Automated Certification of Authorisation Policy Resistance

Authors

  • Andreas Griesmayer
  • Charles Morisset
Abstract

Attribute-based Access Control (ABAC) extends traditional Access Control by considering an access request as a set of attribute name-value pairs, making it particularly useful in the context of open and distributed systems, where security-relevant information can be collected from different sources. However, ABAC enables attribute hiding attacks, allowing an attacker to gain some access by withholding information. In this paper, we first introduce the notion of policy resistance to attribute hiding attacks. We then propose the tool ATRAP (Automatic Term Rewriting for Authorisation Policies), based on the recent formal ABAC language PTaCL, which first automatically searches for resistance counter-examples using Maude, and then automatically searches for an Isabelle proof of resistance. We illustrate our approach with two simple examples of policies and present an evaluation of ATRAP's performance.

Similar resources

Management Policy Service for Distributed Systems

Interpreting policy in automated managers facilitates the dynamic change of behaviour of a distributed management system by simply changing policies. This paper describes a management policy notation which can be used to define both authorisation policies (what activities a manager is permitted to do) and obligation policies (the activities a manager must perform). Some example policy specifica...


Certificate Policy Tool for Automated Cross-Certification

One of the main PKI problems is currently the lack of interoperability at international level, which is greatly dependent on the automation of the cross-certification procedure using Certificate Policies (CP). This paper addresses the above-mentioned need by presenting an XML-based tool for the automated development and comparison of CPs, with main emphasis on healthcare environments. The CP to...


BP-XACML an Authorisation Policy Language for Business Processes

XACML has become the de facto standard for enterprise-wide, policy-based access control. It is a structured, extensible language that can express and enforce complex access control policies. There have been several efforts to extend XACML to support specific authorisation models, such as the OASIS RBAC profile to support Role Based Access Control. A number of proposals for authorisation models th...


Resolving Policy Conflicts - Integrating Policies from Multiple Authors

In this paper we show that the static conflict resolution strategy of XACML is not always sufficient to satisfy the policy needs of an organisation where multiple parties provide their own individual policies. Different conflict resolution strategies are often required for different situations. Thus combining one or more sets of policies into a single XACML ‘super policy’ that is evaluated by a...


Authorisation in Grid computing

This paper briefly surveys how authorisation in Grid computing has evolved during the last few years, and presents the latest developments in which Grid applications can utilise a policy controlled authorisation infrastructure to make decisions about which users are allowed to perform which actions on which Grid resources. The paper describes the Global Grid Forum SAML interface for connecting ...



Publication date: 2013