There are many different access-control systems, yet a commonality is that they provide flexible mechanisms to enforce different access levels. Their importance in organisations to adequately restrict resources, coupled with their use in a dynamic environment, mandates the need to routinely perform policy analysis. The aim of performing analysis is often to identify potentially problematic permissions, which have the potential to be exploited and could result in data theft and unintended modification. There is a vast body of published literature on analysing access-control systems, yet as performing analysis has a strong end-user motivation and is grounded in security challenges faced in real-world systems, it is important to understand how research is developing, what the common themes of interest are, and to identify key challenges that should be addressed in future work. To the best of the authors’ knowledge, no survey has been performed to gain an understanding of empirical access-control analysis, focussing on how techniques are evaluated and how they align to the needs of real-world analysis tasks. This article provides a systematic literature review, identifying and summarising key works. Key findings are identified and discussed as areas of future work.
1 Introduction
Access controls are integral to information technology systems, whereby access is restricted to interacting subjects (users, processes, etc.) to grant them the level of access necessary for them to perform their required tasks [87]. Access control systems are essential in multi-user and multi-device infrastructure, as there are inevitably sensitive resources that need to be protected, and relying purely on subject trust would present unnecessarily high risk. Digital access controls operate in the same way as physical access controls (i.e., a door lock), where a person can only gain access to the restricted resource with the necessary item to unlock it, which in digital systems is a series of permission attributes. Access control systems mediate access to system resources. A common component is that the restriction is expressed as a policy, i.e., a set of high-level rules defined to enforce access levels. Best practice guides generally dictate a principle of least privilege, where subjects should be granted the lowest level of permission needed to perform their necessary activity. In addition to providing mechanisms to enforce levels of access, policies can be used to achieve strategic security considerations. For example, ensuring separation of duties means that a single subject is prohibited from accessing multiple resources that together hold high damage potential, should they be abused. Policies are often implemented taking into consideration the types of activity a subject would be undertaking and the criticality of the managed resource [98].
There are many different access-control systems, both in terms of abstract model and implementation. In terms of the model, they range from rigid models to enforce strict policies in safety-critical environments to highly flexible models that are capable of accounting for a wide range of access restrictions in dynamic business environments. In terms of implementation, they range from those securing Windows [50] and *nix infrastructure [63], to those operating in distributed and decentralised environments such as the Internet-of-Things [62]. Although there are differences in how access-control systems are implemented and used, the principal differences lie in the access-control models themselves and include variations in:
• Policy Model and Application: The way that policies are implemented and managed differs. For example, some systems operate a role-based model whereby policies are managed and enforced by a business role, and some systems operate a discretionary access model where a customised policy can be created for each resource, providing the owner with modification capability [98].
• Policy Granularity: A common element of all systems is that they provide a finite list of available permission attributes. However, granularity and extensibility in available permissions differ between different systems [25].
Access controls are utilised in most multi-user and multi-device infrastructures. However, as the number of devices and subjects increases, so does the access-control policy in terms of size and complexity. As access controls are very important for preventing incorrect access to sensitive resources, there is a need to analyse the policy to identify potential problems that can be mitigated [2, 28]. The tightening of legal frameworks to protect personal data within digital systems is also motivating the requirement to have legally compliant access-control systems [41]. For example, in Europe, the introduction of the General Data Protection Regulation (GDPR) has tightened how organisations implement and review their security procedures [102], including access controls.
Policy analysis is largely a manual process seeking to identify problematic permissions, which could be of security concern. The analysis comes in two forms: before the fact and after the fact. The primary difference between the two is that one is performed before a change is made to the access-control policy to assess the potential impact, whereas the other is performed after a change has been made to a policy. The different types of analysis, which can be performed both before and after a change, involve examining the policy to identify potential security concerns and can be generalised into the following two categories:
• Known: where the access-control policy is systematically analysed, manually or using software tools, to identify, through a procedural approach, permissions that meet the criteria of a rule specified by a knowledge base of potential problems [48]. An example here could be that no subject should have delete rights on essential resources.
• Unknown: where the policy is examined to determine individual permissions that appear to be problematic, i.e., they appear unusual when considering all other permissions. An example here could be that all users except one have read access to a restricted resource.
The limitation with both these mechanisms is that they either require a predetermined definition of what a problematic permission would look like, or the problematic permissions are identified subjectively based on the use of intelligent analysis techniques. Furthermore, there are also no guarantees that any potentially problematic permission would be discovered. It is also possible that the policy is never analysed, leaving permissions active that could be exposing a potential vulnerability. For example, considering that permissions can be linked to an employee’s job role, it might be that they are accumulated as that person changes their job role within the organisation. The user will gain access to the necessary resources as their role changes, but unless someone removes previous allocations that are no longer required, there is the danger that they accrue a high level of permissions. This phenomenon is often referred to as permissions creep [75].
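As an added illustration (not part of the original article), the following Python script applies the two categories of analysis just described, a known-style rule check and an unknown-style outlier check, to a constructed access-control list, and then shows permissions creep across a constructed role history. The ACL entries, the set of essential resources and the role-to-permission table are all assumptions.

```python
"""Added example (not from the original article): the two categories of policy
analysis described above, applied to a constructed access-control list.
All subjects, objects, permissions and role tables are made-up assumptions."""
from collections import defaultdict

# Constructed ACL of (subject, object, permission) triples.
ACL = [
    ("alice", "finance-share", "read"), ("alice", "finance-share", "write"),
    ("bob", "finance-share", "read"), ("bob", "finance-share", "write"),
    ("carol", "finance-share", "read"), ("carol", "finance-share", "write"),
    ("dave", "finance-share", "read"),
    ("alice", "hr-records", "read"), ("bob", "hr-records", "read"),
    ("carol", "hr-records", "read"), ("dave", "hr-records", "read"),
    ("dave", "hr-records", "delete"),
]
ESSENTIAL = {"hr-records"}   # resources the knowledge base treats as essential


def known_check(acl, essential, forbidden=("delete",)):
    """Known analysis: a procedural rule taken from a knowledge base.
    Rule used here: no subject may hold a forbidden right on an essential resource."""
    return sorted((s, o, p) for s, o, p in acl if o in essential and p in forbidden)


def unknown_check(acl):
    """Unknown analysis: flag permissions that look unusual relative to all others.
    For each (object, permission), a subject is an outlier when they are the only
    holder, or the only subject who does not hold it, among three or more subjects."""
    subjects = {s for s, _, _ in acl}
    holders = defaultdict(set)
    for s, o, p in acl:
        holders[(o, p)].add(s)
    findings = []
    if len(subjects) < 3:
        return findings          # too few subjects for "all except one" to mean anything
    for key in sorted(holders):
        obj, perm = key
        hs = holders[key]
        if len(hs) == 1:
            findings.append(("only holder", next(iter(hs)), obj, perm))
        missing = subjects - hs
        if len(missing) == 1:
            findings.append(("only non-holder", next(iter(missing)), obj, perm))
    return findings


# Constructed role-to-permission table used to illustrate permissions creep.
ROLE_PERMS = {
    "sales": {("crm", "read"), ("crm", "write")},
    "finance": {("finance-share", "read"), ("finance-share", "write")},
}


def permissions_creep(role_history, current_role):
    """Permissions a subject accumulated across earlier roles that the current
    role does not require; these are what an analyst would expect to be revoked."""
    accumulated = set()
    for role in role_history:
        accumulated |= ROLE_PERMS[role]
    return sorted(accumulated - ROLE_PERMS[current_role])


if __name__ == "__main__":
    print("known:", known_check(ACL, ESSENTIAL))
    print("unknown:", unknown_check(ACL))
    print("creep:", permissions_creep(["sales", "finance"], "finance"))
```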
Research into the analysis of access controls has existed alongside the creation of new access-control technologies. This is because the requirement to analyse and preserve access is important. A recent study presents a comprehensive survey of methods and tools that are used for analysing policies [49]. The article presented by Jabal et al. [49] has many merits in understanding key works in the area and categorising their scientific approaches; however, one shortcoming, and yet an essential piece of information necessary to understand the merits of the different approaches, is what empirical results and observations have been made about each approach. As access-control analysis is a practical task with significant impact for many organisations, it is surprising that no work has yet examined how researchers are presenting and evaluating empirical security analysis, going beyond proposing new processes. This includes considering how the techniques are validated in terms of using real-world or synthetic datasets.
In this article, a systematic survey of analysing access-control policies is provided. The article first motivates this work, followed by a methodology of how this survey was performed. A discussion of different access-control systems and vulnerability analysis mechanisms is provided, followed by a discussion of key findings and common challenges within the discipline. Finally, a conclusion is provided suggesting how this acquired knowledge can be used as a basis for future research and development.
2 Motivation
In this section, motivation is provided for the reader to understand why this survey has been performed. The survey is motivated by practical and empirical research requirements into access-control analysis, predominantly that of file system access control, whereby there is a need to determine if users have incorrect permissions allocated. It is important to note that this work is motivated from an empirical viewpoint, considering a technique’s ability to identify problems in implemented access-control policies. The motivation for this work is to go beyond the academic viewpoint and help gain an understanding of how well analysis techniques can work in the real world, which requires considering the difficulty of comparability, since techniques are often tested against different policies. However, policy size and processing time are considered suitable criteria, as they indicate how suitable the technique is for analysing real-world policies. If the analysis technique requires too long, then it would be problematic for the end-user. If the analysis technique has only been evaluated on small policies, then it may not yet be ready to scale to handle real-world policies. The survey presented in this article is of benefit, as it is specifically investigating these aspects. Although related access-control surveys do exist, this is the first time works are grouped to look at how they are assessed and to identify key knowledge gaps for future work.
Through empirical observations and those made based on published literature, the following list of open challenges and motivating factors have been determined. It is also worth noting that inspiration for these motivating factors can be observed in the literature on security analysis and access control [59].
• Policy size: Access control implementations in large multi-user and multi-device systems can result in large, unwieldy policies. For example, a directory structure containing user home drives and network shares for a system will grow proportional to the number of subjects and objects. In one research paper, the authors discuss the use of a network directory share containing 11,654,870 access-control lists, with 15 different permission levels [75]. This is significant, as it is for a single network share, and it is a reasonable assumption that many organisations will have multiple. Manually reviewing these policies to identify potential problems is going to be resource-intensive.
• What to look for: As previously mentioned, when analysing access-control policies, either a supervised (knowledge-based) or unsupervised approach is adopted. However, both approaches are problematic, as they either require pre-established knowledge or a reliable unsupervised algorithm capable of adequately discovering problematic permissions. This is time-consuming, and in one study, the authors report spending 10–30 minutes analysing grsecurity against each policy for vulnerabilities [15]. This signifies the volume of information that needs to be processed, and as the analysis process should be a frequent task, it demonstrates how much time must be spent purely on each analysis task.
• Processing requirements: It is often the case that not only will finite resources be available to perform the analysis, but it will be necessary to discover and rectify problems as quickly as possible. If a live system is analysed, then the technique will need to have a minimal impact on the system. This is even true when the analysis is performed offline, as it is necessary to have techniques available to quickly extract the policy.
• Testing and empirical evaluation: Adequately testing any developed technique is challenging. This is because developing and configuring a simulation to adequately represent the diverse nature of different implementations is time-consuming and requires careful consideration. Furthermore, gaining access to live, industrial systems can be challenging. As access-control analysis is strongly motivated by end-user challenges, each researcher will be approaching the problem from a slightly different perspective, depending on either their research collaborators or their understanding of the problem. It is for this reason that differences in evaluation techniques are likely, whether they are using a different live system for empirical testing or the development of a synthetic environment aligned to the end-user challenge and their experience with the problem. A recent survey into role mining demonstrated the vast array of different real and synthetic datasets [65].
3 Methodology
As this survey is seeking to identify only works that include an empirical analysis component, a guided literature survey is undertaken as opposed to collecting all works relating to a series of keywords. The rationale for undertaking this approach is so we can discover and assess the core body of related empirical access-control analysis research. In this survey, we systematically search the literature to identify key works in access-control analysis following a three-stage process of (1) identification and selection, (2) screening and refinement, and (3) citation following.
In the (1) identification and selection stage, we used general keywords, publication year, and the Google Scholar platform to search for papers of relevance. The keywords used to seed the literature survey are: access-control analysis, auditing, and evaluation. We set the criteria for identifying works within the past 20 years (2001–2021). However, as underlying principles in access-control systems are based on earlier fundamental developments, older works are cited to provide background knowledge and problem motivation. Key works specifically relating to analysis are identified in the past 20 years. In the (2) screening and refinement stage, a prima facie assessment is first undertaken to establish whether the paper is of sufficient quality and aligned with the focus of this study. In terms of quality, a subjective assessment is made of the rigour of the outlet and its peer-review process. For example, publishing organisations with established journals and conference series are assumed to have high standards of academic rigour. These include, for example, articles published with ACM, IEEE, Springer, and Elsevier. In terms of aligning to the focus, articles are only included in the study if they present some form of empirical analysis beyond theoretical proof. This includes the application of the author’s research to real-world and synthetic access-control datasets. Furthermore, a paper’s relevance is determined based on its content in relating to the challenge areas defined in Section 2. Finally, and once a relevant article has been discovered, (3) citation following will take place, where works cited in the article will be examined, as will those that have cited the article and have been identified by Google Scholar. Excluding duplicates, each article will be investigated by following the process. By following this process, we will perform a comprehensive survey of works including empirical access controls.
There is a chance that works not citing key literature in the area will not be discovered; however, an assumption is made that work in this area of sufficient quality and rigour would cite related work, enabling it to be discovered during this survey.
4 Types of Access Controls
The purpose of this section is to provide an overview of the four main types of access-control model for the reader. It is important to recap their differences, highlighting properties regarding the review and types of problematic permissions presented in Section 2. The four main types of access-control systems discussed in this section are: (1) Role-based, (2) Discretionary, (3) Mandatory, and (4) Attribute-based Access Control [12]. The section is divided based on the model being discussed, as is the main literature review presented in Section 5.
This section provides an overview of the main variants of access-control models. Although there are many variants to consider, all access-control systems contain some common and primary components. As illustrated in Figure 1, they all have interacting subjects, access-restricted objects, and a security policy. Furthermore, they all have a reference monitor, which is the security-controlling component granting or revoking access. An example considering these components could be that a subject Alice requires access to the object AliceHomeDrive. Alice wants to Write data to the location and therefore needs to acquire appropriate permission. Upon making the request, the reference monitor is consulted alongside the policy extracted for Alice on AliceHomeDrive. The reference monitor will grant or deny access upon considering the policy. The access-control systems discussed in this section follow this same process, with key differences around how the policy is expressed, managed, and enforced regarding the subject and object.
Fig. 1.
4.1 Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) systems enable the restriction of access based on subject role [34, 86]. A common example is that users can be granted access based on their role under the assumption that users utilising the system for the same purpose will require access to the same resources. An example here is that within a typical organisation, employees can be categorised into roles such as management, sales, finance, and so on, and each requires different access levels to resources. For example, sales staff should not be able to access management resources, which may include sensitive personal data.
RBAC is well-defined, and there is a series of accepted models. The RBAC96 family of models is widely adopted and cited as being the first formalised RBAC model [84]. The model implements the necessary security principles of RBAC systems (least privilege and separation of duties), but it also includes constraints to handle mutual exclusion and cardinality on user-role and permission-role assignment. ARBAC97 is the extension of RBAC96 to account for the formalisation of administration in RBAC models [85]. The formalisation of an administration model is necessary, as RBAC models are not administered by a single central authority, and it is necessary to distribute administrative control to sub-areas of activity.
Extensions of RBAC models have been explored to account for the multitude of dynamic requirements of granting and restricting access. For example, the development of Temporal Role-Based Access Control (TRBAC) extends RBAC to include the notion of time; more specifically, the specification that policies are enforceable for predetermined time periods [11].
Researchers have identified that there are many reasons to analyse the security configuration of RBAC systems. One author motivates the need to analyse RBAC systems, as although in practice they can be easier to administer than discretionary systems, the size and complexity of implemented systems create a high administration overhead [61].
4.2 Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is an approach that restricts access to resources on a per-subject basis. The reason that this approach is called discretionary is that the subject can pass on their permission to others at their discretion. In other words, a user owning a resource can grant or deny access to other subjects. Researchers have studied the safety and complexity of DAC systems and developed algorithms for determining safety [29, 60]. Traditional Unix permissions are a good example of DAC, with users, groups, and read-write-execute permissions [103]. More recent developments introduce flexibility, e.g., positive/negative and strong/weak permissions [57]; however, these developments often result in the potential for conflicts to occur and suitable resolution strategies are often needed to handle whether negative or positive permissions should take precedence.
Researchers have noted in the past that although discretionary access-control systems are used, it is often the case that organisations configure them in such a way as to implement role-based access controls; more specifically, the administration of user-to-role (or group) permissions to configure a standard set of permissions for all those within a role. In early works, authors discuss the flexibility of DAC and how it can be used to implement both role-based and mandatory access-control systems [72]. The challenges related to deployment, administration, and analysis of DAC systems are also well known [28]. The authors also place emphasis on the requirement of both analysing and verifying DAC mechanisms.
4.3 Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is a variation of access-control model whereby a central authority enforces a security policy, constraining a subject’s ability to access resources. A key difference here with other access-control mechanisms, such as DAC, is that in MAC the operating system enforces the policy set by the administrator, whereas in DAC the owner can control access. MAC has a history of being used in highly sensitive environments, such as those in military systems [82]. MAC systems are generally controlled by a central authority and the system configuration (roles, permission levels, etc.) is often static and cannot be changed to prevent the introduction of vulnerabilities.
A typical representation of MAC is the Bell-LaPadula model [64], which uses a lattice model to govern access. More specifically, the lattice can be seen as a hierarchy of access levels where information can only flow up the lattice (from least restrictive to most). Researchers have presented the translation from RBAC systems to MAC so DAC systems can be used in military or government systems [111]. MAC systems are also used in systems whereby it is necessary to have a deterministic security policy, such as in the Android operating system [14].
Although MAC is regarded as one of the best access-control systems for enforcing strict levels of access, due to its predictability and strict restrictions over who can implement policy modifications, its use within an organisation can be problematic due to its lack of flexibility. More specifically, its finite permission levels can be regarded as antiquated relative to an organisation’s needs [26]. During the early stages of this review, it quickly became apparent that analysis challenges that exist in more flexible access-control models are not as significant for MAC systems. More specifically, due to the rigidity and predictability of MAC systems, the necessity and challenges of performing analysis are significantly reduced.
Early work has been undertaken on the formal security analysis of MAC systems using coloured Petri Nets [54]. However, no empirical analysis has been performed, and after reviewing related and citing literature, this avenue of research has received little attention. This is to be expected, as MAC systems are rigid and are not suitable for organisations with dynamic technology requirements. Furthermore, they are unlikely to be reconfigured without a high degree of care.
4.4 Attribute-Based Access Control (ABAC)
Attribute-Based Access Control (ABAC) is an access-control paradigm whereby policies are defined in terms of attribute types (e.g., user, resource, object, environment). ABAC allows for a greater degree of flexibility by enabling a greater number of discrete inputs into access-control decisions [45, 110]. In ABAC systems, subjects have a series of attributes, as do objects, which are subsequently utilised in rules created by the administrator or owner to govern the set of allowable capabilities. Furthermore, ABAC can account for risk-intelligent access control by considering subject risk and resource sensitivity [55]. Figure 2 provides a graphical overview of how ABAC differs from the more traditional access-control models discussed previously (DAC, MAC, and RBAC). ABAC systems introduce the additional components of Subject Attributes and Object Attributes, which are essential axioms used in the access-control policies. This significantly increases the flexibility of access-control systems, which were previously centred on granting permissions to subjects based on rules tying the subject and object together. The use of attributes for the subject and object allows the administrator to implement an ever-increasing variety of access controls, which, using RBAC, MAC, and DAC systems, would be exhaustive and cumbersome to manage. Furthermore, ABAC removes the need to modify the central policy rule set, as changing the subject and object attributes alone will enable the application, or revocation, of policies that are currently implemented.
Fig. 2.
ABAC systems have recently been one of the most active research areas in access control, which is largely driven by the demand to have access-control systems capable of controlling larger, interoperable systems. There are many different interpretations and uses of ABAC. In one work, the authors extend the NIST definition of RBAC to cater for ABAC [55]. Their motivation is such that although RBAC might be the commercially dominant model, issues around scalability are resulting in implementation challenges.
In terms of implementing ABAC systems, the eXtensible Access Control Markup Language (XACML) is used to express fine-grained access-control policies [3, 45]. The development of the language is largely motivated by the need to deliver standardisation across the implementation of different ABAC systems. XACML provides a standard architecture and process model to describe the flow of information through the access-control system. The standard goes beyond the abstraction provided in Figure 2 and introduces standardised notation and an information flow process. Figure 3 presents the standardised information flow and system architecture. The components of the XACML standard are as follows:
Fig. 3.
(1) Policy Enforcement Point (PEP): intercepts the requests from the user and converts them into an XACML authorisation request.
(2) Policy Decision Point (PDP): receives and evaluates the XACML request based on its policies.
(3) Policy Administration Point (PAP): policies are managed through the PAP.
(4) Policy Information Point (PIP): where attribute values are stored and retrieved.
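The following Python model is an added illustration of the four XACML components and the information flow between them; it is not code from the original article or from the XACML standard. The subject and resource attributes, the two rules, and the deny-overrides combining behaviour are all assumptions chosen to exercise the flow, including the Section 4.4 point that changing an attribute alone changes the decision without any edit to the policy set.

```python
"""Added example (not from the original article or from the XACML standard):
a minimal model of the PEP, PDP, PAP and PIP components and the request flow
between them. Attribute names, values and rules are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, object]


class PIP:
    """Policy Information Point: stores and retrieves attribute values."""
    def __init__(self, subjects: Dict[str, Attrs], resources: Dict[str, Attrs]):
        self.subjects, self.resources = subjects, resources

    def subject_attrs(self, sid: str) -> Attrs:
        return dict(self.subjects.get(sid, {}))

    def resource_attrs(self, rid: str) -> Attrs:
        return dict(self.resources.get(rid, {}))

    def set_subject_attr(self, sid: str, name: str, value) -> None:
        self.subjects.setdefault(sid, {})[name] = value


@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny"
    condition: Callable[[Attrs, Attrs, str], bool]  # (subject attrs, resource attrs, action)


class PAP:
    """Policy Administration Point: where policies are created and managed."""
    def __init__(self):
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)


class PDP:
    """Policy Decision Point: evaluates an authorisation request against the
    PAP's rules, pulling attributes from the PIP. Combining: deny-overrides."""
    def __init__(self, pap: PAP, pip: PIP):
        self.pap, self.pip = pap, pip

    def evaluate(self, request: Dict[str, str]) -> str:
        s = self.pip.subject_attrs(request["subject-id"])
        r = self.pip.resource_attrs(request["resource-id"])
        effects = {rule.effect for rule in self.pap.rules
                   if rule.condition(s, r, request["action"])}
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"   # no rule matched


class PEP:
    """Policy Enforcement Point: intercepts the native request, converts it into
    an authorisation request for the PDP and enforces the returned decision."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def access(self, user: str, action: str, resource: str) -> bool:
        request = {"subject-id": user, "action": action, "resource-id": resource}
        return self.pdp.evaluate(request) == "Permit"   # anything but Permit is refused


def build_system():
    """Wire the four components together with constructed attributes and rules."""
    pip = PIP(
        subjects={"alice": {"department": "finance", "clearance": 3},
                  "bob": {"department": "sales", "clearance": 1}},
        resources={"finance-report": {"department": "finance", "sensitivity": 2},
                   "payroll": {"department": "finance", "sensitivity": 4}},
    )
    pap = PAP()
    # Permit reads within the subject's own department ...
    pap.add_rule(Rule("Permit", lambda s, r, a: a == "read"
                      and s.get("department") == r.get("department")))
    # ... but deny any action where clearance is below the resource's sensitivity.
    pap.add_rule(Rule("Deny", lambda s, r, a: s.get("clearance", 0) < r.get("sensitivity", 0)))
    pdp = PDP(pap, pip)
    return PEP(pdp), pdp, pip


if __name__ == "__main__":
    pep, pdp, pip = build_system()
    print("alice read payroll:", pep.access("alice", "read", "payroll"))   # False: clearance 3 < 4
    pip.set_subject_attr("alice", "clearance", 4)   # attribute change only; PAP untouched
    print("alice read payroll:", pep.access("alice", "read", "payroll"))   # True
```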
Auditing of ABAC has been established as an open challenge by one recent study. The authors note that it would be resource-intensive to perform analysis due to the distributed nature of ABAC and its fundamental principle that access-control policies are identityless and based solely on attributes [90].
5 Literature Review
In this section, we present the results of our literature review in terms of first identifying and presenting types of problematic permissions, followed by a review of analysis works, grouped on the types of access-control systems being reviewed and presented. The following section first summarises the identified types of problematic permission, before presenting and discussing key works in (1) Role-based, (2) Discretionary, and (3) Attribute-based Access Control systems. Note that there is no section dedicated to mandatory access-control systems. This is because their rigid policy implementation and administration mechanisms reduce the potential for misconfigurations to occur. It is also evident by the absence of literature that mandatory access-control systems have not received the same research interest as others, and the likely reason for this is because they are seldom used in commercial and domestic IT infrastructure.
5.1 Types of Problematic Permissions
The process of analysing access-control policies is by no means a simplistic activity. There are many different reasons as to why the security system is being analysed, as well as many types of problematic permissions to detect [46]. The administrative/security tasks identified from performing this survey are specified in the following list. A reference is also provided to where each has been defined in literature.
• Simple Safety [61]: denotes that there are no presumably untrusted users in a reachable secure state.
• Liveness [61]: is used to establish that in all reachable states, there is at least one user present.
• Administrative Reachability [88, 97]: determines that it is possible to assign a user to a role by an administrative group.
• Administrative Availability [88, 97]: determines that it is possible to remove a user from a role by an administrative group.
• Redundancies [97]: contains rules that are redundant and do not affect the overall effective permission (i.e., the set of attributes remains the same).
• Conflicts [97]: contains policies that provide contradictory decisions.
• Privilege leakage [15]: contains policies that grant the subject unnecessary permissions.
• Privilege blocking [7]: contains policies that prevent the subject from acquiring necessary permissions.
• Weakest precondition [51]: identifying the minimal set of roles that allows the user to acquire the desired goal.
• Dead roles [51]: discovering roles that are not usable by any user.
• Information flows [51]: establishing whether information flows between two separate objects.
In addition to the above list, in other research, authors state different analysis tasks; however, the above list was compiled during the exploration of empirical research in policy analysis, and therefore research without empirical evaluation is not considered and their analysis tasks are not included. Readers are directed to References [51, 61] to find a more exhaustive list.
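As an added example (not from the original article or any of the cited works), the Python script below implements checks for four of the problematic permission types listed above, redundancies, conflicts, dead roles and separation-of-duty violations, over a constructed RBAC policy with role inheritance and positive/negative permissions. The users, roles, objects, actions and the separation-of-duty pair are assumptions.

```python
"""Added example (not from the original article): checks for several of the
problematic permission types listed above, run over a constructed RBAC policy
with role inheritance. Users, roles, objects and actions are assumptions."""
from collections import defaultdict

# Constructed policy. A role inherits every permission of the roles listed as its parents.
USER_ROLES = {"alice": {"finance_manager"}, "bob": {"clerk"}, "carol": {"clerk", "auditor"}}
ROLE_PARENTS = {"finance_manager": {"clerk"}, "clerk": set(), "auditor": set(), "intern": set()}
ROLE_PERMS = {  # (effect, object, action); "deny" is a negative permission
    "clerk": {("permit", "ledger", "read"), ("permit", "ledger", "write")},
    "finance_manager": {("permit", "ledger", "read"), ("permit", "ledger", "approve")},
    "auditor": {("permit", "ledger", "read"), ("deny", "ledger", "write")},
    "intern": {("permit", "wiki", "read")},
}
SOD_PAIRS = [("clerk", "auditor")]  # separation of duty: must not be held by one user


def ancestors(role):
    """All roles that `role` inherits from, transitively (itself excluded)."""
    seen, stack = set(), list(ROLE_PARENTS.get(role, ()))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return seen


def effective_role_perms(role):
    """Direct permissions of a role plus everything it inherits."""
    perms = set(ROLE_PERMS.get(role, set()))
    for a in ancestors(role):
        perms |= ROLE_PERMS.get(a, set())
    return perms


def user_perms(user):
    """Effective permission set of a user across all assigned roles."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= effective_role_perms(role)
    return perms


def dead_roles():
    """Dead roles: roles no user can exercise, directly or through inheritance."""
    live = set()
    for roles in USER_ROLES.values():
        for r in roles:
            live.add(r)
            live |= ancestors(r)
    return sorted(set(ROLE_PARENTS) - live)


def redundant_assignments():
    """Redundancies: direct assignments that do not change the effective
    permission set because an inherited role already supplies them."""
    out = []
    for role, perms in ROLE_PERMS.items():
        inherited = set()
        for a in ancestors(role):
            inherited |= ROLE_PERMS.get(a, set())
        out += [(role, p) for p in sorted(perms) if p in inherited]
    return sorted(out)


def conflicts():
    """Conflicts: users whose effective rules both permit and deny the same (object, action)."""
    out = []
    for user in USER_ROLES:
        by_target = defaultdict(set)
        for effect, obj, act in user_perms(user):
            by_target[(obj, act)].add(effect)
        out += [(user, obj, act) for (obj, act), effs in by_target.items()
                if effs == {"permit", "deny"}]
    return sorted(out)


def sod_violations():
    """Separation-of-duty violations: a user holding both roles of a forbidden pair."""
    return sorted((u, a, b) for u, roles in USER_ROLES.items()
                  for a, b in SOD_PAIRS if a in roles and b in roles)


if __name__ == "__main__":
    print("dead roles:", dead_roles())
    print("redundant:", redundant_assignments())
    print("conflicts:", conflicts())
    print("SoD violations:", sod_violations())
```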
In the following sections, details of the survey are presented, discussing key works with empirical evidence. A summary of the key aspects of each published piece of work is included in Table 1.
Table 1. Summary of Key Works (only two cell fragments of the table survive in this copy: “Synthetic (Maximum of 4,000 rules and 480 conflicts)” and “Manual discussion of results”)
5.2 Role-Based Access Control (RBAC)
There has been a significant amount of research undertaken in RBAC systems, primarily focussing on the development of new models and implementations. However, as with all decentralised access-control models, performing administration and analysis tasks can be challenging [93]. In one paper, the formal security analysis of RBAC systems is presented, specifically focusing on the impact of delegation on the strength and enforcement of access-control policies [61]. In the paper, the authors specifically focus on determining the following five characteristics: Safety, Availability, Bounded Safety, Liveness, and Containment. The authors use the role-based trust management framework as an assessment tool. In addition to the previous list where safety and liveness are presented, availability refers to the fact that an untrusted user has access to a secure state. Bounded safety refers to the fact that in all reachable states, the set of users is bounded by the total set of system users. This may include mutual exclusion in that every reachable state has no user who is a member of two user sets. Containment is used to denote that in every reachable state, two user sets are the same. The main result of their work is that it is determined that instances involving assignment and trusted users can be answered efficiently in polynomial time, proportional to the problem instance size.
Analysis and consideration of RBAC have received a lot of attention due to its applicability and wide-scale implementation. In addition to analysing RBAC systems for weaknesses, researchers have developed techniques for helping users in performing role-mining and engineering, releasing tools such as visualisation techniques to help users understand how roles are implemented in the organisation, which can help minimise any problematic consequences should the administrator need to make changes and would previously be unaware of the entire organisation’s role structure [39]. There is a wealth of research focussing on the formal analysis of RBAC systems [52]; however, as previously stated, only research presenting empirical observations is considered in this review article.
In other key works, the authors present the gran system to perform model checking of policies in the grsecurity framework. The authors identify grsecurity as the standard DAC mechanism provided in Linux distributions with an additional form of RBAC. In their work, they focus on the RBAC element of grsecurity. They perform empirical analysis on policies acquired from the grsecurity community, which specifically includes the analysis of five different policies. Their approach is seeking to identify weaknesses that are known to exist in the grsecurity system or result from the incorrect setup (e.g., incorrect understanding of inheritance) and can be classified as being procedural.
Another technique has been developed to identify redundancy and inconsistencies in RBAC systems [47]. Their approach is graph-based, which they use to evaluate separation of duty as well as identify policy inconsistencies (such as safety). The authors perform empirical analysis based on a synthetic RBAC with varying role numbers from 100 to 1,000 with varying numbers of randomly generated problematic permissions to identify. Their technique requires at worst 1,447 seconds to process the largest of their synthetic policies.
5.2.1 Administrative Role-Based Access Control (ARBAC).
It has been identified that there is a wealth of research in analysing Administrative Role-Based Access Control (ARBAC) systems. In one work, the authors utilise Artificial Intelligence Automated Planning for reachability analysis [88]. The research is focused on developing algorithms to perform reachability, bounded reachability, and availability analysis. In their work, they focus on ARBAC, which allows for the formalisation of decentralised administration. Their work is based on an adaptation (named miniARBAC) of ARBAC97, omitting role-role administration. The authors identify that analysis for ARBAC is PSPACE-complete and provide an implementation in SAS+ encoding to exploit automated planning [8]. In another key work from the same author group, they discuss how ARBAC policies are complex to analyse and they propose different classes of policies, as well as developing algorithms for each [97]. In their paper, the authors focus on analysing the presented algorithm's parameterised complexity when performing hierarchical role assignment; however, unlike their previous related research, the authors this time present a case study empirical evaluation based on a synthetic university RBAC system. In their analysis, they use both forward and backward reachability algorithms with a goal size of between 1 and 4. Their technique has a maximum search time of 128 seconds for 13 roles (forward search) and 98 seconds when searching for solutions for all 5 goal states (backward search).
In other more recent works utilising automated planning, a technique has been developed for suggesting new allocations, minimising privilege leakage and maintaining separation of duty [76]. In their experimental analysis, they considered the two administrative challenges of (1) assigning a new permission utilising a well-developed role-based structure and (2) introducing a new role-based structure to maintain separation of duty and prevent permission leakage. Their analysis was based on synthetic data and was found to be 85% accurate in terms of suggesting the correct permission without leakage.
In another work, the authors develop and present a tool named RBAC-PAT for performing policy analysis on RBAC implementations. Their tool has capabilities to perform analysis of many different security properties, such as reachability and weakest precondition [40]. The authors focus on the ARBAC97 model. The process of their technique involves the conversion of hierarchical policies into non-hierarchical variants and uses forward and backward search algorithms (the same as in Reference [97]). A brief case study is presented whereby policies for both a synthetic university and a hospital are utilised. In the instance of a large policy with 13 reachable mixed roles (both positive and negative conditions) and 32 roles, their tool generates and considers 232,320 states and 2,900 transitions before terminating in 8.6 hours. The other result is that with 5 mixed and 500 roles, their tool generated a maximum of 510 states, 2,550 transitions, and requires 2.6 hours to complete.
A tool named MOHAWK has been developed for automatic verification of changes an administrator wants to make to an ARBAC policy [51]. The authors present an abstraction-refinement technique to reduce the complexity of error finding as it is performed on an abstract policy. This work is focused on discovering errors in access-control policies when reviewing policy implementation to determine fitness-for-purpose. Their approach is different from previous work, as they focus on error discovery rather than verification. Their approach converts the abstract policy into a finite-state machine and the query into linear temporal logic. In their analysis, they use two datasets: one based on role mining [89] and the other based on the verification of ARBAC policies [67]. They introduced three different test suites of different complexity (polynomial, NP-Complete, and PSPACE-Complete). The difference between the three test cases is down to variation in can_assign and can_revoke rules, regarding them being empty or containing positive or mixed preconditions. They demonstrated performance improvements beyond the RBAC-PAT technique [40]. They tested their system on eight RBAC policies with an increasing number of roles (3 to 20,000). In terms of results, problems of polynomial complexity are solved 50% quicker than RBAC-PAT. For example, 110 seconds for RBAC-PAT to 53 seconds for MOHAWK with 20,000 roles. Problems that are NP-Complete and PSPACE-Complete can be solved by MOHAWK, whereas RBAC-PAT cannot. Furthermore, for the second-largest policy (4,000 roles), RBAC-PAT took 311 and 511 seconds for NP-Complete and PSPACE-Complete, respectively, whereas MOHAWK required 2.7 and 2.4 seconds, respectively. This demonstrates the suitability of abstraction.
In other works, authors present a fundamental analysis of ARBAC policies, specifically focussing on the potential to reduce the analysis state-space through pruning, and therefore decreasing the size of the user set that is to be considered [36]. The authors provide empirical analysis using a subset of the bank dataset presented in Reference [51]. Most of their experimental analysis is around the impact of their pruning on the same three suites as previously presented. They demonstrate a significant reduction in policy size through pruning, which does, however, come at the cost of time, where 3 minutes 24 seconds are required to process a policy of 20,000 rules. The authors also provide experimental analysis, demonstrating how well their technique works on performing security analysis tasks. The analysis identifies that queries can be answered on an RBAC system with 612 roles in at most 3 seconds. The authors build further on this research to develop the Verifier of Administrative Role-based Access-control Policies (VAC) system [35]. The authors provide analysis of the datasets utilised in two previous studies, including policies structured for a university and hospital [51] and policies from a bank [51]. The results make progress over previous work, demonstrating that policy sizes of 200,000 can be verified in 1.6 seconds.
Researchers have also developed an abstract model-checking technique for the Liferay open-source RBAC system [16]. They present a technique and provide empirical analysis on a synthetic Liferay RBAC implementation following a typical university faculty structure. Their analysis focuses on reachability, asking three specific queries. Their results demonstrate that in the worst instance it requires 2 minutes 63 seconds for query 1, 1 minute 59 seconds for query 2, and 2 minutes 37 seconds for query 3 in fast analysis. Timings are significantly worse in precise analysis, increasing to 182 minutes 21 seconds, 56 minutes 2 seconds, and 54 minutes 46 seconds. The difference between fast and precise analysis is down to the difference in the preservation of either the queried user (fast) or all users (precise).
Researchers have also focused on performing policy analysis in ARBAC without the separation of administrative duties. More specifically, they consider the potential for each administrative role member to modify the RBAC policy without assuming a separation of administration restriction [108]. Analysing ARBAC without separate administration is challenging, as it requires the consideration of actions that change the role membership of all users, not only the target user. The authors justify their research against a previous technique that did not find a solution when analysing an ARBAC policy of 150 users with 10 randomly generated queries within a 12-hour duration [97]. Their technique is based on a combination of static reduction to decrease the quantity of ARBAC rules, as well as set reduction techniques to decrease the number of users. Furthermore, they also utilise parallel algorithms to speed up the process. They perform experimental analysis on an ARBAC with 845 users, 32 different roles, 329 can_assign, and 78 can_revoke rules. They demonstrate the potential of their technique by showing performance enhancements when using their reduction technique with different numbers of users that are not required in the goal. The time required falls from 2,363 seconds to 0.1 seconds once all of their reduction techniques are applied.
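The forward user-role reachability search that the ARBAC works above perform over can_assign and can_revoke rules (with positive and negative preconditions, and an optional bound on the number of administrative actions) can be written out as a small state-space search. The following is an added illustration, not code from any of the cited tools; the policy and role names are constructed, and it assumes separate administration, i.e., administrative roles are fixed and never changed by the rules being analysed.

```python
"""Forward user-role reachability for a miniARBAC-style policy (added example)."""
from collections import deque
from typing import FrozenSet, Iterable, List, NamedTuple, Optional, Set, Tuple

Roles = FrozenSet[str]


class CanAssign(NamedTuple):
    admin: str        # administrative role permitted to fire the rule
    positive: Roles   # roles the target user must already hold
    negative: Roles   # roles the target user must NOT hold
    target: str       # role that is granted


class CanRevoke(NamedTuple):
    admin: str
    target: str


# Constructed policy (an assumption for this example, not taken from the page).
ADMIN_ROLES: Set[str] = {"HR", "Finance"}
CAN_ASSIGN: List[CanAssign] = [
    CanAssign("HR", frozenset(), frozenset(), "Employee"),
    CanAssign("HR", frozenset({"Employee"}), frozenset(), "Contractor"),
    CanAssign("HR", frozenset({"Employee"}), frozenset({"Contractor"}), "Staff"),
    # Payroll and Auditor are mutually exclusive via negative preconditions.
    CanAssign("Finance", frozenset({"Staff"}), frozenset({"Auditor"}), "Payroll"),
    CanAssign("Finance", frozenset({"Staff"}), frozenset({"Payroll"}), "Auditor"),
]
CAN_REVOKE: List[CanRevoke] = [
    CanRevoke("HR", "Contractor"),
    CanRevoke("Finance", "Payroll"),
    CanRevoke("Finance", "Auditor"),
]


def successors(state: Roles, can_assign: List[CanAssign], can_revoke: List[CanRevoke],
               admin_roles: Set[str]) -> Iterable[Tuple[str, Roles]]:
    """Yield (action label, next role set) for every administrative action
    enabled in `state`. Under separate administration an admin role is always
    available, so only the target user's roles are checked."""
    for rule in can_assign:
        if (rule.admin in admin_roles and rule.target not in state
                and rule.positive <= state and not (rule.negative & state)):
            yield f"assign {rule.target}", state | {rule.target}
    for rev in can_revoke:
        if rev.admin in admin_roles and rev.target in state:
            yield f"revoke {rev.target}", state - {rev.target}


def reachable(initial: Iterable[str], goal: Iterable[str],
              can_assign: List[CanAssign] = CAN_ASSIGN,
              can_revoke: List[CanRevoke] = CAN_REVOKE,
              admin_roles: Set[str] = ADMIN_ROLES,
              max_steps: Optional[int] = None) -> Tuple[Optional[List[str]], int]:
    """Breadth-first forward search from the target user's initial role set.

    Returns (path, states_explored): `path` is the shortest sequence of
    administrative actions after which the user holds every role in `goal`,
    or None if no such state is reachable. `max_steps` turns the query into a
    bounded reachability query (at most that many administrative actions).
    """
    start, goal_set = frozenset(initial), frozenset(goal)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        state, path = queue.popleft()
        if goal_set <= state:
            return path, len(seen)
        if max_steps is not None and len(path) >= max_steps:
            continue
        for label, nxt in successors(state, can_assign, can_revoke, admin_roles):
            if nxt not in seen:          # BFS: first visit is the shortest path
                seen.add(nxt)
                queue.append((nxt, path + [label]))
    return None, len(seen)


if __name__ == "__main__":
    print(reachable(set(), {"Payroll"}))                      # three assignments
    print(reachable(set(), {"Payroll", "Auditor"}))           # SoD holds: None
    print(reachable({"Employee", "Contractor"}, {"Staff"}))   # revoke bypasses a negative precondition
```

The second query is a separation-of-duty check: a None result means no sequence of administrative actions lets one user hold both roles, while the third query shows how a revocation can clear a negative precondition that would otherwise block an assignment.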
Another recent work focuses on model checking of ARBAC policies to overcome the limitation with previous techniques in that the users and roles are bounded and known in advance [5]. Their system utilises model-checking techniques for infinite-state systems. They evaluate the performance of their system by using randomly generated benchmarks and by performing a comparative analysis with previous research [97]. The comparative analysis demonstrates that their technique can solve problems with a greater goal size (maximum of 4), but there is a lack of detail on the results in terms of performance and accuracy.
An alternative approach for the same purpose of user-permission reachability uses abductive analysis [42]. The use of abductive reasoning enables the analysis of a policy even if policy details (i.e., user information) are not yet available. Their approach consists of four stages. In summary, the different stages handle simulating adding and removing rules and facts, performing tabled policy evaluation, and ordering constraints. The authors gain insight into using their technique on an RBAC policy for a healthcare network, comprising 22 rules. The paper analyses the correctness of performing some queries. Computation time is reported to take a maximum of 2.4 seconds.
One tool implemented by researchers is named Generalized User-Role Assignment model and is developed to solve reachability problems [56]. Their techniques are based on the formal analysis of a state-transition system. Experimental analysis is performed on 16 synthetic datasets with varying characteristics such as the number of attributes, scope of the attribute, and positive and negative preconditions. The authors demonstrate in their results that a solution can be identified in polynomial time.
In other work, researchers have refined the use of model-checking techniques by exploiting the observation that realistic security policies often have simple proofs [17]. The authors follow on by presenting a technique to solve a specific role reachability problem by using static analysis. In follow-on work, they extend their technique to detect collusion in ARBAC workflow systems and develop the WARBAC system [18]. Their approach extends ARBAC to contain stable event structures, which model both sequential and parallel tasks to form workflows. Their work focuses on identifying collusion in workflows, whereby administrators can grant permission to collude with an individual to undermine workflow restrictions in terms of ensuring authorised individuals perform specific tasks in part of the workflow. The authors present a model of workflow ARBAC and reduce security checking for collusion to a role reachability problem.
5.2.2 Extensions of RBAC.
There have been many extensions to RBACs to account for secondary restrictions, such as temporal [11, 20] and geospatial [23]. These extensions provide extra flexibility in the access-control models to account for temporal and geo-spatial restrictions; however, in accounting for a wider range of restrictions, it is necessary to analyse their security, as the increased complexity of the access-control system could become prone to vulnerabilities if not correctly administered and analysed. This section reviews analysis techniques that have been developed as extensions to the RBAC family of access-control systems.
In one paper, the authors present a technique to analyse Temporal Role-Based Access Control (TRBAC) models [100]. The authors discuss both the potential of using TRBAC for restricting the time when a user can assume a given role, as well as the temporal restriction on when administrators can perform administrative tasks on the system. The research focuses on the administration of TRBAC and the reachability analysis of TRBAC. They develop an algorithm to perform reachability analysis and test it on systems with varying specification levels, from 100 to 900 roles, rules, and timeslots. Furthermore, the system has varying user numbers from 50 to 200. They perform reachability analysis for three cases. The first is with role schedules, the second is with role schedules and a single target user, and the third is with multiple target users. The authors define time intervals as role schedules and administrative time intervals as rule schedules. Their results demonstrate good performance, requiring under 1 second (exact values are not provided) for rule and role scheduling with a single user, and around 4 seconds for role schedules with multiple users.
Researchers have also focused on the Administration of Temporal Role-Based Access Control (ATRBAC) [80]. Interestingly, their approach is to decompose the ATRBAC policies into ARBAC systems so that previous tools to establish reachability can be reused, for example, VAC [36]. In their paper, they translate ATRBAC to a Bernays-Schönfinkel-Ramsey (BSR) transition system, which is a symbolic backward reachability system with propositional logic. They also propose a heuristic to identify useful actions by considering dependencies on roles mentioned in a security goal. They perform analysis on synthetic policy datasets in terms of establishing reachability. The authors use three datasets, taken from previous research [100] and built by adding random temporal assignments to available ARBAC policies previously published in References [97] and [36], respectively. Not all results are published in the paper; however, when considering reachability on their largest dataset, which has a maximum of 1,000 roles, 1,000 administrative actions, and 1,000 timeslots, their system was able to perform reachability analysis in 0.32 seconds with 1,000 roles, 1.8 seconds with 1,000 rules, and 2 seconds with 1,000 timeslots. However, their results from the second dataset [97] consider the increase of the three parameters (roles, rules, timeslots) together and, in the worst case, require just over 90 seconds with 32 roles, 1,075 rules, and 100 timeslots.
In terms of variations of TRBAC, the generalised TRBAC (GTRBAC) can represent wide variation in temporal constraints. Authors have developed techniques to study GTRBAC implementations, specifically focussing on analysing both safety and liveness properties [69, 70]. The authors present a technique of modelling the system as a state-transition system using timed automata. The authors are then able to identify both favourable and unfavourable conditions. Experimental analysis was performed on a synthetic system with 3 roles, 12 users, 5 permission levels, and roles 1 and 2 have time constraints and permission levels 1 to 4. The authors acknowledge the undesirable time complexity of their approach due to the number of states explored, which in the worst case with 15 users, 7 roles, and 9 permissions takes over 190 minutes and explores over 17 million states.
In recent works, authors have focused their attention on performing automated analyses of ATRBAC policies with role hierarchies [81]. They formalise a model of ATRBAC including role hierarchies and implement it within a symbolic model checker. They use the synthetic problems published in earlier works [80]. In terms of their results, when considering the largest temporal role hierarchy problem instance with 34 roles, 994 rules, 40 timeslots, and 600 temporal role hierarchies, the worst-case performance was 300 seconds (explicit effects of inherited membership) and the best approximately 95 seconds (multi-target mapping).
In other work, the authors focus on the use of modelling ATRBAC in first-order logic (formalised in the Allow language) [53]. The authors also focus their attention on the safety and liveness security properties. The authors perform an empirical evaluation of their techniques on synthetic data. Like other researchers, they develop their own data generator, which is parameterised on roles, users, permissions, and timeslots and performs allocation with a uniform distribution. In terms of data size, they consider the impact of varying the role and user counts, requiring at most 600 seconds with 60 roles and 550 seconds with 3,200 users within a policy with 5 administrative roles and timeslots.
Interesting work has also been completed by authors in providing better visualisation mechanisms for administrators to view ATRBAC policies [6]. Their approach is to use hierarchical coloured Petri nets for the formal analysis of access-control properties. Their research presents the formal properties of the system but no empirical analysis is performed.
The use of model checking has also been explored for identifying conflicts in an extension to RBAC that contains spatial and location-based information, which they named GEO-RBAC [23]. The authors propose a Multi-granularity Spatial Access Control (MSAC) model and utilise a Matrix Model-checking technique to detect conflicts [109]. The authors create synthetic datasets based on a map of China and set up three different granularities and four different classes. Their experimental analysis focuses on the performance of the technique and identified that policies with the greatest number of rules (320) required 10 seconds.
5.2.3 Rare Role Mining.
In RBAC systems there is a need to perform role engineering tasks, which is essentially the creation and allocation of users, roles, and permissions [67]. The phrase role mining is the use of automated techniques applied to role engineering, which could be performed based on business processes to translate them into RBAC policies, or the conversion of already-implemented permissions (access-control lists), into RBAC policies [13, 22, 37, 58, 65, 68, 104]. In this survey, we are less interested in the use of role-mining techniques in the formation of new RBAC policies, rather, we are interested in the use of role-mining techniques to discover potentially problematic permissions, which could be defined as rare, irregular, or infrequent roles [78]. We do, however, acknowledge the significant research efforts into mining roles from different data sources, such as access-control matrices and access logs [21].
In one recent piece of work, researchers have developed a technique to mine rare roles from web applications using usage patterns [38]. Their primary objective is to identify an optimal set of roles from existing permissions, as over the lifetime of an RBAC policy, there is potential for it to become unwieldy in terms of user-permission assignments. This work utilised secondary data sources on permission usage acquired from HTTP sessions, which is something other researchers seeking to identify rare roles in access-control systems do not attempt; for example, work in identifying rare allocations using statistical inference [75]. As the authors acknowledge, this dependency on available secondary information could be problematic if the information is incomplete. In principle, the presented work can identify meaningful and rare roles through increased amounts of noise (irrelevant user-permissions). In their experimental analysis, the authors use a policy with 10 roles, 1,000 users, and 8 profiles. They utilise synthetic data with varying degrees of noise (0 to 50%) and identify that with up to 40% noise, their technique can identify all the roles. The F-score measure is used and demonstrates good accuracy, above 0.85 with 40% noise.
The use of role mining in identifying policy misconfigurations has been explored in previous works [9]. The authors utilise Association Rule Mining (ARM) to identify policy misconfigurations, which have been reported to increase costs by 43% because users are unable to access the resources they need. However, it is worth noting that rectifying potential access problems to prevent user inconvenience is their main motivation and not the detection of security concerns. It is important to distinguish that their approach is based on observed access to resources as a secondary information source. A similar approach is adopted by Reference [24]; however, in their work they are seeking security concerns, and in the empirical analysis they identify 10 serious concerns that impact 1,639 directories. Their approach is based on performing matrix reduction, group mapping, and object-clustering techniques. Due to the difficulty in evaluating the accuracy of their technique on real-world datasets, the authors perform an evaluation of directories with permissions different from their parent (276) and identified that it missed 3 misconfigurations and correctly identified 18 configurations; however, this is just a small subset of the entire directory structure, and the overall accuracy is not provided.
In one paper, the authors present an approach for performing profile analysis on RBACs to detect instances of insider threats [73]. The authors present a technique to detect an anomaly (indicative of an insider threat) based on analysing user activity in role-based activity patterns and trying to identify file system interactions that do not align with the role. In their work, they perform experimental analysis to demonstrate how their technique works using synthetic systems with over 100 users, and 600 documents, over a 24-week duration.
5.3 Discretionary Access Control (DAC)
The challenges associated with Discretionary Access Control (DAC) systems have long been well understood [28]. DAC systems provide great flexibility, enabling users to take control of the security properties. However, from the organisational perspective, implementing a central policy through DAC requires the addition of a layer of Role-Based Access Control (RBAC) to enforce standardised roles of access within the organisation. A common example of an implementation of this type is that of Microsoft's New Technology File System (NTFS), which combines both DAC and RBAC mechanisms through group membership allocations.
Access control logs have also been used for detecting and resolving conflicts in access-control systems [32]. The authors present an iterative approach for processing logs, which when evaluated on a Cisco firewall policy and logs achieved 95% average recall, reflecting how many conflicts are identified. The authors do not explicitly state the type of access-control model; however, as it can be established to not be RBAC or ABAC, it is assumed to be a form of discretionary access control. Other authors have also focused on identifying anomalies in firewalls by developing and applying a procedural approach [101]. In their validation, they demonstrate how the approach can identify 33 anomalies in a synthetic data set of unknown size.
Researchers have used statistical techniques for identifying overprescribed permissions (privilege leakage) in DAC systems. The work involves the use of \(\chi^2\) analysis to detect permissions that have weak co-occurrence; more specifically, those that appear out of keeping with a subject's distribution of permissions on a resource and another subject's permission on a resource. The empirical analysis was performed and demonstrated an overall 91% accuracy in detecting over-prescribed permissions. Their experimental methodology involved analysing real-world systems with ground-truth knowledge; however, to test accuracy against an increasing number of over-prescribed permissions, the authors iteratively increase the number of over-prescribed permissions (named irregular in their paper) to explore the problematic nature of performing statistical analysis on permissions and determining how to perform linear separation between those that are normal and irregular. In their work, they use Jenks analysis as a way to find the optimal division of \(\chi^2\) scores in a one-dimensional array. Their technique has quadratic time complexity. In implementing rectification and implementing new permissions, an instance-based clustering technique (\(k\)NN) is used to find the closest matches, aiming to provide uniformity. In the empirical analysis, also performed on Microsoft NTFS systems, they demonstrated an accuracy of 80% when allocating new permissions [74].
The authors also provided follow-up work, whereby their original technique has been subsequently modified to identify instances of permissions creep [75]. This is specifically focusing on the identification of permissions that are indicative of a subject accumulating permissions through subsequent elevation of privileges due to job role changes that are not revoked once no longer needed. The difference was how permissions were modelled, taking into consideration all those inherited through group membership and directory propagation. The authors gained empirical observations from five real-world access-control systems, as well as devised an iterative test methodology with an increasing directory size (from 4 to 256), number of users (100 to 500), and an increasing number of users with instances of permissions creep (0 to 10%). The authors achieved an accuracy of 96% on real-world and 98% on synthetic datasets. The use of Fuzzy Logic techniques has also been investigated to help the end-user identify problematic permissions, classified as “high risk” [77].
In another piece of work, researchers explored the use of information retrieval techniques, namely, Association Rule Mining (ARM), to find infrequent patterns among subjects, resources, and permission attributes [78]. Their approach builds on the same modelling technique presented in References [74, 75]; however, a key difference is that in this work, the authors use Association Rule Mining to identify potential anomalies in the access-control policy. Their application of ARM is the opposite of the common implementation where items with strong co-occurrence are identified. The authors identify rules with weak co-occurrence, thus identifying those that are statistically infrequent. The authors use both real-world and synthetic datasets (same process as in Reference [74]) and achieve an accuracy of 91% and 95%, respectively.
5.4 Attribute-Based Access Control (ABAC)
Attribute-based Access Control (ABAC) systems are increasing in popularity due to the necessity of having decentralised, scalable, and flexible solutions to handle a rapidly increasing number of devices, resources, and restrictions [27, 71]. However, the flexibility of ABAC presents new challenges for security analysis. A recent survey identifies that ABAC models that have a degree of analysability by restricting subjects to a predefined access matrix are doing so at the cost of no longer being identity-less [90]. The authors continue to state that without being able to perform before-the-fact analysis, it is highly unlikely that ABAC systems can be used in cases where legal regulations do not allow systems to be used that require after-the-fact analysis.
In one recent work, the authors discuss the requirement to identify and resolve anomalies in ABAC policies [31]. The types of anomalies considered are redundancies and conflicts. The authors develop a mechanism to model and represent ABAC rules as an un-directed graph, which is processed for anomalies. In summary, their work comprises three distinct stages: rule extraction, rule clusters, and anomaly detection and resolution. This work presents a proven technique, and empirical analysis is performed on a synthetic ABAC policy containing 15,000 rules to gain an understanding of the time complexity. Execution time for a policy size of 15,000 is around 340 seconds, and they note the time complexity of their entire technique as having a polynomial time-complexity.
In other recent research, a clustering-based approach to anomaly detection in ABAC is presented [30]. The paper is centred on the ABAC policies implemented in eXtensible Access Control Markup Language (XACML) [3, 33, 95]. The approach presented by the authors implements a three-stage approach: extract rules, compute similarity scores, and regroup into similar clusters using k-nearest neighbours (\(k\)NN). The technique then detects anomalies (redundancies and conflicts) using an arbitrary threshold on the similarity measure of 0.8, based on experimental work performed earlier by the same authors [10]. The authors performed experimental analysis on synthetic ABAC policies (implemented in XACML). The dataset consisted of 8 subjects, 4 resources, and 2 environment attributes, taken from a medical environment. The authors expand their synthetic datasets to a policy size of 7,000, although it is unclear how this is done. The authors state that the computational complexity of their approach is \(O(n^2)\), where \(n\) is the policy size. Empirical analysis demonstrates around 2,000 seconds of processing time for a policy size of 7,000. Their anomaly-detection technique identified 30 redundancies and around 24 conflicts (exact numbers not stated). However, the authors do not discuss the accuracy of their technique in detecting anomalies, despite the dataset being synthetically generated, meaning that ground-truth knowledge should be available.
Researchers have presented a policy-based degradation technique to identify policy anomalies and identify mitigation activities [43, 44]. They are addressing ABAC policies implemented in XACML and are considering both conflicts and redundancy, which are regarded as anomalies. Their approach utilises Binary Decision Diagrams as a representation of the policy enabling set operations, enabling them to perform anomaly detection on a set-based representation. In their empirical evaluation, they use 10 different policies, of which 4 are synthetic and 6 come from real-world systems. The largest policy (policy 10, synthetic) contains 685 rules. From their analysis, they observe that on average across all 10 datasets, 5.6% of rules are redundant. In terms of required computation time, the largest policy size required 1.1 seconds for conflict detection and 0.8 for redundancy detection and removal.
Answer Set Programming has also been used to detect incompleteness, conflicts, and unreachability in XACML policies [79]. The authors map XACML into logic program (LP) syntax, which is then used for analysis. They prove the capability of their logic-based approach, but no empirical analysis is performed. More recent work by different authors goes one step further by implementing the technique and evaluating it experimentally [83]. They show that less than 3 seconds are required for a synthetic policy containing 1,000 rules. The authors also report the number of anomalies detected for 6 available datasets, evaluated manually; however, as ground-truth knowledge is not available, a true measure of accuracy is difficult to establish.
Other authors have proposed binary search techniques to discover conflicts [92]. They use synthetic policies and report a computational requirement of 160 seconds for a policy containing 20,000 rules; however, there is no analysis of how effective the technique is. Another logic-based approach focuses on conflict detection [94] but presents no empirical evaluation, so its capabilities are difficult to judge. A further logic-based approach, implemented in first-order logic, detects conflicts [96] and accounts for policies with single, multiple, or disjunctive predicates. In experiments on a synthetic directory structure with a maximum of 12,544 rules and 6,272 conflicts, the reported execution times are 8,774, 30,667, and 1,310 for policies with single, multiple, and disjunctive predicates, respectively. Liu et al. [1] have also applied a procedural technique to detect conflicts in ABAC, with empirical analysis on synthetic data containing up to 4,000 roles and 480 conflicts, all of which their technique detects. However, despite the use of synthetic data, there is no direct comparison with other approaches through ground-truth analysis.
Satisfiability Modulo Theories (SMT) has also been applied to the analysis of XACML policies, with empirical evaluation on 4 real-world policies [99]. The authors focus on enabling queries, centred on administrative actions, to be answered against the XACML policy. The policy sizes range from 4 to 266 and from 11 to 298 rules. The authors note that evaluation is quick, taking a maximum of 3 seconds for the largest policy. Although the time required to answer queries is important, there is no discussion of how significant the findings of the analysis are; in particular, there is no comparison against ground-truth knowledge.
Machine learning has also recently been explored as a mechanism for detecting anomalies in XACML policies [4, 91]. The authors convert XACML policies into a representation suitable for the C4.5 decision-tree learner. An anomaly is defined as an inconsistency or an incompleteness in the policy, and the authors describe the identification and detection of policy anomalies as policy validation. Inconsistency is framed in terms of the weakest precondition and as privilege leakage, where the policy results in unnecessary access; incompleteness is framed as privilege blocking, where the policy does not consider all possibilities. The policy is converted into an information-gain score for each attribute, which is used alongside subject and object information to generate a decision tree. The approach is validated on synthetic policies, with a total computation time of 1.2 seconds for a policy containing 18,471 rules. A further case study demonstrates the detection of inconsistencies, incompleteness, and redundancies against known problems in the synthetically generated data.
In another recent article, the authors undertook analysis and verification of XACML access-control policies for a hospital system [7]. As in other works [4, 91], they focus on anomaly detection, but they also consider conflicts and redundancies. The empirical analysis is performed on synthetically generated policies based on a medical example; the approach requires 1.6 seconds for a policy with 1,000 rules.
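The conflict, redundancy, and incompleteness checks performed by the works above, together with the ground-truth scoring that this review repeatedly finds missing, can be illustrated on a toy rule set. The following is an added example written for this review and is not code from any of the cited papers; the attribute domains, the five-rule policy, and the two seeded anomalies are constructed, and a rule is a simplified stand-in for an XACML rule (a dict of attribute to accepted values plus an effect) under an assumed first-applicable combining algorithm.

```python
"""Conflict, redundancy and gap detection over a small ABAC rule set, scored
against seeded ground truth.

Added illustration, not code from any surveyed paper. A rule is a simplified
stand-in for an XACML <Rule>: attribute -> set of accepted values (an attribute
the rule does not mention accepts any value) plus an effect. First-applicable
combining is assumed; the attribute domains are constructed for the demo.
"""
from itertools import product

DOMAINS = {  # constructed finite domains, so that gaps can be enumerated
    "role": {"doctor", "nurse", "admin"},
    "resource": {"record", "schedule"},
    "action": {"read", "write"},
}


class Rule:
    def __init__(self, rid, effect, **conds):
        self.rid = rid
        self.effect = effect  # "Permit" or "Deny"
        self.conds = {a: set(v) for a, v in conds.items()}

    def values(self, attr, domains):
        """Values accepted for attr (the whole domain if unconstrained)."""
        return self.conds.get(attr, domains[attr])

    def matches(self, request):
        return all(request[a] in v for a, v in self.conds.items())


def overlap(a, b, domains=DOMAINS):
    """True if at least one request is matched by both rules."""
    return all(a.values(x, domains) & b.values(x, domains) for x in domains)


def subsumes(outer, inner, domains=DOMAINS):
    """True if every request matched by inner is also matched by outer."""
    return all(inner.values(x, domains) <= outer.values(x, domains) for x in domains)


def find_conflicts(rules, domains=DOMAINS):
    """Pairs of overlapping rules with different effects (O(n^2) pairwise scan)."""
    return {(a.rid, b.rid)
            for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.effect != b.effect and overlap(a, b, domains)}


def find_redundancies(rules, domains=DOMAINS):
    """Rules fully covered by an earlier rule with the same effect: under
    first-applicable they can never change a decision. Only the single-rule
    cover case is checked; cover by a union of earlier rules is not."""
    return {b.rid for j, b in enumerate(rules)
            if any(a.effect == b.effect and subsumes(a, b, domains) for a in rules[:j])}


def find_gaps(rules, domains=DOMAINS):
    """Requests no rule matches (incompleteness: the PDP answers NotApplicable)."""
    attrs = sorted(domains)
    gaps = []
    for values in product(*(sorted(domains[a]) for a in attrs)):
        req = dict(zip(attrs, values))
        if not any(r.matches(req) for r in rules):
            gaps.append(req)
    return gaps


def precision_recall(found, truth):
    """Detector accuracy against the anomalies seeded into a synthetic policy."""
    tp = len(set(found) & set(truth))
    precision = tp / len(found) if found else 1.0
    recall = tp / len(truth) if truth else 1.0
    return precision, recall


# Constructed policy with two seeded anomalies: r2 is redundant with r1, and
# r4 conflicts with r3 (a nurse writing a record is both denied and permitted).
POLICY = [
    Rule("r1", "Permit", role={"doctor"}, resource={"record"}),
    Rule("r2", "Permit", role={"doctor"}, resource={"record"}, action={"read"}),
    Rule("r3", "Deny", role={"nurse"}, resource={"record"}, action={"write"}),
    Rule("r4", "Permit", role={"nurse"}, resource={"record"}),
    Rule("r5", "Permit", role={"admin"}),
]
SEEDED_CONFLICTS = {("r3", "r4")}
SEEDED_REDUNDANCIES = {"r2"}


def analyse(rules=POLICY, domains=DOMAINS):
    return {
        "conflicts": find_conflicts(rules, domains),
        "redundancies": find_redundancies(rules, domains),
        "gaps": find_gaps(rules, domains),
    }


if __name__ == "__main__":
    report = analyse()
    for name, result in report.items():
        print(name, result)
    print("conflict P/R:", precision_recall(report["conflicts"], SEEDED_CONFLICTS))
    print("redundancy P/R:", precision_recall(report["redundancies"], SEEDED_REDUNDANCIES))
```

Under first-applicable combining, r2 can never change a decision because r1 already permits every request it matches, and r3 and r4 disagree on a nurse writing a record; the gap list contains the requests for which a PDP would return NotApplicable (here, doctors and nurses accessing schedules). The pairwise scans are \(O(n^2)\) in the number of rules, the same order as the similarity-based approach of [30]. Seeding anomalies into a synthetic policy and then reporting precision and recall against them is exactly the evaluation step that most of the works above omit.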
Research into mining ABAC policies from available system information sources has also been undertaken. Policy mining has the same abstract ambition as role mining: to convert usage information into a well-defined policy that allows users to perform their required activities and, more significantly, removes any unnecessary and potentially dangerous access [19]. In early work, researchers mined ABAC policies motivated by the difficulty of creating them manually [105, 106, 107]. They developed algorithms that generate candidate rules from access logs while accounting for noise, defined as permissions in the access-control policy that should not be present and permissions that should not have been exercised. They tested their algorithms on three policy datasets (University, Health Care, Project Management); the most challenging (University) required around 300 seconds of processing time. However, these works address the general role-mining challenge and do not consider rare-role mining, which remains an open and unsolved challenge and is acknowledged as an area of future research in key works [38].
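A minimal illustration of log-based candidate-rule generation with noise handling follows. It is an added example, not the algorithm of [105, 106, 107] or of any other cited work; the access log, the list of known-denied requests, the attribute names, and the `min_support` threshold are all constructed for the demonstration.

```python
"""Mining candidate ABAC rules from an access log, with two noise controls.

Added example, not the algorithm of any surveyed paper. The log and the
denied-request list are constructed. Each log entry is the attribute tuple of
an access that was exercised; the denied list holds requests known to be
refused (e.g. from audit records). A candidate rule is the most specific rule
for a log entry, generalised by dropping attribute constraints as long as no
denied request becomes covered. Noise handling: an entry that itself matches a
denied request is discarded as contradictory, and candidates supported by
fewer than `min_support` entries are dropped.
"""

ATTRS = ("role", "dept", "res_type", "action")

# Constructed log of exercised accesses; entry 7 is a planted stray access.
LOG = [
    {"role": "doctor", "dept": "cardiology", "res_type": "record", "action": "read"},
    {"role": "doctor", "dept": "cardiology", "res_type": "record", "action": "write"},
    {"role": "doctor", "dept": "oncology", "res_type": "record", "action": "read"},
    {"role": "doctor", "dept": "oncology", "res_type": "record", "action": "write"},
    {"role": "nurse", "dept": "cardiology", "res_type": "record", "action": "read"},
    {"role": "nurse", "dept": "oncology", "res_type": "record", "action": "read"},
    {"role": "nurse", "dept": "cardiology", "res_type": "record", "action": "write"},  # noise
    {"role": "intern", "dept": "oncology", "res_type": "schedule", "action": "read"},  # one-off
]

# Constructed requests known to be denied (negative examples for generalisation).
DENIED = [
    {"role": "nurse", "dept": "oncology", "res_type": "record", "action": "write"},
    {"role": "intern", "dept": "cardiology", "res_type": "record", "action": "read"},
    {"role": "doctor", "dept": "cardiology", "res_type": "schedule", "action": "write"},
    {"role": "doctor", "dept": "oncology", "res_type": "schedule", "action": "read"},
    {"role": "nurse", "dept": "cardiology", "res_type": "record", "action": "write"},
    {"role": "intern", "dept": "oncology", "res_type": "record", "action": "read"},
    {"role": "nurse", "dept": "cardiology", "res_type": "schedule", "action": "read"},
]


def covers(rule, request):
    """A rule fixes a subset of ATTRS to values; absent attributes match anything."""
    return all(request[a] == v for a, v in rule.items())


def generalise(seed, denied):
    """Greedily drop constraints from `seed` (a fully specified rule) while the
    result still covers no denied request."""
    rule = dict(seed)
    for attr in ATTRS:
        trial = {a: v for a, v in rule.items() if a != attr}
        if not any(covers(trial, d) for d in denied):
            rule = trial
    return rule


def mine_rules(log, denied, min_support=2):
    """Return (candidate rule -> support, contradictory entries).

    Support is the number of log entries a candidate covers; candidates below
    min_support are treated as noise or as insufficient evidence."""
    candidates = set()
    contradictions = []
    for entry in log:
        seed = {a: entry[a] for a in ATTRS}
        if any(covers(seed, d) for d in denied):
            contradictions.append(entry)  # exercised yet known-denied: noise
            continue
        candidates.add(frozenset(generalise(seed, denied).items()))
    mined = {}
    for cand in candidates:
        support = sum(covers(dict(cand), e) for e in log)
        if support >= min_support:
            mined[cand] = support
    return mined, contradictions


def describe(rule):
    return " AND ".join(f"{a}={v}" for a, v in sorted(rule)) or "<any>"


if __name__ == "__main__":
    mined, noise = mine_rules(LOG, DENIED)
    for rule, support in sorted(mined.items(), key=lambda kv: -kv[1]):
        print(f"PERMIT if {describe(rule)}  (support {support})")
    print("discarded as contradictory:", noise)
```

Run stand-alone, the miner produces one rule permitting doctors any action on records (support 4) and one permitting nurses to read records (support 2). The planted nurse-writes-record entry is discarded because it matches a known denial, which corresponds to the "should not have been exercised" kind of noise, and the one-off intern entry falls below `min_support`; lowering `min_support` to 1 keeps it, which is the trade-off between tolerating noise and recalling rarely exercised permissions. The precision of the generalisation step depends entirely on how many denied requests are available as negatives: with too few, a candidate generalises into an over-permissive rule, which is the "should not be present" kind of noise.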
6 Discussion and Formation of Key Findings
Table 1 provides a comparative summary of all identified key works in which empirical observations are demonstrated. Where possible, key information has been extracted and included in the table. In some instances, quantified facts are not reported in the reviewed article, and the phrase “manual discussion of results” is used. Where papers did include quantified information, the summary table tries to state the key summary fact of the research; where this was not possible, multiple summary points are reported. In this section, we present and discuss the key findings that can be drawn from the literature survey.
As demonstrated in Figure 4, a large variety of techniques has been used in the analysis of access-control systems. It is evident from the figure that most of the works target RBAC systems and their close relatives (ARBAC, etc.): 6% target DAC, 53% RBAC, and 31% ABAC. The wide range of applied techniques is interesting, as it shows that researchers have attacked the challenge from different perspectives and with different technical skill sets. Figure 4 also shows that multiple authors have utilised the same techniques, such as Procedural and Model Checking. Procedural approaches are the most common for DAC and RBAC systems, whereas for ABAC no single technique dominates. It is, however, evident that the techniques applied to ABAC tend to involve Machine Learning (Statistical, Clustering, Decision Trees, and Deep Learning). This is most likely because ABAC policies are considerably larger in size and structure and are identity-less, so searching for security problems is more akin to identifying rare roles than to performing procedural analysis.
Fig. 4.
The range and diverse nature of the techniques applied across the different access-control systems demonstrate the wide variety of technical backgrounds working on this challenge, as well as showing that the challenges are well understood within Computer Security and associated disciplines. Although this is positive for the access-control community, there is also the potential to widen the skill set of researchers working on these challenges, especially by leveraging expertise from the ever-increasing research activity in Artificial Intelligence. One way to achieve this would be to introduce a common set of benchmarking problems that is easily accessible to researchers and, as seen in other research disciplines, to introduce a series of challenge problem instances as part of a competition hosted by leading conferences in the area, such as the “ACM Symposium on Access Control Models and Technologies.”1 This could involve gaining support from both industry and academia by allowing them to submit policies that need to be analysed. The allure of working on a well-defined problem, and the potential to progress the state-of-the-art, would attract researchers from outside the access-control research discipline.
Furthermore, as identified in Table 1, the largest amount of work has been undertaken on ARBAC and ABAC. ARBAC has been a longstanding challenge within the research community, whereas ABAC is a more recent development; the fact that the majority of ABAC works date from 2010 onwards is a positive sign that researchers see this as an important problem on which to focus their efforts.
Table 1 also identifies the specific challenge that each work addresses. For RBAC, ARBAC, and their variants, most works address administrative reachability and availability, whereas for ABAC most of the work lies in identifying redundancies and conflicts, reflecting the magnitude of these problems in deployed access-control systems. Interestingly, the works on DAC and RBAC systems are distributed across all of the different types of problematic permission, whereas the ABAC works focus heavily on redundancies and conflicts. This demonstrates the focus of current research activities.
Few works focus on DAC systems, or on systems that combine DAC with MAC to enforce group-based policies. In a larger organisation, that combination effectively results in an RBAC system for shared organisational resources and DAC for individually created, personal resources. Interestingly, several works concentrate on role and policy mining, the process of taking resource usage and/or implemented permissions and establishing a role-based structure from which rare roles can be identified. It is suspected that this focus is heavily influenced by end-user requirements, and the inclusion of real-world datasets in a couple of instances evidences the strong real-world motivation.
A key finding of this literature survey is that, although the research discipline is active, with a wealth of beneficial content being published, only the 38 bodies of work identified and included in this survey perform empirical analysis. This is problematic, as it prevents a systematic understanding of how well techniques published without comparable empirical analysis might work and how applicable they are to the types of problems faced by those operating access-control systems. A contributing factor could be the absence of standardised datasets for empirical testing, and the lack of a de facto location where benchmark datasets can be found. This leads to the next observation:
In many of the reviewed articles, the techniques are discussed in terms of their implementation detail; however, obtaining a copy of the code and testing dataset is not always possible. This makes it challenging to benchmark techniques against each other and, more significantly, prevents potential end-users from accessing the research outputs. This lack of availability has a negative consequence for the research discipline, slowing progress, as systematic benchmarking is either impossible or time-consuming. One way to encourage the availability of code is to create a repository of state-of-the-art techniques alongside benchmarking problem instances. This leads to the next finding:
If researchers cannot easily benchmark their technique against previous research, then it is difficult for them to assess the significance of their technique and its capabilities. There are several reasons why benchmarking might not be performed; one is that researchers are unable to acquire copies of previous techniques and of the datasets used for benchmarking. In other research disciplines, a central authority is often responsible for establishing and hosting a set of benchmarking problem instances, but this has yet to occur within the access-control analysis community. Furthermore, even where researchers do share their datasets, those presented in previous research may not be truly representative of the scale and magnitude of real problems. As previously mentioned, agreeing on a set of benchmarking instances within the access-control community that are representative of the challenges faced by end-users would help progress state-of-the-art research.
As demonstrated in Figure 5, a large portion of current research utilises synthetic directory structures created from a known and relatable organisational structure, for example a university. Furthermore, the security concerns introduced for testing are generated by the researchers themselves, either randomly or by a predefined approach, which has the potential to introduce bias: the concerns seeded are likely to be of the kind the technique is designed to detect. As evident in Figure 5, most works use synthetically generated data: 26 use synthetic and 21 use real-world data. Interestingly, of those generating synthetic datasets, 16 use parameterised approaches, in which the numbers of users, roles, and permissions are iteratively or randomly assigned. A positive aspect is the diversity of the real-world problems being analysed, with a university system being the most common, most likely because the researchers work within a university environment and have access to their organisation's access-control policies. For synthetic datasets, it is apparent that a large portion of researchers do not use a standardised scenario (e.g., a hospital system) and instead rely on random generation techniques.
Fig. 5.
The size and complexity of the datasets are also problematic. Each surveyed work adopts a different synthetic or, in some cases, real access-control model, with different user and role requirements. Real-world datasets are in most instances larger than synthetic datasets, despite it being quite straightforward to create larger synthetic datasets. This indicates that the scalability of the techniques lags behind what real-world policies require, and that researchers are creating synthetic policies of a size and complexity within the limits of their technique. This is a generalisation, however, and there are techniques evaluated on large policy sizes. Because each technique uses a different test dataset, direct comparisons between them are very challenging. That said, Table 1 shows that many of the techniques are developed for different purposes, and there would be little benefit in comparing techniques with different objectives, even if they were tested on comparable datasets.
Among the surveyed works, the majority were unable to state the true accuracy of their technique, as ground-truth knowledge of what issues exist is not available. As evident in Table 1, only a few works use real-world datasets and provide accuracy values. This is a significant limitation, as it prevents researchers from calculating and reporting accurate statistics on how well their proposed technique works, and it is a motivating factor for most works using synthetically generated data, where ground-truth knowledge is available. The limitation is particularly significant for researchers processing ABAC policies, which are often much larger and, as evident in Figure 4, are analysed with machine-learning mechanisms to detect security concerns. Without ground-truth knowledge of the concerns that exist to be detected, it is difficult to meaningfully assess how well a technique works. The identification of these limiting factors motivates the next finding:
The accumulation of the previous findings raises the question of whether research works are motivated by academic or by real-world challenges. The majority of previous research is performed by academic authors with little end-user involvement or collaboration with other stakeholders. Although this is typical of most academic research disciplines, the applied nature of security analysis raises the question of whether more integral involvement of stakeholders should be expected, especially in motivating and providing the analysis aims, as well as in providing access to real-world access-control systems for testing and evaluation. As Table 1 and this review show, the evaluation criteria used in each work differ, but it is not known whether the criteria have been motivated and dictated by academic curiosity or by real-world challenges. Some works focus on processing time, while others focus on the identification of valid outputs.
7 Conclusion
This review article presents a systematic exploration of empirically evaluated research into the analysis of access-control systems. Through analysing the available literature and identifying patterns of common work, it has been shown that, although significant work has been performed, there are still areas of potential improvement within the research community that could have a significant impact on potential end-users. To the best of the authors’ knowledge, this is the first literature survey focussing on empirically evaluated access-control analysis mechanisms, providing a much-needed assessment of the research discipline and identifying key findings that could help accelerate progress. A total of eight key findings have been identified, ranging from issues with benchmarking to the large variation in applied techniques and analysis aims. In future work, we hope to reduce some of these knowledge gaps and progress the state-of-the-art within the research community.
Footnote
1
ACM Symposium on Access Control Models and Technologies: http://sacmat.org/.
References
[1]
2021. A novel conflict detection method for ABAC security policies. J. Industr. Inf. Integrat. 22 (2021), 100200.
Alessandro Armando and Silvio Ranise. 2010. Automated symbolic analysis of ARBAC-policies. In Proceedings of the International Workshop on Security and Trust Management. Springer, 17–34.
Hasiba Attia, Laid Kahloul, Saber Benhazrallah, and Samir Bourekkache. 2020. Using hierarchical timed coloured Petri nets in the formal study of TRBAC security policies. Int. J. Inf. Secur. 19 (2020), 163–187.
Meryeme Ayache, Mohammed Erradi, Ahmed Khoumsi, and Bernd Freisleben. 2016. Analysis and verification of XACML policies in a medical cloud environment. Scalable Comput.: Pract. Exper. 17, 3 (2016), 189–206.
Lujo Bauer, Scott Garriss, and Michael K. Reiter. 2011. Detecting and resolving policy misconfigurations in access-control systems. ACM Trans. Inf. Syst. Secur. 14, 1 (2011), 2.
Yahya Benkaouz, Mohammed Erradi, and Bernd Freisleben. 2016. Work in progress: K-nearest neighbors techniques for ABAC policies clustering. In Proceedings of the ACM International Workshop on Attribute Based Access Control. ACM, 72–75.
Elisa Bertino, Piero Andrea Bonatti, and Elena Ferrari. 2001. TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur. 4, 3 (2001), 191–233.
Sven Bugiel, Stephen Heuser, and Ahmad-Reza Sadeghi. 2013. Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security’13). 131–146.
Michele Bugliesi, Stefano Calzavara, Riccardo Focardi, and Marco Squarcina. 2012. Gran: Model checking grsecurity RBAC policies. In Proceedings of the 25th Computer Security Foundations Symposium. IEEE, 126–138.
Stefano Calzavara, Alvise Rabitti, and Michele Bugliesi. 2015. Formal verification of Liferay RBAC. In Proceedings of the International Symposium on Engineering Secure Software and Systems. Springer, 1–16.
Shuvra Chakraborty, Ravi Sandhu, and Ram Krishnan. 2019. On the feasibility of attribute-based access control policy mining. In Proceedings of the IEEE 20th International Conference on Information Reuse and Integration for Data Science (IRI). IEEE, 245–252.
Carlo Combi, Luca Viganò, and Matteo Zavatteri. 2016. Security constraints in temporal role-based access-controlled workflows. In Proceedings of the 6th ACM Conference on Data and Application Security and Privacy. 207–218.
Carlos Cotrini, Luca Corinzia, Thilo Weghorn, and David Basin. 2019. The next 700 policy miners: A universal method for building policy miners. arXiv preprint arXiv:1908.05994 (2019).
Anour F. Dafa-Alla, Eun Hee Kim, Keun Ho Ryu, and Yong Jun Heo. 2005. PRBAC: An extended role based access control for privacy preserving data mining. In Proceedings of the 4th Annual ACIS International Conference on Computer and Information Science (ICIS’05). IEEE, 68–73.
Maria Luisa Damiani, Elisa Bertino, Barbara Catania, and Paolo Perlasca. 2007. GEO-RBAC: A spatially aware RBAC. ACM Trans. Inf. Syst. Secur. 10, 1 (2007), 2.
Tathagata Das, Ranjita Bhagwan, and Prasad Naldurg. 2010. Baaz: A system for detecting access control misconfigurations. In Proceedings of the USENIX Security Symposium. 161–176.
Sheng Ding, Jin Cao, Chen Li, Kai Fan, and Hui Li. 2019. A novel attribute-based access control scheme using blockchain for IoT. IEEE Access 7 (2019), 38431–38441.
Deborah D. Downs, Jerzy R. Rub, Kenneth C. Kung, and Carole S. Jordan. 1985. Issues in discretionary access control. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 208–208.
Stephen Dranger, Robert H. Sloan, and Jon A. Solworth. 2006. The complexity of discretionary access control. In Proceedings of the International Workshop on Security. Springer, 405–420.
Maryem Ait El Hadj, Meryeme Ayache, Yahya Benkaouz, Ahmed Khoumsi, and Mohammed Erradi. 2017. Clustering-based approach for anomaly detection in XACML policies. In Proceedings of the Clustering-based Approach for Anomaly Detection in XACML Policies. 548–553.
Maryem Ait El Hadj, Ahmed Khoumsi, Yahya Benkaouz, and Mohammed Erradi. 2018. Formal approach to detect and resolve anomalies while clustering ABAC policies. ICST Trans. Secur. Safet. 5, 16 (2018), e3.
Maryem Ait El Hadj, Ahmed Khoumsi, Yahya Benkaouz, and Mohammed Erradi. 2020. A log-based method to detect and resolve efficiently conflicts in access control policies. In Proceedings of the International Conference on Soft Computing and Pattern Recognition. 836–846.
David Ferraiolo, Ramaswamy Chandramouli, Rick Kuhn, and Vincent Hu. 2016. Extensible access control markup language (XACML) and next generation access control (NGAC). In Proceedings of the ACM International Workshop on Attribute Based Access Control. ACM, 13–24.
Anna Lisa Ferrara, P. Madhusudan, Truc L. Nguyen, and Gennaro Parlato. 2014. VAC: Verifier of administrative role-based access control policies. In Proceedings of the International Conference on Computer Aided Verification. Springer, 184–191.
Anna Lisa Ferrara, P. Madhusudan, and Gennaro Parlato. 2013. Policy analysis for self-administrated role-based access control. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems. Springer, 432–447.
Mario Frank, Joachim M. Buhmann, and David Basin. 2010. On the definition of role mining. In Proceedings of the 15th ACM Symposium on Access Control Models and Technologies. ACM, 35–44.
Chris Giblin, Marcel Graf, Günter Karjoth, Andreas Wespi, Ian Molloy, Jorge Lobo, and Seraphin Calo. 2010. Towards an integrated approach to role engineering. In Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration. ACM, 63–70.
Mikhail I. Gofman, Ruiqi Luo, Ayla C. Solomon, Yingbin Zhang, Ping Yang, and Scott D. Stoller. 2009. RBAC-PAT: A policy analysis tool for role based access control. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems. Springer, 46–49.
Paolo Guarda, Silvio Ranise, and Hari Siswantoro. 2017. Security analysis and legal compliance checking for the design of privacy-friendly information systems. In Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies. ACM, 247–254.
Hongxin Hu, Gail-Joon Ahn, and Ketan Kulkarni. 2011. Anomaly discovery and resolution in web access control policies. In Proceedings of the 16th ACM Symposium on Access Control Models and Technologies. ACM, 165–174.
Hongxin Hu, Gail-Joon Ahn, and Ketan Kulkarni. 2013. Discovery and resolution of anomalies in web access control policies. IEEE Trans. Depend. Secure Comput. 10, 6 (2013), 341–354.
Chao Huang, Jianling Sun, Xinyu Wang, and Yuanjie Si. 2009. Security policy management for systems employing role based access control model. Inf. Technol. J. 8, 5 (2009), 726–734.
Karthick Jayaraman, Vijay Ganesh, Mahesh Tripunitara, Martin Rinard, and Steve Chapin. 2011. Automatic error finding in access-control policies. In Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM, 163–174.
Yixin Jiang, Chuang Lin, Hao Yin, and Zhangxi Tan. 2004. Security analysis of mandatory access control model. In Proceedings of the IEEE International Conference on Systems, Man and Cybernetics. IEEE, 5013–5018.
Xin Jin, Ram Krishnan, and Ravi Sandhu. 2012. A unified attribute-based access control model covering DAC, MAC and RBAC. In Proceedings of the IFIP Annual Conference on Data and Applications Security and Privacy. Springer, 41–55.
Xin Jin, Ram Krishnan, and Ravi Sandhu. 2013. Reachability analysis for role-based administration of attributes. In Proceedings of the ACM Workshop on Digital Identity Management. ACM, 73–84.
Felix Klaedtke, Ghassan O. Karame, Roberto Bifulco, and Heng Cui. 2014. Access control for SDN controllers. In Proceedings of the 3rd Workshop on Hot Topics in Software Defined Networking. 219–220.
Martin Kuhlmann, Dalia Shohat, and Gerhard Schimpf. 2003. Role mining-revealing business roles for security administration using data mining technology. In Proceedings of the 8th ACM Symposium on Access Control Models and Technologies. ACM, 179–186.
Ninghui Li and Mahesh V. Tripunitara. 2005. On safety in discretionary access control. In Proceedings of the IEEE Symposium on Security and Privacy (S&P’05). IEEE, 96–109.
Jing Liu, Yang Xiao, and C. L. Philip Chen. 2012. Authentication and access control in the internet of things. In Proceedings of the 32nd International Conference on Distributed Computing Systems Workshops. IEEE, 588–592.
Nikita Yu Lovyagin, George A. Chernishev, Kirill K. Smirnov, and Roman Yu Dayneko. 2020. FGACFS: A fine-grained access control for *nix userspace file system. Comput. Secur. 88 (2020), 101632.
Decebal Mocanu, Fatih Turkmen, Antonio Liotta, et al. 2015. Towards ABAC policy mining from logs with deep learning. In Proceedings of the 18th International Multiconference. 124–128.
Ian Molloy, Ninghui Li, Tiancheng Li, Ziqing Mao, Qihua Wang, and Jorge Lobo. 2009. Evaluating role mining algorithms. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. ACM, 95–104.
Ian Molloy, Youngja Park, and Suresh Chari. 2012. Generative models for access control policies: Applications to role mining over logs with attribution. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies. ACM, 45–56.
Samrat Mondal, Shamik Sural, and Vijayalakshmi Atluri. 2009. Towards formal security analysis of GTRBAC using timed automata. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. ACM, 33–42.
Samrat Mondal, Shamik Sural, and Vijayalakshmi Atluri. 2011. Security analysis of GTRBAC and its variants using model checking. Comput. Secur. 30, 2–3 (2011), 128–147.
Bruce Ndibanje, Hoon-Jae Lee, and Sang-Gon Lee. 2014. Security analysis and improvements of authentication and access control in the internet of things. Sensors 14, 8 (2014), 14786–14805.
Sylvia Osborn, Ravi Sandhu, and Qamar Munawer. 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur. 3, 2 (2000), 85–106.
Joon S. Park and Joseph Giordano. 2006. Role-based profile analysis for scalable and accurate insider-anomaly detection. In Proceedings of the IEEE International Performance Computing and Communications Conference. IEEE, 7–pp.
Simon Parkinson and Andrew Crampton. 2016. Identification of irregularities and allocation suggestion of relative file system permissions. J. Inf. Secur. Applic. 30 (2016), 27–39.
Simon Parkinson, Saad Khan, James Bray, and Daiyaan Shreef. 2019. Creeper: A tool for detecting permission creep in file system access controls. Cybersecurity 2, 1 (2019), 14.
Simon Parkinson and Saad Khan. 2022. Identifying high-risk over-entitlement in access control policies using fuzzy logic. Cybersecurity 5, 1 (2022), 1–17.
Simon Parkinson, Vassiliki Somaraki, and Rupert Ward. 2016. Auditing file system permissions using association rule mining. Exp. Syst. Applic. 55 (2016), 274–283.
Silvio Ranise, Anh Truong, and Alessandro Armando. 2014. Scalable and precise automated analysis of administrative temporal role-based access control. In Proceedings of the 19th ACM Symposium on Access Control Models and Technologies. ACM, 103–114.
Silvio Ranise, Anh Truong, and Luca Viganò. 2018. Automated and efficient analysis of administrative temporal RBAC policies with role hierarchies. J. Comput. Secur. 26, 4 (2018), 423–458.
Mohsen Rezvani, David Rajaratnam, Aleksandar Ignjatovic, Maurice Pagnucco, and Sanjay Jha. 2019. Analyzing XACML policies using answer set programming. Int. J. Inf. Secur. 18, 4 (2019), 465–479.
Ravi S. Sandhu. 1995. Rationale for the RBAC96 family of access control models. In Proceedings of the First ACM Workshop on Role-Based Access Control (RBAC’95), C. E. Youman, R. S. Sandhu, and E. J. Coyne (Eds.). ACM Press, New York, NY.
Ravi Sandhu, Venkata Bhamidipati, and Qamar Munawer. 1999. The ARBAC97 model for role-based administration of roles. ACM Trans. Inf. Syst. Secur. 2, 1 (1999), 105–135.
Amit Sasturkar, Ping Yang, Scott D. Stoller, and C. R. Ramakrishnan. 2006. Policy analysis for administrative role based access control. In Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW’06).
Andreas Schaad, Jonathan Moffett, and Jeremy Jacob. 2001. The role-based access control system of a European bank: A case study and discussion. In Proceedings of the 6th ACM Symposium on Access Control Models and Technologies. ACM, 3–9.
Riaz Ahmed Shaikh, Kamel Adi, and Luigi Logrippo. 2017. A data classification method for inconsistency and incompleteness detection in access control policy sets. Int. J. Inf. Secur. 16, 1 (2017), 91–113.
Cheng-chun Shu, Erica Y. Yang, and Alvaro E. Arenas. 2009. Detecting conflicts in ABAC policies with rule-reduction and binary-search techniques. In Proceedings of the IEEE International Symposium on Policies for Distributed Systems and Networks. IEEE, 182–185.
Mahendra Pratap Singh, Shamik Sural, Jaideep Vaidya, and Vijayalakshmi Atluri. 2021. A role-based administrative model for administration of heterogeneous access control policies and its security analysis. Inf. Syst. Front. (2021), 1–18.
Michel St.-Martin and Amy P. Felty. 2016. A verified algorithm for detecting conflicts in XACML access control rules. In Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs. ACM, 166–175.
Bernard Stepien and Amy Felty. 2016. Using expert systems to statically detect “dynamic” conflicts in XACML. In Proceedings of the 11th International Conference on Availability, Reliability and Security (ARES). IEEE, 127–136.
Scott D. Stoller, Ping Yang, C. R. Ramakrishnan, and Mikhail I. Gofman. 2007. Efficient policy analysis for administrative role based access control. In Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, 445–455.
Fatih Turkmen, Jerry den Hartog, Silvio Ranise, and Nicola Zannone. 2015. Analysis of XACML policies with SMT. In Proceedings of the International Conference on Principles of Security and Trust. Springer, 115–134.
Emre Uzun, Vijayalakshmi Atluri, Shamik Sural, Jaideep Vaidya, Gennaro Parlato, Anna Lisa Ferrara, and Madhusudan Parthasarathy. 2012. Analyzing temporal role based access control models. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies. ACM, 177–186.
Paul Voigt and Axel Von dem Bussche. 2017. The EU General Data Protection Regulation (GDPR). A Practical Guide,1st ed. Springer International Publishing, Cham.
Man Wang, Jean Mayo, Ching-Kuang Shene, Steve Carr, and Chaoli Wang. 2017. UNIXvisual: A visualization tool for teaching UNIX permissions. In Proceedings of the ACM Conference on Innovation and Technology in Computer Science Education. 194–199.
Zhongyuan Xu and Scott D. Stoller. 2012. Algorithms for mining meaningful roles. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies. ACM, 57–66.
Zhongyuan Xu and Scott D. Stoller. 2013. Mining attribute-based access control policies from RBAC policies. In Proceedings of the 10th International Conference and Expo on Emerging Technologies for a Smarter World (CEWIT). IEEE, 1–6.
Zhongyuan Xu and Scott D. Stoller. 2014. Mining attribute-based access control policies from logs. In Proceedings of the IFIP Annual Conference on Data and Applications Security and Privacy. Springer, 276–291.
Ping Yang, Mikhail I. Gofman, Scott D. Stoller, and Zijiang Yang. 2015. Policy analysis for administrative role based access control without separate administration. J. Comput. Secur. 23, 1 (2015), 1–29.
Aijuan Zhang, Cheng Ji, Yu Bao, and Xin Li. 2017. Conflict analysis and detection based on model checking for spatial access control policy. Tsinghua Sci. Technol. 22, 5 (2017), 478–488.
Yinghui Zhang, Dong Zheng, and Robert H. Deng. 2018. Security and privacy in smart health: Efficient policy-hiding attribute-based access control. IEEE Internet Things J. 5, 3 (2018), 2130–2145.
Gansen Zhao and David W. Chadwick. 2008. On the modeling of Bell-Lapadula security policies using RBAC. In Proceedings of the IEEE 17th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises. IEEE, 257–262.