Presentation is loading. Please wait.

Presentation is loading. Please wait.

Institute for Cyber Security

Similar presentations


Presentation on theme: "Institute for Cyber Security"— Presentation transcript:

1 Institute for Cyber Security
Towards An Attribute Based Constraints Specification Language Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio September 11, 2013 2013 ASE/IEEE International Conference on Privacy, Security, Risk and Trust World-Leading Research with Real-World Impact! 1

2 Attribute Based Access Control (ABAC)
Emerging as a dominant next generation access control model Policy flexibility and dynamic decision making capability ABAC can express Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role Based Access Control (RBAC) Overcome limitations of DAC, MAC and RBAC NIST already released their draft towards a Standard ABAC system ( Before describing my work, I will explain what is attribute based access control (ABAC). ABAC is emerging as a dominant access control model for its policy flexibility and dynamic decision making capability. In literature, already ABAC models have been proposed that shows that it can configure conventional access control models including popular DAC, MAC and RBAC. Hence, ABAC can overcome limitation of these models. Recently, NIST released their draft towards an Standard ABAC models. World-Leading Research with Real-World Impact! 2

3 Overview of an ABAC Model
User (U), Subject (S) and Object (O) are associate with a set of attributes UA, SA and OA respectively. An attribute is a key:value pair. For example, role is an attribute and the value of role could be {‘president’, ‘vice-president’, ‘manager’, etc. } An attribute can be set-valued or atomic. Clearance vs. Role A User needs to create a subject to exercise privileges in the system. Each permission is associated with an authorization policy that verifies necessary subject and object attributes for authorization. This is an overview of ABAC model. Here, user are the human being, subjects are the representation of specific users and objects are the system resources that need to be protected. In ABAC, users, subjects and objects are associated with attributes. Attributes are represented as key:value pair. For instance, an attribute key could be clearance and the value of the attribute are top-secret, secret, etc. Again, an attribute value could be set-valued and atomic valued where a set-value attribute could get more than one values where an atomic valued attribute only gets one value. For instance, the role attribute of a user can get multiple values, however, clearance can have only one value. In ABAC, user need to create subject to access privileges in system. Each permission is associated with an authorization policy that decides whether a subject can access that permission on a specific object by comparing there attributes. World-Leading Research with Real-World Impact! 3

4 World-Leading Research with Real-World Impact!
Motivation ABAC is famous for its policy neutral and dynamic decision making capability Authorization decision of each permission are made by comparing respective attributes of the involved subjects and objects A subject with required attribute can access to an object Security policies are necessary to assign attributes to right entities (user, subject, etc.) for avoiding unauthorized access Similar to correct role assignment to users in RBAC Proper constraints specification process can configure required security policies of an organization ABAC dynamically makes an access decision by comparing attributes of relative entities. Hence, any subject with required attributes can get access to an object. Hence an organization implementing ABAC need to have proper mechanism to specify and enforce its required security policies to assign attributes to appropriate entites such as user, subject and object. This is similar to assigning roles to correct user in RBAC. Therefore, a constraint specification and enforcement process is necessary in ABAC to configure required security policies of an organization. World-Leading Research with Real-World Impact! 4

5 Conducted Research in ABAC
Attribute Based Access Control Models Focus on ABAC authorization in general, not constraints specification on attribute assignment Lack of proper guideline or process to attribute assignment to entities Attribute Based Encryption Focus on improving encryption process using attributes Constraints Specification in Access Control Systems Mainly in RBAC Role Based Constraints Specification Language (RCL-2000) Static and Dynamic Separation of Duty World-Leading Research with Real-World Impact! 5

6 × Develop an attribute based constraints specification language (ABCL)
Identify that attributes preserve different types of conflict-relationship with each other such as mutual exclusion, precondition, etc. A particular conflict-relation restricts an entity to get certain values of an attribute. Benefit attribute represents customers’ assigned benefits in a Bank A customer cannot get both benefits ‘bf1’ and ‘bf2’ (mutual exclusion) Cannot get more than 3 benefits from ‘bf1’, ‘bf3’ and ‘bf6’ (cardinality on mutual exclusion) benefit bf1 bf2 × bf3 bf6 User felony fl1 benefit bf3 × User Towards this end, we develop an attribute based constraint specification language (ABCL) that can specify constraints for configuring various security policies by restricting . Basically, we identify that attributes of the entities preserve different types of conflict-relationship, such as mutual exclusion, precondition, etc. with each other that actually restricts them to be assigned. For instance, suppose a banking organization exercising ABAC defines an attribute `beneift’ that represents the benefits a user can get. Now, the bank might want to enforce a policy that restricts both customer from getting both benefits ‘bf1’ and ‘bf2’ or a customer cannot get more than 3 benefit from bf1, bf2 and bf3. Note that, in first policy, bf1 and bf2 has mutual exclusion relation with each other where in second one it is cardinality on mutual exclusion. Similarly, a bank might define another attribute called felony that represents any felony the customer has ever committed. The bank also might want certain policies that says that if a customer has felony fl1 then he cannot get benefit bf3. Note that this a mutual exclusive relationship between an attribute value of the felony and benefit attribute. So there can be specific relationships among the values of a single attribute or cross attribute. World-Leading Research with Real-World Impact! 6

7 Attribute Conflict-Relationship Hierarchy
A constraint can be applied to each entity (one user) separately or across entities (multiple users) Benefits ‘bf1’ cannot be assigned to more than 10 users. Hierarchical classification of the attribute conflict-relationships Number of attributes and number of entities are allowed in a conflict relations A constraints can also be applied to each entity individually or to multiple users. For instance, a constraints can be generated that says that benefit bf1 cannot be assigned to more than 10 users. We develop an attribute relationship hierarchy based on number of attributes and number of entities are allowed in a conflict relation. In relationship-level 0, a constraint is concerned with conflicts among values of a single attribute and it applies to each user independently. Where in relationship level 1, a constraint is concerned with conflicts among values across attributes and it also applies to each entity individually. In level 2, a constraint is concerned with the values of World-Leading Research with Real-World Impact! 7

8 Attribute Based Constraints Specification Language (ABCL) (cont.)
A mechanism to represent different types of such relationships as a set 1. Mutual-Exclusive relation of the benefit attribute values (single attribute conflict) Attribute_SetU,benefit UMEBenefit UMEBenefit={avset1, avset2} where avset1=({‘bf1’,‘bf2’}, 1) and avset2=({‘bf1’,‘bf3’,‘bf4’}, 2) 2. Mutual-Exclusive relation of the benefit and felony (cross attribute conflict) Cross_Attribute_SetU,Aattset,Rattset UMECFB Here, Aattset= {felony} and Rattset= {benefit} UMECFB={attfun1} where attfun1(felony)=(attval, limit) where attval={‘fl1’, ‘fl2’} and limit=1 attfun1(benefit)=( attval, limit) where attval={‘bf1’} and limit=0 We develop a process to represents different types of attribute relationship as a set. First one shows, that mutual exclusive relation values of benefit attribute. UMEBenefit World-Leading Research with Real-World Impact! 8

9 World-Leading Research with Real-World Impact!
ABCL Syntax A grammar in Backus Normal Form (BNF) Declaration of the Attribute_Set and Cross_Attribute_Set Constraint Expression Difference between syntax and semantics World-Leading Research with Real-World Impact! 9

10 Attribute Based Constraints Specification Language (ABCL) (cont.)
Examples 1. A customer cannot get both benefits ‘bf1’ and ‘bf2’ Expression: |OE(UMEBenefit).attset ∩ benefit(OE(U))| ≤ OE(UMEBenefit).limit 2. If a customer committed felony ‘fl1’, She can not get more than one benefit from ‘bf1’, ‘bf2’ and ‘bf3’ Expression: OE(UMECFB)(felony).attset ∩ felony(OE(U))| ≥ OE(UMECFB)(felony).limit ⇒ |OE(UMECFB)(benefit).attset ∩ benefit(OE(U))| ≤ OE(UMECFB)(benefit).limit Here is examples of the ABCL expressions. In the first one it says that a customer can not get both benefits bf1 and bf2. In previous slide, I showed that UMEBenefit contains the conflicting values of the benefit attribute and the cardinality World-Leading Research with Real-World Impact! 10

11 World-Leading Research with Real-World Impact!
Use Cases ABCL can configure well-known RBAC constraints Role can be considered as a single attribute Can express SSOD and DSOD constraints Just need to declare conflict-relation sets for conflicting roles It can configure several security requirements of traditional organization (e.g. banking organization) E.g. Constraints on benefit attribute assignment World-Leading Research with Real-World Impact! 11

12 ABCL can be implemented as value added service
Use Cases (cont.) Security policies for an multi-tenant cloud IaaS Virtual machine (VM) resources management Restricts co-location of VMs from competing tenants (clients) Restrict conflicting workloads from sharing the same memory Other several constraints on resource management Administrative user’s privilege management Restricts same admin to gain access on all resources of a client (tenant) Other constraints ABCL can be implemented as value added service Provides better service level agreement (SLA) by reducing trust barrier World-Leading Research with Real-World Impact! 12

13 World-Leading Research with Real-World Impact!
ABCL Enforcement Analyzed Constraints Enforcement complexity Complexity increases in higher level of the relationship hierarchy Developed a user attribute assignment algorithm that checks if relevant constraints are satisfied. Evaluated the performance of the attribute assignment algorithm World-Leading Research with Real-World Impact! 13

14 World-Leading Research with Real-World Impact!
Evaluation Simulation Scenario: Constraint #1: each user separately (level 0) , Constraint #2: across users (level 2) Experiment 1: Varying users from , 2 constraints, 10 elements in relation-set Experiment 2: 500 users, 5 to 30 different constraints (level 0) Experiment 3: 500 users, increasing number of set elements (5-30) World-Leading Research with Real-World Impact! 14

15 Conclusion A very first investigation on how attributes themselves could be managed based on their intrinsic relationships Develop a process to represent different attribute relationships Constraint specification language (ABCL) Enforcement process Ongoing and Future work Developing a customized ABCL specification for cloud IaaS in OpenStack Constraint enhanced virtual machine scheduler In future, a customized ABCL specification could be developed for resource management in Android Devices World-Leading Research with Real-World Impact! 15

16 Thank You  World-Leading Research with Real-World Impact!

17 Enforcement Complexity
Level 0 : O(N×M×P) where N is the number of users, M is the number of elements in respective Attribute_Set and P is number of predicates in the expression and their retrieval cost which depends on what data structure has been used. Level 1 : O(N×(M+O)×P) where N is the number of users, M and O size of Attribute_Set and Cross_Attribute_Set respectively, and P is number of predicates and their retrieval cost Level 2 : O(N2×M×P) Level 3 : O(N2×(M+O)×P) World-Leading Research with Real-World Impact!


Download ppt "Institute for Cyber Security"

Similar presentations


Ads by Google