Abstract
Access control policies are crucial in securing data in information systems. Unfortunately, such policies are often poorly documented, and gaps between their specification and implementation prevent the system's users, and even its developers, from understanding the overall enforced policy of a system. To tackle this problem, we propose the first systematic approach of its kind for learning the enforced authorizations from a target system by interacting with and observing it as a black box. The black-box view of the target system provides the advantage of learning its overall access control policy without dealing with its internal design complexities. Furthermore, compared to the previous literature on policy mining and policy inference, we avoid exhaustive exploration of the authorization space by minimizing our observations. We focus on learning relationship-based access control (ReBAC) policies, and show how we can construct a deterministic finite automaton (DFA) to formally characterize such an enforced policy. We theoretically analyze our proposed learning approach by studying its termination, correctness, and complexity. Furthermore, we conduct extensive experimental analysis based on realistic application scenarios to establish its cost, quality of learning, and scalability in practice.
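To make the idea of a DFA characterizing an enforced ReBAC policy concrete, here is an added example (not code from the paper). It assumes a policy word is the sequence of relationship labels on a path from the resource owner to the requester; `DFA`, `GRAPH` and `black_box` are hypothetical, constructed stand-ins for a learned hypothesis, a social graph and the target system.

```python
from collections import deque
from itertools import product

# Constructed hypothesis: permit "friend", "friend friend" or "colleague".
DFA = {
    "start": "q0",
    "accept": {"q1", "q2"},
    "delta": {("q0", "friend"): "q1", ("q1", "friend"): "q2",
              ("q0", "colleague"): "q2"},
}
# Constructed relationship graph: user -> [(label, neighbour), ...]
GRAPH = {
    "alice": [("friend", "bob"), ("colleague", "dana")],
    "bob": [("friend", "carol")],
    "carol": [("friend", "erin")],
}

def accepts(dfa, labels):
    state = dfa["start"]
    for label in labels:
        state = dfa["delta"].get((state, label))
        if state is None:  # missing transition acts as a rejecting sink
            return False
    return state in dfa["accept"]

def authorized(graph, dfa, owner, requester):
    """Permit if some owner-to-requester path spells a word the DFA accepts.
    BFS over (user, DFA state) pairs, so cycles in the graph terminate."""
    seen = {(owner, dfa["start"])}
    queue = deque(seen)
    while queue:
        user, state = queue.popleft()
        if user == requester and state in dfa["accept"]:
            return True
        for label, neighbour in graph.get(user, []):
            nxt = dfa["delta"].get((state, label))
            if nxt is not None and (neighbour, nxt) not in seen:
                seen.add((neighbour, nxt))
                queue.append((neighbour, nxt))
    return False

def black_box(labels):
    """Constructed stand-in for the target system's permit/deny answer."""
    return tuple(labels) in {("friend",), ("friend", "friend"), ("colleague",)}

def disagreements(dfa, oracle, alphabet, max_len):
    """Bounded check: label sequences where hypothesis and system differ."""
    return [w for n in range(max_len + 1)
            for w in product(alphabet, repeat=n)
            if accepts(dfa, w) != oracle(w)]
```

A non-empty result from `disagreements` is a counterexample showing that the hypothesis DFA does not yet match the enforced policy; the bounded check is a generic conformance test, not the paper's learning procedure.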
Index Terms
Learning Relationship-Based Access Control Policies from Black-Box Systems