
Incorporating Off-Line Attribute Delegation into Hierarchical Group - PowerPoint PPT Presentation



  1. Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control
     Daniel Servos, Western University, London, Ontario, dservos5@uwo.ca
     Michael Bauer, Western University, London, Ontario, bauer@uwo.ca
     November 5th, FPS 2019

  2. Outline
     • Outline
     • Background
     • Attribute Delegation Model
     • Attribute Delegation Framework
     • Conclusions

  3. Background: The HGABAC Project

  4. HGABAC Project (timeline figure; axis: Time)
     • HGABAC (Servos et al., 2014): Hierarchical group based formal model of ABAC.
     • HGABAC Administrative Model (GURA_G by Gupta and Sandhu, 2016): Model governing the administration of attributes, users, etc. in HGABAC.
     • ABAC Delegation Strategies (Servos et al., 2016): Set of potential strategies for incorporating delegation into ABAC models and architectures.
     • HGAA (Servos et al., 2018): System architecture and protocols to support real world use of HGABAC.
     • Group Membership Based Delegation Model (Sabahein et al., 2018)
     • Attribute Based Delegation Model (Servos et al., 2019)
     • Permission Based Delegation Model (Future Work)
     • Reference Implementation and Full Evaluation of Each Delegation Model (Future Work)

  5. HGABAC Project: Hierarchical Group and Attribute-Based Access Control (2014)
     • Formal attribute-based access control model.
     • Introduces concepts of hierarchical user and object attribute groups.
     • Goals:
       ▪ Lightweight
       ▪ Easy to comprehend policies
       ▪ User and object groups to simplify administration
       ▪ Scalable
       ▪ Ability to emulate traditional models (MAC, DAC, RBAC)
     • Shown to be capable of emulating MAC, DAC and RBAC.

  6. HGABAC Project: Strategies for Incorporating Delegation into ABAC (2016)
     • Details strategies for incorporating delegation into ABAC.
     • Strategies formulated by evaluating each possible combination of delegator, delegatee and delegatable access control component.
     • Resulted in three potential families of strategies that share common properties: Group Membership Delegation, Attribute Delegation and Permission Delegation.

  7. HGABAC Project: Hierarchical Group Attribute Architecture (2018)
     • System architecture and protocols for implementing an HGABAC based system.
     • Answers questions like: "Who assigns the attributes?", "How are attributes shared?", "How is proof of attribute ownership given?", and "where and how are policies evaluated?"
     • Defines Attribute Certificate format, HGABAC Namespace, and core services.
     • Focus on "Off-Line" function (no dependence on third party once attribute certificate issued).

  8. HGABAC Project: Incorporating Off-Line Attribute Delegation into HGABAC (2019)
     • Current effort, to create formal delegation model for each strategy.
     • Group Membership based model created by Sabahein et al.
     • Presenting Attribute based model today.
     • Permission based model still in development.
     Timeline callout (Servos et al., 2019): Work I am presenting today.

  9. HGABAC Project: End Goal for Delegation
     • Formalization of each ABAC delegation model.
     • Creation of reference implementation for each model.
     • Full evaluation and comparison.
     Timeline callout "End Goal": Reference Implementation and Full Evaluation of Each Delegation Model (Future Work).

  10. Attribute Delegation Model

  11. Attribute Delegation Example
      Alice: Year: 4, Role: undergrad, Department: CompSci
      Bob: Role: faculty, Department: SoftEng
      Charlie: Year: 3, Role: grad, Department: SoftEng

  12. Attribute Delegation Example
      Alice wishes to delegate her access to the CS student lounge to Charlie so he can pick up a textbook for her. The normal policy governing access is:
      Department = "CompSci" AND year >= 4
      Alice: Year: 4, Role: undergrad, Department: CompSci
      Bob: Role: faculty, Department: SoftEng
      Charlie: Year: 3, Role: grad, Department: SoftEng

  13. Attribute Delegation Example
      Alice: Year: 4, Role: undergrad, Department: CompSci
      Bob: Role: faculty, Department: SoftEng
      Attributes Alice delegates: Department: CompSci, Year: 4
      Charlie: Year: 3, Role: grad, Department: SoftEng

  14. Attribute Delegation Example
      Alice: Year: 4, Role: undergrad, Department: CompSci
      Bob: Role: faculty, Department: SoftEng
      Attributes Alice delegates: Department: CompSci, Year: 4
      Charlie:
        Direct att. set: Year: 3, Role: grad, Department: SoftEng
        Delegated set from Alice: Department: CompSci, Year: 4

  15. Attribute Delegation Example
      Bob wishes to delegate his access to the faculty software engineering lab to Charlie while Bob is away temporarily. The normal policy governing access is:
      Department = "SoftEng" AND Role = "faculty"
      Alice: Year: 4, Role: undergrad, Department: CompSci
      Bob: Role: faculty, Department: SoftEng
      Charlie:
        Direct att. set: Year: 3, Role: grad, Department: SoftEng
        Delegated set from Alice: Department: CompSci, Year: 4

  16. Attribute Delegation Example
      Alice: Year: 4, Role: undergrad, Department: CompSci
      Bob: Role: faculty, Department: SoftEng
      Attributes Bob delegates: Role: faculty, Department: SoftEng
      Charlie:
        Direct att. set: Year: 3, Role: grad, Department: SoftEng
        Delegated set from Alice: Department: CompSci, Year: 4

  17. Attribute Delegation Example
      Alice: Year: 4, Role: undergrad, Department: CompSci
      Bob: Role: faculty, Department: SoftEng
      Attributes Bob delegates: Role: faculty, Department: SoftEng
      Charlie:
        Direct att. set: Year: 3, Role: grad, Department: SoftEng
        Delegated set from Bob: Role: faculty, Department: SoftEng
        Delegated set from Alice: Department: CompSci, Year: 4
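
The delegation example on slides 11-17, worked through as an added Python sketch (not code from the presentation or the HGABAC project). It assumes, as the separate "Direct att. set" and "Delegated set from ..." boxes suggest, that a policy is evaluated against one attribute set at a time; the function names and the GRAD_CS policy are hypothetical and exist only to show what pooling the sets would allow.

```python
import operator

OPS = {"=": operator.eq, ">=": operator.ge}

# Attribute sets as shown on slides 11-17.
ALICE = {"Year": 4, "Role": "undergrad", "Department": "CompSci"}
BOB = {"Role": "faculty", "Department": "SoftEng"}
CHARLIE = {"Year": 3, "Role": "grad", "Department": "SoftEng"}

# Policies quoted on slides 12 and 15, as conjunctions of (attribute, op, value).
LOUNGE = [("Department", "=", "CompSci"), ("Year", ">=", 4)]
SE_LAB = [("Department", "=", "SoftEng"), ("Role", "=", "faculty")]
# Hypothetical policy, not on the slides: no single user above satisfies it.
GRAD_CS = [("Role", "=", "grad"), ("Department", "=", "CompSci")]


def satisfies(pairs, policy):
    """True if every condition is met by some (name, value) pair."""
    pairs = list(pairs)
    return all(any(n == attr and OPS[op](v, want) for n, v in pairs)
               for attr, op, want in policy)


def delegate(delegator, names):
    """Copy only attributes the delegator actually holds."""
    missing = [n for n in names if n not in delegator]
    if missing:
        raise ValueError(f"delegator does not hold: {missing}")
    return {n: delegator[n] for n in names}


def charlie_sets():
    """Charlie's direct set plus one separate delegated set per delegator."""
    return {"direct": dict(CHARLIE),
            "from Alice": delegate(ALICE, ["Department", "Year"]),
            "from Bob": delegate(BOB, ["Role", "Department"])}


def granted_separate(sets, policy):
    """Assumed rule: the policy must be met by one set on its own."""
    return [k for k, attrs in sets.items() if satisfies(attrs.items(), policy)]


def granted_pooled(sets, policy):
    """Contrast case: pool all sets, letting attributes from different sources mix."""
    pool = [p for attrs in sets.values() for p in attrs.items()]
    return satisfies(pool, policy)


if __name__ == "__main__":
    sets = charlie_sets()
    for name, pol in [("lounge", LOUNGE), ("SE lab", SE_LAB), ("grad CS", GRAD_CS)]:
        print(name, granted_separate(sets, pol), granted_pooled(sets, pol))
```

Evaluated per set, Charlie reaches the lounge only through Alice's set and the lab only through Bob's; pooled, his own Role: grad combines with Alice's Department: CompSci to satisfy a policy that neither of them meets alone.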
