DOI: 10.1145/1542207.1542214
research-article

Towards formal security analysis of GTRBAC using timed automata

Published: 03 June 2009

Abstract

An access control system is often viewed as a state transition system. Given a set of access control policies, a general safety requirement in such a system is to determine whether a desirable property is satisfied in all the reachable states. Such an analysis calls for formal verification. While formal analysis of traditional RBAC has been done to some extent, the extensions of RBAC lack such an analysis. In this paper, we propose a formal technique to perform security analysis on the Generalized Temporal RBAC (GTRBAC) model, which can be used to express a wide range of temporal constraints on different RBAC components such as role, user and permission. In the proposed approach, the GTRBAC system is first mapped to a state transition system built using timed automata. The characteristics of each role, user and permission are captured with the help of timed automata. A single global clock is used to express the various temporal constraints supported in a GTRBAC model. Next, a set of safety and liveness properties is specified using computation tree logic (CTL). Model-checking-based formal verification is then done to verify the properties against the model and determine whether the system is secure with respect to a given set of access control policies. Both time and space analysis have been done to study the performance of the approach under different configurations.

Published In

SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies
June 2009
258 pages
ISBN:9781605585376
DOI:10.1145/1542207

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. GTRBAC
  2. ctl
  3. model checking
  4. security analysis
  5. timed automata

Acceptance Rates

SACMAT '09 Paper Acceptance Rate 24 of 75 submissions, 32%;
Overall Acceptance Rate 177 of 597 submissions, 30%

Article Metrics

  • Downloads (Last 12 months): 5
  • Downloads (Last 6 weeks): 1

Reflects downloads up to 12 Sep 2024

Cited By

  • (2023) Efficient Analysis of Sequences of Security Problems in Access Control Systems. Mobile Computing and Sustainable Informatics (67-80). DOI: 10.1007/978-981-99-0835-6_5. Online publication date: 27-May-2023
  • (2022) A Survey on Empirical Security Analysis of Access-control Systems: A Real-world Perspective. ACM Computing Surveys 55:6 (1-28). DOI: 10.1145/3533703. Online publication date: 7-Dec-2022
  • (2020) Analyzing Security Requirements in Timed Workflow Processes. IEEE Transactions on Dependable and Secure Computing (1-1). DOI: 10.1109/TDSC.2020.2975163. Online publication date: 2020
  • (2020) Security Analysis of Unified Access Control Policies. Secure Knowledge Management In Artificial Intelligence Era (126-146). DOI: 10.1007/978-981-15-3817-9_8. Online publication date: 6-Mar-2020
  • (2018) Security analysis of ABAC under an administrative model. IET Information Security. DOI: 10.1049/iet-ifs.2018.5010. Online publication date: 23-Oct-2018
  • (2017) Role updating in information systems using model checking. Knowledge and Information Systems 51:1 (187-234). DOI: 10.1007/s10115-016-0974-4. Online publication date: 1-Apr-2017
  • (2016) An Administrative Model for Collaborative Management of ABAC Systems and Its Security Analysis. 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC) (64-73). DOI: 10.1109/CIC.2016.022. Online publication date: Nov-2016
  • (2016) Security Architecture and Specification Framework for Safe and Secure Industrial Automation. Critical Information Infrastructures Security (3-14). DOI: 10.1007/978-3-319-33331-1_1. Online publication date: 18-May-2016
  • (2014) Security analysis for temporal role based access control. Journal of Computer Security 22:6 (961-996). DOI: 10.5555/2699777.2699780. Online publication date: 1-Nov-2014
  • (2014) Comparison between Alloy and Timed Automata for modelling and analysing of access control specifications. 2014 Third International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec) (16-21). DOI: 10.1109/CyberSec.2014.6913965. Online publication date: Apr-2014
