CatBAC: A Generic Framework for Designing and Validating Hybrid Access Control Models

Date post: 22-Feb-2016
CatBAC: A Generic Framework for Designing and Validating Hybrid Access Control Models. Bernard Stepien, University of Ottawa Hemanth Khambhammettu Kamel Adi Luigi Logrippo. Université du Québec en Outaouais. - PowerPoint PPT Presentation
Page 1: CatBAC: A Generic Framework for Designing and Validating Hybrid Access Control Models


Bernard Stepien, University of Ottawa

Hemanth Khambhammettu

Kamel Adi

Luigi Logrippo

Université du Québec en Outaouais

Page 2: Université du Québec en Outaouais

- Small university of about 8,000 students
- Part of the “Université du Québec” network

Page 3: Selective access control

Alice works in project 1A and has security level Unclassified. Can she write on file RFP?

Page 4: Thousands of Alices, thousands of resources …

Page 5: Access Control

- Many subjects, many resources in an organization
  - Virtual, real subjects and resources
- What each subject can do on the resources can depend on many factors
  - The role or group of the subject in the organization (RBAC)
  - The other roles it may have (SOD)
  - The other files it may have accessed (CW)
  - Its security level (BLP)
  - Delegation
  - Etc.

Page 6: Models and languages

- Many access control models have been developed
- Are associated with access control languages to specify access control properties of subjects
- Languages express access control policies

Page 7: Issues in Access Control (AC)

- Access control policies in an organization can contain tens of thousands of rules that can be implemented at different levels of abstraction with a variety of methods.
- We address issues of:
  - Homogeneity and expressiveness: identifying common high-level concepts, leading to unified terminology and languages
  - Consistency, completeness: Are there inconsistencies in the set of rules? Do we have all the rules that we need?
  - Lifecycle: from the initial design stages to the final set of implemented policies, through refinement and formal verification stages

Page 8: Homogeneity and expressiveness

- In business, RBAC (Role-Based Access Control) is a prevalent AC model
- We have a real ‘alphabet soup’ of other models that complement RBAC
  - DAC, Discretionary Access Control
  - GBAC, Group-Based Access Control
  - ABAC, Attribute-Based Access Control
  - BLP, Bell-LaPadula
  - Biba, etc.

Page 9: Combining access control models

- Combine AC models in a single hybrid policy model for maximum power and flexibility
- In a company, one may wish to have:
  - RBAC as a basic model
  - Bell-LaPadula as an auxiliary model
    - E.g. within a role, subjects can have different clearance levels
- Complex combinations may be desirable
- RBAC research has shown how many AC models can be represented in RBAC
  - But this is not always intuitive

Page 10: Specification of combined models

- Defined a framework for combined AC specs starting from an abstract UML meta-model
- Provided a language for it, together with an engine for execution and verification

Page 11: Concept of Category

- Categories can be roles, groups, security levels, etc.
- Can be assigned to other categories
  - E.g. a role can be assigned to a security level
- Can be organized in hierarchies
  - E.g. role hierarchies

Page 12: Combined model in UML and text

[UML diagram: subjects, categories, resources, actions]

In more compact textual form:

    assign subject Alice to role Consultant;
    assign subject Alice to group Project 1A;
    assign subject Alice to security level Unclassified;

Page 13: CatBAC language

A strongly typed, user-friendly language to be the textual representation of UACML

Page 14: CatBAC Features

- Assign subjects to categories

      assign subject Alice to role Consultant;

- Assignments between categories

      assign category group Project_1B to category security_level Classified;

- Assignments of permissions to resources-actions

      assign permission permit to categories role Consultant, Manager for resources Input_RFP, Bid_RFP and actions read, write;

- Mandatory assignments

      assign mandatory permission permit to category group Project_1A for resource Input_RFP and action Read;

Page 15: Authorization Constraints

- Constraints that specify restrictions on subject-category assignments, category-resource assignments and resource-action assignments
  - E.g. separation of duties

Page 16: Constraints in CatBAC

- Mutual exclusion

      category role teacher and category role student are mutually exclusive;

- Requirements

      category assignment role teacher requires category assignment role researcher;

- Cardinality

      category role President assignments should not exceed 1;

Page 17: Execution and verification

- CatBAC has operational semantics based on Prolog (Horn-clause predicate calculus)
- CatBAC can be executed and can be queried
- For verification of consistency: find all possible outcomes of an access request
- Find whether there are violations of mandatory assignments
- Find whether there are violations of constraints
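
The two verification queries above (all outcomes of an access request, and constraint violations), sketched in Python as an added example; this is not the authors' Prolog-based engine and only approximates CatBAC semantics. Alice's assignments, the permit rule and the three constraints come from pages 12, 14 and 16; the subjects Bob, Carol and Dave and the "deny" rule are constructed assumptions used to trigger each check.

```python
# Added illustration: simplified checks over CatBAC-style assignments.
# Categories are (kind, name) pairs, e.g. ("role", "Consultant").
ASSIGN = {
    "Alice": {("role", "Consultant"), ("group", "Project_1A"),
              ("security_level", "Unclassified")},            # page 12
    "Bob":   {("role", "teacher"), ("role", "student")},      # constructed
    "Carol": {("role", "President"), ("role", "teacher"),
              ("role", "researcher")},                        # constructed
    "Dave":  {("role", "President")},                         # constructed
}
# Constraints from page 16.
MUTEX = [(("role", "teacher"), ("role", "student"))]
REQUIRES = [(("role", "teacher"), ("role", "researcher"))]
MAX_CARD = {("role", "President"): 1}
# Rules: (effect, categories, resources, actions).
RULES = [
    ("permit", {("role", "Consultant"), ("role", "Manager")},
     {"Input_RFP", "Bid_RFP"}, {"read", "write"}),            # page 14
    ("deny", {("security_level", "Unclassified")},
     {"Bid_RFP"}, {"write"}),                                 # constructed
]

def constraint_violations(assign):
    """Return every mutual-exclusion, requirement and cardinality violation."""
    out = []
    for subj, cats in sorted(assign.items()):
        for a, b in MUTEX:
            if a in cats and b in cats:
                out.append(("mutex", subj, a[1], b[1]))
        for a, b in REQUIRES:
            if a in cats and b not in cats:
                out.append(("requires", subj, a[1], b[1]))
    for cat, limit in MAX_CARD.items():
        holders = sorted(s for s, c in assign.items() if cat in c)
        if len(holders) > limit:
            out.append(("cardinality", cat[1], tuple(holders), limit))
    return out

def outcomes(subj, resource, action, assign=ASSIGN, rules=RULES):
    """All effects produced by matching rules; more than one is an inconsistency."""
    cats = assign.get(subj, set())
    return {eff for eff, rc, rr, ra in rules
            if cats & rc and resource in rr and action in ra}

if __name__ == "__main__":
    print(constraint_violations(ASSIGN))
    print(outcomes("Alice", "Input_RFP", "write"))
    print(outcomes("Alice", "Bid_RFP", "write"))
```

An outcome set with both effects flags a policy inconsistency to resolve at design time, and an empty set flags a completeness gap where no rule covers the request.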

Page 18: Practical use

- Security administrators can
  - Express high-level security policies in graphic UML form
  - Compile the graphic form into a form that allows the inclusion of detailed low-level security policies
- Textual form
  - Enables expressing policy sets of realistic sizes
  - Can be validated to detect design faults: inconsistency, separation of duties, etc.
- This top-down approach enables an integrated view of the security policies of a whole enterprise, using a unified model and language

Page 19: Conclusion

- UACML and CatBAC form a powerful conceptual framework for the expression and combination of Access Control methods
- Most common access control systems can coexist within this framework
- Lifecycle support is provided, by allowing iterative development from UML notation to executable code, with verification steps in between

