The University of Southampton
University of Southampton Institutional Repository

Policy analysis for self-administrated role-based access control

Policy analysis for self-administrated role-based access control
Policy analysis for self-administrated role-based access control
Current techniques for security analysis of administrative role-based access control (ARBAC) policies restrict themselves to the separate administration assumption that essentially separates administrative roles from regular ones. The naive algorithm of tracking all users is all that is known for the security analysis of ARBAC policies without separate administration, and the state space explosion that this results in precludes building effective tools. In contrast, the separate administration assumption greatly simplifies the analysis since it makes it sufficient to track only one user at a time. However, separation limits the expressiveness of the models and restricts modeling distributed administrative control. In this paper, we undertake a fundamental study of analysis of ARBAC policies without the separate administration restriction, and show that analysis algorithms can be built that track only a bounded number of users, where the bound depends only on the number of administrative roles in the system. Using this fundamental insight paves the way for us to design an involved heuristic to further tame the state space explosion in practical systems. Our results are also very effective when applied on policies designed under the separate administration restriction. We implement our techniques and report on experiments conducted on several realistic case studies.
Ferrara, Anna Lisa
adbca2ba-5d6e-4888-975c-69b8f8fa461e
Madhusudan, P.
8af89366-038f-4a30-9588-61d3f4477b49
Parlato, Gennaro
c28428a0-d3f3-4551-a4b5-b79e410f4923
Ferrara, Anna Lisa
adbca2ba-5d6e-4888-975c-69b8f8fa461e
Madhusudan, P.
8af89366-038f-4a30-9588-61d3f4477b49
Parlato, Gennaro
c28428a0-d3f3-4551-a4b5-b79e410f4923

Ferrara, Anna Lisa, Madhusudan, P. and Parlato, Gennaro (2013) Policy analysis for self-administrated role-based access control. TACAS 2013: 19th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), Rome, Italy. 16 - 24 Mar 2013. 15 pp .

Record type: Conference or Workshop Item (Paper)

Abstract

Current techniques for security analysis of administrative role-based access control (ARBAC) policies restrict themselves to the separate administration assumption that essentially separates administrative roles from regular ones. The naive algorithm of tracking all users is all that is known for the security analysis of ARBAC policies without separate administration, and the state space explosion that this results in precludes building effective tools. In contrast, the separate administration assumption greatly simplifies the analysis since it makes it sufficient to track only one user at a time. However, separation limits the expressiveness of the models and restricts modeling distributed administrative control. In this paper, we undertake a fundamental study of analysis of ARBAC policies without the separate administration restriction, and show that analysis algorithms can be built that track only a bounded number of users, where the bound depends only on the number of administrative roles in the system. Using this fundamental insight paves the way for us to design an involved heuristic to further tame the state space explosion in practical systems. Our results are also very effective when applied on policies designed under the separate administration restriction. We implement our techniques and report on experiments conducted on several realistic case studies.

Text
ARBACpruning (2).pdf - Other
Download (216kB)

More information

Published date: 16 March 2013
Venue - Dates: TACAS 2013: 19th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), Rome, Italy, 2013-03-16 - 2013-03-24
Organisations: Electronic & Software Systems

Identifiers

Local EPrints ID: 344391
URI: http://eprints.soton.ac.uk/id/eprint/344391
PURE UUID: ad207299-9e6d-463c-ab2c-82c5cc86e843

Catalogue record

Date deposited: 21 Jan 2013 15:02
Last modified: 14 Mar 2024 12:12

Export record

Contributors

Author: Anna Lisa Ferrara
Author: P. Madhusudan
Author: Gennaro Parlato

Download statistics

Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.

View more statistics

Atom RSS 1.0 RSS 2.0

Contact ePrints Soton: eprints@soton.ac.uk

ePrints Soton supports OAI 2.0 with a base URL of http://eprints.soton.ac.uk/cgi/oai2

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×