1 / 11

A Survey of Graph-Based RBAC Efficiency

Introduction. RBAC has gained a lot of popularity in the access control research world.Most papers discuss the power of various versions of RBAC in terms of security capabilities.What are the complexity and performance issues?. Overview. Basic OperationsConflicting PrivilegesMultidomain Policy

marcus
Download Presentation

A Survey of Graph-Based RBAC Efficiency

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. A Survey of Graph-Based RBAC Efficiency Barry Wittman CS526 Research Project

    2. Introduction RBAC has gained a lot of popularity in the access control research world. Most papers discuss the power of various versions of RBAC in terms of security capabilities. What are the complexity and performance issues?

    3. Overview Basic Operations Conflicting Privileges Multidomain Policy Integration Safety Information Flow Conclusions

    4. Basic Operations We examine the hierarchical framework discussed by Koch et al. in [5] and [9]. We look at all the basic operations and try to find the minimum time for an operation, based on an adjacency list implementation. R is the set of roles U is the set of all users S is the set of active sessions t(p) is the upper bound on the number of operations it takes to determine if a role has permission p

    5. Conflicting Privileges We examine the algorithms introduced by Nyanchama and Osborn [13] which take into account conflicting privileges. R is the set of roles P is the set of all permissions

    6. Multidomain Policy Integration Shafiq et al. [1] introduce a framework in which different domains with different RBAC policies can integrate their policies to allow for secure interoperation. To find the optimum assignment of roles to users, an integer programming problem must be solved. Unfortunately, this problem is NP-hard but can be approximated. There is no generic approximation bound on IP problems.

    7. Safety Koch et al. [8] describe a graph-based RBAC formulation whose safety can be checked. The model has very similar expressive power to the Take-Grant model. The decidability algorithm is exponential.

    8. Information Flow MAC models are heavily concerned with the flow of information. Some work has been done to analyze information flow in RBAC as well, particularly by [14]. Analysis is based on two algorithms: FlowStart: O(|R||P|2) CanFlow: O(n3)

    9. Conclusions Basic Operations At least a simple implementation of graph-based RBAC can be quite efficient. Conflicting Permissions: The algorithms provided by [13] have serious performance problems, since most operations require checking every permission in the entire system. Multidomain Policy Integration The approximation of the IP problem warrants further study. Although it is beyond the scope of this work, an approximation bound (hopefully constant) for the IP should be found. Safety The time taken to determine safety with the current algorithm is exponential. Work should be done to see if a more efficient algorithm is possible or if the problem is NP-complete. Information Flow The information flow algorithms have a |P|2 term in them. However, this is a worst case value that will seldom actually be seen. Likewise, information flow analysis does not necessarily need to be done in real time.

    10. References [1] Secure interoperation in a multidomain environment employing RBAC policies. IEEE Transactions on Knowledge and Data Engineering, 17(11):15571577, 2005. Student Member-Basit Shafiq and Member-James B. D. Joshi and Fellow-Elisa Bertino and Fellow-Arif Ghafoor. [2] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4(3):224274, 2001. [3] L. Giuri and P. Iglio. A formal model for role-based access control with constraints. In CSFW 96: Proceedings of the Ninth IEEE Computer Security Foundations Workshop, page 136, Washington, DC, USA, 1996. IEEE Computer Society. [4] F. Glover and M. Laguna. Tabu Search. Kluwer Academic Publishers, Dordrecht, The Netherlands, 1998. [5] M. Koch, L. V. Mancini, and F. Parisi-Presicce. A formal model for role-based access control using graph transformation. In ESORICS 00: Proceedings of the 6th European Symposium on Research in Computer Security, pages 122139, London, UK, 2000. Springer-Verlag. [6] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Foundations for a graph-based approach to the specification of access control policies. In FoSSaCS 01: Proceedings of the 4th International Conference on Foundations of Software Science and Computation Structures, pages 287302, London, UK, 2001. Springer-Verlag. [7] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Conflict detection and resolution in access control policy specifications. In FoSSaCS 02: Proceedings of the 5th International Conference on Foundations of Software Science and Computation Structures, pages 223237, London, UK, 2002. Springer-Verlag. [8] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Decidability of safety in graph-based models for access control. In ESORICS 02: Proceedings of the 7th European Symposium on Research in Computer Security, pages 229243, London, UK, 2002. Springer-Verlag.

    11. References (cont.) [9] M. Koch, L. V. Mancini, and F. Parisi-Presicce. A graph-based formalism for RBAC. ACM Trans. Inf. Syst. Secur., 5(3):332365, 2002. [10] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Administrative scope in the graph-based framework. In SACMAT 04: Proceedings of the ninth ACM symposium on Access control models and technologies, pages 97104, New York, NY, USA, 2004. ACM Press. [11] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Graph-based specification of access control policies. J. Comput. Syst. Sci., 71(1):133, 2005. [12] G. L. Nemhauser and L. A. Wolsey. Integer and Combinatorial Optimization. Wiley-Interscience Series in Discrete Mathematics and Optimization. Wiley, 1988. NEM g 88:1 P-Ex. [13] M. Nyanchama and S. Osborn. The role graph model and conflict of interest. ACM Trans. Inf. Syst. Secur., 2(1):333, 1999. [14] S. L. Osborn. Information flow analysis of an RBAC system. In SACMAT 02: Proceedings of the seventh ACM symposium on Access control models and technologies, pages 163168, New York, NY, USA, 2002. ACM Press. [15] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Rolebased access control models. Computer, 29(2):3847, 1996.

More Related