inter domain role mapping and least privilege
play

Inter-domain Role Mapping and Least Privilege Liang Chen Jason - PowerPoint PPT Presentation

Inter-domain Role Mapping and Least Privilege Liang Chen Jason Crampton Information Security Group, Royal Holloway, University of London 12th ACM Symposium on Access Control Models and Technologies IDRM and Least Privilege Introduction


  1. Inter-domain Role Mapping and Least Privilege Liang Chen Jason Crampton Information Security Group, Royal Holloway, University of London 12th ACM Symposium on Access Control Models and Technologies

  2. IDRM and Least Privilege · Introduction RBAC96 • The RBAC96 family of models define a number of basic components – A set of users U – A partially ordered set of roles RH ⊆ R × R – A set of permissions P – A user-role assignment relation UA ⊆ U × R – A set of sessions S – A permission-role assignment relation PA ⊆ P × R 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  3. IDRM and Least Privilege · Introduction Inter-domain role mapping (IDRM) problem • Given a set of requested permissions Q ⊆ P , find the minimal set of roles R ′ ⊆ R such that Auth ( R ′ ) = Q (Du and Joshi, SACMAT, 2006) • The IDRM problem is not well defined for at least two reasons – There may be several sets R 1 , . . . , R k such that Auth ( R i ) = Q, i = 1 , . . . , k – There may not exist R ′ ⊆ R such that Auth ( R ′ ) = Q 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  4. IDRM and Least Privilege · Introduction r 1 Motivating example t ✁ ❆ ✁ ❆ • Given Q = { p 2 , p 3 , p 4 , p 5 } , then ✁ ❆ { r 2 , r 4 } and { r 3 , r 4 } are both mini- ✁ ❆ ✁ ❆ mal solutions ✁ ❆ ✁ ❆ • Given Q = { p 2 , p 3 , p 4 } , what is the t r 2 t r 3 t r 4 appropriate solution for the IDRM problem? t t t t t p 1 p 2 p 3 p 4 p 5 – Auth ( { r 3 } ) = { p 2 , p 3 } – Auth ( { r 3 , r 4 } ) = { p 2 , p 3 , p 4 , p 5 } 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  5. IDRM and Least Privilege · Introduction Our motivation We want to formulate the IDRM problem more accurately in terms of availability and safety • Availability and least privilege – Auth ( R ′ ) ⊇ Q – | Auth ( R ′ ) | is minimized – | R ′ | is minimized • Safety – Auth ( R ′ ) ⊆ Q – | Auth ( R ′ ) | is maximized – | R ′ | is minimized 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  6. IDRM and Least Privilege · Introduction Outline • Weighted set cover problem and greedy algorithm • An availability approach to IDRM • A safety approach to IDRM • Conclusion and future work 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  7. IDRM and Least Privilege · Weighted set cover problem Set cover optimization problem • Given a universe U and a collection C of subsets of U whose union is U , find a subset D ⊆ C such that � U = D and | D | is minimized D ∈D • Let U = { 1 , 2 , 3 , 4 , 5 , 6 } , and C = {{ 1 , 2 } , { 1 , 3 } , { 1 , 4 } , { 1 , 5 } , { 1 , 6 } , { 1 , 2 , 3 } , { 3 , 4 , 5 }} – Then {{ 1 , 2 , 3 } , { 3 , 4 , 5 } , { 1 , 6 }} is a solution of the set cover optimization problem 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  8. IDRM and Least Privilege · Weighted set cover problem Weighted set cover problem • Given a universe U , a collection C of subsets of U whose union is U , and a weight function w : C → R + , find a subset D ⊆ C such that � � U = D and w ( D ) is minimized D ∈D D ∈D • The set covering optimization problem is an instance of the weighted set cover problem in which w ( C ) = 1 for all C ∈ C 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  9. IDRM and Least Privilege · Weighted set cover problem Greedy algorithm • The weighted set cover problem is NP-hard • There exists a greedy algorithm that provides good approximate solutions – Let A i − 1 ⊆ U denotes the set of elements that remain uncovered at the ( i − 1)th iteration ( A 0 = U ) w ( C i ) – At the i th iteration, C i ∈ C is selected such that | C i ∩ A i − 1 | is minimized 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  10. IDRM and Least Privilege · An availability approach to IDRM Basic idea • Recall that we want to ensure that Auth ( R ′ ) ⊇ Q , and | Auth ( R ′ ) | and | R ′ | are minimized • We compute R Q = { r ∈ R : Auth ( r ) ∩ Q � = ∅} • We map the IDRM problem to the weighted set cover problem – Q is contained in the union of Auth ( r ), r ∈ R Q – We select a subset of R Q minimizing the choices from r ∈ R Q where Auth ( r ) contains a permission that is not in Q 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  11. IDRM and Least Privilege · An availability approach to IDRM The weight function • We define the weight function w : R Q → R + , where w ( r ) = | Auth ( r ) | · | Auth ( r ) \ Q | + 1 | Q | – If Auth ( r ) ⊆ Q , then | Auth ( r ) \ Q = ∅| and w ( r ) = 1 / | Q | – In contrast, roles that “step outside” Q have a much greater weight 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  12. IDRM and Least Privilege · An availability approach to IDRM The algorithm • Given a set of permissions Q , a collection of subsets { Auth ( r ) : r ∈ R Q } , and a weight function w : R Q → R + , find R ′ Q ⊆ R Q such that � � Auth ( r ) ⊇ Q and w ( r ) is minimized r ∈ R ′ r ∈ R ′ Q Q • We modify the greedy algorithm to compute an approximate solution for the IDRM problem – Let A i − 1 ⊆ Q denote the set of elements remain uncovered – At the i th iteration, we choose r such that w ( r ) A i − 1 ∩ Auth ( r ) � = ∅ and γ ( r ) = | A i − 1 ∩ Auth ( r ) | is minimized 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  13. IDRM and Least Privilege · An availability approach to IDRM An example • Given { p 2 , p 3 , p 4 } , Q = then R Q = { r 1 , r 2 , r 3 , r 4 } , w ( r 1 ) = 31 3 , r 1 t w ( r 2 ) = w ( r 3 ) = 1 3 , w ( r 4 ) = 10 ✁ ❆ 3 ✁ ❆ ✁ ❆ • The first iteration of the greedy al- ✁ ❆ gorithm selects r 3 since γ ( r 3 ) = 1 6 , ✁ ❆ ✁ ❆ and then selects r 4 , at which point ✁ ❆ t r 2 t r 3 t r 4 the algorithm terminates • The solution { r 3 , r 4 } is an optimal t t t t t solution for the IDRM problem (at p 1 p 2 p 3 p 4 p 5 least with respect to availability) • The algorithm does not necessarily compute an optimal solution (see proceedings) 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  14. IDRM and Least Privilege · A safety approach to IDRM Basic idea • Recall that we want to ensure that Auth ( R ′ ) ⊆ Q , | Auth ( R ′ ) | is maximized, and | R ′ | is a minimized • Given Q ∈ P , we compute R Q = { r ∈ R : Auth ( r ) ⊆ Q } • Given R Q , Q ′ = Auth ( R Q ) ⊆ Q and { Auth ( r ) : r ∈ R Q } , find R ′ Q ⊆ R Q such that � Auth ( r ) = Q ′ | R ′ Q | and is minimized r ∈ R ′ Q 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  15. IDRM and Least Privilege · A safety approach to IDRM Solution • We simply map the standard set covering optimization problem to the IDRM problem (defined in terms of safety) • The greedy algorithm is applied to compute R ′ Q , and the weight w ( r ) is 1 for all r 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  16. IDRM and Least Privilege · A safety approach to IDRM An example r 1 • Given Q = { p 2 , p 3 , p 4 } , then R Q = t ✁ ❆ { r 2 , r 3 } and Q ′ = { p 2 , p 3 } ✁ ❆ ✁ ❆ ✁ ❆ • The first iteration of the greedy al- ✁ ❆ gorithm selects r 3 since γ ( r 3 ) = 1 2 , ✁ ❆ ✁ ❆ at which point the algorithm ter- t r 2 t r 3 t r 4 minates – Auth ( r 3 ) = { p 2 , p 3 } ⊆ Q t t t t t p 1 p 2 p 3 p 4 p 5 – The solution { r 3 } is an optimal solution for the IDRM problem (in terms of safety) 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  17. IDRM and Least Privilege · Conclusion and future work Conclusion and future work • We examined the IDRM problem from two different perspectives – Availability and least privilege – Safety – The greedy algorithm for the weighted set cover problem computes an approximate solution to the IDRM problem but might not return an optimal solution for availability • We also examine these problem in the context of ERBAC07, TRBAC07 and ETRBAC07 (see proceedings) • We would like to see if there are other heuristics for the availability problem and to compare these alternatives with the weighted set cover greedy algorithm 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

  18. IDRM and Least Privilege · Questions Questions 12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

Recommend


More recommend