have their pros and cons on qualitative aspects

7 EAP-ABACm,n

8 LAP-ABACm,n

9 Expressive Power Equivalence
Framework used: Tripunitara et al, A theory for comparing the expressive power of access control models, JCS 2007.

10 Auth Specification in LAP-ABAC
Multiple ways to set up a policy (Authread allows manager to read TS objects from home or office).

11 Auth Update in LAP-ABAC
Update Authread so that manager can no longer read TS objects from home

12 Auth Update in EAP-ABAC

13 Canonicalization of EAP-ABAC
Suppose Authwrite = {({mgr},{TS}), ({mgr,Dir},{TS})} This can be reduced to Authwrite = {({mgr},{TS})} EAP-ABAC auth policies can be efficiently canonicalized as per policy semantics

14 Comparison Easy to setup Rich & flexible Concise Homogeneous
Micro policy Easy to update Pros LAP-ABAC EAP-ABAC Difficult to update Monolithic Heterogeneous Large in size Difficult to setup Cons

15 Conclusion ABAC should be designed with objectives that go beyond expressive power E.g.: Administration of authorization policy Setting up new policies, update existing policies, etc ABAC Auth Design Scale LAP-ABAC EAP-ABAC ??

16 Q&A Thank you! Consider submitting your work to ACM CODASPY ’16
Submission deadline: Sept 15, 2016 Thank you!

Download ppt "Prosunjit Biswas, Ravi Sandhu and Ram Krishnan"

Similar presentations

1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.

1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.
Privacy-Enhancing Models and Mechanisms for Securing Provenance and its Use October 2010 Lead PI: Ravi Sandhu (UT San Antonio) PIs: Elisa Bertino (Purdue),

Privacy-Enhancing Models and Mechanisms for Securing Provenance and its Use October 2010 Lead PI: Ravi Sandhu (UT San Antonio) PIs: Elisa Bertino (Purdue),
ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,

A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,
Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.

Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
Stale-Safe Security Properties for Secure Information Sharing Ram Krishnan (GMU) Jianwei Niu (UT San Antonio) Ravi Sandhu (UT San Antonio) William Winsborough.

Stale-Safe Security Properties for Secure Information Sharing Ram Krishnan (GMU) Jianwei Niu (UT San Antonio) Ravi Sandhu (UT San Antonio) William Winsborough.
Institute for Cyber Security

Institute for Cyber Security
A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.

A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.
Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA.

Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA.
11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.

11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.
1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.

1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.
Attribute-Based Access Control Models and Beyond

Attribute-Based Access Control Models and Beyond
On Comparing the Expressing Power of Access Control Model Frameworks Workshop on Logical Foundations of an Adaptive Security Infrastructure (WOLFASI) A.

On Comparing the Expressing Power of Access Control Model Frameworks Workshop on Logical Foundations of an Adaptive Security Infrastructure (WOLFASI) A.
Ubiquitous Access Control Workshop 1 7/17/06 Access Control and Authentication for Converged Networks Z. Judy Fu John Strassner Motorola Labs {judy.fu,

Ubiquitous Access Control Workshop 1 7/17/06 Access Control and Authentication for Converged Networks Z. Judy Fu John Strassner Motorola Labs {judy.fu,
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.

1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.

Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.

11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.
1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!

1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!
1 World-Leading Research with Real-World Impact! Authorization Federation in IaaS Multi Cloud Navid Pustchi, Ram Krishnan and Ravi Sandhu SCC 2015.

1 World-Leading Research with Real-World Impact! Authorization Federation in IaaS Multi Cloud Navid Pustchi, Ram Krishnan and Ravi Sandhu SCC 2015.

Similar presentations

Ads by Google