Safety Decidability for Pre-Authorization Usage Control with Identifier Attribute Domains

Bibliographic Details
Published in IEEE transactions on dependable and secure computing Vol. 17; no. 3; pp. 465 - 478
Main Authors Rajkumar, P. V., Sandhu, Ravi
Format Journal Article
Language English
Published Washington IEEE 01.05.2020
IEEE Computer Society
Summary: Safety analysis is a fundamental problem in authorization models. Safety decidable models provide theoretical foundations for decentralized security administration. Attributes of objects are central to usage control authorization models. It has previously been shown that inclusion of a single infinite attribute leads to undecidable safety, even without any creation of objects. Therefore unrestricted inclusion of infinite attributes is not possible in a safety decidable model. On the other hand, it has recently been shown that the safety problem for the pre-authorization usage control sub-model with finite attribute domains, called $PreUCON_A^{finite}$, is decidable even with unbounded object creation. A major limitation of finite attributes is the inability to link objects through attribute values in presence of unbounded object creation (since attributes that reference other objects must be infinite in this case). It would be desirable to have safety-decidable attribute-based models which include both finite and infinite attributes (necessarily with some restrictions).
This paper develops a pre-authorization usage control sub-model, called $PreUCON_A^{id}$, with attribute domains solely comprised of infinite object identifiers with considerable restrictions on how these attributes can be updated. Safety decidability for $PreUCON_A^{id}$ is proved by defining the notion of $\omega$-equivalent usage configurations, and showing that the reachable set of $\omega$-equivalent usage configurations is computable and can be used to answer safety questions. The utility of such models in practice is illustrated by means of an example.
The paper further shows that addition of even a single finite domain attribute to $PreUCON_A^{id}$ results in undecidable safety. These results indicate that combining finite and infinite attributes in a safety decidable model is a challenging task, which will likely require carefully crafted restrictions on updates to these attributes. The formulation of such a model remains an important open question.
ISSN: 1545-5971, 1941-0018
DOI:10.1109/TDSC.2018.2839745