Document Type : Original Research Paper
Authors
Department of Computer Science Faculty of Computer Science and Information Technology
Abstract
Policy evaluation is a process to determine whether a request submitted by a user satisfies the access control policies defined by an organization. Modality conflict is one of the main issues in policy evaluation. Existing modality conflict detection approaches do not consider complex condition attributes such as spatial and temporal constraints. An effective authorization propagation rule is needed to detect the modality conflicts that occur among the applicable policies. This work proposes a modality conflict detection model to identify the applicable policies during policy evaluation, which supports an authorization propagation rule to investigate the class-subclass relationships of a subject, resource, action, and location of a request and a policy. The comparison with previous work is conducted, and findings show the solution which considers the condition attribute (i.e. spatial and temporal constraints) can affect the decision as to whether the applicable policies should be retrieved or not which further affect the accuracy of the modality conflict detection process. Whereas the applicable policies which are retrieved for a request can influence the detection of modality conflict among the applicable policies. In conclusion, our proposed solution is more effective in identifying the applicable policies and detecting modality conflict than the previous work.
Keywords
- access control policies
- authorization propagation
- Effectiveness
- modality conflict
- policy evaluation
- XACML
Main Subjects
[2] Ammar, N., Malik, Z., Bertino, E., & Rezgui, A. 2015. XACML Policy Evaluation with Dynamic Context Handling. IEEE Transactions on Knowledge and Data Engineering, 27(9), pp. 2575-2588.
[3] Bertino, E., Ghinita, G., and Kamra, A. 2011. Access Control for Databases: Concepts and Systems. Foundations and Trends in Databases, 3(1-2), pp. 1-148.
[4] Brodecki, B., Szychowiak, M., and Sasak, P. 2012. Security Policy Conflicts in Service Oriented Systems. New Generation Computing, 30(2-3), pp. 215-240.
[5] di Vimercati, S. D. C., Foresti, S., Jajodia, S., and Samarati, P. 2007. Access Control Policies and Languages in Open Environments. Secure Data Management in Decentralized Systems, pp. 21-58.
[6] Hu, H., Ahn, G., and Kulkarni, K. 2013. Discovery and Resolution of Anomalies in Web Access Control Policies. IEEE Transactions on Dependable and Secure Computing, 10(6), pp. 341-354.
[7] Jajodia, S., Samarati, P., Sapino, M. L., and Subrahmanian, V. 2001. Flexible Support for Multiple Access Control Policies. ACM Transactions on Database Systems (TODS), 26(2), pp. 214-260.
[8] Lin, D., Rao, P., Ferrini, R., Bertino, E., and Lobo, J. 2013. A Similarity Measure for Comparing XACML Policies. IEEE Transactions on Knowledge and Data Engineering, 25(9), pp. 1946-1959.
[9] Liu, A. X., Chen, F., Hwang, J., and Xie, T. 2011. Designing Fast and Scalable XACML Policy Evaluation Engines. IEEE Transactions on Computers, 60(12), pp. 1802-1817.
[10] Ngo, C., Demchenko, Y., and Laat, C. D. 2015. Decision Diagrams for XACML Policy Evaluation and Management. Journal of Computers and Security, 49, pp. 1-16.
[11] Priebe, T., Dobmeier, W., Schläger, C., and Kamprath, N. 2007. Supporting Attribute Based Access Control in Authorization and Authentication Infrastructures with Ontologies. Journal of Software, 2(1), pp. 27-38.
[12] Shaikh, R. A., Adi, K., and Logrippo, L. 2016. A Data Classification Method for Inconsistency and Incompleteness Detection in Access Control Policy Sets. International Journal of Information Security, pp. 1-23.
[13] Singh, K. and Singh, S. 2010. Design and Evaluation of XACML Conflict Policies Detection Mechanism. International Journal of Computer Science and Information Technology, 2, pp. 65-74.
[14] Adi, K., Bouzida, Y., Hattak, I., Logrippo, L., and Mankovskii, S. 2009. Typing for Conflict Detection in Access Control Policies. Proceedings of the 4th International Conference on E-Technologies (MCETECH), pp. 212-226.
[15] Bertino, E., Buccafurri, F., Ferrari, E., and Rullo, P. 1998. An Authorization Model and its Formal Semantics. Proceedings of the 5th European Symposium on Research in Computer Security (ESORICS), pp. 127-142.
[16] Damiani, E., di Vimercati, S. D. C., Fugazza, C., and Samarati, P. 2006. Modality Conflicts in Semantics Aware Access Control. Proceedings of the 6th International Conference on Web Engineering (ICWE), pp. 249-256.
[17] Dong, C., Russello, G., and Dulay, N. 2008. Flexible Resolution of Authorisation Conflicts in Distributed Systems. Proceedings of the 19th International Workshop on Distributed Systems: Operations and Management (DSOM), pp. 95-108.
[18] Fatema, K. and Chadwick, D. 2014. Resolving Policy Conflicts-Integrating Policies from Multiple Authors. Proceedings of the International Conference on Advanced Information Systems Engineering (CAiSE), pp. 310-321.
[19] Kamoda, H., Yamaoka, M., Matsuda, S., Broda, K., and Sloman, M. 2005. Policy Conflict Analysis using Free Variable Tableaux for Access Control in Web Services Environments. Proceedings of the 14th International World Wide Web Conference (WWW), pp. 121-126.
[20] Teo, P. K., Ibrahim, H., Udzir, N. I., and Sidi, F. 2013. Heterogeneity XACML Policy Evaluation Engine. Proceedings of the 2nd International Conference on Digital Enterprise and Information Systems(DEIS), pp. 230-238.
[21] Mohan, A., Blough, D. M., Kurc, T., Post, A., and Saltz, J. 2011. Detection of Conflicts and Inconsistencies in Taxonomy Based Authorization Policies. Proceedings of the 2011 IEEE International Conference on Bioinformatics and Biomedicine (BIBM), pp. 590-594.
[22] Neri, M. A., Guarnieri, M., Magri, E., Mutti, S., and Paraboschi, S. 2012. Conflict Detection in Security Policies using Semantic Web Technology. Proceedings of the 1st AESS European Conference on Satellite Telecommunications (ESTEL), pp. 1-6.
[23] Reul, Q. and Zhao, G. 2010. Enabling Access to Web Resources through SecPODE-based Annotations. Proceedings of the 2010 Confederated International Conferences on the Move to Meaningful Internet Systems (OTM), pp. 596-605.
[24] Russello, G., Dong, C., and Dulay, N. 2007. Authorisation and Conflict Resolution for Hierarchical Domains. Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY), pp. 201-210.
[25] Stepien, B. and Felty, A. 2016. Using Expert Systems to Statically Detect “Dynamic” Conflicts in XACML. Proceedings of the 11th International Conference on Availability, Reliability and Security (ARES).
[26] Xia, X. 2012. A Conflict Detection Approach for XACML Policies on Hierarchical Resources. Proceedings of the 2012 IEEE International Conference on Green Computing and Communications (GREENCOM), pp. 755-760.
)