research-article

Proactive Risk Assessment for Preventing Attribute-Forgery Attacks to ABAC Policies

Authors:

Carlos E. Rubio-Medrano,

Luis Claramunt,

Shaishavkumar Jogani,

Gail-Joon AhnAuthors Info & Claims

SACMAT '20: Proceedings of the 25th ACM Symposium on Access Control Models and Technologies

Pages 131 - 144

https://doi.org/10.1145/3381991.3395615

Published: 10 June 2020 Publication History

Abstract

Recently, the use of well-defined, security-relevant pieces of runtime information, a.k.a., attributes, has emerged as a convenient paradigm for writing, enforcing, and maintaining authorization policies, allowing for extended flexibility and convenience. However, attackers may try to bypass such policies, along with their enforcement mechanisms, by maliciously forging the attributes listed on them, e.g., by compromising the attribute sources : operative systems, software modules, remote services, etc., thus gaining unintended access to protected resources as a result. In such a context, performing a proper risk assessment of authorization policies, taking into account their inner structure: rules, attributes, combining algorithms, etc., along with their corresponding sources, becomes highly convenient to overcome \emphzero-day vulnerabilities, before they can be later exploited by attackers. With this in mind, we introduce \toolname, an automated risk assessment framework for authorization policies, which, besides being inspired by well-established techniques for vulnerability analysis such as symbolic execution, also introduces the very first approach for proactively assessing risks in the context of a series of attacks based on unintended attribute manipulation via forgery. We validate our approach by resorting to a set of case studies we performed on both real-life policies originally written in the English language, as well as a set of policies obtained from the literature, which show not only the convenience of our approach for risk assessment, but also reveal that some of those policies are vulnerable to attribute-forgery attacks by just compromising one or two of their attributes.

References

[1]

AT&T. 2020. XACML 3.0 . https://github.com/att/XACML . (2020).

[2]

T. Aven. 2007. A unified framework for risk and vulnerability analysis covering both safety and security . Reliability Eng. and Sys. Safety, Vol. 92, 6 (2007), 745--754.

[3]

S. Bhatt, F. Patwa, and R. Sandhu. 2017. ABAC with Group Attributes and Attribute Hierarchies Utilizing the Policy Machine. In Proc. of the 2nd ACM Workshop on Attribute-Based Access Control (ABAC '17). ACM, 17--28.

[4]

K. Z. Bijon, R. Krishnan, and R. Sandhu. 2012. Risk-Aware RBAC Sessions .Springer Berlin Heidelberg.

[5]

L. Bilge and T. Dumitras. 2012. Before We Knew It: An Empirical Study of Zero-day Attacks in the Real World. In Proc. of the 2012 ACM Conf. on Computer and Communications Security (CCS '12). ACM, 833--844.

[6]

D. Brossard, G. Gebel, and M. Berg. 2017. A Systematic Approach to Implementing ABAC. In Proc. of the 2nd ACM Workshop on Attribute-Based Access Control (ABAC'17). ACM, 53--59.

[7]

Liang C., Luca G., and Timothy J. N. 2013. XACML and Risk-Aware Access Control. In Proc. of the Int. Workshop on Security in Info. Sys. (ICEIS 2013). 66--75.

[8]

K. Campbell, L. A. Gordon, M. P. Loeb, and L. Zhou. 2003. The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market. Journal of Computer Security, Vol. 11, 3 (April 2003), 431--448.

Digital Library

[9]

P. Chapin, C. Skalka, and X. S. Wang. 2005. Risk Assessment in Distributed Authorization. In Proc. of the 2005 ACM Workshop on Formal Methods in Sec. Eng. (FMSE '05). ACM, 33--42.

[10]

D. Choi, K. Dohoon, and Seog P. 2015. A Framework for Context Sensitive Risk-Based Access Control in Medical Information Systems. Computational and Mathematical Methods in Medicine 2015, Vol. 265132 (2015).

[11]

N. Dimmock, A. Belokosztolszki, D. Eyers, J. Bacon, and K. Moody. 2004. Using Trust and Risk in Role-based Access Control Policies. In Proc. of the 9th ACM Symp. on Access Control Models and Technologies (SACMAT '04). ACM, 156--162.

[12]

K. A. Farris, S. R. McNamara, A. Goldstein, and G. Cybenko. 2016. A preliminary analysis of quantifying computer security vulnerability data in the wild. (2016), bibinfonumpages9825 - 9842 pages.

[13]

D. Ferraiolo, R. Chandramouli, R. Kuhn, and V. Hu. 2016. Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). In Proc. of the 2016 ACM International Workshop on Attribute Based Access Control (ABAC '16). ACM, 13--24.

[14]

D. Gambetta. 1988. Can We Trust Trust?. In Trust: Making and Breaking Cooperative Relations . Basil Blackwell, 213--237.

[15]

M. T. Goodrich, M. Shin, R. Tamassia, and W. H. Winsborough. 2003. Authenticated Dictionaries for Fresh Attribute Credentials .Springer Berlin Heidelberg, Berlin, Heidelberg, 332--347.

[16]

GRPC. 2019. IT Access Control and User Access Management Policy . https://www.gprc.ab.ca/about/administration/policies/fetch.php?ID=320 . (2019). [Online; accessed Sep-23--2019].

[17]

V. C Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller, and K. Scarfone. 2014. Guide to attribute based access control (ABAC) definition and considerations. NIST Special Publication, Vol. 800 (2014), 162.

[18]

S. Kandala, R. Sandhu, and V. Bhamidipati. 2011. An Attribute Based Framework for Risk-Adaptive Access Control Models. In 2011 Sixth International Conference on Availability, Reliability and Security . 236--241.

[19]

J. C. King. 1976. Symbolic Execution and Program Testing. Comm. ACM, Vol. 19, 7 (July 1976), 385--394.

Digital Library

[20]

Margrave, An API for XACML Policy Verification and Change Analysis. 2020. Margrave Continue Example . http://www.margrave-tool.org/v1

[21]

v2/margrave/versions/01-01/examples/continue/. (2020).

[22]

R. Nath, S. Das, S. Sural, J. Vaidya, and V. Atluri. 2019. PolTree: A Data Structure for Making Efficient Access Decisions in ABAC. In Proc. of the 24th ACM Symposium on Access Control Models and Technologies (SACMAT '19). ACM, 25--35.

[23]

NHS Digital. 2019. Access Control Sample Policy . https://webarchive.nationalarchives.gov.uk/20180307183605/https://digital.nhs.uk/cyber-security/policy-and-good-practice-in-health-care/access-control/example-policy . (2019).

[24]

Q. Ni, E. Bertino, and J. Lobo. 2010. Risk-based Access Control Systems Built on Fuzzy Inferences. In Proc. of the 5th ACM Symp. on Information, Computer and Comm. Security (ASIACCS '10). ACM, 250--260.

[25]

OASIS Standard. 2013. eXtensible Access Control Markup Language (XACML) Version 3.0. (2013, January 22) . http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html . (2013). [Online; accessed September-23--2019].

[26]

J. Park and R. Sandhu. 2004. The UCONABC Usage Control Model. ACM Trans. Inf. Syst. Secur., Vol. 7, 1 (Feb. 2004), 128--174.

Digital Library

[27]

W. Rautenberg. 2009. A Concise Introduction to Mathematical Logic 3rd ed.). Springer Publishing Company, Incorporated.

[28]

C. E. Rubio-Medrano, J. Lamp, A. Doupé, Z. Zhao, and G-J. Ahn. 2017. Mutated Policies: Towards Proactive Attribute-based Defenses for Access Control. In Proc. of the 2017 Workshop on Moving Target Defense (MTD '17). ACM, 39--49.

Digital Library

[29]

R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. 1996. Role-Based Access Control Models. Computer, Vol. 29, 2 (Feb. 1996), 38--47.

Digital Library

[30]

SANS. 2019. SANS Consensus Policy Resource Community . https://www.sans.org/security-resources/policies/network-security/pdf/remote-access-policy . (2019). [Online; accessed Sep-23--2019].

[31]

D. Servos and S. L. Osborn. 2017. Current Research and Open Problems in Attribute-Based Access Control. ACM Comput. Surv., Vol. 49, 4, Article 65 (Jan. 2017).

[32]

State of North Carolina. 2019. Access Control Policy SCIO-SEC-301-00 . https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Access_Control.pdf . (2019). [Online; accessed Sep-23--2019].

[33]

The Asela Project. 2020. XACML Examples . https://svn.wso2.org/repos/wso2/people/asela/xacml/sample/kmarket/resources/lib/. (2020).

[34]

R. C. Turner. 2017. Proposed Model for Natural Language ABAC Authoring. In Proc. of the 2nd ACM Workshop on Attribute-Based Access Control (ABAC'17). ACM, 61--72.

Digital Library

[35]

R. B. Vaughn, R. Henning, and A. Siraj. 2003. Information assurance measures and metrics - state of practice and proposed taxonomy. In Proc. of the 36th Annual Hawaii Int. Conf. on System Sciences, 2003 . 10.

Cited By

Yan XWu JZhou NJiang ZWu JYin JLiu Y(2023)Blockchain-Based Access Control Model for Security Attributes in the Internet of Things2023 IEEE International Conferences on Internet of Things (iThings) and IEEE Green Computing & Communications (GreenCom) and IEEE Cyber, Physical & Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics)10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics60724.2023.00040(95-101)Online publication date: 17-Dec-2023
https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics60724.2023.00040
Williams ARoy ADasgupta D(2023)A Distributed Multi-User Access Control Middleware for Critical Applications2023 IEEE Symposium Series on Computational Intelligence (SSCI)10.1109/SSCI52147.2023.10371790(1145-1150)Online publication date: 5-Dec-2023
https://doi.org/10.1109/SSCI52147.2023.10371790

Index Terms

Proactive Risk Assessment for Preventing Attribute-Forgery Attacks to ABAC Policies
1. Security and privacy
  1. Security services
    1. Access control
2. Software and its engineering
  1. Software creation and management
    1. Software development process management
      1. Risk management

Recommendations

RiskPol : A Risk Assessment Framework for Preventing Attribute-Forgery Attacks to ABAC Policies
ABAC'18: Proceedings of the Third ACM Workshop on Attribute-Based Access Control

Recently, attribute-based access control (ABAC) has emerged as a convenient paradigm for specifying, enforcing and maintaining rich and flexible authorization policies, leveraging attributes originated from multiple sources, e.g., operative systems, ...
Attribute Expressions, Policy Tables and Attribute-Based Access Control
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies

Attribute-based access control (ABAC) has attracted considerable interest in recent years, prompting the development of the standardized XML-based language XACML. ABAC policies written in languages like XACML have a tree-like structure, where leaf nodes ...
Automated Generation and Update of Structured ABAC Policies
SaT-CPS '24: Proceedings of the 2024 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems

We present a new access control policy generation algorithm that also offers a solution to the policy update problem. The algorithm generates structured attribute-based access control policies, more precisely, it generates a categorisation of principals ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '20: Proceedings of the 25th ACM Symposium on Access Control Models and Technologies

June 2020

234 pages

ISBN:9781450375689

DOI:10.1145/3381991

General Chair:
Jorge Lobo
ICREA & Universitat Pompeu Fabra, Spain
,
Program Chairs:
Scott D. Stoller
Stony Brook University, USA
,
Peng Liu
Penn State University, USA

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 June 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

SACMAT '20

Sponsor:

SIGSAC

SACMAT '20: The 25th ACM Symposium on Access Control Models and Technologies

June 10 - 12, 2020

Barcelona, Spain

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
131
Total Downloads

Downloads (Last 12 months)18
Downloads (Last 6 weeks)6

Reflects downloads up to 14 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Yan XWu JZhou NJiang ZWu JYin JLiu Y(2023)Blockchain-Based Access Control Model for Security Attributes in the Internet of Things2023 IEEE International Conferences on Internet of Things (iThings) and IEEE Green Computing & Communications (GreenCom) and IEEE Cyber, Physical & Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics)10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics60724.2023.00040(95-101)Online publication date: 17-Dec-2023
https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics60724.2023.00040
Williams ARoy ADasgupta D(2023)A Distributed Multi-User Access Control Middleware for Critical Applications2023 IEEE Symposium Series on Computational Intelligence (SSCI)10.1109/SSCI52147.2023.10371790(1145-1150)Online publication date: 5-Dec-2023
https://doi.org/10.1109/SSCI52147.2023.10371790

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents