FORBAC ETH
1. ANALYZING FIRST ORDER ROLE BASED ACCESS CONTROL
BY CARLOS COTRINI, THILO WEGHORN, DAVID BASIN AND MANUEL CLAVEL
Presenter:
JINANK JAIN
ETH Zurich
Seminar: Current Topics in Information Security
4. ROLE BASED ACCESS CONTROL
Simpler and Cleaner Role Based Access Control
Source: https://hitachi-id.com
5. ROLE BASED ACCESS CONTROL
Role-based access control (RBAC) is a popular access control model for
specifying policies in large organizations.
Unlike access control policies that assign permissions directly to subjects, RBAC
associates permissions with roles within an organization.
A role is a collection of job functions (e.g. president, manager, trainer,
teller, auditor, janitor).
7. CONTRIBUTIONS
FORBAC is a framework that tries to find a sweet spot between
expressiveness in policy specification and efficiency in policy analysis
for first-order RBAC.
(Figure: FORBAC positioned on a scale between Expressiveness and Efficiency)
8. CONTRIBUTIONS
Expressiveness
• Specifying policies in full First Order Logic (FOL) makes them
really challenging to analyze.
• FORBAC uses an expressive fragment of FOL for policy
specification.
• It allows simple policies of the form:
P1(x) ∧ … ∧ Pk(x) ∧ ¬Q1(x) ∧ … ∧ ¬Qn(x)
9. CONTRIBUTIONS
Efficiency
• Deciding the satisfiability of a FORBAC formula is NP-Complete
• Why NP-Complete?
• Satisfiability of a FORBAC formula can be reduced to the
Boolean satisfiability problem.
• If there is a model satisfying a FORBAC-formula, then there is a
model that is polynomial in the size of the formula.
10. DEFINITION OF FORBAC SIGNATURE
A FORBAC signature is a triple Σ = (S, A1, A2) where
S = S_RBAC ∪ {Integer, String}
S_RBAC = {Users, Roles1, Roles2, …, RolesT, Perms}
A1 denotes the single-valued attributes
A2 denotes the set-valued attributes
11. USER ASSIGNMENTS (UA)
Users are assigned roles according to their attribute values.
Attributes can be single-valued or set-valued.
The assignment of role instances to users is defined by a family of FORBAC
formulas, one per role template R:
UA = {UA_R(u, r) : R ∈ RT(Σ)}
Example: Consider a bank which has two types of account: Student and
Employee.
UA_student(u, r) ≡ (age(u) ≤ 25 ∧ country(r) = nationality(u), “USA”)
UA_employee(u, r) ≡ (salary(u) > $1500 ∧ limit(r) = salary(u))
12. PERMISSION ASSIGNMENTS (PA)
Roles are assigned permissions according to their attribute values.
The assignment of permissions to role instances is defined by a family of
FORBAC formulas, one per role template R:
PA = {PA_R(r, p) : R ∈ RT(Σ)}
Example: Consider a bank which has two types of account: Student and
Employee.
PA_student(r, p) ≡ (action(p) ∈ “withdraw” ∧ amount(p) ≤ 1000 ∧ location ∈
13. FORBAC POLICIES
A FORBAC-policy is a triple (Σ, UA, PA) where
Σ is a FORBAC-signature,
UA is a user assignment specification, and
PA is a permission assignment specification.
15. POLICY ANALYSIS QUERIES (PAQ)
Authorization Inspection can be used to verify that a policy does
not grant undesired access.
Assignment Simplification can be used to identify redundancies in the
user-role assignment relation.
Role Subsumption can be used to identify relationships between
roles.
Redundant Assignments can be used to identify implicit
redundancies of roles.
16. POLICY ANALYSIS IN FORBAC
(Figure: control flow in FORBAC. A policy together with a PAQ is translated into a FORBAC formula Ψ, which is passed to an SMT solver; the solver returns a counter-model if one exists.)
17. AUTHORIZATION INSPECTION
This can be used to verify that a FORBAC-policy does not grant undesired
access, for example:
• Does there exist an accountant who has access to balance
sheets and can make fraudulent changes on
them?
• Does there exist a developer who can change the source code
of the payment transaction process?
• Does there exist an employee at Google who can read personal
18. AUTHORIZATION INSPECTION
Does there exist an accountant who has access to balance sheets and can make
fraudulent changes on them?
(Figure: a user with job: accountant holds two permissions on Balance Sheets: "Access balance sheets" and "Update balance sheets for fraudulent activity".)
19. AUTHORIZATION INSPECTION
ψu(u) ≡ job(u) = accountant
Ψ1(p1) ≡ action(p1) = read ∧ target(p1) = balance sheets
Ψ2(p2) ≡ action(p2) = update ∧ target(p2) = balance sheets
Does there exist an accountant who has access to balance sheets and
can make fraudulent changes on them?
21. ASSIGNMENT SIMPLIFICATION
This can be used to identify redundancies in FORBAC formulas.
Example: a customer's category decides which permissions (Special Discounts, Special baby care kit) the customer receives.
UA-Rule 1: If age < 3 then customer.category = infant
UA-Rule 2: If age == 2 and height == 1m then customer.category = infant
Every customer matched by UA-Rule 2 is already matched by UA-Rule 1, so UA-Rule 2 is redundant.
26. LIMITATION OF FORBAC
Expressiveness
• Rule-based RBAC
• Numeric and string-valued attributes
• No transitive closure
• No multi-valued decisions
Efficiency
• Manageable in daily business
• Low complexity
• Policy equivalence
• Conflict detection
27. EXPERIMENTAL RESULTS
Analyzed the access control policies of 10 out of 350 applications of a major
European bank.
Each policy manages the access of 3490 – 85949 users.
The size of the policies ranges between 2,000 – 300,000 occurrences of atomic
sub-formulas.
28. EXPERIMENTAL RESULTS
Policy App1 App2 App3 App4 App5 App6 App7 App8 App9 App10
AI 357.87 >360 >360 >360 2.98 1.85 3.52 32.69 38.02 0.30
AS 0.61 0.63 0.57 0.54 NA 0.75 0.87 0.5 0.49 NA
RS 0.53 0.55 0.43 0.43 0.45 0.47 0.46 0.47 0.47 0.44
RA 0.73 0.47 0.46 0.49 NA 0.58 0.53 0.59 0.49 NA
Average time (in seconds) needed by Z3 per query; ">360" marks a timeout, "NA" means the query does not apply to that policy.
AI: Authorization Inspection
AS: Assignment Simplification
RS: Role Subsumption
RA: Redundant Assignment
30. MARGRAVE: POLICY SPECIFICATION & ANALYSIS FRAMEWORK
Positive Aspects:
It computes an exhaustive set of counterexamples if the policy is
violated. In contrast, FORBAC computes only one
counterexample.
It supports reasoning about the combined effects of policies
written in different configuration languages.
31. MARGRAVE: POLICY SPECIFICATION & ANALYSIS FRAMEWORK
Negative Aspects:
Margrave cannot reason about integer constraints and therefore
cannot express policies that FORBAC can, like “Alice can read a file if her
clearance level is greater than the file's clearance level”.
Margrave does not support set-valued attributes, so
everything has to be mentioned explicitly. This makes Margrave
difficult to maintain.
32. ATHENA + YICES
Positive Aspects:
Merges functional programming with first-order logic for both
policy specification and property verification.
In contrast to FORBAC, their language can express arithmetic
constraints and they can reason about XACML policies.
Athena+Yices can reason about arithmetic constraints.
33. ATHENA + YICES
Negative Aspects:
It cannot deal with set-valued attributes.
It does not allow quantification when specifying policies.
The authors do not provide complexity bounds for their policy analysis. In
contrast, FORBAC ensures that policy analysis is in NP.
34. FUTURE WORK
Extend FORBAC with role hierarchies, which define a partial order on a set of
roles.
Extend FORBAC with two types of constraints: static and dynamic
separation-of-duty constraints, and cardinality constraints.
35. SOME COMMENTS
Strong Points
Everything is formally proven with respect to policy analysis complexity.
The paper provides a balance between expressiveness and efficiency.
The theory has been validated with experiments, illustrating the
applicability of FORBAC in realistic scenarios.
Weak Points
The mathematical formulation in some sections is really complicated to
understand and could have been simplified.
Some examples are not precise. Better analogies could have been used to
make them clearer.
40. ASSIGNMENT SIMPLIFICATION FORMULA
To check whether a FORBAC formula Ψ(x1, x2, …, xk) is equivalent to another formula
Ψ′(x1, x2, …, xk), one determines whether the following
formula is valid:
∀x1, x2, …, xk. Ψ(x1, x2, …, xk) ⟷ Ψ′(x1, x2, …, xk)
This is equivalent to determining whether the following existential FORBAC
formula is unsatisfiable:
∃x1, x2, …, xk. ¬(Ψ(x1, x2, …, xk) ⟷ Ψ′(x1, x2, …, xk))
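The counter-model search behind the authorization inspection query (slides 17–19) and the assignment simplification check (slides 21 and 40), as an added Python illustration that is not the paper's or the presentation's code. FORBAC hands the formula built from a policy and a query to an SMT solver (Z3 in the experiments); here a brute-force search over constructed finite attribute domains stands in for the solver, and the toy policy, the role name Auditor and the attribute domains are assumptions made for this example.

```python
from itertools import product

# Constructed toy policy (not the bank policies analysed in the paper).
JOBS = ("accountant", "developer")
ACTIONS = ("read", "update")
TARGETS = ("balance sheets", "source code")

def ua_auditor(u):        # UA formula: accountants get the (assumed) Auditor role
    return u["job"] == "accountant"

def pa_auditor(p):        # PA formula: Auditor gets every permission on balance sheets
    return p["target"] == "balance sheets"

def users():
    return ({"job": j} for j in JOBS)
def perms():
    return ({"action": a, "target": t} for a, t in product(ACTIONS, TARGETS))

def authorization_inspection():
    """Slide 19 query: an accountant u holding p1 (read balance sheets) and
    p2 (update balance sheets). Returns the counter-model (u, p1, p2) or None."""
    for u, p1, p2 in product(users(), perms(), perms()):
        if not (ua_auditor(u) and pa_auditor(p1) and pa_auditor(p2)):
            continue      # this triple is not authorised by the policy
        if (p1["action"] == "read" and p1["target"] == "balance sheets"
                and p2["action"] == "update" and p2["target"] == "balance sheets"):
            return u, p1, p2
    return None           # query formula unsatisfiable: no undesired access

# Slide 40: Psi and Psi' are equivalent iff "exists x. not(Psi(x) <-> Psi'(x))" is
# unsatisfiable, i.e. the search for a distinguishing x comes back empty.
AGES = range(0, 6)
HEIGHTS = (0.5, 1.0, 1.5)   # metres; constructed finite domain

def rule1(c):             # UA-Rule 1: age < 3 -> category infant
    return c["age"] < 3
def rule2(c):             # UA-Rule 2: age == 2 and height == 1m -> category infant
    return c["age"] == 2 and c["height"] == 1.0

def customers():
    return ({"age": a, "height": h} for a, h in product(AGES, HEIGHTS))

def counter_model(psi, psi_prime, domain):
    """First x in domain with psi(x) != psi_prime(x); None means equivalent."""
    return next((x for x in domain if psi(x) != psi_prime(x)), None)

def rule2_is_redundant():
    """Rule 2 adds nothing iff (Rule1 or Rule2) is equivalent to Rule1 alone."""
    return counter_model(lambda c: rule1(c) or rule2(c), rule1, customers()) is None
```

Because every attribute here ranges over a small finite set that is enumerated completely, the exhaustive search is sound for this toy policy; the SMT solver is what makes the same check feasible for the integer- and string-valued attributes of real policies.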
41. ROLE SUBSUMPTION FORMULA
Let R1 and R2 be two role templates. We say that R1 subsumes R2 if R1 expands
R2 and the following formula is valid:
∀r1: R1, r2: R2. (⋀_{f : R2 ⟶ W} f(r1) = f(r2)) ⟶ ∀p. (PA_R2(r2, p) ⟶ PA_R1(r1, p))
Here f ranges over the attributes of type R2 ⟶ W, with W ∈ {String, Integer}.
The formula says the following: let r1 and r2 be two role instances of R1 and
R2 respectively. If f(r1) = f(r2) for every attribute f of type R2 ⟶ W, then
every permission assigned to r2 is also assigned to r1.
Editor's Notes
Security breaches:
Improperly configured firewall
Unauthorised database access
Access to insider information, e.g. at banks
The most commonly used method to stop such security breaches is access control:
users are assigned some authorities/permissions.
In such a complex system it is easy to find a way around the mechanism and exploit the system.
To simplify the access control mechanism,
RBAC comes into the picture.