A Survey of Graph-Based RBAC Efficiency

1. A Survey of Graph-Based RBAC Efficiency Barry Wittman CS526 Research Project

2. Introduction RBAC has gained a lot of popularity in the access control research world. Most papers discuss the power of various versions of RBAC in terms of security capabilities. What are the complexity and performance issues?

3. Overview Basic Operations Conflicting Privileges Multidomain Policy Integration Safety Information Flow Conclusions

4. Basic Operations We examine the hierarchical framework discussed by Koch et al. in [5] and [9]. We look at all the basic operations and try to find the minimum time for an operation, based on an adjacency list implementation. R is the set of roles U is the set of all users S is the set of active sessions t(p) is the upper bound on the number of operations it takes to determine if a role has permission p

5. Conflicting Privileges We examine the algorithms introduced by Nyanchama and Osborn [13] which take into account conflicting privileges. R is the set of roles P is the set of all permissions

6. Multidomain Policy Integration Shafiq et al. [1] introduce a framework in which different domains with different RBAC policies can integrate their policies to allow for secure interoperation. To find the optimum assignment of roles to users, an integer programming problem must be solved. Unfortunately, this problem is NP-hard but can be approximated. There is no generic approximation bound on IP problems.

7. Safety Koch et al. [8] describe a graph-based RBAC formulation whose safety can be checked. The model has very similar expressive power to the Take-Grant model. The decidability algorithm is exponential.

8. Information Flow MAC models are heavily concerned with the flow of information. Some work has been done to analyze information flow in RBAC as well, particularly by [14]. Analysis is based on two algorithms: FlowStart: O(|R||P|2) CanFlow: O(n3)

9. Conclusions Basic Operations At least a simple implementation of graph-based RBAC can be quite efficient. Conflicting Permissions: The algorithms provided by [13] have serious performance problems, since most operations require checking every permission in the entire system. Multidomain Policy Integration The approximation of the IP problem warrants further study. Although it is beyond the scope of this work, an approximation bound (hopefully constant) for the IP should be found. Safety The time taken to determine safety with the current algorithm is exponential. Work should be done to see if a more efficient algorithm is possible or if the problem is NP-complete. Information Flow The information flow algorithms have a |P|2 term in them. However, this is a worst case value that will seldom actually be seen. Likewise, information flow analysis does not necessarily need to be done in real time.

10. References [1] Secure interoperation in a multidomain environment employing RBAC policies. IEEE Transactions on Knowledge and Data Engineering, 17(11):1557�1577, 2005. Student Member-Basit Shafiq and Member-James B. D. Joshi and Fellow-Elisa Bertino and Fellow-Arif Ghafoor. [2] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4(3):224�274, 2001. [3] L. Giuri and P. Iglio. A formal model for role-based access control with constraints. In CSFW �96: Proceedings of the Ninth IEEE Computer Security Foundations Workshop, page 136, Washington, DC, USA, 1996. IEEE Computer Society. [4] F. Glover and M. Laguna. Tabu Search. Kluwer Academic Publishers, Dordrecht, The Netherlands, 1998. [5] M. Koch, L. V. Mancini, and F. Parisi-Presicce. A formal model for role-based access control using graph transformation. In ESORICS �00: Proceedings of the 6th European Symposium on Research in Computer Security, pages 122�139, London, UK, 2000. Springer-Verlag. [6] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Foundations for a graph-based approach to the specification of access control policies. In FoSSaCS �01: Proceedings of the 4th International Conference on Foundations of Software Science and Computation Structures, pages 287�302, London, UK, 2001. Springer-Verlag. [7] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Conflict detection and resolution in access control policy specifications. In FoSSaCS �02: Proceedings of the 5th International Conference on Foundations of Software Science and Computation Structures, pages 223�237, London, UK, 2002. Springer-Verlag. [8] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Decidability of safety in graph-based models for access control. In ESORICS �02: Proceedings of the 7th European Symposium on Research in Computer Security, pages 229�243, London, UK, 2002. Springer-Verlag.

11. References (cont.) [9] M. Koch, L. V. Mancini, and F. Parisi-Presicce. A graph-based formalism for RBAC. ACM Trans. Inf. Syst. Secur., 5(3):332�365, 2002. [10] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Administrative scope in the graph-based framework. In SACMAT �04: Proceedings of the ninth ACM symposium on Access control models and technologies, pages 97�104, New York, NY, USA, 2004. ACM Press. [11] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Graph-based specification of access control policies. J. Comput. Syst. Sci., 71(1):1�33, 2005. [12] G. L. Nemhauser and L. A. Wolsey. Integer and Combinatorial Optimization. Wiley-Interscience Series in Discrete Mathematics and Optimization. Wiley, 1988. NEM g 88:1 P-Ex. [13] M. Nyanchama and S. Osborn. The role graph model and conflict of interest. ACM Trans. Inf. Syst. Secur., 2(1):3�33, 1999. [14] S. L. Osborn. Information flow analysis of an RBAC system. In SACMAT �02: Proceedings of the seventh ACM symposium on Access control models and technologies, pages 163�168, New York, NY, USA, 2002. ACM Press. [15] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Rolebased access control models. Computer, 29(2):38�47, 1996.