PhD Dissertation Defense:Prosunjit Biswas-ABAC Models

Date: April 12, 2017
Time: 10:00 am – 12:00 pm

 

 

 

 

Computer Science Dissertation Defense


"Enumerated Authorization and Policy ABAC Models: Expressive Power and Enforcement"


 

 Prosunjit Biswas

 Wednesday, April 12, 2017

 NPB 3.108A-1

10:00 A.M.- 12:00 P.M.


 

 

 

DISSERTATION COMMITTEE:

Dr. Ravi Sandhu: Supervising Professor

 Dr. Jianwei Niu
Dr. Gregory White
Dr. Palden Lama
Dr. Ram Krishnan

 

 

 

 

 Abstract:

 

Attribute Based Access Control (ABAC) has gained considerable attention from businesses, academia and standards bodies (e.g. NIST and NCCOE ) in recent years. ABAC uses attributes on users, objects and possibly other entities (e.g. context/environment), and specifies rules using these attributes to assert who can have which access permissions (e.g. read/write) on which objects. Although ABAC concepts have been around for over two decades, there remains a lack of well-accepted ABAC models. Recently there has been a resurgence of interest in ABAC due to continued dissatisfaction with the traditional models—notably Role Based Access Control (RBAC),Discretionary Access Control (DAC), and Lattice Based Access Control (LBAC).

 

There are two major techniques stated in the literature for specifying authorization policies in Attribute Based Access Control. The more conventional approach is to define policies by using logical formulas involving attribute values. The alternate technique for expressing policies is by enumeration. While considerable work has been done for the former approach, the later is comparatively less studied.

 

In this dissertation, we conduct a systematic study of Enumerated Authorization Policy (EAP) for ABAC. We have developed a representative, simple EAP ABAC model—EAP-ABAC1,1. For the sake of clarity and emphasis on different elements of the model, we present EAP-ABAC1,1 as a family of models. We have investigated how the defined models are comparable to other existing EAP models. We also demonstrate capability of the defined models by configuring traditional

LBAC and RBAC models in them.

 

We compare theoretical expressive power of EAP based ABAC models to logical-formula authorization policy ABAC models. In this regard, we present a finite-attribute, finite-domain ABAC model for enumerated authorization policies and investigate its relationship with logical-formula authorization policy ABAC models in the finite domain. We show that these models (EAP-ABAC and LAP-ABAC) are equivalent in their theoretical expressive power. We respectively show that

single and multi-attribute ABAC models are equally expressive.

 

As proof-of-concepts, we demonstrate how EAP ABAC models can be enforced in different application contexts. We have designed an enhanced EAP-ABAC1,1 model to protect JSON documents. While most of the existing XML protection model consider only hierarchical structure of underlying data, we additionally identify two more inherent characteristics of data— semantical association and scatteredness and consider them in the design. Finally, we have outlined how EAPABAC 1,1 can be 

Attribute Based Access Control (ABAC) has gained considerable attention from businesses, academia and standards bodies (e.g. NIST and NCCOE ) in recent years. ABAC uses attributes on users, objects and possibly other entities (e.g. context/environment), and specifies rules using these attributes to assert who can have which access permissions (e.g. read/write) on which objects. Although ABAC concepts have been around for over two decades, there remains a lack of well-accepted ABAC models. Recently there has been a resurgence of interest in ABAC due to continued dissatisfaction with the traditional models—notably Role Based Access Control (RBAC),Discretionary Access Control (DAC), and Lattice Based Access Control (LBAC).

 

There are two major techniques stated in the literature for specifying authorization policies in Attribute Based Access Control. The more conventional approach is to define policies by using logical formulas involving attribute values. The alternate technique for expressing policies is by enumeration. While considerable work has been done for the former approach, the later is comparatively less studied.

 

In this dissertation, we conduct a systematic study of Enumerated Authorization Policy (EAP) for ABAC. We have developed a representative, simple EAP ABAC model—EAP-ABAC1,1. For the sake of clarity and emphasis on different elements of the model, we present EAP-ABAC1,1 as a family of models. We have investigated how the defined models are comparable to other existing EAP models. We also demonstrate capability of the defined models by configuring traditional

LBAC and RBAC models in them.

 

We compare theoretical expressive power of EAP based ABAC models to logical-formula authorization policy ABAC models. In this regard, we present a finite-attribute, finite-domain ABAC model for enumerated authorization policies and investigate its relationship with logical-formula authorization policy ABAC models in the finite domain. We show that these models (EAP-ABAC and LAP-ABAC) are equivalent in their theoretical expressive power. We respectively show that

single and multi-attribute ABAC models are equally expressive.

 

As proof-of-concepts, we demonstrate how EAP ABAC models can be enforced in different application contexts. We have designed an enhanced EAP-ABAC1,1 model to protect JSON documents. While most of the existing XML protection model consider only hierarchical structure of underlying data, we additionally identify two more inherent characteristics of data— semantical association and scatteredness and consider them in the design. Finally, we have outlined how EAPABAC 1,1 can be

 

Return