Evaluating the Comprehensive Complexity of Authorization-based Access Control Policies using Quantitative Metrics

Malek Belhaouane, Joaquin Garcia-Alfaro, Hervé Debar

Abstract

Access control models allow flexible authoring and management of security policies, using high-level statements. They enable the expression of structured and expressive policies. However, they have an impact on the policy characteristics. The complexity of such policies is one of the affected characteristics. We propose a series of quantitative metrics to assess comprehensive complexity of policies. By comprehensive, we mean the difficulty of understanding a policy by administrators. We formalize the concepts of authorization-based access control models, to propose general metrics regardless of the model. We also show the application of the proposed metrics through a content management system (CMS) policy example. We outline a proof-of-concept to evaluate the feasibility of our proposal, based on SELinux policies for a general-purpose CMS.

References

  1. Abou-El-Kalam, A., Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., and Trouessin, G. (2003). Organization Based Access Control. In IEEE 4th International Workshop on Policies for Distributed Systems and Networks (Policy 2003), pages 120-131. IEEE Computer Society.
  2. Badger, L., Sterne, D. F., Sherman, D. L., and Walker, K. M. (1996). A domain and type enforcement UNIX prototype. Computing Systems, 9(1):47-83.
  3. Badger, L., Sterne, D. F., Sherman, D. L., Walker, K. M., and Haghighat, S. A. (1995). Practical domain and type enforcement for UNIX. In Security and Privacy, 1995. Proceedings., 1995 IEEE Symposium on, pages 66-77. IEEE.
  4. Beckerle, M. and Martucci, L. A. (2013). Formal Definitions for Usable Access Control Rule Sets From Goals to Metrics. In Ninth Symposium on Usable Privacy and Security (SOUPS 2013), pages 1-11. ACM.
  5. Belhaouane, M., Debar, H., and Garcia-Alfaro, J. (Last Access: 2015). Evaluating the Complexity of Access Control Policies Using Quantitative Metrics - SELinux Testbed Repository (Appendix). [On-line]. Available at https://github.com/met-testbeds/selinux.
  6. Colantonio, A., Pietro, R. D., Ocello, A., and Verde, N. V. (2010). Taming role mining complexity in RBAC. Computers & Security, 29(5):548-564.
  7. Cuppens, F., Cuppens-Boulahia, N., and Ben Ghorbel, M. (2007). High Level Conflict Management Strategies in Advanced Access Control Models. Electronic Notes in Theoretical Computer Science, 186:3-26.
  8. Garcia-Alfaro, J., Boulahia-Cuppens, N., and Cuppens, F. (2008). Complete analysis of configuration rules to guarantee reliable network security policies. Int. J. Inf. Sec., 7(2):103-122.
  9. Garcia-Alfaro, J., Cuppens, F., and Cuppens-Boulahia, N. (2006). Analysis of policy anomalies on distributed network security setups. In Computer Security - ESORICS 2006, 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings, pages 496-511.
  10. Garcia-Alfaro, J., Cuppens, F., and Cuppens-Boulahia, N. (2007). Management of Exceptions on Access Control Policies. In 22nd IFIP TC-11 International Information Security Conference (IFIP SEC 2007), pages 97-108.
  11. Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Martínez Perez, S., and Cabot, J. (2013). Management of stateful firewall misconfiguration. Computers & Security, 39:64-85.
  12. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1976). Protection in operating systems. Commun. ACM, 19(8):461-471.
  13. Jaeger, T. (2001). Managing Access Control Complexity Using Metrics. In Sixth ACM Symposium on Access Control Models and Technologies (SACMAT-01), pages 131-152.
  14. Kateb, D. E., Mouelhi, T., Traon, Y. L., Hwang, J., and Xie, T. (2012). Refactoring access control policies for performance improvement. In Third Joint WOSP/SIPEW International Conference on Performance Engineering, ICPE'12, Boston, MA, USA - April 22 - 25, 2012, pages 323-334.
  15. Lampson, B. W. (1969). Dynamic protection structures. In AFIPS Fall Joint Computing Conference, pages 27- 38.
  16. Lampson, B. W. (1974). Protection. Operating Systems Review, 8(1):18-24.
  17. Lil CMS - The Easiest Content Management System (Last Access: 2014). Available at http://www.lilcms.com/.
  18. Martin, E., Xie, T., and Yu, T. (2006). Defining and Measuring Policy Coverage in Testing Access Control Policies. In 2006 International Conference on Information and Communications Security (ICICS 7806), pages 139-158. Springer.
  19. Mayer, F., MacMillan, K., and Caplan, D. (2006). SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open Source Software Development Series). Prentice Hall PTR, Upper Saddle River, NJ, USA.
  20. McCarty, B. (2004). SELinux: NSA's Open Source Security Enhanced Linux. O'Reilly Media, Inc.
  21. Miller, G. A. (1956). The magical number seven, plus or minus two: Some limits on our capacity for processing information. Psychological Review, 63:81-97.
  22. Samarati, P. and De Capitani di Vimercati, S. (2000). Access control: Policies, models, and mechanisms. In FOSAD, pages 137-196.
  23. Sandhu, R. S., Coyne, E. J., Feinstein, H. L., and Youman, C. E. (1996). Role-based access control models. IEEE Computer, 29(2):38-47.
  24. The Drupal project (Last Access: 2015). Available at http://drupal.org/.
  25. Vaidya, J., Atluri, V., and Guo, Q. (2010). The role mining problem: A formal perspective. ACM Trans. Inf. Syst. Secur., 13(3).
  26. Wordpress Web Site (Last Access: 2015). Available at http://wordpress.com/.
  27. Yuan, E. and Tong, J. (2005). Attributed Based Access Control (ABAC) for Web Services. In 2005 IEEE International Conference on Web Services, pages 561-569.
Download


Paper Citation


in Harvard Style

Belhaouane M., Garcia-Alfaro J. and Debar H. (2015). Evaluating the Comprehensive Complexity of Authorization-based Access Control Policies using Quantitative Metrics . In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 53-64. DOI: 10.5220/0005544100530064


in Bibtex Style

@conference{secrypt15,
author={Malek Belhaouane and Joaquin Garcia-Alfaro and Hervé Debar},
title={Evaluating the Comprehensive Complexity of Authorization-based Access Control Policies using Quantitative Metrics},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={53-64},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005544100530064},
isbn={978-989-758-117-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - Evaluating the Comprehensive Complexity of Authorization-based Access Control Policies using Quantitative Metrics
SN - 978-989-758-117-5
AU - Belhaouane M.
AU - Garcia-Alfaro J.
AU - Debar H.
PY - 2015
SP - 53
EP - 64
DO - 10.5220/0005544100530064