Open access

A Survey on Empirical Security Analysis of Access-control Systems: A Real-world Perspective

Published: 07 December 2022
Abstract

There are many different access-control systems, yet a commonality is that they provide flexible mechanisms to enforce different access levels. Their importance in organisations to adequately restrict resources, coupled with their use in a dynamic environment, mandates the need to routinely perform policy analysis. The aim of performing analysis is often to identify potentially problematic permissions, which have the potential to be exploited and could result in data theft and unintended modification. There is a vast body of published literature on analysing access-control systems, yet as performing analysis has a strong end-user motivation and is grounded in security challenges faced in real-world systems, it is important to understand how research is developing, what the common themes of interest are, and to identify key challenges that should be addressed in future work. To the best of the authors’ knowledge, no survey has been performed to gain an understanding of empirical access-control analysis, focussing on how techniques are evaluated and how they align to the needs of real-world analysis tasks. This article provides a systematic literature review, identifying and summarising key works. Key findings are identified and discussed as areas of future work.




Published In

ACM Computing Surveys, Volume 55, Issue 6 (June 2023), 781 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/3567471

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 07 December 2022
Online AM: 27 April 2022
Accepted: 25 April 2022
Revised: 07 April 2022
Received: 23 November 2019
Published in CSUR Volume 55, Issue 6


Author Tags

1. Access control
2. security policy
3. analysis
4. empirical analysis

Qualifiers

• Survey
• Refereed


Article Metrics

• Downloads (last 12 months): 2,247
• Downloads (last 6 weeks): 236

Reflects downloads up to 09 Aug 2024


Cited By

• Poster: Zero Trust Driven Architecture for Blockchain-Based Access Control Delegation. Proceedings of the ACM SIGCOMM 2024 Conference: Posters and Demos (2024), 48–50. DOI: 10.1145/3672202.3673737. Online publication date: 4 Aug 2024.
• Automated Generation and Update of Structured ABAC Policies. Proceedings of the 2024 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems (2024), 31–40. DOI: 10.1145/3643650.3658608. Online publication date: 21 Jun 2024.
• Cybersecurity Education and Awareness Among Parents and Teachers: A Survey of Bahrain. IEEE Access 12 (2024), 86596–86617. DOI: 10.1109/ACCESS.2024.3416045. Online publication date: 2024.
• Towards Automated Access Control Policy Mining via Structured Attribute-Based Access Control. Proceedings of the Third International Conference on Innovations in Computing Research (ICR’24) (2024), 431–440. DOI: 10.1007/978-3-031-65522-7_38. Online publication date: 1 Aug 2024.
• Towards Automated Policy Predictions via Structured Attribute-Based Access Control. Proceedings of the Third International Conference on Innovations in Computing Research (ICR’24) (2024), 13–22. DOI: 10.1007/978-3-031-65522-7_2. Online publication date: 1 Aug 2024.
• IAM Meets CTI: Make Identity and Access Management Ready for Cyber Threat Intelligence. Data and Applications Security and Privacy XXXVIII (2024), 44–52. DOI: 10.1007/978-3-031-65172-4_3. Online publication date: 14 Jul 2024.
• Is Modeling Access Control Worth It? Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (2023), 2830–2844. DOI: 10.1145/3576915.3623196. Online publication date: 15 Nov 2023.
• CP-ABE access control scheme supporting data permission management in IOT. Sixth International Conference on Computer Information Science and Application Technology (CISAT 2023) (2023), 55. DOI: 10.1117/12.3003847. Online publication date: 11 Oct 2023.
• Fabrication of Flexible Role-Based Access Control Based on Blockchain for Internet of Things Use Cases. IEEE Access 11 (2023), 106315–106333. DOI: 10.1109/ACCESS.2023.3318487. Online publication date: 2023.
• System for Cross-Domain Identity Management (SCIM): Survey and Enhancement With RBAC. IEEE Access 11 (2023), 86872–86894. DOI: 10.1109/ACCESS.2023.3304270. Online publication date: 2023.
