skip to main content
research-article

Valued Authorization Policy Existence Problem: Theory and Experiments

Published:09 July 2022Publication History
Skip Abstract Section

Abstract

Recent work has shown that many problems of satisfiability and resiliency in workflows may be viewed as special cases of the authorization policy existence problem (APEP), which returns an authorization policy if one exists and “No” otherwise. However, in many practical settings it would be more useful to obtain a “least bad” policy than just a “No,” where “least bad” is characterized by some numerical value indicating the extent to which the policy violates the base authorization relation and constraints. Accordingly, we introduce the Valued APEP, which returns an authorization policy of minimum weight, where the (non-negative) weight is determined by the constraints violated by the returned solution.

We then establish a number of results concerning the parameterized complexity of Valued APEP. We prove that the problem is fixed-parameter tractable (FPT) if the set of constraints satisfies two restrictions, but is intractable if only one of these restrictions holds. (Most constraints known to be of practical use satisfy both restrictions.) Our analysis is based on the novel concept of a user profile.

We also introduce a new type of resiliency problem in the context of workflow satisfiability, show how it can be addressed using Valued APEP, and use this to build a set of benchmark instances for Valued APEP. We describe two different formulations of this problem using mixed integer programming and report the results of computational experiments which solve the problem using these formulations as input to a general-purpose solver. Our results show that the formulation which employs the user profile concept, has FPT-like running time and usually significantly outperforms our naive formulation of the problem.

REFERENCES

  1. [1] Basin David A., Burri Samuel J., and Karjoth Günter. 2012. Optimal workflow-aware authorizations. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies. ACM, 93102.Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. [2] Bergé P., Crampton J., Gutin G., and Watrigant R.. 2020. The authorization policy existence problem. IEEE Trans. Depend. Secure Comput. 17, 6 (2020), 13331344.Google ScholarGoogle ScholarCross RefCross Ref
  3. [3] Bertino Elisa, Ferrari Elena, and Atluri Vijayalakshmi. 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2, 1 (1999), 65104.Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. [4] Bertolissi Clara, Santos Daniel Ricardo dos, and Ranise Silvio. 2015. Automated synthesis of run-time monitors to enforce authorization policies in business processes. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ACM, 297308.Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. [5] Bertolissi Clara, Santos Daniel Ricardo dos, and Ranise Silvio. 2018. Solving multi-objective workflow satisfiability problems with optimization modulo theories techniques. In Proceedings of the 23rd ACM on Symposium on Access Control Models and Technologies. ACM, 117128.Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. [6] Chen Liang and Crampton Jason. 2011. Risk-aware role-based access control. In Proceedings of the International Workshop on Security and Trust Management(Lecture Notes in Computer Science, Vol. 7170). Springer, 140156.Google ScholarGoogle Scholar
  7. [7] Cohen David, Crampton Jason, Gagarin Andrei, Gutin Gregory, and Jones Mark. 2014. Iterative plan construction for the workflow satisfiability problem. J. Artif. Intell. Res. 51 (2014), 555577. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  8. [8] Cohen David A., Cooper Martin C., Jeavons Peter, and Krokhin Andrei A.. 2005. Supermodular functions and the complexity of MAX CSP. Discret. Appl. Math. 149, 1–3 (2005), 5372. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  9. [9] Crampton Jason, Eiben Eduard, Gutin Gregory Z., Karapetyan Daniel, and Majumdar Diptapriyo. 2021. Valued authorization policy existence problem. In Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. ACM, 8394. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. [10] Crampton Jason, Gutin Gregory, and Watrigant Rémi. 2016. Resiliency policies in access control revisited. In Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies. ACM, 101111. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. [11] Crampton Jason, Gutin Gregory, and Yeo Anders. 2013. On the parameterized complexity and kernelization of the workflow satisfiability problem. ACM Trans. Inf. Syst. Secur. 16, 1 (2013), 4. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. [12] Crampton Jason, Gutin Gregory Z., and Karapetyan Daniel. 2015. Valued workflow satisfiability problem. In Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. ACM, 313.Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. [13] Crampton Jason, Gutin Gregory Z., Karapetyan Daniel, and Watrigant Rémi. 2017. The bi-objective workflow satisfiability problem and workflow resiliency. J. Comput. Secur. 25, 1 (2017), 83115.Google ScholarGoogle ScholarCross RefCross Ref
  14. [14] Cygan M., Fomin F. V., Kowalik L., Lokshtanov D., Marx D., Pilipczuk M., Pilipczuk M., and Saurabh S.. 2015. Parameterized Algorithms. Springer.Google ScholarGoogle ScholarCross RefCross Ref
  15. [15] Dimmock Nathan, Belokosztolszki András, Eyers David M., Bacon Jean, and Moody Ken. 2004. Using trust and risk in role-based access control policies. In Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. ACM, 156162.Google ScholarGoogle Scholar
  16. [16] Santos Daniel Ricardo dos, Ranise Silvio, Compagna Luca, and Ponta Serena Elisa. 2017. Automatically finding execution scenarios to deploy security-sensitive workflows. J. Comput. Secur. 54, 3 (2017), 255282.Google ScholarGoogle Scholar
  17. [17] Downey R. G. and Fellows M. R.. 2013. Fundamentals of Parameterized Complexity. Springer.Google ScholarGoogle ScholarCross RefCross Ref
  18. [18] Fong Philip W. L.. 2019. Results in workflow resiliency: Complexity, new formulation, and ASP encoding. In Proceedings of the ACM Conference on Data and Application Security and Privacy. ACM, 185196.Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. [19] Impagliazzo Russell and Paturi Ramamohan. 1999. Complexity of k-SAT. In Computational Complexity Conference. IEEE Computer Society, 237240.Google ScholarGoogle ScholarCross RefCross Ref
  20. [20] Jukna Stasys. 2001. Extremal Combinatorics—with Applications in Computer Science. Springer, Berlin.Google ScholarGoogle ScholarCross RefCross Ref
  21. [21] Karapetyan Daniel and Gutin Gregory. 2021. Solving the workflow satisfiability problem using general purpose solvers. arXiv:2105.03273 (2021).Google ScholarGoogle Scholar
  22. [22] Karapetyan Daniel, Parkes Andrew J., Gutin Gregory Z., and Gagarin Andrei. 2019. Pattern-based approach to the workflow satisfiability problem with user-independent constraints. J. Artif. Intell. Res. 66 (2019), 85122. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  23. [23] Kuhn Harold W.. 1956. Variants of the Hungarian method for assignment problems. Naval Res. Logist. Quart. 3, 4 (1956), 253258.Google ScholarGoogle ScholarCross RefCross Ref
  24. [24] Li N., Wang Q., and Tripunitara M. V.. 2009. Resiliency policies in access control. ACM Trans. Inf. Syst. Secur. 12, 4 (2009).Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. [25] Lokshtanov Daniel, Marx Dániel, and Saurabh Saket. 2011. Lower bounds based on the exponential time hypothesis. Bull. EATCS 105 (2011), 4172.Google ScholarGoogle Scholar
  26. [26] Mace John C., Morisset Charles, and Moorsel Aad P. A. van. 2014. Quantitative workflow resiliency. In Proceedings of the European Symposium on Research in Computer Security(Lecture Notes in Computer Science, Vol. 8712). Springer, 344361.Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. [27] Marinovic Srdjan, Dulay Naranker, and Sloman Morris. 2014. Rumpole: An introspective break-glass access control language. ACM Trans. Inf. Syst. Secur. 17, 1 (2014), 2:1–2:32.Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. [28] Petritsch Helmut. 2014. Break-Glass—Handling Exceptional Situations in Access Control. Springer.Google ScholarGoogle Scholar
  29. [29] Schaefer Thomas J.. 1978. The complexity of satisfiability problems. In Proceedings of the 10th Annual ACM Symposium on Theory of Computing (STOC’78). Association for Computing Machinery, New York, NY, 216226. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. [30] Wang Q. and Li N.. 2010. Satisfiability and resiliency in workflow authorization systems. ACM Trans. Inf. Syst. Secur. 13, 4 (2010), 40.Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. [31] Zavatteri M. and Vigano L.. 2019. Last man standing: Static, decremental and dynamic resiliency via controller synthesis. J. Comput. Secur. 27, 3 (2019), 343373.Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Valued Authorization Policy Existence Problem: Theory and Experiments

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image ACM Transactions on Privacy and Security
        ACM Transactions on Privacy and Security  Volume 25, Issue 4
        November 2022
        330 pages
        ISSN:2471-2566
        EISSN:2471-2574
        DOI:10.1145/3544004
        Issue’s Table of Contents

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 9 July 2022
        • Online AM: 21 April 2022
        • Accepted: 1 March 2022
        • Revised: 1 January 2022
        • Received: 1 July 2021
        Published in tops Volume 25, Issue 4

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • research-article
        • Refereed
      • Article Metrics

        • Downloads (Last 12 months)113
        • Downloads (Last 6 weeks)9

        Other Metrics

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Full Text

      View this article in Full Text.

      View Full Text

      HTML Format

      View this article in HTML Format .

      View HTML Format
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!