Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA 2 Institute for Cyber-Security Research at the University of Texas, San Antonio, USA 3 Samsung Information Systems America, San Jose, CA, USA 4 Nanjing University of Aeronautics and Astronautics, Nanjing, China


Post on 26-Mar-2015


Towards A Times-based Usage Control Model

Baoxian Zhao1, Ravi Sandhu2, Xinwen Zhang3, and Xiaolin Qin4

1 George Mason University, Fairfax, VA, USA

2 Institute for Cyber-Security Research at the University of Texas, San Antonio, USA

3Samsung Information Systems America, San Jose, CA, USA

4 Nanjing University of Aeronautics and Astronautics, Nanjing, China

presented by Baoxian Zhao


Outline

• Reviewing access control models
  – Traditional access control models
  – Temporal access control models

• Construction of the TUCON model
  – Preliminaries of the TUCON model
  – Times-based authorizations
  – Authorization rules
  – The implementation of access control

• Conclusion and Future work


Reviewing existing access control models

• Traditional access control models
  > Discretionary Access Control (DAC)
  > Mandatory Access Control (MAC)
  > Role-based Access Control (RBAC)

• Temporal access control models
  > The temporal authorization models suggested by E. Bertino et al. 94, 96, 98
    » Only applied to the DAC model
  > Temporal Data Authorization Model (TDAM), A. Gal et al. 02
    » Adding transaction time and valid time
  > TRBAC 01, GTRBAC 05
    » Adding temporal constraints to RBAC Model


Limitations of existing access control models

• Primarily consider authorization decisions constrained by certain time periods

• Authorizations are static authorization decisions
  > Authorizations are made at the requested time and hardly recognize ongoing controls for times-constrained access or for immediate revocation
  > Once an authorization decision is made, the object can be accessed without limitation during a valid period!


Requirements of new access control

• Usage of a digital object can not only be time-independent, like read and write

• But also temporal and times-consuming, such as payment-based online reading, or a downloadable music file that can only be played 10 times within a valid period.

• It means that authorization can be updated during ongoing usage


The principle of the TUCON model

• Keeping the time periods
  » Authorizations are still constrained by the time periods

• Introducing usage times
  » Times are consumed, to meet the requirement that the usage of digital objects can be consumed and limited
  » Times are decreased by 1, to update the authorization during a single access process

• New features of the TUCON model
  » Authorizations can be updated during ongoing usage.
  » Authorizations can be consumed
  » Effectively protects systems from DoS attacks, such as Nimda and Code Red.


Difference From UCON

• The UCON model uses the ABC (Authorization, oBligation, Condition) core models to solve these problems

• In the TUCON model, we consider temporal and consumed factors as attributes of authorizations rather than attributes of subjects or objects

• Supports delegation

• TUCON is simple to implement.


Preliminaries of TUCON

Definition 1 (Periodic expression) [Bertino et al. 98] A periodic expression is defined as $P = \sum_{i=1}^{n} R_i.C_i \triangleright r.C_d$, where $R_1 = all$, $R_i \in 2^{\mathbb{N}} \cup \{all\}$, $C_i$ and $C_d$ are calendars, for $i = 1, \ldots, n$, $C_d \subseteq C_n$, and $r \in \mathbb{N}$. Here let D represent the set of all valid periods.

Example: From 9:00 AM to 12:00 PM during workdays

$Weeks + \{1, \ldots, 5\}.Days + 9.Hours \triangleright 3.Hours$

Definition 2 (Times) Times are a set of natural numbers, formally defined as $\{pt \mid pt \in \mathbb{N}\}$.


Times-based Authorizations

• Definition 3 (Times Authorization) A times authorization is a 6-tuple (pt, s, o, priv, pn, g), where $pt \in \mathbb{N}$, $s, g \in S$, $o \in O$, $priv \in P$, $pn \in \{+, -\}$.

Example: Mary grants Bob 5 times of the read privilege on the book of Sun: (5, Bob, Sun, read, +, Mary)

• Definition 4 (Non-Times Authorization) When pt = -1 in a times authorization tuple, we call this kind of times authorization a non-times authorization.


Times-based Authorizations (cont)

• Definition 5 (Times-based Authorization) A times-based authorization is a 3-tuple (time, period, auth), where time represents a time interval $[t_a, t_b]$ ($0 \le t_a \le t_b \le T$), period is a periodic expression, and auth is a 6-tuple authorization.

Example: Between Jan. 12, 2001 and Dec. 24, 2005, Tom has 6 times of the privilege read on the object file, but he can exercise this privilege only on Tuesday each week.

([1/12/2001, 12/24/2005], Weeks+2.days, (6, Tom, file, read, +, Sam))


Authorization rules

• Definition 6 (Grant Rule) A grant rule is defined as the form of:

$access(time, period, auth) \leftarrow L_1 \,\&\, \ldots \,\&\, L_n$

Each $L_i$ can be a trigger condition expression.

Example 1: In an application system Business_system, if a registered user Bob pre-pays $1000, he can enjoy a certain super-value service m for 6 times during every Friday since the time 09/12/2006. Let this privilege be super.

access([09/12/2006, +∞], Weeks+5.days, (6, Bob, m, super, +, Business_system)) ← prepay(Bob, 1000) & register(Bob)


Authorization rules (cont)

• Definition 7 (Derived Rule) A derived rule is defined as the form of:

$deraccess(time, period, auth) \leftarrow L_1 \,\&\, \ldots \,\&\, L_n$

Each $L_i$ can be access with conditional expressions.

• Example 2: Bob now wants to transfer 3 of his times for enjoying the service m to another user, Alice.

deraccess([09/12/2006, +∞], Weeks+5.days, (3, Alice, m, super, +, Business_system)) ← access([09/12/2006, +∞], Weeks+5.days, (6, Bob, m, super, +, Business_system)) & give(3, Alice, m, super, Bob) & less(3, 6)

deraccess([09/12/2006, +∞], Weeks+5.days, (3, Bob, m, super, +, Business_system)) ← access([09/12/2006, +∞], Weeks+5.days, (6, Bob, m, super, +, Business_system)) & give(3, Alice, m, super, Bob) & less(3, 6)


Authorization rules (cont)

• Definition 8 (Resolution Rule) A resolution rule is defined as the form of:

$force\_access(time, period, auth) \leftarrow L_1 \,\&\, \ldots \,\&\, L_n$

Each $L_i$ can be access or deraccess or condition expressions specified by the security policy.

Example 3: In Example 2, suppose Alice has 4 times of the super right on service m.

force_access([09/12/2006, +∞], Weeks+5.days, (7, Alice, m, super, +, Business_system)) ← access([09/12/2006, +∞], Weeks+5.days, (4, Alice, m, super, +, Business_system)) & deraccess([09/12/2006, +∞], Weeks+5.days, (3, Alice, m, super, +, Business_system))


Completeness of rules

• THEOREM 1 (Completeness) The policy in TUCON can be specified by a non-empty set of TUCON rules.

Proof:
1. No conflicting decisions
2. Specifying all possible decisions


The Implementation of Access control

• Grant privileges

• Access objects

• Revoke privileges


Grant privileges

• Times-based authorization

>here, pt >0 and pn= +

• Unlimited authorization

>pt=-1 and pn = +

How about Times-based authorization & Unlimited authorization?


Access objects

• Times-based Authorization Base (TAB)
  > A set of authorizations, in which there are no conflicting authorizations.

• Valid Access Function
  > A function to check every access request against the current TAB to determine whether the access is authorized.


Revoke privileges

• Time intervals > The time interval has expired!

• Usage Times > pt=0

• Other factors > Abusing privileges

> Breaking security policies
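
The grant, access and revoke steps above, together with the transfer of Example 2 and the merge of Example 3, as a Python example added here (not the authors' implementation). The names `Auth`, `TAB`, `grant`, `give` and `valid_access`, the reduction of a periodic expression to a set of ISO weekdays, and the choice to replace rather than merge when either authorization is unlimited are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime
UNLIMITED = -1  # pt = -1 marks a non-times authorization (Definition 4)

@dataclass
class Auth:  # (time, period, auth) with auth = (pt, s, o, priv, pn, g)
    t_a: datetime        # time interval [t_a, t_b]
    t_b: datetime
    weekdays: frozenset  # assumption: period reduced to ISO weekdays, 1 = Monday
    pt: int
    s: str
    o: str
    priv: str
    pn: str
    g: str

class TAB:  # Times-based Authorization Base: one entry per (s, o, priv)
    def __init__(self):
        self.auths = {}

    def grant(self, a):
        old = self.auths.get((a.s, a.o, a.priv))
        # Merge as in Example 3: two positive times-based entries add up.
        if old is not None and old.pn == a.pn == "+" and UNLIMITED not in (old.pt, a.pt):
            a.pt += old.pt
        self.auths[(a.s, a.o, a.priv)] = a

    def give(self, n, giver, receiver, o, priv):  # transfer as in Example 2
        src = self.auths.get((giver, o, priv))
        if src is None or src.pn != "+" or src.pt == UNLIMITED or not 0 < n < src.pt:
            return False                     # less(n, pt) must hold
        src.pt -= n
        self.grant(Auth(src.t_a, src.t_b, src.weekdays, n, receiver, o, priv, "+", src.g))
        return True

    def valid_access(self, s, o, priv, now):
        a = self.auths.get((s, o, priv))
        if a is None or a.pn != "+":
            return False
        if now > a.t_b:                      # time interval expired: revoke
            del self.auths[(s, o, priv)]
            return False
        if now < a.t_a or now.isoweekday() not in a.weekdays:
            return False                     # outside the period: deny, keep entry
        if a.pt != UNLIMITED:
            a.pt -= 1                        # each access consumes one time
            if a.pt == 0:                    # usage times exhausted: revoke
                del self.auths[(s, o, priv)]
        return True
```
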


Conclusion and Future Work

• Wide applications, especially in times-metered systems

• Viewed as a solution to some specific problems of mutable attributes in modern access control

• Extend the model by considering different intervals and different periods.

• Develop the administration of authorization in UCON

Using temporal logic to express?


Any Question?

Thank you !