Ferrara, Anna Lisa, Madhusudan, P. and Parlato, Gennaro
Policy analysis for self-administrated role-based access control
At TACAS 2013: 19th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), Italy.
16 - 24 Mar 2013.
Current techniques for security analysis of administrative role-based access control (ARBAC) policies restrict themselves to the separate administration assumption that essentially separates administrative roles from regular ones. The naive algorithm of tracking all users is all that is known for the security analysis of ARBAC policies without separate administration, and the state space explosion that this results in precludes building e?ective tools. In contrast, the separate administration assumption greatly simpli?es the analysis since it makes it su?cient to track only one user at a time. However, separation limits the expressiveness of the models and restricts modeling distributed administrative control. In this paper, we undertake a fundamental study of analysis of ARBAC policies without the separate administration restriction, and show that analysis algorithms can be built that track only a bounded number of users, where the bound depends only on the number of administrative roles in the system. Using this fundamental insight paves the way for us to design an involved heuristic to further tame the state space explosion in practical systems. Our results are also very e?ective when applied on policies designed under the separate administration restriction. We implement our techniques and report on experiments conducted on several realistic case studies.
Actions (login required)