
Learning Relationship-Based Access Control Policies from Black-Box Systems

Published: 19 May 2022

Abstract

Access control policies are crucial in securing data in information systems. Unfortunately, such policies are often poorly documented, and gaps between their specification and implementation prevent the system users, and even its developers, from understanding the overall enforced policy of a system. To tackle this problem, we propose the first systematic approach of its kind for learning the enforced authorizations from a target system by interacting with and observing it as a black box. The black-box view of the target system provides the advantage of learning its overall access control policy without dealing with its internal design complexities. Furthermore, compared to the previous literature on policy mining and policy inference, we avoid exhaustive exploration of the authorization space by minimizing our observations. We focus on learning relationship-based access control (ReBAC) policies, and show how we can construct a deterministic finite automaton (DFA) to formally characterize such an enforced policy. We theoretically analyze our proposed learning approach by studying its termination, correctness, and complexity. Furthermore, we conduct extensive experimental analysis based on realistic application scenarios to establish its cost, quality of learning, and scalability in practice.


Published in

ACM Transactions on Privacy and Security, Volume 25, Issue 3
August 2022
288 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3530305


Publisher

Association for Computing Machinery, New York, NY, United States

        Publication History

        • Published: 19 May 2022
        • Accepted: 1 February 2022
        • Revised: 1 January 2022
        • Received: 1 August 2021


        Qualifiers

        • research-article
        • Refereed
