Towards A Timesbased Usage Control Model

1
Towards A Times-based Usage Control Model
Baoxian Zhao1, Ravi Sandhu2, Xinwen Zhang3, and
Xiaolin Qin4 1George Mason University, Fairfax,
VA, USA 2 Institute for Cyber-Security Research
at the University of Texas, San Antonio,
USA 3Samsung Information Systems America, San
Jose, CA, USA 4 Nanjing University of
Aeronautics and Astronautics, Nanjing,
China presented by Baoxian Zhao
2
Outline

• Reviewing access control models
• Traditional access control models
• Temporal access control models
• Construction of the TUCON model
• Preliminaries of the TUCON model
• Times-based authorizations
• Authorization rules
• The implementation of access control
• Conclusion and Future work

3
Reviewing existing access control models

• Traditional access control models
• gtDiscretionary Access Control (DAC)
• gtMandatory Access Control (MAC)
• gtRole-based Access Control (RBAC)
• Temporal access control models
• gt The temporal authorization models
  suggested by E.Bertino et al 94,96,98
• Only applied to the DAC model
• gtTemporal Data Authorization Model
  (TDAM), A. Gal et al 02
• Adding transaction time and valid time
• gtTRBAC 01, GTRBAC 05
• gtgt Adding temporal
  constraints to RBAC Model

4
Limitations of existing access control models

• Primary consider authorization decisions
  constrained by certain time periods
• Authorizations are static authorization decisions
• gt Authorizations are made at the
  requested time and hardly recognize ongoing
  controls for times constrained access or for
  immediate revocation
• gt Once an authorization decision is
  made, the object can be accessed without
  limitation during a valid period!

5
Requirements of new access control

• Usage of a digital object can not only be
  time-independent, like read and write
• But also temporal and times-consuming, such as
  payment-based online reading, or a downloadable
  music file that can only be played 10 times
  within a valid period.
• It means that authorization can be updated during
  ongoing usage

6
The principle of the TUCON model

• Keeping the time periods
• Authorizations are still constrained by the time
  periods
• Introducing usage times
• Times are consumed, to meet the request that the
  usage of digital objects can be consumed and
  limited
• Times are decreased by 1, to update authorization
  during a single access process
• New features of the TUCON model
• Authorizations can be updated during ongoing
  usage.
• Authorizations can be consumed
• Effectively prevent systems from the attacks of
  DoS, such as nimda and red codes.

7
Difference From UCON

• In UCON model, it uses ABC (Authorization,
  oBligation, Condition) core models to solve these
  problems
• In TUCON model, we consider temporal and consumed
  factors as attributes of Authorizations rather
  than attributes of subjects or objects
• Support delegation
• TUCON is simple to be implemented.

8
Preliminaries of TUCON
Definition 1 (Periodic expression) Bertino et
al. 98 A periodic expression is defined as
, where
, and are calendars,for
,and . Here let D
present the set of all valid periods.
Example From 900 AM to 1200PM during
workdays Definition 2 (Times) Times are a set
of natural numbers, formally defined as
9
Times-based Authorizations

• Definition 3 (Times Authorization) A times
  authorization is a 6-tuple (pt,s, o, priv, pn,
  g), where ,
• Example Mary grants Bob 5 read privilege on
  the book of Sun
• (5, Bob, Sun, read, , Mary)
• Definition 4 (Non-Times Authorization) When
  pt -1 in a tuple of times authorization, we call
  this kind of times authorization non-times
  authorization.

10
Times-based Authorizations (cont)

• Definition 5 (Times-based Authorization) A
  times-based authorization is a 3-tuple (time,
  period, auth) where time represents a time
  interval , period is a periodical
  expression, and auth is a 6-tuple authorization.
  ( )
• Example Between Jan. 12, 2001 and Dec. 24 ,
  2005, Tom has 6 times of privilege read on
  object file, but he can operate this privilege
  only on Tuesday each week.
• (1/12/2001,12/24/2005,Weaks2.days,(6,Tom,
  file, read,, Sam) )

11
Authorization rules

• Definition 6 (Grant Rule) A grant rule is
  defined as the form of
• Li can be a trigger condition expression.
• Example 1 In an application system
  Business_system, if a registered user Bob
  pre-pays 1000, he can enjoy a certain
  super-value service m for 6 times during every
  Friday since the time 09/12/2006. Let this
  privilege be super.
• access( 09/12/2006,8 , Weeks5.days, (6,
  Bob , m, super, , Business_system))?
  prepay(Bob,1000) register (Bob)

12
Authorization rules (cont)

• Definition 7 (Derived Rule) A derived rule is
  defined as the form of
• Li can be access with conditional
  expressions
• Example 2 Now Bob wants to transfer 3 times for
  enjoying the service m to another user Alice.
• deraccess( 09/12/2006, 8 , Weeks5.days,
  (3, Alice , m, super, , Business_system)) ?
  access ( 09/12/2006, 8 , Weeks5.days, (6,
  Bob , m, super,, Business system)) give(3,
  Alice, m, super, Bob) less(3,6)
• deraccess( 09/12/2006, 8 , Weaks5.days,
  (3, Bob , m, super, , Business_system)) ?
  access ( 09/12/2006, 8 , Weeks5.days, (6,
  Bob , m, super,, Business system)) give(3,
  Alice, m, super, Bob) less(3,6)

13
Authorization rules (cont)

• Definition 8 (Resolution Rule) A resolution rule
  is defined as the form of
• Li can be access or deraccess or condition
  expressions specified by security policy
• Example 3 In example 2, if Alice has 4 times
  super right on service m.
• force_access( 09/12/2006, 8 ,
  Weaks5.days, (7, Alice , m, super, ,
  Business_system)) ? access ( 09/12/2006, 8 ,
  Weeks5.days, (4, Alice , m, super, , Business
  system)) deraccess ( 09/12/2006, 8 ,
  Weeks5.days, (3, Alice , m, super, , Business
  system))

14
Completeness of rules

• THEOREM 1 ( Completeness) The policy in TUCON
  can be specified by a non-empty set of TUCON
  rules.
• Proof 1 no conflict decisions
• 2 specifying all possible
  decisions

15
The Implementation of Access control

• Grant privileges
• Access objects
• Revoke privileges

16
Grant privileges

• Times-based authorization
• gthere, pt gt0 and pn
• Unlimited authorization
• gtpt-1 and pn

How about Times-based authorization Unlimited
authorization?
17
Access objects

• Times-based Authorization Base (TAB)
• gt A set of authorizations, in which there
  is no
• conflict authorizations.
• Valid Access Function
• gt A function to check every access
  request against
• the current TAB to determine whether
  the access is
• authorized.

18
Revoke privileges

• Time intervals
• gt time intervals is expired!
• Usage Times
• gt pt0
• Other factors
• gt Abusing privileges
• gt Breaking security policies

19
Conclusion and Future Work

• Wide applications, especially in times-metered
  systems
• Viewed as a solution to some specific problems of
  mutable attributes in modern access control
• Extend the model by considering different
  intervals and different periods.
• Develop the administration of authorization in
  UCON

Using temporal logic to express?
20
Any Question?

• Thank you !