Access Control


Introduction

Research into access control at Birkbeck has its origins in work by Dr Greg O'Shea (Microsoft Labs, Cambridge) and Professor George Loizou. Dr Greg O'Shea has extensive experience of security vulnerabilities in commercial operating systems and computer applications. His PhD thesis provided a logical framework to support the development of administrative tools that would simplify and improve the allocation of file permissions to users.

This work was subsequently extended to include work on the specification of access control policies, with particular emphasis on separation of duty policies. Jason Crampton joined the School as an EPSRC-funded student in 1998. His PhD research considered separation of duty and administration in role-based access control. Ian Lawson, working under the supervision of Professor Loizou, is currently implementing the role-based administrative model developed by Jason Crampton.


Current Research Outline and Aims

Introduction

Role-based access control is a relatively new paradigm which seeks to alleviate the burden of administration in access control. Central to role-based access control is the concept of a role, which is a generalisation of a group in earlier access control models. Both users and permissions can be assigned to a role, thereby providing a "bridge" between the subjects and objects in an access control system and making activities like per-subject and per-object review of access rights feasible. (Per-object review is feasible in an access control list-based system, since the list attached to an object is exactly that review, while per-subject review is feasible in a capability-based system for the same reason. However, it is generally difficult to perform both reviews efficiently in a particular discretionary access control system: reviewing one subject in an ACL-based system means scanning the list of every object, and vice versa.)

An important area of research in the role-based access control community is role-based administration. There are two possible approaches: allocate administrative permissions to roles or base administration on the structural properties of the role hierarchy. The first of these approaches leads to difficulties in reasoning about the propagation of permissions - the "safety problem". Hence we have concentrated on developing an administrative model that is controlled by the enterprise structure as reflected in the role hierarchy.

Administration in Role-Based Access Control

The central idea in our administrative model is that of administrative scope. Informally, the administrative scope of a role r is the set of roles in the hierarchy that r is allowed to change. Administrative scope has been used as the basis for the RHA family of models that are used to determine whether a change to the role hierarchy is permitted. The most complex of the RHA models has been extended to a complete model for role-based administration called SARBAC (scoped administration in role-based access control).

Preliminary comparisons suggest that SARBAC offers considerable advantages over existing administrative models. Furthermore, we believe SARBAC can be used to support discretionary access control and delegation.

A prototype of the SARBAC model has been developed by Ian Lawson using Prolog. We are currently investigating the performance of SARBAC and comparing it to that of ARBAC97, a well-known administrative model due to Sandhu et al.

We are currently investigating the worst case computational complexity of implementing SARBAC. An important area for future research is to develop the notion of delegation within SARBAC. In addition, we want to extend the SARBAC framework to include the administration of separation of duty constraints.

Separation of Duty

We have developed a set-based approach to separation of duty that can be easily integrated into existing role-based models. It is considerably simpler than many existing approaches, although it is slightly less expressive than the most general treatment of separation of duty by Jaeger and Tidswell. One advantage of this simpler approach is that the representation of a separation of duty constraint is identical to certain constraints within SARBAC. Hence it should be straightforward to incorporate the administration of separation of duty into the SARBAC model.
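The following script is an added example and is not code from the Birkbeck group or from the Prolog SARBAC prototype. It covers three mechanisms described on this page in one runnable model: the role "bridge" that makes per-subject and per-object review feasible (the introduction to this section), administrative scope (the administration section), and a set-based separation of duty constraint checked against roles held directly or by inheritance (this section). The hierarchy, users, permissions and constraints are constructed sample data. The formal definition of scope used here (a role s lies in the scope of r when s is junior to r and every role senior to s that is not senior to r is itself junior to r) and the (role set, n) form of the constraint are assumptions of the example, not definitions taken from the page.

```python
"""Added example (not the Birkbeck group's code or the SARBAC prototype):
a small role-based access control model with a role hierarchy, showing
(1) per-subject and per-object review through the role "bridge",
(2) an assumed formalisation of administrative scope, and
(3) a set-based separation of duty constraint checked against roles held
    directly or by inheritance.
All roles, users, permissions and constraints are constructed sample data."""

# Role -> immediate juniors. A senior role inherits its juniors' permissions.
HIERARCHY = {
    "DIR": {"PL1", "PL2"},   # director, the top role
    "PL1": {"ENG", "QA"},    # project lead over engineering and QA
    "PL2": {"ENG"},          # project lead over engineering only
    "ENG": {"E"},
    "QA":  {"E"},
    "E":   set(),            # employee, the bottom role
}
UA = {"alice": {"PL1"}, "bob": {"ENG"}, "carol": {"QA"}}    # user -> roles
PA = {"badge_in": {"E"}, "read_spec": {"ENG", "QA"},        # permission -> roles
      "sign_off": {"PL1"}, "approve_budget": {"DIR"}}


def _closure(start, step):
    """Reflexive-transitive closure of `start` under `step`."""
    seen, frontier = set(), {start}
    while frontier:
        r = frontier.pop()
        if r not in seen:
            seen.add(r)
            frontier |= step(r)
    return seen


def juniors(r):
    """Down-set of r: r and every role it is senior to."""
    return _closure(r, lambda x: HIERARCHY[x])


def seniors(r):
    """Up-set of r: r and every role senior to it."""
    return _closure(r, lambda x: {p for p, js in HIERARCHY.items() if x in js})


def roles_of(user):
    """Roles a user holds directly or through seniority."""
    return set().union(*(juniors(r) for r in UA.get(user, ())))


def user_permissions(user):
    """Per-subject review: walk user -> roles -> permissions."""
    held = roles_of(user)
    return {p for p, rs in PA.items() if rs & held}


def permission_users(perm):
    """Per-object review: walk permission -> roles -> users."""
    return {u for u in UA if PA[perm] & roles_of(u)}


def admin_scope(r, strict=False):
    """Roles that r is allowed to change (assumed formalisation):
    s is in scope if s is junior to r and every role senior to s that is
    not senior to r is itself junior to r, i.e. no line of authority over s
    bypasses r, so changing s cannot affect a role outside r's subtree.
    `strict` drops r itself."""
    up_r, down_r = seniors(r), juniors(r)
    scope = {s for s in down_r if (seniors(s) - up_r) <= down_r}
    return scope - {r} if strict else scope


# Assumed set-based separation of duty form: (conflicting role set, n) means
# no user may hold n or more roles from the set, counting inherited roles.
SOD = [({"ENG", "QA"}, 2), ({"PL2", "QA"}, 2)]


def sod_violations(user, extra_roles=()):
    """Constraints the user breaks now, or would break if also given
    `extra_roles` (checked before an assignment is made)."""
    held = roles_of(user) | set().union(*(juniors(r) for r in extra_roles))
    return [(s, n) for s, n in SOD if len(s & held) >= n]


if __name__ == "__main__":
    print(user_permissions("alice"), permission_users("read_spec"))
    print(admin_scope("PL1"), admin_scope("PL2", strict=True))
    print(sod_violations("bob", extra_roles=["QA"]), sod_violations("alice"))
```

With this sample data the strict scope of PL1 is {QA} and excludes ENG, because PL2, which is not under PL1, is also senior to ENG: a change PL1 made to ENG would propagate into PL2's line of authority, which is exactly what scoping by hierarchy structure is meant to prevent. The separation of duty check also shows why the constraint form has to see inherited roles: alice holds only PL1 directly, yet she violates the ENG/QA constraint because PL1 is senior to both, so that constraint cannot coexist with any assignment to PL1. Detecting that interaction between the hierarchy and the constraint set is the kind of check an administrative model that also administers separation of duty would need to make.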

Publications

Greg O'Shea. Redundant rights in protection systems. Operating Systems Review 26(3), 27-30, 1992.

Greg O'Shea. On the specification, validation and verification of security in access control systems. The Computer Journal 37(5), 437-448, 1994.

Greg O'Shea. Access Control in Operating Systems. PhD Thesis, 1997.

J. Crampton, G. Loizou and G. O'Shea. Evaluating and improving access control. Technical report BBKCS-99-11, 1999.

J. Crampton and G. Loizou. Conflict of interest policies: A general approach. Technical report BBKCS-00-07, 2000.

J. Crampton and G. Loizou. On the structural complexity of conflict of interest policies. Technical report BBKCS-00-13, 2000.

J. Crampton, G. Loizou and G. O'Shea. A logic of access control. The Computer Journal 44(2), 137-149, 2001.

J. Crampton and G. Loizou. Authorisation and antichains. Operating Systems Review 35(3), 6-15, 2001.

J. Crampton. Authorization and Antichains. PhD Thesis, 2002.

J. Crampton and G. Loizou. Administrative scope and role hierarchy operations. In Proceedings of SACMAT 2002, the 7th ACM Symposium on Access Control Models and Technologies, 145-154, 2002 (Monterey, California).

J. Crampton and G. Loizou. SARBAC: A New Model for Role-Based Administration. Technical report BBKCS-02-09, 2002.