
World-Leading Research with Real-World Impact!

Institute for Cyber Security. Attribute Transformation for Attribute-Based Access Control. Prosunjit Biswas, Ravi Sandhu and Ram Krishnan Department of Computer Science Department of Electrical and Computer Engineering University of Texas, San Antonio.





Presentation Transcript


  1. Institute for Cyber Security: Attribute Transformation for Attribute-Based Access Control
     Prosunjit Biswas, Ravi Sandhu and Ram Krishnan
     Department of Computer Science; Department of Electrical and Computer Engineering, University of Texas, San Antonio
     ABAC’17, March 24, 2017, Scottsdale, AZ, USA

  2. Outline
     - Summary
     - Motivation
     - Attribute Transformation
     - Attribute Reduction
     - Attribute Expansion
     - Conclusion
     - Q/A

  3. Summary
     We present the concept of attribute transformation and specify two types of transformation: attribute reduction and attribute expansion.

  4. Motivation
     Attribute explosion!
     Figure 1: Attributes defined for OpenStack Virtual Machines

  5. Motivation (continued)
     Attribute explosion incurs difficulties in managing:
     - authorization policies
     - attribute-value assignments

  6. Motivation (continued)
     We cannot get rid of the attributes we need, but we can manage them with attribute transformation.

  7. Attribute Transformation (assumptions)
     Attribute types:
     - Non-policy attributes
     - Policy attributes
     Examples:
     - Object attributes (non-policy): size, created_by, shared, location
     - Object attributes (policy): sensitivity, security-label
     Assumptions:
     - Non-policy Attributes ∩ Policy Attributes = ∅
     - Non-policy Attributes >> Policy Attributes (there are far more non-policy attributes than policy attributes)

  8. Attribute Transformation
     Attribute transformation is the process of transforming one set of attribute-value assignments into another set of assignments.
     Types of attribute transformation:
     - Reduction (Non-policy Attr → Policy Attr)
     - Expansion (Policy Attr → Policy Attr)

  9. Attribute Reduction
     The process of transforming non-policy attribute-value assignments into policy attribute-value assignments.
     [Figure: attribute reduction. Deriving assignments (non-policy attributes): size(f1) = 100MB, created-by(f1) = system-d, shared(f1) = false, location(f1) = /log/system-log. Derived assignment (policy attribute): security-label(f) = sensitive. Effective assignment: security-label(f) = sensitive.]

  10. Attribute Reduction (motivation)
     Motivation from literature:
     1. Attribute-Based User-Role Assignment [1]
     2. Concept of dynamic roles by Kuhn, Coyne and Weil [2]

  11. Attribute Reduction (usefulness)
     Useful for:
     - Abstraction
     - Modular design
     - Hierarchical policy

  12. Attribute Reduction (usefulness)
     Authorization policy with policy attributes:
     Can-read ≡ security-label(o) = sensitive ∧ role(u) = manager
     Mapping rules with non-policy attributes:
     VM-mapping ≡ resource-type(o) = VM ∧ image-type(o) = corporate → security-label(o) = sensitive
     Firewall-mapping ≡ resource-type(o) = firewall ∧ protocol(o) = UDP ∧ network(o) = internal → security-label(o) = sensitive

  13. Attribute Reduction (mapping rules)
     Example of a mapping rule:
     file-length(f) = 100 MB ∧ created-by(f) = system-d ∧ is-shared(f) = false → security-label(f) = sensitive

  14. Attribute Reduction (issues)
     Conflicts resulting from multiple mappings:
     [Figure: two mapping rules fire on the same object. mapping1: resource-type(o) = VM ∧ encryption(o) = plain → security-label(o) = regular. mapping2: resource-type(o) = VM ∧ image-type(o) = corporate → security-label(o) = sensitive.]

  15. Attribute Reduction (issues)
     Conflicts resulting from assigned and derived values:
     [Figure: mapping1: resource-type(o) = VM ∧ encryption(o) = plain → security-label(o) = regular (derived value), while security-label(o) = sensitive is the explicitly assigned value.]

  16. Attribute Expansion
     The process of transforming policy attribute-value assignments into a different set of policy attribute-value assignments.
     [Figure: attribute expansion. Deriving assignments (policy attributes): is-a-veteran(u) = True, skills(u) = {skill1, skill2}. Derived assignment (policy attribute): benefits(u) = {b1, b2}. Resulting assignments: is-a-veteran(u) = True, skills(u) = {skill1, skill2}, benefits(u) = {b1, b2}.]
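As an added example, not the authors' code, a minimal rule engine in Python that encodes the reduction rules of slides 12, 14 and 15 and the expansion of slide 16, and reports the two kinds of conflict those slides show. The attribute names come from the slides; the conflict-resolution policy and the `transform` / `can_read` names are assumptions.

```python
from typing import Any, Callable, Dict, List, Tuple

Assignments = Dict[str, Any]
# A mapping rule: (name, condition over the source assignments, target attribute, derived value)
Rule = Tuple[str, Callable[[Assignments], bool], str, Any]

# Reduction rules (non-policy attributes -> policy attribute), after slides 12 and 14.
REDUCTION_RULES: List[Rule] = [
    ("VM-mapping", lambda a: a.get("resource-type") == "VM" and a.get("image-type") == "corporate",
     "security-label", "sensitive"),
    ("Firewall-mapping", lambda a: a.get("resource-type") == "firewall"
     and a.get("protocol") == "UDP" and a.get("network") == "internal",
     "security-label", "sensitive"),
    ("mapping1", lambda a: a.get("resource-type") == "VM" and a.get("encryption") == "plain",
     "security-label", "regular"),
]

# Expansion rule (policy attribute -> further policy attribute), after slide 16.
EXPANSION_RULES: List[Rule] = [
    ("veteran-benefits", lambda a: a.get("is-a-veteran") is True, "benefits", {"b1", "b2"}),
]

def transform(assigned: Assignments, rules: List[Rule]) -> Tuple[Assignments, List[str]]:
    """Apply mapping rules in order to the explicitly assigned attribute values.

    Returns the effective assignments and a list of detected conflicts.
    Conflict policy (an assumption; the slides leave it open): an explicitly
    assigned value always wins over a derived one, and the first derived value
    for an attribute wins over later, disagreeing derivations. Every clash is
    reported so the rule set can be reviewed."""
    effective = dict(assigned)
    derived: Assignments = {}
    conflicts: List[str] = []
    for name, condition, attr, value in rules:
        if not condition(assigned):
            continue
        if attr in assigned and assigned[attr] != value:
            conflicts.append(f"{name}: derived {attr}={value!r} vs assigned {assigned[attr]!r}")
        elif attr in derived and derived[attr] != value:
            conflicts.append(f"{name}: derived {attr}={value!r} vs earlier derived {derived[attr]!r}")
        else:
            derived[attr] = value
            effective[attr] = value
    return effective, conflicts

def can_read(obj: Assignments, user: Assignments) -> bool:
    """Slide 12 policy: Can-read ≡ security-label(o) = sensitive ∧ role(u) = manager."""
    return obj.get("security-label") == "sensitive" and user.get("role") == "manager"
```

Rules are evaluated against the explicitly assigned values only, so a chain of transformations (slide 18) would need repeated passes.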

  17. Attribute Expansion (motivation)
     Motivation from literature:
     1. Hierarchical Group and Attribute-Based Access Control (HGABAC) [3]

  18. Conclusion
     What next?
     - Other forms of attribute transformation
     - Chains of attribute transformation
     - Fitting attribute transformation into ABAC models

  19. References
     1. Servos, Daniel, and Sylvia L. Osborn. "HGABAC: Towards a formal model of hierarchical attribute-based access control." International Symposium on Foundations and Practice of Security. Springer International Publishing, 2014.
     2. Kuhn, D. Richard, Edward J. Coyne, and Timothy R. Weil. "Adding attributes to role-based access control." Computer 43.6 (2010): 79-81.
     3. Servos, Daniel, and Sylvia L. Osborn. "HGABAC: Towards a formal model of hierarchical attribute-based access control." International Symposium on Foundations and Practice of Security. Springer International Publishing, 2014.

