Abstract | ||
---|---|---|
Verifying that access-control systems maintain desired security properties is recognized as an important problem in security. Enterprise access-control systems have grown to protect tens of thousands of resources, and there is a need for verification to scale commensurately. We present a new abstraction-refinement technique for automatically finding errors in Administrative Role-Based Access Control (ARBAC) security policies. ARBAC is the first and most comprehensive administrative scheme for Role-Based Access Control (RBAC) systems. Underlying our approach is a change in mindset: we propose that error finding complements verification, can be more scalable, and allows for the use of a wider variety of techniques. In our approach, we use an abstraction-refinement technique to first identify and discard roles that are unlikely to be relevant to the verification question (the abstraction step), and then restore such abstracted roles incrementally (the refinement steps). Errors are one-sided: if there is an error in the abstracted policy, then there is an error in the original policy. If there is an error in a policy whose role-dependency graph diameter is smaller than a certain bound, then we find the error. Our abstraction-refinement technique complements conventional state-space exploration techniques such as model checking. We have implemented our technique in an access-control policy analysis tool. We show empirically that our tool scales well to realistic policies, and is orders of magnitude faster than prior tools. |
Year | DOI | Venue |
---|---|---|
2011 | 10.1145/2046707.2046727 | ACM Conference on Computer and Communications Security |
Keywords | Field | DocType |
original policy,error finding,new abstraction-refinement technique,realistic policy,security policy,abstracted policy,conventional state-space exploration technique,access-control policy analysis tool,abstraction-refinement technique,automatic error finding,access-control system,model checking,access control | Mindset,Model checking,Computer security,Computer science,Policy analysis,Role-based access control,Distance,Theoretical computer science,Access control,Security policy,Scalability | Conference |
Citations | PageRank | References |
34 | 0.98 | 44 |
Authors | ||
5 |
Name | Order | Citations | PageRank |
---|---|---|---|
Karthick Jayaraman | 1 | 282 | 13.84 |
Vijay Ganesh | 2 | 1563 | 94.66 |
Mahesh V. Tripunitara | 3 | 558 | 33.06 |
Martin C. Rinard | 4 | 4739 | 277.55 |
Steve Chapin | 5 | 45 | 1.86 |