Efficient policy analysis for administrative role based access control

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2007, Pages 445-455

  Stoller, Scott D ^a   Yang, Ping ^a   Ramakrishnan, C R ^b   Gofman, Mikhail I ^a  

^a BINGHAMTON UNIVERSITY   (United States)

^b Stony Brook University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ANALYSIS ALGORITHMS; INPUT SIZE; PARAMETERIZED COMPLEXITY; POLICY ANALYSIS; POLYNOMIAL COMPLEXITY; REACHABILITY; ROLE-BASED ACCESS CONTROL;

ALGORITHMS; SECURITY SYSTEMS;

ACCESS CONTROL;

EID: 77952403780     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1315245.1315300     Document Type: Conference Paper

References (31)

1. American National Standards Institute (ANSI), International Committee for Information Technology Standards (INCITS). Role-based access control. ANSI INCITS Standard 359-2004, Feb. 2004.
2. A. K. Bandara, E. C. Lupu, and A. Russo. Using event calculus to formalise policy specification and analysis. In Proc. 4th IEEE Workshop on Policies for Distributed Systems and Networks (Policy 2003), 2003.
3. M. Y. Becker. Cassandra: Flexible Trust Management and its Application to Electronic Health Records. PhD thesis, University of Cambridge, Oct. 2005.
4. E. M. Clarke, Jr., O. Grumberg, and D. A. Peled. Model Checking. MIT Press, 1999.
5. J. Crampton. Understanding and developing role-based administrative models. In Proc. 12th ACM Conference on Computer and Communications Security (CCS), pages 158-167. ACM Press, 2005.
6. R. G. Downey and M. R. Fellows. Fixed-parameter tractability and completeness I: Basic results. SIAM Journal on Computing, 24 (4):873-921, 1995.
7. M. Evered and S. Bögeholz. A case study in access control requirements for a health information system. In Proc. Australasian Information Security Workshop 2004 (AISW), volume 32 of Conferences in Research and Practice in Information Technology, 2004.
8. K. Fisler, S. Krishnamurthi, L. A. Meyerovich, and M. C. Tschantz. Verification and change-impact analysis of access-control policies. In International Conference on Software Engineering (ICSE), pages 196-205, 2005.
9. P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems, volume 1032 of Lecture Notes in Computer Science. Springer-Verlag, 1996.
10. J. D. Guttman, A. L. Herzog, J. D. Ramsdell, and C. W. Skorupka. Verifying information flow goals in Security-Enhanced Linux. Journal of Computer Security, 13 (1):115-134, 2005.
11. J. Y. Halpern and V. Weissman. Using first-order logic to reason about policies. In Proc. 16th IEEE Computer Security Foundations Workshop (CSFW), pages 187-201. IEEE Computer Society Press, 2003.
12. M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in operating systems. Communications of the ACM, 19 (8):461-471, 1976.
13. K. Irwin, T. Yu, and W. H. Winsborough. On the modeling and analysis of obligations. In In Proc. 13th ACM Conference on Computer and Communications Security (CCS), pages 134-143, Nov. 2006.
14. D. Jackson, I. Schechter, and I. Shlyakhter. Alcoa: the alloy constraint analyzer. In Proc. 22nd International Conference on Software Engineering (ICSE), pages 730-733, June 2000.
15. S. Jajodia, P. Samarati, and V. S. Subrahmanian. A logical language for expressing authorizations. In Proc. 1997 IEEE Symposium on Security and Privacy, pages 31-42, 1997.
16. S. Jha and T. Reps. Model-checking SPKI-SDSI. Journal of Computer Security, 12:317-353, 2004.
17. A. Kern, A. Schaad, and J. Moffett. An administration concept for the enterprise role-based access control model. In Proc. 8th ACM Symposium on Access Control Models and Technologies (SACMAT). ACM Press, 2003.
18. N. Li and Z. Mao. Administration in role based access control. In Proc. ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS), Mar. 2007.
19. N. Li, J. C. Mitchell, and W. H. Winsborough. Beyond proof-of-compliance: Security analysis in trust management. Journal of the ACM, 52 (3):474-514, 2005.
20. N. Li and M. V. Tripunitara. Security analysis in role-based access control. ACM Transactions on Information and System Security, 9 (4):391-420, Nov. 2006.
21. R. J. Lipton. Reduction: A method of proving properties of parallel programs. Communications of the ACM, 18 (12):717-721, 1975.
22. R. J. Lipton and L. Snyder. A linear time algorithm for deciding subject security. J. ACM, 24 (3):455-464, July 1977.
23. S. Oh and R. S. Sandhu. A model for role administration using organization structure. In Proc. 7th ACM Symposium on Access Control Models and Technologies (SACMAT). ACM Press, 2002.
24. R. Sandhu. The typed access matrix model. In Proc. IEEE Symposium on Security and Privacy, pages 122-136, 1992.
25. R. Sandhu, V. Bhamidipati, and Q. Munawer. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and Systems Security (TISSEC), 2 (1):105-135, Feb. 1999.
26. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29 (2):38-47, Feb. 1996.
27. A. Sasturkar, P. Yang, S. D. Stoller, and C. Ramakrishnan. Policy analysis for administrative role based access control. In Proc. 19th IEEE Computer Security Foundations Workshop (CSFW), July 2006.
28. A. Schaad, J. Moffett, and J. Jacob. The role-based access control system of a European bank: A case study and discussion. In Proc. 6th ACM Symposium on Access Control Models and Technologies (SACMAT), pages 3-9. ACM Press, 2001.
29. A. Schaad and J. D. Moffett. A lightweight approach to specification and analysis of role-based access control extensions. In Proc. 7th ACM Symposium on Access Control Models and Technologies (SACMAT), pages 13-22. ACM Press, 2002.
30. A. P. Sistla and M. Zhou. Analysis of dynamic policies. In Joint Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis (FCS-ARSPA), Aug. 2006. Full version to appear in Information & Computation.
31. www.cs.stonybrook.edu/~stoller/ccs2007/.