On missing attributes in access control: non-deterministic and probabilistic attribute retrieval

J. Crampton, C. Morisset, N. Zannone

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review

15 Citations (Scopus)
3 Downloads (Pure)

Abstract

Attribute Based Access Control (ABAC) is becoming the reference model for the specification and evaluation of access control policies. In ABAC, policies and access requests are defined in terms of attribute name/value pairs. The applicability of an ABAC policy to a request is determined by matching the attributes in the request with the attributes in the policy. Some languages supporting ABAC, such as PTaCL or XACML 3.0, take into account the possibility that some attribute values might not be correctly retrieved when the request is evaluated, and use complex decisions, usually describing all possible evaluation outcomes, to account for missing attributes. In this paper, we argue that the problem of missing attributes in ABAC can be seen as a non-deterministic attribute retrieval process, and we show that the current evaluation mechanism in PTaCL or XACML can return a complex decision that does not necessarily match the set of actually possible outcomes. This is problematic for the enforcement mechanism, which needs to resolve the complex decision into a conclusive one. We propose a new evaluation mechanism, explicitly based on non-deterministic attribute retrieval for a given request. We extend this mechanism to probabilistic attribute retrieval and implement a probabilistic policy evaluation mechanism for PTaCL in PRISM, a probabilistic model-checker.
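The mismatch the abstract describes, as an added illustration (not the paper's PTaCL or XACML semantics, and not the authors' code): a constructed policy over finite attribute domains is evaluated three ways, by enumerating every completion of the missing attributes (non-deterministic retrieval), by propagating a per-atom "unknown" value through the connectives (a simplified stand-in for a complex decision), and by weighting the completions with a constructed prior (probabilistic retrieval). The request with `role` missing shows the atom-wise result `{permit, deny}` while the only reachable outcome is `permit`.

```python
from itertools import product
from fractions import Fraction

# Constructed toy setting: each attribute has a finite candidate domain; a request may
# omit an attribute (retrieval failed), in which case its true value is any domain value.
DOMAIN = {"role": ("doctor", "nurse"), "ward": ("icu", "er")}
# Policy: permit if any clause (a conjunction of attribute == value atoms) holds, else deny.
POLICY = [[("role", "doctor")], [("role", "nurse"), ("ward", "icu")]]

def evaluate(attrs):
    """Deterministic decision once every attribute value is known."""
    permit = any(all(attrs[a] == v for a, v in clause) for clause in POLICY)
    return "permit" if permit else "deny"

def completions(request):
    """Yield (probability-free) full requests for every way the missing attributes could be filled."""
    missing = [a for a in DOMAIN if a not in request]
    for vals in product(*(DOMAIN[a] for a in missing)):
        yield dict(zip(missing, vals)), {**request, **dict(zip(missing, vals))}

def exact_decisions(request):
    """Non-deterministic retrieval: the set of decisions reachable over all completions."""
    return {evaluate(full) for _, full in completions(request)}

def atom_wise_decisions(request):
    """Simplified complex decision: an atom over a missing attribute is unknown (None) and
    unknown propagates through and/or (Kleene logic); unknown at the top means {permit, deny}."""
    def atom(a, v):
        return None if a not in request else request[a] == v
    def k_and(xs):
        return False if False in xs else (None if None in xs else True)
    def k_or(xs):
        return True if True in xs else (None if None in xs else False)
    r = k_or([k_and([atom(a, v) for a, v in clause]) for clause in POLICY])
    return {"permit", "deny"} if r is None else {"permit" if r else "deny"}

def decision_distribution(request, prior):
    """Probabilistic retrieval: prior[attr][value] is the probability that a missing
    attribute actually has that value; returns the induced distribution over decisions."""
    dist = {"permit": Fraction(0), "deny": Fraction(0)}
    for filled, full in completions(request):
        p = Fraction(1)
        for a, v in filled.items():
            p *= prior[a][v]
        dist[evaluate(full)] += p
    return dist
```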
Original language: English
Title of host publication: 20th ACM Symposium on Access Control Models and Technologies (SACMAT 2015, Vienna, Austria, June 1-3, 2015)
Place of Publication: New York
Publisher: Association for Computing Machinery, Inc
Pages: 99-109
ISBN (Print): 978-1-4503-3556-0
DOIs: https://doi.org/10.1145/2752952.2752970
Publication status: Published - 2015
Event: 20th ACM Symposium on Access Control Models and Technologies (SACMAT 2015) - Vienna, Austria
Duration: 1 Jun 2015 to 3 Jun 2015
Conference number: 20
http://www.sacmat.org/2015/index.php

Conference

Conference: 20th ACM Symposium on Access Control Models and Technologies (SACMAT 2015)
Abbreviated title: SACMAT 2015
Country: Austria
City: Vienna
Period: 1/06/15 to 3/06/15
Internet address: http://www.sacmat.org/2015/index.php


Cite this

Crampton, J., Morisset, C., & Zannone, N. (2015). On missing attributes in access control: non-deterministic and probabilistic attribute retrieval. In 20th ACM Symposium on Access Control Models and Technologies (SACMAT 2015, Vienna, Austria, June 1-3, 2015) (pp. 99-109). Association for Computing Machinery, Inc. https://doi.org/10.1145/2752952.2752970