Discipline: Computer Sciences and Information Management
Subcategory: Computer Science & Information Systems
Session: 1
Room: Park Tower 8219
Mehrnoosh Shakarami - University of Texas at San Antonio (UTSA)
Co-Author(s): RAVI SANDHU, University of Texas at San Antonio (UTSA), San Antonio, Texas.
The most common paradigm in Attribute-Based Access Control is pre-authorization, in which an access decision is made only once to be utilized by the policy enforcement point. From the perspective of the decision point, there are several components on basis of which an access decision is made: subject attribute values, object attribute values, environment attribute values and authorization policy. In this paper, we assume that the policy and current values of object and environment attributes are known with high assurance at the policy decision point. This is reasonable since the decision and enforcement points are often co-located with the object’s custodian who is responsible for object attribute values and authorization policy, and shares the environment with the object. Subject attributes, however, are usually collected incrementally from multiple attribute authorities. This incremental assembly along with differing validity periods for subject attribute values, raises the potential for inconsistency of subject attribute values at the decision point.
The problem of such inconsistencies has been previously studied in context of trust negotiation and distributed proof systems [7, 9]. We recast this prior work in context of a system where subjects are not attribute-shy and no negotiation is required to disclose subject attribute values. In this paper, we propose four increasingly powerful consistency levels with strict subset relationship between levels. The highest level limits the exposure of the decision point to obsolete attribute values by taking into account the request time, which is missing in the previous work [9]. We define the formal specification of each consistency level and identify the properties guaranteed by that level. We discuss implication of these consistency levels in different practical scenarios and compare our work with related previous research.
Funder Acknowledgement(s): The research is funded by CREST Center for Security and Privacy Enhanced Cloud Computing (C-SPECC) program, NSF Award 1736209.
Faculty Advisor: Professor Ravi Sandhu, ravi.sandhu@utsa.edu
Role: I did the research under supervision of Professor Ravi Sandhu.