Towards A Times-based Usage Control Model
Baoxian Zhao (1), Ravi Sandhu (2), Xinwen Zhang (3), and Xiaolin Qin (4)
1 George Mason University, Fairfax, VA, USA
2 Institute for Cyber-Security Research at the University of Texas, San Antonio, USA
3 Samsung Information Systems America, San Jose, CA, USA
4 Nanjing University of Aeronautics and Astronautics, Nanjing, China
presented by Baoxian Zhao
Outline
• Reviewing access control models
  – Traditional access control models
  – Temporal access control models
• Construction of the TUCON model
  – Preliminaries of the TUCON model
  – Times-based authorizations
  – Authorization rules
  – The implementation of access control
• Conclusion and Future work
Reviewing existing access control models
• Traditional access control models
  > Discretionary Access Control (DAC)
  > Mandatory Access Control (MAC)
  > Role-based Access Control (RBAC)
• Temporal access control models
  > The temporal authorization models suggested by E. Bertino et al. 94, 96, 98
    » Only applied to the DAC model
  > Temporal Data Authorization Model (TDAM), A. Gal et al. 02
    » Adding transaction time and valid time
  > TRBAC 01, GTRBAC 05
    » Adding temporal constraints to the RBAC model
Limitations of existing access control models
• Primarily consider authorization decisions constrained by certain time periods
• Authorizations are static authorization decisions
  > Authorizations are made at the request time and hardly recognize ongoing controls for times-constrained access or for immediate revocation
  > Once an authorization decision is made, the object can be accessed without limitation during the valid period!
Requirements of new access control
• Usage of a digital object can not only be time-independent, like read and write
• But also temporal and times-consuming, such as payment-based online reading, or a downloadable music file that can only be played 10 times within a valid period
• This means that an authorization can be updated during ongoing usage
The principle of the TUCON model
• Keeping the time periods
  » Authorizations are still constrained by the time periods
• Introducing usage times
  » Times are consumed, to meet the requirement that the usage of digital objects can be consumed and limited
  » Times are decreased by 1, to update the authorization during a single access process
• New features of the TUCON model
  » Authorizations can be updated during ongoing usage
  » Authorizations can be consumed
  » Effectively prevent systems from DoS attacks, such as Nimda and Code Red
Difference from UCON
• The UCON model uses the ABC (Authorization, oBligation, Condition) core models to solve these problems
• In the TUCON model, we consider temporal and consumed factors as attributes of authorizations rather than attributes of subjects or objects
• Supports delegation
• TUCON is simple to implement
Preliminaries of TUCON
Definition 1 (Periodic expression) [Bertino et al. 98] A periodic expression is defined as $\sum_{i=1}^{n} R_i . C_i \triangleright r . C_d$, where $R_1 = all$, $R_i \in 2^{\mathbb{N}} \cup \{all\}$, $C_i$ and $C_d$ are calendars, for $i = 1, \ldots, n$, $C_d \sqsubseteq C_n$ and $r \in \mathbb{N}$. Here let D denote the set of all valid periods.
Example: From 9:00 AM to 12:00 PM during workdays: $all.Weeks + \{1, \ldots, 5\}.Days + 9.Hours \triangleright 3.Hours$
Definition 2 (Times) Times are a set of natural numbers, formally defined as $Times = \{pt \mid pt \in \mathbb{N}\}$.
Times-based Authorizations
• Definition 3 (Times Authorization) A times authorization is a 6-tuple (pt, s, o, priv, pn, g), where $pt \in \mathbb{N}$, $s, g \in S$, $o \in O$, $priv \in P$ and $pn \in \{+, -\}$.
Example: Mary grants Bob the read privilege on the book Sun 5 times: (5, Bob, Sun, read, +, Mary)
• Definition 4 (Non-Times Authorization) When pt = -1 in a times authorization tuple, we call this kind of times authorization a non-times authorization.
Times-based Authorizations (cont)
• Definition 5 (Times-based Authorization) A times-based authorization is a 3-tuple (time, period, auth), where time represents a time interval $[t_a, t_b]$ ($0 \le t_a \le t_b \le T$), period is a periodic expression, and auth is a 6-tuple times authorization.
Example: Between Jan. 12, 2001 and Dec. 24, 2005, Tom has 6 times of the privilege read on object file, but he can exercise this privilege only on Tuesday each week:
([1/12/2001, 12/24/2005], Weeks+2.days, (6, Tom, file, read, +, Sam))
Authorization rules
• Definition 6 (Grant Rule) A grant rule is defined in the form:
access(time, period, auth) ← L1 & ... & Ln
Each Li can be a trigger condition expression.
Example 1 In an application system Business_system, if a registered user Bob pre-pays $1000, he can enjoy a certain super-value service m 6 times during every Friday since 09/12/2006. Let this privilege be super.
access([09/12/2006, +∞], Weeks+5.days, (6, Bob, m, super, +, Business_system)) ← prepay(Bob, 1000) & register(Bob)
Authorization rules (cont)
• Definition 7 (Derived Rule) A derived rule is defined in the form:
deraccess(time, period, auth) ← L1 & ... & Ln
Each Li can be access together with conditional expressions.
• Example 2 Now Bob wants to transfer 3 times of enjoying the service m to another user Alice.
deraccess([09/12/2006, +∞], Weeks+5.days, (3, Alice, m, super, +, Business_system)) ← access([09/12/2006, +∞], Weeks+5.days, (6, Bob, m, super, +, Business_system)) & give(3, Alice, m, super, Bob) & less(3, 6)
deraccess([09/12/2006, +∞], Weeks+5.days, (3, Bob, m, super, +, Business_system)) ← access([09/12/2006, +∞], Weeks+5.days, (6, Bob, m, super, +, Business_system)) & give(3, Alice, m, super, Bob) & less(3, 6)
Authorization rules (cont)
• Definition 8 (Resolution Rule) A resolution rule is defined in the form:
force_access(time, period, auth) ← L1 & ... & Ln
Each Li can be access, deraccess, or a condition expression specified by the security policy.
Example 3 In Example 2, if Alice already has the super right on service m 4 times:
force_access([09/12/2006, +∞], Weeks+5.days, (7, Alice, m, super, +, Business_system)) ← access([09/12/2006, +∞], Weeks+5.days, (4, Alice, m, super, +, Business_system)) & deraccess([09/12/2006, +∞], Weeks+5.days, (3, Alice, m, super, +, Business_system))
Completeness of rules
• THEOREM 1 (Completeness) The policy in TUCON can be specified by a non-empty set of TUCON rules.
Proof: (1) no conflicting decisions; (2) specifying all possible decisions
The Implementation of Access control
• Grant privileges
• Access objects
• Revoke privileges
Grant privileges
• Times-based authorization
  > here, pt > 0 and pn = +
• Unlimited authorization
  > pt = -1 and pn = +
How about times-based authorization & unlimited authorization?
Access objects
• Times-based Authorization Base (TAB)
  > A set of authorizations in which there are no conflicting authorizations.
• Valid Access Function
  > A function that checks every access request against the current TAB to determine whether the access is authorized.
Revoke privileges
• Time intervals
  > The time interval has expired!
• Usage Times
  > pt = 0
• Other factors
  > Abusing privileges
  > Breaking security policies
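As an added example that is not part of the original slides, the following Python sketch implements the TAB and Valid Access Function of this implementation section together with the times-based authorizations and the grant, derived and resolution rules of Examples 1 to 3 (Bob's 6 times, 3 of them given to Alice, merged with the 4 she already holds). It assumes a periodic expression reduced to a set of ISO weekdays (Weeks+5.days becomes {5}) and datetime.max for +∞; the class and method names are my own, not the paper's.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, Tuple

@dataclass
class TimesAuth:        # Definition 3: (pt, s, o, priv, pn, g); pt == -1 is a non-times (unlimited) authorization
    pt: int; s: str; o: str; priv: str; pn: str; g: str

@dataclass
class TimesBasedAuth:   # Definition 5: (time, period, auth); time = [t_a, t_b], use datetime.max for +inf
    t_a: datetime; t_b: datetime
    days: FrozenSet[int]  # periodic expression reduced to ISO weekdays (assumption): Weeks+5.days -> {5}
    auth: TimesAuth

class TAB:
    """Times-based Authorization Base: at most one entry per (s, o, priv), so no conflicting entries."""
    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str, str], TimesBasedAuth] = {}
    def grant(self, tba: TimesBasedAuth) -> None:
        key = (tba.auth.s, tba.auth.o, tba.auth.priv)
        if key in self.entries or tba.auth.pt == 0 or tba.auth.pt < -1:
            raise ValueError("conflicting or malformed authorization; apply a resolution rule first")
        self.entries[key] = tba
    def valid_access(self, s: str, o: str, priv: str, now: datetime) -> bool:
        """Valid Access Function: check interval, period and times; consume one time on success."""
        tba = self.entries.get((s, o, priv))
        if tba is None or tba.auth.pn != "+":
            return False
        if now > tba.t_b:                   # revocation: the time interval has expired
            self.entries.pop((s, o, priv))
        if not tba.t_a <= now <= tba.t_b or now.isoweekday() not in tba.days:
            return False                    # outside the interval or the periodic expression
        if tba.auth.pt == -1:
            return True                     # unlimited authorization: nothing to consume
        tba.auth.pt -= 1                    # ongoing control: times decreased by 1 per access
        if tba.auth.pt == 0:
            self.entries.pop((s, o, priv))  # revocation: usage times exhausted (pt = 0)
        return True

    def delegate(self, giver: str, to: str, o: str, priv: str, n: int) -> bool:
        """Derived rule give(n, ...) & less(n, pt) moves n times; an existing holder's times are summed (resolution rule)."""
        src = self.entries.get((giver, o, priv))
        if src is None or src.auth.pt == -1 or not n < src.auth.pt:
            return False
        src.auth.pt -= n
        if (to, o, priv) not in self.entries:   # recipient inherits interval and period (assumption)
            self.entries[(to, o, priv)] = TimesBasedAuth(src.t_a, src.t_b, src.days,
                                                         TimesAuth(0, to, o, priv, "+", giver))
        self.entries[(to, o, priv)].auth.pt += n
        return True
```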
Conclusion and Future Work
• Wide applications, especially in times-metered systems
• Viewed as a solution to some specific problems of mutable attributes in modern access control
• Extend the model by considering different intervals and different periods.
• Develop the administration of authorization in UCON
Using temporal logic to express?
Any Questions?
Thank you!