Risk Based Security Analysis of Permissions in RBAC

Nimal Nissanke, Etienne J. Khayat

2004

Abstract

Because of its vulnerability to errors and, hence, unauthorised access, assignment of access rights is a critically important aspect of RBAC. Despite major advances in addressing this clearly using formal models, there is still a need for a more robust formulation, especially incorporating strict guidelines on assignment of access rights and how to perform such tasks as delegation of access rights. In this respect, this paper proposes a precise mathematical framework, capable of considering important factors such as the relative security risks posed by different access operations when performed by different users. This is based on a novel concept of a security risk ordering relation on such tasks, to be established by a detailed independent risk assessment process. In the case of lack of information on security risks, the approach makes conservative assumptions, thus forcing the security analyst to re-assess such situations if he disagrees with this default interpretation. The risk ordering relation is central to a security-orientated definition of role hierarchies and a security-risk minimising strategy to role delegation.

References

  1. American National Standard for Information Technology. Role Based Access Control. Draft BSR INCITS 359, April 2003.
  2. Barka E. and Sandhu R. A Role-Based Delegation Model and Some Extensions. Proceedings of the 23rd NIST-NCSC National Information Systems Security Conference, pp: 101-114, Baltimore, USA, October, 2000.
  3. Barka E. and Sandhu R. Framework for Role-Based Delegation Models. Proceedings of the 16th IEEE Annual Computer Security Applications Conference, pp: 168-175, New Orleans, Louisiana, USA, December, 2000.
  4. Dammag H. and Nissanke N. A Mathematical Framework for Safecharts. Proceedings of the 5th International Conference of Formal Engineering Methods, pp: 620-640, Singapore, Singapore, November, 2003.
  5. Ferraiolo D. Cugini J., and Kuhn R. Role-Based Access Control (RBAC): Features and Motivations. Proceedings of the 11th Annual Computer Security Applications Conference, pp: 241-248, New Orleans, LA, USA, December, 1995.
  6. Ferraiolo D., Sandhu R., Gavrila S., Kuhn R. and Chandramouli R. “Proposed NIST Standard for Role-Based Access Control”. ACM Transactions on Information and System Security (TISSEC), Vol. 4, No. 3, August 2001, pp: 224-474.
  7. Khayat E. and Abdallah A. A Formal Model for Flat Role-Based Access Control. Proceedings of the ACS/IEEE Conference on Computer Systems Applications, Tunis, Tunisia, July, 2003.
  8. Na S. and Cheon S. Role Delegation in Role-Based Access Control. Proceedings of the 5th ACM workshop on Role-Based Access Control, pp: 39-44, Berlin, Germany, June, 2000.
  9. Sandhu R., Coyne E., Feinstein H. and Youman C. “Role-Based Access Control Models”. IEEE Computer, Vol. 29, No. 2, November 1996, pp: 38-47.
  10. Sandhu R., Ferraiolo D. and Kuhn R. The NIST Model for Role-Based Access Control: Towards A Unified Standard. Proceedings of 5th ACM Workshop on Role-Based Access Control, pp: 47-64, Berlin, Germany, July, 2000.
  11. Zhang L., Ahn. G.J. and Chu B.T. “A Rule-Based Framework for Role-Based Delegation and Revocation”. ACM Transactions on Information and System Security, Vol. 6, No. 3, August 2003, pp: 404-441.
  12. Zhang L., Ahn. G.J. and Chu B.T. A Role-Based Delegation Framework for Healthcare Information Systems. Proceedings of the 7th ACM symposium on Access Control Models and Technologies, pp: 125-134, Monterey, California, USA, June, 2003.
  13. Zhang X., Oh S. and Sandhu R. PBDM: A Flexible Delegation Model in RBAC. Proceedings of the 8th ACM symposium on Access Control Models and Technologies, pp: 149-157, Como, Italy, June, 2003.
Download


Paper Citation


in Harvard Style

Nissanke N. and J. Khayat E. (2004). Risk Based Security Analysis of Permissions in RBAC . In Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004) ISBN 972-8865-07-4, pages 331-340. DOI: 10.5220/0002687403310340


in Bibtex Style

@conference{wosis04,
author={Nimal Nissanke and Etienne J. Khayat},
title={Risk Based Security Analysis of Permissions in RBAC},
booktitle={Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)},
year={2004},
pages={331-340},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002687403310340},
isbn={972-8865-07-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)
TI - Risk Based Security Analysis of Permissions in RBAC
SN - 972-8865-07-4
AU - Nissanke N.
AU - J. Khayat E.
PY - 2004
SP - 331
EP - 340
DO - 10.5220/0002687403310340