Security analysis of temporal RBAC under an administrative model

Sadhana Jha; Shamik Sural; Jaideep Vaidya; Vijayalakshmi Atluri

doi:10.1016/j.cose.2014.08.001

Security analysis of temporal RBAC under an administrative model

Sadhana Jha, Shamik Sural, Jaideep Vaidya, Vijayalakshmi Atluri

Rutgers Business School, Management & Information Systems

Research output: Contribution to journal › Article › peer-review

19 Scopus citations

Abstract

Security analysis of access control models is critical to confirm whether they ensure certain security properties. Administrative models specify the rules for state transition for any given access control model. While security analysis of role-based access control (RBAC) systems has been done using administrative models, work on security analysis of its temporal, spatial and spatio-temporal extensions has so far not considered the presence of any corresponding administrative model. In this paper, we present a methodology for performing security analysis of temporal RBAC (TRBAC) where state changes occur using the relations defined in a recently proposed administrative model named as AMTRAC (Administrative Model for Temporal Role-based Access Control). We initially define a number of security properties for TRBAC. These properties along with a representation of the TRBAC system and the administrative relations in AMTRAC are then formally specified using Alloy, a first order logic based language. Subsequently, validity of the specified properties is analyzed using the Alloy analyzer. We study the impact of the number of roles, users and temporal elements of TRBAC as well as various relations defined in AMTRAC on the time taken for security analysis.

Original language	English (US)
Pages (from-to)	154-172
Number of pages	19
Journal	Computers and Security
Volume	46
DOIs	https://doi.org/10.1016/j.cose.2014.08.001
State	Published - Oct 2014

All Science Journal Classification (ASJC) codes

General Computer Science
Law

Keywords

AMTRAC
Administrative model
Alloy analyzer
Security analysis
Temporal RBAC

Access to Document

10.1016/j.cose.2014.08.001

Cite this

@article{9c43ba0f82a1479392c3687a4a8c908f,

title = "Security analysis of temporal RBAC under an administrative model",

abstract = "Security analysis of access control models is critical to confirm whether they ensure certain security properties. Administrative models specify the rules for state transition for any given access control model. While security analysis of role-based access control (RBAC) systems has been done using administrative models, work on security analysis of its temporal, spatial and spatio-temporal extensions has so far not considered the presence of any corresponding administrative model. In this paper, we present a methodology for performing security analysis of temporal RBAC (TRBAC) where state changes occur using the relations defined in a recently proposed administrative model named as AMTRAC (Administrative Model for Temporal Role-based Access Control). We initially define a number of security properties for TRBAC. These properties along with a representation of the TRBAC system and the administrative relations in AMTRAC are then formally specified using Alloy, a first order logic based language. Subsequently, validity of the specified properties is analyzed using the Alloy analyzer. We study the impact of the number of roles, users and temporal elements of TRBAC as well as various relations defined in AMTRAC on the time taken for security analysis.",

keywords = "AMTRAC, Administrative model, Alloy analyzer, Security analysis, Temporal RBAC",

author = "Sadhana Jha and Shamik Sural and Jaideep Vaidya and Vijayalakshmi Atluri",

note = "Funding Information: Vijayalakshmi Atluri is a professor of computer information systems and research director for CIMIC at Rutgers University. She was a program director at US National Science Foundation (NSF) in the Information and Intelligent Systems division. Her research interests include information security, spatial databases, multimedia and distributed systems. She has published extensively in premier journals and conferences. She was the recipient of the NSF CAREER Award, and the Rutgers University Research Award for untenured faculty for outstanding research contributions. She is a senior member of the IEEE Computer Society and a member of the ACM. Funding Information: Jaideep Vaidya is an associate professor of Computer Information Systems at Rutgers University. He received the master's and PhD degrees in Computer Science at Purdue University. His research interests are in privacy, security and data management. He has published more than 90 papers in international conferences and journals. He has received three best paper awards from premier conferences. He is a recipient of US National Science Foundation Career Award and a Rutgers Board of Trustees Research Fellowship for Scholarly Excellence. He is a senior member of the IEEE Computer Society and a member of the ACM. ",

year = "2014",

month = oct,

doi = "10.1016/j.cose.2014.08.001",

language = "English (US)",

volume = "46",

pages = "154--172",

journal = "Computers and Security",

issn = "0167-4048",

publisher = "Elsevier Ltd",

}

TY - JOUR

T1 - Security analysis of temporal RBAC under an administrative model

AU - Jha, Sadhana

AU - Sural, Shamik

AU - Vaidya, Jaideep

AU - Atluri, Vijayalakshmi

N1 - Funding Information: Vijayalakshmi Atluri is a professor of computer information systems and research director for CIMIC at Rutgers University. She was a program director at US National Science Foundation (NSF) in the Information and Intelligent Systems division. Her research interests include information security, spatial databases, multimedia and distributed systems. She has published extensively in premier journals and conferences. She was the recipient of the NSF CAREER Award, and the Rutgers University Research Award for untenured faculty for outstanding research contributions. She is a senior member of the IEEE Computer Society and a member of the ACM. Funding Information: Jaideep Vaidya is an associate professor of Computer Information Systems at Rutgers University. He received the master's and PhD degrees in Computer Science at Purdue University. His research interests are in privacy, security and data management. He has published more than 90 papers in international conferences and journals. He has received three best paper awards from premier conferences. He is a recipient of US National Science Foundation Career Award and a Rutgers Board of Trustees Research Fellowship for Scholarly Excellence. He is a senior member of the IEEE Computer Society and a member of the ACM.

PY - 2014/10

Y1 - 2014/10

N2 - Security analysis of access control models is critical to confirm whether they ensure certain security properties. Administrative models specify the rules for state transition for any given access control model. While security analysis of role-based access control (RBAC) systems has been done using administrative models, work on security analysis of its temporal, spatial and spatio-temporal extensions has so far not considered the presence of any corresponding administrative model. In this paper, we present a methodology for performing security analysis of temporal RBAC (TRBAC) where state changes occur using the relations defined in a recently proposed administrative model named as AMTRAC (Administrative Model for Temporal Role-based Access Control). We initially define a number of security properties for TRBAC. These properties along with a representation of the TRBAC system and the administrative relations in AMTRAC are then formally specified using Alloy, a first order logic based language. Subsequently, validity of the specified properties is analyzed using the Alloy analyzer. We study the impact of the number of roles, users and temporal elements of TRBAC as well as various relations defined in AMTRAC on the time taken for security analysis.

AB - Security analysis of access control models is critical to confirm whether they ensure certain security properties. Administrative models specify the rules for state transition for any given access control model. While security analysis of role-based access control (RBAC) systems has been done using administrative models, work on security analysis of its temporal, spatial and spatio-temporal extensions has so far not considered the presence of any corresponding administrative model. In this paper, we present a methodology for performing security analysis of temporal RBAC (TRBAC) where state changes occur using the relations defined in a recently proposed administrative model named as AMTRAC (Administrative Model for Temporal Role-based Access Control). We initially define a number of security properties for TRBAC. These properties along with a representation of the TRBAC system and the administrative relations in AMTRAC are then formally specified using Alloy, a first order logic based language. Subsequently, validity of the specified properties is analyzed using the Alloy analyzer. We study the impact of the number of roles, users and temporal elements of TRBAC as well as various relations defined in AMTRAC on the time taken for security analysis.

KW - AMTRAC

KW - Administrative model

KW - Alloy analyzer

KW - Security analysis

KW - Temporal RBAC

UR - http://www.scopus.com/inward/record.url?scp=84906824422&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84906824422&partnerID=8YFLogxK

U2 - 10.1016/j.cose.2014.08.001

DO - 10.1016/j.cose.2014.08.001

M3 - Article

AN - SCOPUS:84906824422

SN - 0167-4048

VL - 46

SP - 154

EP - 172

JO - Computers and Security

JF - Computers and Security

ER -

Security analysis of temporal RBAC under an administrative model

Abstract

All Science Journal Classification (ASJC) codes

Keywords

Access to Document

Other files and links

Fingerprint

Cite this