Presentation is loading. Please wait.

Presentation is loading. Please wait.

October 20071 Efficient Policy Analysis for Administrative Role-Based Access Control Scott D. Stoller Ping Yang C.R. Ramakrishnan Mikhail I. Gofman.

Published byElfreda Wright Modified over 9 years ago

Similar presentations

Presentation on theme: "October 20071 Efficient Policy Analysis for Administrative Role-Based Access Control Scott D. Stoller Ping Yang C.R. Ramakrishnan Mikhail I. Gofman."— Presentation transcript:

1 October 20071 Efficient Policy Analysis for Administrative Role-Based Access Control Scott D. Stoller Ping Yang C.R. Ramakrishnan Mikhail I. Gofman

2 October 20072 Motivation for Security Policy Analysis Problem: Security policies are often enforced by Humans (slow, subject to social engineering, etc.) Application code in Java, C++, etc. (hard to understand, analyze, and maintain) Goal: Express security policies in policy languages. Easier to read, analyze (validate), and maintain Enforced efficiently and automatically (except for occasional manual override) Examples: Medical records, financial info, course grades Research: policy languages, policy analysis algorithms, policy IDEs, distributed enforcement, …

3 October 20073 Administrative Policy Analysis Large organizations have large and complex policies. A single administrator can’t manage the entire policy. A trusted senior administrator delegates partial control over the policy to other administrators by establishing an administrative policy. Example: president, department chair, dean, faculty, … Administrative policy: controls changes to the policy. Analysis goal: Understand the power of groups of administrators. Changes by different admins may interact. Example: Reachability: Can administrators X and Y together modify the policy so user U has permission P?

4 October 20074 Overview We study analysis for ARBAC97, an administrative policy framework for Role-Based Access Control (RBAC). Reachability analysis for ARBAC is intractable in general. Efficient algorithms were known only for significantly restricted cases. We present more practical analysis algorithms that: Exploit typical characteristics of realistic policies Are fixed-parameter tractable (FPT), i.e., have high complexity W.R.T. a (small) parameter k low complexity W.R.T. overall problem size, when value of k is fixed.

5 October 20075 Outline Background Case Studies Algorithms (Forward and Backward), and Fixed-Parameter Tractability Results Experimental Results

6 October 20076 Role-Based Access Control (RBAC) Users are assigned to roles, e.g., doctor, nurse, patient. Permissions are associated with roles. A user has a permission if he is a member of some role with that permission. RBAC is relatively simple and widely used. UserRolePermission UA PA User Assignment Permission Assignment

7 October 20077 Role Hierarchy r1 ≥ r2 (r1 is senior to r2) means every member of r1 is also an implicit member of r2. Thus, members of r1 have all the permissions that members of r2 have. Permission flows up. Membership flows down. Role hierarchy reduces redundancy, eases administration. New supervisor is added to one role, instead of four. Project Supervisor Project Member Tester Programmer

8 October 20078 Administrative RBAC (ARBAC) ARBAC is a generic name for administrative policy models for RBAC. Our model is based on ARBAC97 [Sandhu+ 1997]. Our ideas are also relevant to other models, such as ARBAC02 [Oh+ 2002], RHA [Crampton+ 2005], UARBAC [Li+ 2007], A-ERBAC [Kern+ 2003]. ARBAC97 has three components: User-Role Administration: controls user assignment Permission-Role Administration: controls permission assignment Role-Role Administration: controls role hierarchy

9 October 20079 ARBAC97 can_assign(ar, c, r): an administrator in role ar can assign a user satisfying precondition c to role r. Precondition: true or c 1  …  c n, where c i is a role r or a negated role  r. Ex.: can_assign(Provost, Professor   DeptChair, Dean). can_revoke(ar, r): an administrator in role ar can remove any user from role r. Don’t bother allowing pre-conditions for revocation. Separate Administration Restriction: Administrative roles and regular roles are disjoint. Assume it now, relax later.

10 October 200710 Analysis Problems for ARBAC97 User-Role Reachability: Can administrators u 1,…,u n, using operations allowed by ARBAC policy ψ, transform initial RBAC policy γ 0 to an RBAC policy in which the target user u t is a member of all roles in goal={r 1,…, r n }? Weakest Preconditions: Similar, except the target user’s initial roles are unspecified, and the analysis finds the minimal sets of initial roles for him such that the administrators can achieve the goal. Containment [Li+ 2006]: Similar to reachability, except the administrators’ goal is to produce an RBAC policy in which members(r 1 )  members(r 2 ).

11 October 200711 Outline Background Case Studies Algorithms (Forward and Backward), and Fixed-Parameter Tractability Results Experimental Results

12 October 200712 Observations from Case Studies ARBAC policies for a university and a health-care facility. University roles: admissions officer, professor, department chair, dean, provost, president, … Health-care facility roles: manager, doctor, patient, … Observations: Every can_assign rule has 0 or 1 positive preconditions. Most roles are non-negative. |goal| ≤ 2. An admin can assign and revoke nearly the same roles. Separate administration is not satisfied, but a related condition (defined later) is satisfied for most queries. A role is negative if it appears negated in a precondition.

13 October 200713 Outline Background Case Studies Algorithms (Forward and Backward), and Fixed-Parameter Tractability Results Experimental Results

14 October 200714 Forward Algorithm for Reachability Forward algorithm: Standard reachability computation optimized with a reduction, similar to [Lipton 1975]. With the separate administration assumption, it suffices to consider the role assignment of the target user u only. A state is the set of roles that the target user u is in. Transitions that add non-negative roles are invisible and get combined with a preceding visible transition to form a composite transition. This is safe because invisible transitions never disable other transitions. Theorem: Reachability is fixed-parameter tractable with respect to the number of negative roles, denoted |NR|.

15 October 200715 Backward Algorithm: Stage 1 Exploit the observation: Each can_assign rule has 0 or 1 positive preconditions. Make this a requirement. Stage 1. Use backwards search (with reduction) from goal to construct a graph (V, E). Nodes are user assignments (sets of roles). Edges are labeled with can_assign rules. Every state contains at most |goal| roles. UA UA \ {r}  {p} can_assign(ar, p   N, r) search direction role set of roles r  UA

16 October 200716 Backward Algorithm: Stage 2 The goal is not reachable, because r1 is irrevocable and disables the last transition. To detect such situations, Stage 2 performs a forward analysis, labeling each node R with sets I 1,I 2,… of irrevocable roles. represents states R  I 1, R  I 2,… cana(ar, true, r1) r2r3 cana(ar, r2   r1, r3) r1 cana(ar, r1, r2) Ø Example: initial state = {}, goal = {r3}, can_assign rules are as shown, and can_revoke(ar, r2). Result of Stage 1: {Ø}{Ø}{{r1}}{}{Ø}{Ø} R {I 1,I 2,…}

17 October 200717 Backward Alg.: Fixed-Parameter Tractability irrev (“irrevocable roles”): set of roles that administrators in the query can assign users to and cannot revoke users from. In our case studies, |goal| <= 2 and |irrev| ≤ 2. Theorem: For policies with 0 or 1 positive preconditions per rule, reachability is fixed-parameter tractable with respect to {|goal|, |irrev|}. Proof sketch: Stage 1: Every state contains at most |goal| roles, so |V| is O(|R| 2|goal| ), where R is the set of roles. Stage 2: The complexity is O(|V| 2 2 |irrev | ). This is a weaker notion of fixed-parameter tractability, because the complexity is |R| 2|goal| instead of |R| c.

18 October 200718 Beyond Separate Administration A role can have regular and administrative permissions. Administrators may assign themselves to new roles. Example: DeptChair assigns himself to HonorsPgmDir and then assigns students to HonorsStudent. Need to track roles of multiple users. Reachability is fixed param. tractable with respect to # neg roles and # admins. A query satisfies hierarchical role assignment if can_assign(ar i, c, r) implies ar i ≥ r for each ar i. Each administrator is already an implicit member of roles to which he can be assigned, so such assignments can be ignored. Algorithms that assume separate administration apply. In our case studies, most queries satisfy this.

19 October 200719 Outline Background Case Studies Algorithms (Forward and Backward), and Fixed-Parameter Tractability Results Experimental Results

20 October 200720 Experiments: Case Studies Evaluate algorithms on case studies and random policies. Slicing eliminates parts of the policy irrelevant to the given reachability query. Typical static slicing, enhanced to consider positive/negative. Use with forward algorithm. University policy case study: 11 administrative roles, 21 other roles 28 can_assign rules (106 after eliminate role hierarchy) Health care case study: 11 roles, 13 can_assign rules, … Results: Forward alg: at most 0.01 sec per query. Backward alg: at most 0.2 sec per query.

21 October 200721 Experiments: Random Policies Randomly generate policies: vary the size parameters, while maintaining similar characteristics as case studies (distribution of can_assign rules per role, positive and negative preconditions per rule, …) Measurements confirm polynomial behavior predicted by fixed-parameter tractability results – see next slide. Forward algorithm with slicing is faster when goal is large, e.g., with |goal|=4, forward alg is 91× faster than backward Backward algorithm is faster when goal is small and NR is large, e.g., with |goal|=1, |IR|=2, and 0.6 < |NR/R| < 0.9, backward alg is 11× to 30× faster than forward alg.

22 October 200722

23 October 200723 Related Work [Harrison+ 1976] shows that safety analysis is undecidable for an access matrix model that allows creation of subjects and objects. URA97 (User-Role Assignment) does not include creation of users or roles. [Sistla+ 2006] gives algorithms and complexity results for checking temporal properties of role-based trust management policies controlled by role restrictions. Role restrictions are a simpler form of administrative policy. Temporal properties are more complex than reachability.

24 October 200724 Related Work [Li+ 2004] gives polynomial analysis algorithms for two restricted versions of ARBAC97 without negative preconditions. We allow negative preconditions. [Sasturkar+ 2006] and [Jha+ 2007] both Prove reachability analysis for URA97 is PSPACE- complete. Identify some restrictions that make the problem NP- complete or polynomial-time. Contain no fixed-parameter tractability results, and no algorithms with same fixed-parameter tractability properties as our algorithms. Assume separate administration.

25 October 200725 Contributions and Future Work With separate administration: Reachability is fixed-parameter tractable (FPT) with respect to |negativeRoles|. For policies with 0 or 1 positive precondition per rule, reachability is FPT w.r.t. {|goal|, |irrevocableRoles|}. Without separate administration: Above results hold with hierarchical role assignment. Reachability is fixed-parameter tractable with respect to {|negativeRoles|, |administrators|}. Future Work: Role hierarchy changes. Roles with params. Info flow.

26 October 200726 Thank You!

27 October 200727 Fixed-Parameter Tractability of Reachability Theorem: Reachability is fixed-parameter tractable W.R.T. the number of negative roles, denoted |NR|. Proof sketch: We show the forward algorithm runs in time O( f(|NR|) |I| c ) for some f and c. |I| is overall input size. G: reduced state graph constructed by the algorithm GN: projection of G onto NR, the set of negative roles. Map each state {r 1,…, r n } to {r 1,…, r n }∩ NR. Each state in G is reachable by a simple path in G, which corresponds to a path in GN that goes around each cycle at most once (going around again would not add any more roles, because non-negative roles are added eagerly). There are at most O(f(|NR|)) such paths, for some f.

28 October 200728 Example: Forward Algorithm and FPT Proof can_assign = {(true, r1), (r1, r2), (¬r1  r2, r3)}. Initial state γ 0 ={}. goal = {r3}. Reduced state graph G: {} → {r1, r2} → {r2, r3} Projection GN of G onto NR={r1}: {} → {r1} For each state γ in G, there is a path to γ that, when projected onto GN, goes around each cycle at most once. This implies |G| is O(g(|GN|)) hence is O(f(|NR|)). ←

29 October 200729 Backward Alg.: Fixed-Parameter Tractability Theorem: For policies with 0 or 1 positive preconditions per rule, reachability is fixed-parameter tractable with respect to {|goal|, |irrev|}. Proof sketch: Stage 1: The restriction on positive preconditions implies that every state contains at most |goal| roles, so |V| is O(|R| 2|goal| ), where R is the set of roles. Stage 2: The complexity is O(|V| 2 2 |irrev | ).

30 October 200730

Download ppt "October 20071 Efficient Policy Analysis for Administrative Role-Based Access Control Scott D. Stoller Ping Yang C.R. Ramakrishnan Mikhail I. Gofman."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lecture 24 MAS 714 Hartmut Klauck

Lecture 24 MAS 714 Hartmut Klauck
Department of Computer Science & Engineering

Department of Computer Science & Engineering
Dynamic Bayesian Networks (DBNs)

Dynamic Bayesian Networks (DBNs)
Parallel Scheduling of Complex DAGs under Uncertainty Grzegorz Malewicz.

Parallel Scheduling of Complex DAGs under Uncertainty Grzegorz Malewicz.
Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.

Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Administrative Scope and Role-Based Administration Jason Crampton Information Security Group Royal Holloway, University of London.

Administrative Scope and Role-Based Administration Jason Crampton Information Security Group Royal Holloway, University of London.
Enhancing The Fault-Tolerance of Nonmasking Programs Sandeep S. Kulkarni and Ali Ebnenasir Software Engineering and Network Systems Laboratory Computer.

Enhancing The Fault-Tolerance of Nonmasking Programs Sandeep S. Kulkarni and Ali Ebnenasir Software Engineering and Network Systems Laboratory Computer.
The Theory of NP-Completeness

The Theory of NP-Completeness
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
Categories of Aspects Shmuel Katz Computer Science Department The Technion Haifa, Israel.

Categories of Aspects Shmuel Katz Computer Science Department The Technion Haifa, Israel.
Computational Complexity, Physical Mapping III + Perl CIS 667 March 4, 2004.

Computational Complexity, Physical Mapping III + Perl CIS 667 March 4, 2004.
Near-Optimal Network Design with Selfish Agents By Elliot Anshelevich, Anirban Dasgupta, Eva Tardos, Tom Wexler STOC’03 Presented by Mustafa Suleyman CIFTCI.

Near-Optimal Network Design with Selfish Agents By Elliot Anshelevich, Anirban Dasgupta, Eva Tardos, Tom Wexler STOC’03 Presented by Mustafa Suleyman CIFTCI.
Describing Syntax and Semantics

Describing Syntax and Semantics
1 Refined Search Tree Technique for Dominating Set on Planar Graphs Jochen Alber, Hongbing Fan, Michael R. Fellows, Henning Fernau, Rolf Niedermeier, Fran.

1 Refined Search Tree Technique for Dominating Set on Planar Graphs Jochen Alber, Hongbing Fan, Michael R. Fellows, Henning Fernau, Rolf Niedermeier, Fran.
Penn ESE535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 8: February 13, 2008 Retiming.

Penn ESE535 Spring DeHon 1 ESE535: Electronic Design Automation Day 8: February 13, 2008 Retiming.
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 5 Data Flow Testing ------------------------------------------------------------------

Handouts Software Testing and Quality Assurance Theory and Practice Chapter 5 Data Flow Testing

Similar presentations

Ads by Google