Sage Journals: Discover world-class research

Abstract

Context-aware access control systems should reactively adapt access control decisions to dynamic environmental conditions. In this paper we present ERBAC – an event-driven extension of the TRBAC model that allows the specification and enforcement of general reactive policies – and its implementation. While almost all the individual features of ERBAC occur separately in some previous model, the detailed design of the policy language, its implementation in XACML, and its testing contribute to the development of expressive, event-driven policy frameworks by demonstrating that this rich model can be satisfactorily implemented, and that its expressivity and performance are compatible with a variety of realistic application scenarios. In particular, a number of examples illustrate ERBAC’s expressive power, and its ability of handling exceptional situations in a flexible way, while keeping policies compact and manageable. The prototype extends XACML’s language and the implementation of the PDP to support the new model. Systematic scalability experiments show that the computational cost of policy rule evaluation in ERBAC is compatible with real-world applications.

Keywords

Event-driven access control Role Based Access Control

Get full access to this article

View all access options for this article.

References

[1]

Abdunabi,

Ray and

France, Specification and analysis of access control policies for mobile applications, in: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, SACMAT’13, ACM, New York, NY, USA, 2013, pp. 173–184.

[2]

Aich,

Mondal,

Sural and

Majumdar, Role based access control with spatiotemporal context for mobile applications, in: Transactions on Computational Science IV, LNCS, Vol. 5430, Springer, Berlin, 2009, pp. 177–199.

[3]

Aich,

Sural and

Majumdar, STARBAC: Spatiotemporal role based access control, in: Proceedings of the 2007 OTM Confederated International Conferences: CoopIS, DOA, ODBASE, GADA, and IS – Part II, Springer, Berlin, 2007, pp. 1567–1582.

[4]

Bacon,

Moody and

Yao, A model of OASIS role-based access control and its support for active security, ACM Trans. Inf. Syst. Secur. 5(4) (2002), 492–540.

[5]

Bertino,

Bettini,

Ferrari and

Samarati, An access control model supporting periodicity constraints and temporal reasoning, ACM Trans. Database Syst. 23(3) (1998), 231–285.

[6]

Bertino,

P.A.

Bonatti and

Ferrari, TRBAC: A temporal role-based access control model, ACM Trans. Inf. Syst. Secur. 4 (2001), 191–233.

[7]

Bonatti,

Galdi and

Torres, ERBAC prototype implementation, available at: http://wpage.unina.it/clemente.galdi/ERBAC.

[8]

Bonatti,

Galdi and

Torres, ERBAC: Event-driven RBAC, in: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, SACMAT’13, ACM, New York, NY, USA, 2013, pp. 125–136.

[9]

Chandran and

Joshi, LoT-RBAC: A location and time-based RBAC model, in: Web Information Systems Engineering, WISE 2005,

Ngu,

Kitsuregawa,

Neuhold,

J.-Y.

Chung and

Sheng, eds, LNCS, Vol. 3806, Springer, Berlin, 2005, pp. 361–375.

10.

[10]

Chen and

Crampton, On spatio-temporal constraints and inheritance in role-based access control, in: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS’08, ACM, New York, NY, USA, 2008, pp. 205–216.

11.

[11]

T.H.

Cormen,

C.E.

Leiserson,

R.L.

Rivest and

Stein, Introduction to Algorithms, 3rd edn, MIT Press, Cambridge, MA, USA, 2009.

12.

[12]

M.J.

Covington,

Fogla,

Zhan and

Ahamad, A context-aware security architecture for emerging applications, in: Proceedings of the 18th Annual Computer Security Applications Conference, ACSAC’02, IEEE Computer Society, Washington, DC, USA, 2002, pp. 249–258.

13.

[13]

M.J.

Covington,

Long,

Srinivasan,

A.K.

Dev,

Ahamad and

G.D.

Abowd, Securing context-aware applications using environment roles, in: Proceedings of the 6th ACM Symposium on Access Control Models and Technologies, SACMAT’01, ACM, New York, NY, USA, 2001, pp. 10–20.

14.

[14]

M.L.

Damiani,

Bertino,

Catania and

Perlasca, GEO-RBAC: A spatially aware RBAC, ACM Trans. Inf. Syst. Secur. 10(1) (2007), Article No. 2.

15.

[15]

D.F.

Ferraiolo,

R.S.

Sandhu,

S.I.

Gavrila,

D.R.

Kuhn and

Chandramouli, Proposed NIST standard for role-based access control, ACM Trans. Inf. Syst. Secur. 4(3) (2001), 224–274.

16.

[16]

C.K.

Georgiadis,

Mavridis,

Pangalos and

R.K.

Thomas, Flexible team-based access control using contexts, in: Proceedings of the 6th ACM Symposium on Access Control Models and Technologies, SACMAT’01, 2001, pp. 21–27.

17.

[17]

Giuri and

Iglio, Role templates for content-based access control, in: Second ACM Workshop on Role-Based Access Control, 1997, pp. 153–159.

18.

[18]

Joshi,

Bertino and

Ghafoor, An analysis of expressiveness and design issues for the generalized temporal role-based access control model, IEEE Trans. Dependable Sec. Comput. 2(2) (2005), 157–175.

19.

[19]

Joshi,

Bertino,

Latif and

Ghafoor, A generalized temporal role-based access control model, IEEE Trans. Knowl. Data Eng. 17(1) (2005), 4–23.

20.

[20]

Kulkarni and

Tripathi, Context-aware role-based access control in pervasive computing systems, in: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, SACMAT’08, 2008, pp. 113–122.

21.

[21]

Kulkarni and

A.R.

Tripathi, A framework for programming robust context-aware applications, IEEE Trans. Software Eng. 36(2) (2010), 184–197.

22.

[22]

O.G.

Morchon and

Wehrle, Efficient and context-aware access control for pervasive medical sensor networks, in: PerCom Workshops, IEEE, 2010, pp. 322–327.

23.

[23]

O.G.

Morchon and

Wehrle, Modular context-aware access control for medical sensor networks, in: Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, SACMAT’10,

Carminati and

Joshi, eds, 2010, pp. 129–138.

24.

[24]OASIS Consortium, Core and hierarchical role based access control (RBAC) profile of XACML v2.0, available at: https://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf.

25.

[25]OASIS Consortium, Extensible access control markup language (XACML), v. 2.0.

26.

[26]OpenGIS Consortium, Geography Markup Language (GML) simple features profile, available at: http://www.opengeospatial.org/standards/gml.

27.

[27]OpenGIS Consortium, Geospatial eXtensible Access Control Markup Language (GeoXACML) v 1.0, available at: http://www.opengeospatial.org/standards/geoxacml.

28.

[28]OpenGIS Consortium, GeoXACML implementation specification – Extension B (GML3) encoding, available at: http://www.opengeospatial.org/standards/gml.

29.

[29]OpenGIS Consortium, Implementation Standard for Geographic information – Simple feature access – Part 1: Common architecture, available at: http://www.opengeospatial.org/standards/sfa.

30.

[30]

Osborne (ed.), Fifth ACM Workshop on Role-Based Access Control, ACM, New York, NY, USA, 2000.

31.

[31]

Park and

R.S.

Sandhu, The UCON_ABC usage control model, ACM Trans. Inf. Syst. Secur. 7(1) (2004), 128–174.

32.

[32]

Ray,

Kumar and

Yu, LRBAC: A location-aware role-based access control model, in: ICISS,

Bagchi and

Atluri, eds, LNCS, Vol. 4332, Springer, 2006, pp. 147–161.

33.

[33]

Ray and

Toahchoodee, A spatio-temporal role-based access control model, in: Data and Applications Security XXI,

Barker and

G.-J.

Ahn, eds, LNCS, Vol. 4602, Springer, Berlin, 2007, pp. 211–226.

34.

[34]

Ray and

Toahchoodee, A spatio-temporal access control model supporting delegation for pervasive computing applications, in: Trust, Privacy and Security in Digital Business, LNCS, Vol. 5185, Springer, Berlin, 2008, pp. 48–58.

35.

[35]

Sampemane,

Naldurg and

R.H.

Campbell, Access control for active spaces, in: Proceedings of the 18th Annual Computer Security Applications Conference, ACSAC’02, IEEE Computer Society, Washington, DC, USA, 2002, p. 343.

36.

[36]

R.S.

Sandhu, Role hierarchies and constraints for lattice-based access controls, in: ESORICS,

Bertino,

Kurth,

Martella and

Montolivo, eds, LNCS, Vol. 1146, Springer, Berlin, 1996, pp. 65–79.

37.

[37]

R.S.

Sandhu (ed.), Second ACM Workshop on Role-Based Access Control, ACM, New York, NY, USA, 1997.

38.

[38]

R.S.

Sandhu (ed.), Third ACM Workshop on Role-Based Access Control, ACM, New York, NY, USA, 1998.

39.

[39]

R.S.

Sandhu,

E.J.

Coyne,

H.L.

Feinstein and

C.E.

Youman, Role-based access control models, IEEE Computer 29(2) (1996), 38–47.

40.

[40]

Strembeck and

Neumann, An integrated approach to engineer and enforce context constraints in RBAC environments, ACM Trans. Inf. Syst. Secur. 7(3) (2004), 392–427.

41.

[41]Sun Microsystems, Sun’s xacml implementation, available at: http://sunxacml.sourceforge.net.

42.

[42]

Turkmen and

Crispo, Performance evaluation of XACML PDP implementations, in: Proceedings of the 2008 ACM Workshop on Secure Web Services, SWS’08, ACM, New York, NY, USA, 2008, pp. 37–44.

43.

[43]Vivid Solutions, JTS topology suite, available at: http://www.vividsolutions.com/jts/jtshome.htm.

44.

[44]XACML enterprise, available at: http://code.google.com/p/enterprise-java-xacml/.

45.

[45]XACML light, available at: http://sourceforge.net/projects/xacmllight/.