The Center for Education and Research in Information Assurance and Security (CERIAS)

Security Analysis and Administrative Insider Threat Assessment in Role-Based Access Control

Author

Somesh Jha, Ninghui Li, Mahesh Tripunitara, Qihua Wang, William Winsborough

Tech report number

CERIAS TR 2005-77

Entry type

article

Abstract

Specifying and managing access control policies is a challenging problem. We propose to develop formal verification techniques for access control policies to improve the current state of the art of policy specification and management. In this paper, we formalize classes of security analysis and administrative insider threat assessment problems in the context of Role-Based Access Control. We show that in general these problems are PSPACE-complete. We also study the factors that contribute to the computational complexity by considering a lattice of various subcases of the problem with different restrictions. We show that several subcases remain PSPACE-complete, several further restricted subcases are NP-complete, and identify two subcases that are solvable in polynomial time. We also discuss our experiences and findings from experimentations that use existing formal method tools, such as model checking and logic programming, for addressing these problems.

Date

2006-01-31

Key alpha

access control

School

University of Wisconsin at Madison, Purdue University, University of Texas at San Antonio

Publication Date

2006-01-31
