Abac17 prosun-slides
Download as PPT, PDF1 like135 views
The document presents research on attribute transformation for attribute-based access control. It discusses two types of attribute transformation: attribute reduction, which transforms non-policy attributes into policy attributes, and attribute expansion, which transforms policy attributes into other policy attributes. The goal is to address issues like attribute explosion and enable more flexible authorization policies.
![1010
Attribute Reduction (motivation)
World-Leading Research with Real-World Impact!
Motivation from literature:
2. Concepts of Dynamic
roles by Kuhn, Coyne and
Weil [2]
1. Attribute-Based User-Role
Assignment [1]](https://image.slidesharecdn.com/abac17-prosun-slides-170324082317/85/Abac17-prosun-slides-10-320.jpg)
![Attribute Expansion (motivation)
Motivation from literature:
1. Hierarchical Group and Attribute-Based Access Control [3]
17](https://image.slidesharecdn.com/abac17-prosun-slides-170324082317/85/Abac17-prosun-slides-17-320.jpg)
Abac17 prosun-slides
- 1. 11World-Leading Research with Real-World Impact! Prosunjit Biswas, Ravi Sandhu and Ram Krishnan Department of Computer Science Department of Electrical and Computer Engineering University of Texas, San Antonio Institute for Cyber Security ABAC’17, March 24, 2017, Scottsdale, AZ, USA Attribute Transformation for Attribute-Based Access Control
- 2. 22World-Leading Research with Real-World Impact! Outline Summary Motivation Attribute Transformation Attribute Reduction Attribute Expansion Conclusion Q/A
- 3. 33World-Leading Research with Real-World Impact! Summary We have presented a concept of attribute transformation and specify two types of transformation---attribute reduction and attribute expansion.
- 4. 44World-Leading Research with Real-World Impact! Motivation Attribute explosion! Figure 1: Attributes defined for OpenStack Virtual Machines
- 5. 55World-Leading Research with Real-World Impact! Motivation (continuing) incurs difficulties in managing Attribute Explosion authorization policies attribute-value assignments
- 6. 66World-Leading Research with Real-World Impact! Motivation (continuing) We cannot get rid of attributes we need. But we can manage with Attribute Transformation
- 7. 77World-Leading Research with Real-World Impact! Attribute Transformation (assumptions) Attribute types Non-policy Attributes Policy Attributes Examples: Object attributes (Non-policy): size, created_by, shared, location Object attributes (Policy): sensitivity, security-label Assumptions: Non-policy Attributes Policy Attributes = φ∩ Non-policy Attributes >> Policy Attributes
- 8. 88 Attribute Transformation World-Leading Research with Real-World Impact! Types of attribute transformation Reduction (Non-policy Attr → Policy Attr) Expansion (Policy Attr → Policy Attr) Attribute Transformation is the process of transforming one set of attribute-value assignments into another set of assignments.
- 9. Attribute Reduction The process of transforming non-policy attribute-value assignments into policy attributes-value assignments. 9 size(f1)=100MB created-by(f1) = system-d location(f1)= /log/system-log security-label(f) = sensitiveshared(f1)= false Deriving assignments Derived assignments Effective assignments Non-policy attributes Policy attributes Attribute transformation security-label(f) = sensitive
- 10. 1010 Attribute Reduction (motivation) World-Leading Research with Real-World Impact! Motivation from literature: 2. Concepts of Dynamic roles by Kuhn, Coyne and Weil [2] 1. Attribute-Based User-Role Assignment [1]
- 11. Attribute Reduction (usefulness) Useful for Abstraction Modular design Hierarchical policy 11
- 12. Can-read ≡ security-label(o) = sensitive role(u)=managerʌ VM-mapping ≡ resource-type(o) = VM image-type(o) = corporateʌ → security-label(o) = sensitive Firewall-mapping ≡ resource-type(o) = firewall protocol(o) = UDPʌ ʌ network(o) = internal → security-label(o) = sensitive Attribute Reduction (usefulness) 12 Authorization policy with Policy attributes: Mapping rules with Non-policy Attributes:
- 13. Attribute Reduction (mapping rules) 13 Example of mapping rule: file-length(f) = 100 MB ˄ created-by(f) = system-d is-˄ shared(f) = false → security-label(f) = sensitive
- 14. Attribute Reduction (issues) resource- type(o) = VM encryption(o) = plain security-label(o) = regular resource-type(o) = VM image-type(o) = corporate mapping1 mapping2 Conflicts resulting from multiple mappings 14 security-label(o) = sensitive
- 15. resource-type(o) = VM encryption(o) = plain security-label(o) = regular mapping1 security-label(o) = sensitive Derivedvalue Explicitlyassigned value Attribute Reduction (issues) Conflicts resulting from assigned and derived values 15
- 16. is-a-veteran(u) = True benefits(u) = {b1,b2} skills(u) = {skill1, skill2} Deriving assignments Derived assignments Resulting assignments Policy attributes Policy attributes leadership(u) = True Policy attributes is-a-veteran(u) = True Attribute Expansion Expansion 16 The process of transforming policy attribute-value assignments into a different set of policy attributes-value assignments. skills(u) = {skill1, skill2}
- 17. Attribute Expansion (motivation) Motivation from literature: 1. Hierarchical Group and Attribute-Based Access Control [3] 17
- 18. Conclusion What next? - Other forms of Attribute Transformation - Chain of Attribute Transformation - Fitting Attribute Transformation in ABAC models 18
- 19. References 1. Servos, Daniel, and Sylvia L. Osborn. "HGABAC: Towards a formal model of hierarchical attribute-based access control." International Symposium on Foundations and Practice of Security. Springer International Publishing, 2014. 2. Kuhn, D. Richard, Edward J. Coyne, and Timothy R. Weil. "Adding attributes to role-based access control." Computer 43.6 (2010): 79-81. 3. Servos, Daniel, and Sylvia L. Osborn. "HGABAC: Towards a formal model of hierarchical attribute-based access control." International Symposium on Foundations and Practice of Security. Springer International Publishing, 2014. 19
- 20. 20