
Towards Automatic Update of Access Control Policy


  1. Towards Automatic Update of Access Control Policy
     Jinwei Hu, Yan Zhang, Ruixuan Li
     Huazhong University of Science and Technology, Wuhan, China
     University of Western Sydney, Sydney, Australia
     jwhu@hust.edu.cn

  2. Contents
     • Motivations and Background
     • Key Questions
     • Ideas
     • Conclusions

  4. Motivations - Why Update?
     • Misconfigurations [SACMAT'08, USENIX SEC'10]
     • Permission Assignment
       - A new user joins
       - Task assignment
     • Property satisfactions [TISSEC]
     • Requirement dynamics [CACM]

  5. Workflow of manual update
     [Flowchart. Steps: specify update constraints; observe the system and update constraints; perform some operations; check system and constraints; undo operations; end. Decisions (yes/no): Are all changes necessary? Constraints violated? Update achieved? Is the update achievable at all? Give up?]

  6. Background - RBAC Systems
     • Role-based access control

  7. Contents
     • Motivations and Background
     • Key Questions
     • Ideas
     • Conclusions

  8. Key Questions
     • Q1: What is the update objective?
       - Assign {p5, p8, p9} via {r1, r2, r3, r4, r5, r6}

  9. Key Questions
     • Q1: What is the update objective?
     • Q2: Who is to implement the update?
       - Different administrators come with different power.
       - Interactions/dependencies among administrators.

  10. Key Questions
     • Q1: What is the update objective?
     • Q2: Who is to implement the update?
     • Q3: What is the system behavior after update?
       - Can users still perform their work?

  11. Consideration of Q3
     • Users' permissions vary within range [lower bound, upper bound]
       - transparency to users
       - maintain access control system functions smoothly

  12. Key Questions
     • Q1: What is the update objective?
     • Q2: Who is to implement the update?
     • Q3: What is the system behavior after update?
     • Q4: What are the tolerable changes to roles and role hierarchies?

  13. Consideration of Q4
     • Role definitions
       - in terms of permissions, e.g., student = {use_printer, use_lab, …}
     • Top-down
       - Business meanings, semantics
     • Bottom-up
       - role engineering/mining
     • Role definitions change as needed? No change at all?

  14. Key Questions
     • Q1: What is the update objective?
     • Q2: Who is to implement the update?
     • Q3: What is the system behavior after update?
     • Q4: What are the tolerable changes to roles and role hierarchies?
     • Q5: Is an update optimal (minimal)?

  15. Consideration of Q5
     [Diagram: original state; qualified states (s1, s2, …); other states. Labels: gap, gap, difference.]
     Which update is better, s1 or s2?

  16. Contents
     • Motivations and Background
     • Key Questions
     • Ideas
     • Conclusions

  17. Update specification

  18. Model Checking
     [Diagram. Inputs: System, Property. Process: Model Checking. Outcomes: "Property holds." or "Property fails; a counter-example is generated."]

  19. Updating via Model Checking
     [Diagram. Inputs: RBAC System; Property: "Requested state is never reachable." Process: Model Checking. Question: update achievable?]
     • No. Requested state is never reachable. (Property holds.)
     • Yes. Requested state is not never reachable, and can be constructed from the counter-example. (Property fails; a counter-example is generated.)

  20. Overview
     [Diagram components: Update request, Transformer, simplified request, Translator, NuSMV Programs, NuSMV, Checking results, Update Constructor, Reports.]

  21. Problems
     • State explosion problem
     • Memory crash
     [Diagram components: Update request, Transformer, simplified request, Translator, Reductions, NuSMV Programs, NuSMV. Label: crash.]

  22. The Idea of Minimal Update
     [Diagram: original state; qualified states (s1, s2, s3, …); other states. Labels: Updating algorithm, difference.]

  25. The Idea of Minimal Update
     [Diagram: original state; qualified states (s1, s2, s3, …); other states. Labels: Updating algorithm, No update report, difference.]

  26. Contents
     • Motivations and Background
     • Key Questions
     • Ideas
     • Conclusions

  27. Conclusions
     • A tool that accepts and answers high-level update requests.
     • Experiments (synthesized data)
     • Future work
       - Full administrative model
       - Composition (sequence of update requests)
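
The reachability idea from slides 11, 19 and 22-25, as an added example that is not the authors' tool: a breadth-first search over one user's role set stands in for the NuSMV check, and the operation trace plays the part of the counter-example. The `PA` table, the function names and the restriction to user-role assign/revoke operations are assumptions made for illustration.

```python
from collections import deque

# Constructed role-permission assignment (PA); names follow slide 8.
PA = {
    "r1": {"p1", "p5"},
    "r2": {"p5", "p8", "p2"},
    "r3": {"p8", "p9"},
    "r4": {"p9", "p3"},
    "r5": {"p5", "p8", "p9", "p7"},
    "r6": {"p4"},
}

def perms(roles):
    """Permissions a user holds through a set of roles."""
    return set().union(*(PA[r] for r in roles))

def minimal_update(current, lower, upper, can_assign, can_revoke):
    """Breadth-first reachability over the user's role sets.

    A state is qualified when lower <= perms(state) <= upper (slide 11).
    can_assign / can_revoke model the administrator's power (Q2).
    BFS visits states in order of operation count, so the first qualified
    state found differs minimally from the original. Returns (trace, state),
    or None when no qualified state is reachable (the "no update" report).
    """
    start = frozenset(current)
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        if lower <= perms(state) <= upper:
            return trace, set(state)
        moves = [("assign", r, state | {r}) for r in sorted(can_assign - state)]
        moves += [("revoke", r, state - {r}) for r in sorted(can_revoke & state)]
        for op, role, nxt in moves:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [(op, role)]))
    return None
```

Explicit enumeration like this grows exponentially with the number of roles, which is the state explosion problem slide 21 raises.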
