Date of Award


Document Type

Campus Access Dissertation


Computer Science and Engineering

First Advisor

Csilla Farkas


Access control systems must adjust to evolving business needs, such as new or modified business processes. These changes may require new skills of users, or changes to the privileges users hold in a given security system. Current access control models are not flexible enough to accommodate such changes. In the first part of this dissertation, we propose a business-oriented approach to support accurate and dynamic user-role assignment for the RBAC model. A novel aspect of this work is the agile adaptation of RBAC-based access control policies to changes in organizational needs, while reducing the burden of security administration.

Another important challenge we address in this dissertation is policy composition. In collaborative environments where resources are shared across multiple sites and between different entities, the access control policies of the participants must be composed to define a coherent policy. Developing automated policy composition frameworks that are both sound and practical has, however, been a long-standing problem. The difficulty increases when the policies to compose are stated independently by autonomous entities. The diversity of the policies to combine may lead to conflicts, where two policies yield contradictory decisions for the same request. Thus, a crucial step when composing policies is to ensure that they are compatible, that is, that they maintain similar levels of security. Our work therefore develops more advanced techniques to address policy conflicts. We propose a technique to compose access control policies stated in XACML by independent entities. We give a precise and unambiguous specification of the policies in logic form, and use this logic representation as the foundation for rigorous reasoning about the correctness and soundness of the algorithms we design to detect conflicts and their causes.
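The following is an added illustration of the conflict-detection step described above; it is not the dissertation's algorithm or code. It uses a deliberately simplified XACML-like XML dialect constructed here (two sample policies from hypothetical sites "siteA" and "siteB", with rule ids A1, A2, B1, B2) in which each Rule has an Effect and a Target listing the role, resource and action values it applies to. Real XACML targets also carry Conditions and are combined by a policy combining algorithm; both are ignored here. A conflict is a pair of rules, one from each policy, whose targets overlap and whose effects differ; the pair and the overlapping region are reported as the cause.

```python
"""Pairwise conflict detection between two independently written policies.

Added example (not the dissertation's code). Each Rule has an Effect and a
Target; an attribute absent from a Target matches any value.
"""
import itertools
import xml.etree.ElementTree as ET

ATTRS = ("role", "resource", "action")

# Constructed sample policies from two autonomous sites (assumption: both
# sites draw role, resource and action names from a shared vocabulary).
POLICY_A = """
<Policy PolicyId="siteA">
  <Rule RuleId="A1" Effect="Permit">
    <Target><role>researcher</role><role>admin</role>
            <resource>dataset</resource><action>read</action></Target>
  </Rule>
  <Rule RuleId="A2" Effect="Deny">
    <Target><role>guest</role><resource>dataset</resource>
            <action>read</action><action>write</action></Target>
  </Rule>
</Policy>
"""
POLICY_B = """
<Policy PolicyId="siteB">
  <Rule RuleId="B1" Effect="Deny">
    <Target><role>researcher</role><resource>dataset</resource>
            <action>write</action><action>read</action></Target>
  </Rule>
  <Rule RuleId="B2" Effect="Permit">
    <Target><role>guest</role><resource>report</resource><action>read</action></Target>
  </Rule>
</Policy>
"""


def parse_policy(xml_text):
    """Return a list of (policy_id, rule_id, effect, target); target maps each
    attribute to a frozenset of values, with an empty set meaning 'any'."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("Rule"):
        target = rule.find("Target")
        values = {
            attr: frozenset(e.text.strip()
                            for e in (target.findall(attr) if target is not None else []))
            for attr in ATTRS
        }
        rules.append((root.get("PolicyId"), rule.get("RuleId"), rule.get("Effect"), values))
    return rules


def overlap(t1, t2):
    """Per-attribute intersection of two targets, or None if they are disjoint.
    An empty value set is a wildcard and never makes the pair disjoint."""
    region = {}
    for attr in ATTRS:
        a, b = t1[attr], t2[attr]
        common = b if not a else a if not b else a & b
        if a and b and not common:
            return None
        region[attr] = common
    return region


def detect_conflicts(rules_a, rules_b):
    """Every cross-policy rule pair with overlapping targets and opposite effects.
    The rule pair is the cause; the region is the set of requests affected."""
    conflicts = []
    for (pa, ra, ea, ta), (pb, rb, eb, tb) in itertools.product(rules_a, rules_b):
        if ea == eb:
            continue
        region = overlap(ta, tb)
        if region is not None:
            conflicts.append({
                "cause": (f"{pa}/{ra}", f"{pb}/{rb}"),
                "decisions": (ea, eb),
                "region": {k: sorted(v) for k, v in region.items()},
            })
    return conflicts


def compatible(xml_a, xml_b):
    """True when no request can receive contradictory decisions from the two policies."""
    return not detect_conflicts(parse_policy(xml_a), parse_policy(xml_b))


if __name__ == "__main__":
    for conflict in detect_conflicts(parse_policy(POLICY_A), parse_policy(POLICY_B)):
        print(conflict)
```

With the sample policies, the only conflict is between siteA/A1 (Permit) and siteB/B1 (Deny) for researchers reading the dataset; A2 and B2 do not clash because their resources differ. Reporting the overlapping region, not just the rule pair, is what lets an administrator decide which policy must be narrowed before the two can be composed.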

Finally, we propose a risk-adaptive access control model for managing human users' requests for information from database systems. In this model, a request to access information in a database is granted if doing so will not drastically degrade the performance of the system. Otherwise, our model proposes to the requester a replacement query, similar to the original request, which when executed provides acceptable answers without preventing the processing of other queries. In addition to being similar to the original request, the replacement is also safe, i.e., it causes no performance issues, and secure, i.e., the requester is authorized to access the answer set of the query. Compared to most existing query analysis techniques, the distinctive aspect of this model is that it decouples the analysis of a request's resource requirements from its execution. Thereby, execution of the request can be postponed if it is considered likely to cause overhead.
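The following is an added illustration of the mediation loop described above (authorization check, resource analysis decoupled from execution, replacement query); it is not the dissertation's model or code. It assumes a constructed SQLite table `employees`, a constructed column-level authorization table for the roles "analyst" and "intern", and a row budget as the sole performance measure; the replacement strategy (re-issuing the same query with a `LIMIT`) is one simple choice of a "similar" query, not the dissertation's.

```python
"""Mediating database requests: analyze cost before executing.

Added example (not the dissertation's code). A request is a small structured
description, never raw SQL from the user, so identifiers can be validated
against the schema before any SQL is rendered.
"""
import sqlite3

SCHEMA = {"employees": {"id", "dept", "salary", "ssn"}}   # constructed schema
AUTHZ = {                                                  # constructed policy
    "analyst": {"employees": {"id", "dept", "salary"}},
    "intern": {"employees": {"id", "dept"}},
}
ROW_BUDGET = 100   # assumption: rows one request may return without overhead


def build_db(n_rows=1000):
    """Constructed sample data: an in-memory table of n_rows employees."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees(id INTEGER PRIMARY KEY, dept TEXT,"
                 " salary INTEGER, ssn TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?,?,?,?)",
        [(i, ("eng", "ops", "hr")[i % 3], 50000 + i, f"000-00-{i:04d}")
         for i in range(n_rows)])
    return conn


def _validate(req):
    """Reject unknown tables/columns so rendered identifiers are always safe."""
    cols = SCHEMA.get(req["table"])
    if cols is None or not set(req["columns"]) <= cols:
        raise ValueError("unknown table or column")
    if req.get("where") and req["where"][0] not in cols:
        raise ValueError("unknown predicate column")


def render(req, limit=None):
    """Render a request as parameterized SQL, optionally bounded by LIMIT."""
    _validate(req)
    sql = f"SELECT {', '.join(req['columns'])} FROM {req['table']}"
    params = []
    if req.get("where"):
        col, val = req["where"]
        sql += f" WHERE {col} = ?"
        params.append(val)
    if limit is not None:
        sql += f" LIMIT {int(limit)}"
    return sql, params


def authorize(role, req):
    """Secure: every column in the answer set (and the predicate) is permitted."""
    allowed = AUTHZ.get(role, {}).get(req["table"], set())
    needed = set(req["columns"]) | ({req["where"][0]} if req.get("where") else set())
    return needed <= allowed


def estimate_rows(conn, req):
    """Analysis step, decoupled from execution: count matching rows with a
    cheap aggregate instead of materializing the answer set."""
    _validate(req)
    sql = f"SELECT COUNT(*) FROM {req['table']}"
    params = []
    if req.get("where"):
        sql += f" WHERE {req['where'][0]} = ?"
        params.append(req["where"][1])
    return conn.execute(sql, params).fetchone()[0]


def mediate(conn, role, req, budget=ROW_BUDGET):
    """Return ('deny', reason), ('execute', sql, params) or ('replace', sql, params).
    Execution is never triggered here; the caller decides when to run the SQL."""
    if not authorize(role, req):
        return ("deny", "answer set contains unauthorized columns")
    if estimate_rows(conn, req) <= budget:
        return ("execute",) + render(req)
    # Safe and similar: same columns and predicate, bounded output.
    return ("replace",) + render(req, limit=budget)


if __name__ == "__main__":
    db = build_db()
    print(mediate(db, "analyst", {"table": "employees", "columns": ["id", "salary"],
                                  "where": ("dept", "eng")}))
```

The authorization check runs before any cost analysis, so an unauthorized request never consumes analysis resources, and the replacement inherits the original's columns, so it is authorized by construction. Because `mediate` only returns SQL, the caller can postpone execution of a costly request rather than run it immediately.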