Security Analysis and Administrative Insider Threat Assessment in Role-Based Access Control
Author
Somesh Jha, Ninghui Li, Mahesh Tripunitara, Qihua Wang, William Winsborough
Tech report number
CERIAS TR 2005-77
Abstract
Specifying and managing access control policies is a challenging problem. We propose to develop
formal verification techniques for access control policies to improve the current state of the art of policy
specification and management. In this paper, we formalize classes of security analysis and administrative
insider threat assessment problems in the context of Role-Based Access Control. We show that
in general these problems are PSPACE-complete. We also study the factors that contribute to the
computational complexity by considering a lattice of various subcases of the problem with different
restrictions. We show that several subcases remain PSPACE-complete, several further restricted subcases
are NP-complete, and identify two subcases that are solvable in polynomial time. We also discuss
our experiences and findings from experimentations that use existing formal method tools, such as model
checking and logic programming, for addressing these problems.
School
University of Wisconsin at Madison, Purdue University, University of Texas at San Antonio
Publication Date
2006-01-31