A framework for the extended evaluation of ABAC policies

Charles Morisset; Tim A. C. Willemse; Nicola Zannone

doi:10.1186/s42400-019-0024-0

A framework for the extended evaluation of ABAC policies

Charles Morisset, Tim A. C. Willemse, Nicola Zannone (Corresponding author)

Research output: Contribution to journal › Article › Academic › peer-review

7 Downloads (Pure)

Abstract

A main challenge of attribute-based access control (ABAC) is the handling of missing information. Several studies have shown that the way standard ABAC mechanisms, e.g. based on XACML, handle missing information is flawed, making ABAC policies vulnerable to attribute-hiding attacks. Recent work has addressed the problem of missing information in ABAC by introducing the notion of extended evaluation, where the evaluation of a query considers all queries that can be obtained by extending the initial query. This method counters attribute-hiding attacks, but a naïve implementation is intractable, as it requires an evaluation of the whole query space. In this paper, we present a framework for the extended evaluation of ABAC policies. The framework relies on Binary Decision Diagram (BDDs) data structures for the efficient computation of the extended evaluation of ABAC policies. We also introduce the notion of query constraints and attribute value power to avoid evaluating queries that do not represent a valid state of the system and to identify which attribute values should be considered in the computation of the extended evaluation, respectively. We illustrate our framework using three real-world policies, which would be intractable with the original method but which are analyzed in seconds using our framework.

Original language	English
Article number	6
Number of pages	21
Journal	Cybersecurity
Volume	2
Issue number	1
DOIs	https://doi.org/10.1186/s42400-019-0024-0
Publication status	Published - 2019

Fingerprint

Access control

Binary decision diagrams

Data structures

Cite this

Morisset, C., Willemse, T. A. C., & Zannone, N. (2019). A framework for the extended evaluation of ABAC policies. Cybersecurity, 2(1), [6]. https://doi.org/10.1186/s42400-019-0024-0

Morisset, Charles ; Willemse, Tim A. C. ; Zannone, Nicola. / A framework for the extended evaluation of ABAC policies. In: Cybersecurity. 2019 ; Vol. 2, No. 1.

@article{f49c93f469714f7eb8bfff6c9b7246a2,

title = "A framework for the extended evaluation of ABAC policies",

abstract = "A main challenge of attribute-based access control (ABAC) is the handling of missing information. Several studies have shown that the way standard ABAC mechanisms, e.g. based on XACML, handle missing information is flawed, making ABAC policies vulnerable to attribute-hiding attacks. Recent work has addressed the problem of missing information in ABAC by introducing the notion of extended evaluation, where the evaluation of a query considers all queries that can be obtained by extending the initial query. This method counters attribute-hiding attacks, but a na{\"i}ve implementation is intractable, as it requires an evaluation of the whole query space. In this paper, we present a framework for the extended evaluation of ABAC policies. The framework relies on Binary Decision Diagram (BDDs) data structures for the efficient computation of the extended evaluation of ABAC policies. We also introduce the notion of query constraints and attribute value power to avoid evaluating queries that do not represent a valid state of the system and to identify which attribute values should be considered in the computation of the extended evaluation, respectively. We illustrate our framework using three real-world policies, which would be intractable with the original method but which are analyzed in seconds using our framework.",

author = "Charles Morisset and Willemse, {Tim A. C.} and Nicola Zannone",

year = "2019",

doi = "10.1186/s42400-019-0024-0",

language = "English",

volume = "2",

journal = "Cybersecurity",

issn = "2523-3246",

publisher = "Springer",

number = "1",

}

Morisset, C, Willemse, TAC & Zannone, N 2019, 'A framework for the extended evaluation of ABAC policies', Cybersecurity, vol. 2, no. 1, 6. https://doi.org/10.1186/s42400-019-0024-0

A framework for the extended evaluation of ABAC policies. / Morisset, Charles; Willemse, Tim A. C.; Zannone, Nicola (Corresponding author).

In: Cybersecurity, Vol. 2, No. 1, 6, 2019.

Research output: Contribution to journal › Article › Academic › peer-review

TY - JOUR

T1 - A framework for the extended evaluation of ABAC policies

AU - Morisset, Charles

AU - Willemse, Tim A. C.

AU - Zannone, Nicola

PY - 2019

Y1 - 2019

N2 - A main challenge of attribute-based access control (ABAC) is the handling of missing information. Several studies have shown that the way standard ABAC mechanisms, e.g. based on XACML, handle missing information is flawed, making ABAC policies vulnerable to attribute-hiding attacks. Recent work has addressed the problem of missing information in ABAC by introducing the notion of extended evaluation, where the evaluation of a query considers all queries that can be obtained by extending the initial query. This method counters attribute-hiding attacks, but a naïve implementation is intractable, as it requires an evaluation of the whole query space. In this paper, we present a framework for the extended evaluation of ABAC policies. The framework relies on Binary Decision Diagram (BDDs) data structures for the efficient computation of the extended evaluation of ABAC policies. We also introduce the notion of query constraints and attribute value power to avoid evaluating queries that do not represent a valid state of the system and to identify which attribute values should be considered in the computation of the extended evaluation, respectively. We illustrate our framework using three real-world policies, which would be intractable with the original method but which are analyzed in seconds using our framework.

AB - A main challenge of attribute-based access control (ABAC) is the handling of missing information. Several studies have shown that the way standard ABAC mechanisms, e.g. based on XACML, handle missing information is flawed, making ABAC policies vulnerable to attribute-hiding attacks. Recent work has addressed the problem of missing information in ABAC by introducing the notion of extended evaluation, where the evaluation of a query considers all queries that can be obtained by extending the initial query. This method counters attribute-hiding attacks, but a naïve implementation is intractable, as it requires an evaluation of the whole query space. In this paper, we present a framework for the extended evaluation of ABAC policies. The framework relies on Binary Decision Diagram (BDDs) data structures for the efficient computation of the extended evaluation of ABAC policies. We also introduce the notion of query constraints and attribute value power to avoid evaluating queries that do not represent a valid state of the system and to identify which attribute values should be considered in the computation of the extended evaluation, respectively. We illustrate our framework using three real-world policies, which would be intractable with the original method but which are analyzed in seconds using our framework.

U2 - 10.1186/s42400-019-0024-0

DO - 10.1186/s42400-019-0024-0

M3 - Article

VL - 2

JO - Cybersecurity

JF - Cybersecurity

SN - 2523-3246

IS - 1

M1 - 6

ER -

Morisset C, Willemse TAC , Zannone N. A framework for the extended evaluation of ABAC policies. Cybersecurity. 2019;2(1). 6. https://doi.org/10.1186/s42400-019-0024-0

Access to Document

10.1186/s42400-019-0024-0

publishers versionFinal published version, 1.32 MB