Abstract
Separation-of-duty (SoD) is widely considered to be a fundamental principle in computer security. A static SoD (SSoD) policy states that in order to have all permissions necessary to complete a sensitive task, the cooperation of at least a certain number of users is required. Role-based access control (RBAC) is today's dominant access-control model. It is widely believed that one of RBAC's main strengths is that it enables the use of constraints to support policies such as separation-of-duty. In the literature on RBAC, statically mutually exclusive roles (SMER) constraints are used to enforce SSoD policies. In this paper, we formulate and study fundamental computational problems related to the use of SMER constraints to enforce SSoD policies. We show that directly enforcing SSoD policies is intractable (coNP-complete), while checking whether an RBAC state satisfies a set of SMER constraints is efficient; however, verifying whether a given set of SMER constraints enforces an SSoD policy is also intractable (coNP-complete). We discuss the implications of these results. We also show how to generate SMER constraints that are as accurate as possible for enforcing an SSoD policy.
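The three decision problems named in the abstract, as an added Python example that is not from the paper or its authors. It uses the standard definitions: an SSoD policy ⟨P, k⟩ is satisfied when no k-1 users together hold every permission in P (so at least k users must cooperate), and an SMER constraint ⟨R, t⟩ is satisfied when no user is a member of t or more of the roles in R. The RBAC state (roles, permission assignment PA, user assignment UA), the user and role names and the purchasing task are all constructed here; role hierarchies are ignored, and the enforcement check treats the permission assignment as fixed, both of which are this example's assumptions. The SMER check is a single polynomial pass, while the other two checks are written as the brute-force searches that the coNP-completeness results say cannot, in general, be avoided.

```python
from itertools import combinations, product

# Constructed toy RBAC state (not from the paper): a purchasing task that
# should require three different people to create, approve and pay an order.
PA = {  # role -> permissions it grants (fixed permission assignment)
    "Clerk":   {"create_order"},
    "Manager": {"approve_order"},
    "Finance": {"issue_payment"},
    "Auditor": {"audit"},
}
UA = {  # user -> roles (no role hierarchy: an assumption of this example)
    "alice": {"Clerk"},
    "bob":   {"Manager", "Finance"},
    "carol": {"Auditor"},
}

# SSoD policy <P, k>: completing the task needs at least k=3 cooperating users.
POLICY = ({"create_order", "approve_order", "issue_payment"}, 3)

# Two candidate SMER constraint sets, each a list of <R, t> pairs.
WEAK = [({"Clerk", "Manager"}, 2)]                     # 2-out-of-2 on two roles
STRONG = [({"Clerk", "Manager", "Finance"}, 2)]        # 2-out-of-3: pairwise exclusive


def user_permissions(ua, pa, user):
    """All permissions a user holds through any of their roles."""
    return set().union(*(pa.get(r, set()) for r in ua.get(user, set())))


def satisfies_ssod(ua, pa, policy):
    """True iff no k-1 users together hold every permission in P.

    Enumerates every (k-1)-subset of users, which is exponential in k; the
    abstract states that this problem is coNP-complete in general.
    """
    perms, k = policy
    for group in combinations(list(ua), k - 1):
        held = set().union(*(user_permissions(ua, pa, u) for u in group))
        if set(perms) <= held:
            return False
    return True


def satisfies_smer(ua, constraints):
    """True iff no user is a member of t or more roles of any constraint <R, t>.

    One pass over users x constraints: polynomial time, as the abstract says.
    """
    for roles in ua.values():
        for rset, t in constraints:
            if len(roles & set(rset)) >= t:
                return False
    return True


def smer_enforces_ssod(pa, constraints, policy):
    """Do the constraints enforce the policy for this fixed PA?

    Enforcement means every state that satisfies the constraints also
    satisfies the policy. A violation involves only k-1 colluding users, so it
    suffices to try every assignment of a role subset to each of k-1 users:
    (2^|roles|)^(k-1) candidates, exponential again. Returns (True, None) if
    enforced, otherwise (False, counterexample_ua).
    """
    perms, k = policy
    roles = sorted(pa)
    subsets = [frozenset(c) for n in range(len(roles) + 1)
               for c in combinations(roles, n)]
    for assignment in product(subsets, repeat=k - 1):
        ua = {f"u{i}": set(s) for i, s in enumerate(assignment)}
        if satisfies_smer(ua, constraints) and not satisfies_ssod(ua, pa, policy):
            return False, ua
    return True, None


if __name__ == "__main__":
    # bob alone approves and pays; with alice he completes the whole task.
    print("state satisfies SSoD:", satisfies_ssod(UA, PA, POLICY))          # False
    print("state satisfies WEAK:", satisfies_smer(UA, WEAK))                 # True
    print("state satisfies STRONG:", satisfies_smer(UA, STRONG))             # False
    for name, cs in (("WEAK", WEAK), ("STRONG", STRONG)):
        ok, ce = smer_enforces_ssod(PA, cs, POLICY)
        print(f"{name} enforces policy: {ok}", "" if ok else f"counterexample {ce}")
```

The run shows why the gap between the two checks matters in practice: the constructed state violates the SSoD policy, yet it passes the cheap WEAK constraint check, because WEAK separates only Clerk from Manager and lets one user hold Manager and Finance. STRONG catches the state and, by the enforcement search, rules out every such state for this permission assignment. Tuning the constraint set so that it is neither too weak (misses violations) nor needlessly restrictive is exactly the precision question the abstract raises.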
Title
On mutually exclusive roles and separation-of-duty