Analysis of the methods for attribute-based access control
Prikladnaâ diskretnaâ matematika, no. 2 (2019), pp. 43-57.


The paper contains an analytical overview of the basic models and methods of access control, from the traditional ones (DAC, MAC, RBAC) to the latest developments, the numerous models implementing attribute-based access control (ABAC). The model of typed attribute-based access control (TAAC) currently being developed by the authors is described. The following disadvantages of the traditional models are pointed out: identification of entities by unique names; redundancy of access rights ("coarse-grained access control"); difficulty of managing a large number of users; operation only in closed environments; inability to use integrated security policies; lack of built-in administration tools. It is found that, to ensure safe sharing of information resources in both local and global computing environments, an access control model must meet the requirements of universality, flexibility and ease of administration while performing the following tasks: identification of entities by several features, for fine-grained access control; design and use of multiple access control policies, to implement the "multiple policy" paradigm and adapt the system to various environments; administration as a means of dynamic policy modeling and convenient privilege management for a large number of users. The advantages and disadvantages of different types of ABAC models are considered. The advantages are: identification of entities by sets of attributes; fine-grained access control; flexibility and expressiveness of the model specification languages; the possibility of creating new access control methods and of modeling the traditional ones; relative ease of administration; management of privileges for groups of users. The main disadvantage of ABAC is the complexity of computing attribute values.
It is shown that the TAAC models meet the above requirements and provide the following: fine-grained access control by identifying entities with sets of typed attributes; lower complexity and higher speed of computation; management of privileges for hierarchical groups of subjects and objects; dynamic policy construction; multi-criteria access control.
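The abstract's central claim, that DAC, MAC and RBAC can all be modeled as special cases of ABAC and then combined under a "multiple policy" regime, is easier to see in running code than in prose. The block below is an added illustration, not code from the paper and not an implementation of the authors' TAAC model: it is a minimal policy decision point in which roles, an ordered security label, an owner/ACL pair and a network-context attribute are all just attributes, each classic model becomes one ABAC rule, and the rules are combined deny-overrides (every rule must permit). The ordered `LEVELS` domain stands in for a typed attribute, so labels are compared as lattice elements rather than as strings. All entity names, attribute names and sample requests are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]

# Ordered security labels: a typed attribute domain, so "level" values are
# compared as lattice elements rather than as strings. Constructed for this example.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class Request:
    subject: Attrs
    obj: Attrs
    action: str
    env: Attrs = field(default_factory=dict)


Rule = Callable[[Request], bool]


def rbac_rule(req: Request) -> bool:
    """RBAC expressed in ABAC: roles are a set-valued subject attribute and the
    object carries the role required for each action."""
    needed = req.obj.get("required_role", {}).get(req.action)
    return needed is None or needed in req.subject.get("roles", set())


def mac_rule(req: Request) -> bool:
    """MAC (Bell-LaPadula) in ABAC: no read up, no write down, decided on the
    ordered 'level' attribute of subject and object."""
    s, o = LEVELS[req.subject["level"]], LEVELS[req.obj["level"]]
    if req.action == "read":
        return s >= o
    if req.action == "write":
        return s <= o
    return False


def dac_rule(req: Request) -> bool:
    """DAC in ABAC: the object's 'owner' attribute grants its owner everything;
    other subjects need an entry in the object's 'acl' attribute."""
    sid = req.subject["id"]
    if req.obj.get("owner") == sid:
        return True
    return req.action in req.obj.get("acl", {}).get(sid, set())


def env_rule(req: Request) -> bool:
    """A context condition none of the classic models expresses directly:
    writes are only permitted from the corporate network."""
    return req.action == "read" or req.env.get("network") == "corp"


def decide(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combination: every rule must permit. A missing attribute is
    a policy or provisioning error and fails closed instead of defaulting to Permit."""
    for rule in rules:
        try:
            if not rule(req):
                return "Deny"
        except KeyError:
            return "Deny"
    return "Permit"


# Constructed sample policy and entities (hypothetical, not from the paper).
CORP_POLICY: List[Rule] = [rbac_rule, mac_rule, dac_rule, env_rule]
REPORT = {"id": "q3-report", "level": "internal", "owner": "bob",
          "required_role": {"read": "analyst", "write": "editor"},
          "acl": {"alice": {"read"}}}
ALICE = {"id": "alice", "roles": {"analyst"}, "level": "secret"}
BOB = {"id": "bob", "roles": {"editor"}, "level": "internal"}
CAROL = {"id": "carol", "roles": {"analyst"}, "level": "public"}
DAVE = {"id": "dave", "roles": {"editor"}}  # 'level' attribute never provisioned


def run_examples() -> Dict[str, str]:
    """Evaluate the sample requests; each key names subject, action and location."""
    home, corp = {"network": "home"}, {"network": "corp"}
    return {
        "alice_read_home": decide(CORP_POLICY, Request(ALICE, REPORT, "read", home)),
        "alice_write_corp": decide(CORP_POLICY, Request(ALICE, REPORT, "write", corp)),
        "bob_write_corp": decide(CORP_POLICY, Request(BOB, REPORT, "write", corp)),
        "bob_write_home": decide(CORP_POLICY, Request(BOB, REPORT, "write", home)),
        "carol_read_corp": decide(CORP_POLICY, Request(CAROL, REPORT, "read", corp)),
        "dave_write_corp": decide(CORP_POLICY, Request(DAVE, REPORT, "write", corp)),
    }


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:18} {verdict}")
```

Two things the example makes concrete. First, no rule names a subject except through attribute values the object itself carries (`owner`, `acl`), which is what "identification of entities by sets of attributes" rather than by unique names buys you: adding a user means provisioning attributes, not editing policy. Second, the cost the abstract flags as ABAC's main disadvantage shows up in `decide`: every decision re-evaluates every attribute, and a missing or mistyped attribute (Dave has no `level`) must fail closed, since a `KeyError` that silently became Permit would be an authorization bypass.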
Keywords: attribute-based access control (ABAC), typed attribute-based access control (TAAC), DAC, MAC, RBAC, access control policy, specification language, syntax, semantics, modeling.
@article{PDM_2019_2_a3,
     author = {M. N. Kalimoldayev and R. G. Biyashev and O. A. Rog},
     title = {Analysis of the methods for~attribute-based~access~control},
     journal = {Prikladna\^a diskretna\^a matematika},
     pages = {43--57},
     publisher = {mathdoc},
     number = {2},
     year = {2019},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDM_2019_2_a3/}
}
TY  - JOUR
AU  - M. N. Kalimoldayev
AU  - R. G. Biyashev
AU  - O. A. Rog
TI  - Analysis of the methods for attribute-based access control
JO  - Prikladnaâ diskretnaâ matematika
PY  - 2019
SP  - 43
EP  - 57
IS  - 2
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/PDM_2019_2_a3/
LA  - ru
ID  - PDM_2019_2_a3
ER  - 
%0 Journal Article
%A M. N. Kalimoldayev
%A R. G. Biyashev
%A O. A. Rog
%T Analysis of the methods for attribute-based access control
%J Prikladnaâ diskretnaâ matematika
%D 2019
%P 43-57
%N 2
%I mathdoc
%U http://geodesic.mathdoc.fr/item/PDM_2019_2_a3/
%G ru
%F PDM_2019_2_a3
M. N. Kalimoldayev; R. G. Biyashev; O. A. Rog. Analysis of the methods for attribute-based access control. Prikladnaâ diskretnaâ matematika, no. 2 (2019), pp. 43-57. http://geodesic.mathdoc.fr/item/PDM_2019_2_a3/

[1] Karp A., Haury H., Davis M., “From ABAC to ZBAC: The evolution of access control models”, ISSA J., 2010, no. 8, 22–30

[2] Sandhu R. S., Samarati P., “Access control: principle and practice”, IEEE Commun. Mag., 32:9 (1994), 40–48 | DOI

[3] Devyanin P. N., Models of security of computer systems, Textbook for students of higher educational institutions, Akademija Publ., Moscow, 2005, 144 pp. (in Russian)

[4] Gaydamakin N. A., Differentiation of Access to Information in Computer Systems, USU Publ., Ekaterinburg, 2003, 328 pp. (in Russian)

[5] Hosmer H., “The multipolicy paradigm for trusted systems”, Proc. NSPW '92-93, ACM, N.Y., 1993, 19–32 | DOI

[6] Lang B. et al., “A flexible attribute based access control method for grid computing”, J. Grid Comput., 7:2 (2009), 169–180 | DOI

[7] Hu V. C., Ferraiolo D., Kuhn R., et al., Guide to Attribute Based Access Control (ABAC) Definition and Considerations, NIST Special Publication, 800-162, 2014 | DOI

[8] NCCoE, Attribute Based Access Control: How-to Guides for Security Engineers, NIST SP 1800-3c (accessed November 25, 2015) https://nccoe.nist.gov/sites/default/files/nccoe/NIST_SP1800-3c_ABAC_0.pdf

[9] Servos D., Osborn S., “Current research and open problems in attribute-based access control”, ACM Computing Surveys, 49:4 (2017), 65 | DOI

[10] Jin X., Krishnan R., Sandhu R. S., “A unified attribute-based access control model covering DAC, MAC and RBAC”, LNCS, 7371, 2012, 41–55

[11] Servos D. and Osborn S., “HGABAC: Towards a formal model of hierarchical attribute-based access control”, Foundations and Practice of Security, Springer, 2014, 187–204

[12] Yuan E., Tong J., “Attributed based access control (ABAC) for web services”, Proc. ICWS'2005 (Washington, 2005), 561–569

[13] Biswas P., Sandhu R., Krishnan R., “Label-based access control: An ABAC model with enumerated authorization policy”, Proc. ABAC'16, ACM, N.Y., 2016, 1–12

[14] Biswas P., Sandhu R., Krishnan R., “A comparison of logical-formula and enumerated authorization policy ABAC models”, LNCS, 9766, 2016, 122–129

[15] Shen H., Hong F., “An attribute-based access control model for web services”, Proc. PDCAT'06, IEEE, 2006, 74–79

[16] Wang L., Wijesekera D., Jajodia S., “A logic-based framework for attribute based access control”, Proc. FMSE'04, ACM, 2004, 45–55

[17] Ferraiolo D., Atluri V., Gavrila S., “The Policy Machine: A novel architecture and framework for access control policy specification and enforcement”, J. Systems Architecture, 57:4 (2011), 412–424 | DOI

[18] Kuijper W., Ermolaev V., “Sorting out role based access control”, Proc. 19th ACM SACMAT, ACM, 2014, 63–74

[19] Ferraiolo D., Chandramouli R., Hu V. C., Kuhn R. A., A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications, Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC), Natl. Inst. Stand. Technol. Spec. Publ. 800-178, 2016, 68 pp.

[20] Wakefield R., Policy Management in a Distributed Computing Environment, 2008 http://www.cs.colostate.edu/~waker/papers/CS556_Policy_Management_in_Distributed_Computing.pdf

[21] Kalimoldayev M. N., Biyashev R. G., Rog O. A., “Formal representation of the functional model of a multi-criteria system of the access control to information resources”, Problemy Informatiki, 2014, no. 1(22), 43–55 (in Russian)

[22] Rog O. A., “Polymorphic typing of entities in the multi-criteria system of access control and a task of constructing types”, Inform. Technologies, Management and Society, 12th Intern. Scientific Conf. (Riga, April 16–17, 2014), 66

[23] Biyashev R. G., Kalimoldayev M. N., Rog O. A., “Polymorphic typing of entities and a task of constructing a mechanism for multi-criteria access control”, Izv. NAN RK, Ser. fiziko-matematicheskaja, 2014, no. 5, 33–41 (in Russian)

[24] Biyashev R. G., Kalimoldayev M. N., Rog O. A., “Designing of systems of multi-criteria attribute-based access control in cloud structures”, 11th Mezhdunar. Aziatskaja Shkola-seminar “Problemy optimizacii slozhnyh sistem” (Cholpon-Ata, 27 July–7 August, 2015), 148–152 (in Russian)

[25] Biyashev R. G., Kalimoldayev M. N., Rog O. A., “Logical approach to the organization of multi-criteria attribute-based access control”, Intern. Conf. “Computational and Informational Technologies in Science, Engineering and Education” (September 24–27, 2015), Kazak University, Almaty, 2015, 86 (in Russian)

[26] Biyashev R. G., Kalimoldayev M. N., Rog O. A., “Representation of the constraints of models of attribute-based access control”, Izv. NAN RK, Ser. fiziko-matematicheskaja, 2016, no. 1, 58–65 (in Russian)

[27] Biyashev R. G., Kalimoldayev M. N., Rog O. A., “Modeling of semantics of typed attribute-based access control”, Problemy Informatiki, 2017, no. 1, 25–37 (in Russian)

[28] Kalimoldayev M. N., Biyashev R. G., Rog O. A., “The use of logic for constructing models for the control of access to information”, Dokl. NAN RK, 2017, no. 3, 48–54 (in Russian)

[29] Kalimoldayev M. N., Biyashev R. G., Rog O. A., “Fundamentals of the architecture of software systems for the implementation of typed attribute-based access control”, Proc. “Sovremennye Problemy Informatiki i Vychislitel'nyh Tehnologij” (29–30 June 2017), Almaty, 2017, 88–95 (in Russian)

[30] Kalimoldayev M. N., Biyashev R. G., Rog O. A., “On the application of typed attribute-based access control in global computing environments”, Izv. Nauchno-Tehnicheskogo Obshhestva “KAHAK”, Almaty, 2017, no. 3(58), 30–36 (in Russian)