Inter-domain Role Mapping and Least Privilege Liang Chen Jason - - PowerPoint PPT Presentation

Inter-domain Role Mapping and Least Privilege

Liang Chen Jason Crampton

Information Security Group, Royal Holloway, University of London

12th ACM Symposium on Access Control Models and Technologies

IDRM and Least Privilege · Introduction

RBAC96

• The RBAC96 family of models define a number of basic

components – A set of users U – A partially ordered set of roles RH ⊆ R × R – A set of permissions P – A user-role assignment relation UA ⊆ U × R – A set of sessions S – A permission-role assignment relation PA ⊆ P × R

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · Introduction

Inter-domain role mapping (IDRM) problem

• Given a set of requested permissions Q ⊆ P, find the minimal set
• f roles R′ ⊆ R such that Auth(R′) = Q (Du and Joshi,

SACMAT, 2006)

• The IDRM problem is not well defined for at least two reasons

– There may be several sets R1, . . . , Rk such that Auth(Ri) = Q, i = 1, . . . , k – There may not exist R′ ⊆ R such that Auth(R′) = Q

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · Introduction

Motivating example

• Given Q

= {p2, p3, p4, p5}, then {r2, r4} and {r3, r4} are both mini- mal solutions

• Given Q = {p2, p3, p4}, what is the

appropriate solution for the IDRM problem? – Auth({r3}) = {p2, p3} – Auth({r3, r4}) = {p2, p3, p4, p5} t

r1

tr2 tr3 tr4 t

p1

t

p2

t

p3

t

p4

t

p5

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · Introduction

Our motivation

We want to formulate the IDRM problem more accurately in terms

• f availability and safety
• Availability and least privilege

– Auth(R′) ⊇ Q – |Auth(R′)| is minimized – |R′| is minimized

• Safety

– Auth(R′) ⊆ Q – |Auth(R′)| is maximized – |R′| is minimized

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · Introduction

Outline

• Weighted set cover problem and greedy algorithm
• An availability approach to IDRM
• A safety approach to IDRM
• Conclusion and future work

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · Weighted set cover problem

Set cover optimization problem

• Given a universe U and a collection C of subsets of U whose

union is U, find a subset D ⊆ C such that U =

• D∈D

D and |D| is minimized

• Let U = {1, 2, 3, 4, 5, 6}, and

C = {{1, 2}, {1, 3}, {1, 4}, {1, 5}, {1, 6}, {1, 2, 3}, {3, 4, 5}} – Then {{1, 2, 3}, {3, 4, 5}, {1, 6}} is a solution of the set cover

• ptimization problem

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · Weighted set cover problem

Weighted set cover problem

• Given a universe U, a collection C of subsets of U whose union is

U, and a weight function w : C → R+, find a subset D ⊆ C such that U =

• D∈D

D and

• D∈D

w(D) is minimized

• The set covering optimization problem is an instance of the

weighted set cover problem in which w(C) = 1 for all C ∈ C

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · Weighted set cover problem

Greedy algorithm

• The weighted set cover problem is NP-hard
• There exists a greedy algorithm that provides good approximate

solutions – Let Ai−1 ⊆ U denotes the set of elements that remain uncovered at the (i − 1)th iteration (A0 = U) – At the ith iteration, Ci ∈ C is selected such that

w(Ci) |Ci∩Ai−1| is

minimized

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · An availability approach to IDRM

Basic idea

• Recall that we want to ensure that Auth(R′) ⊇ Q, and

|Auth(R′)| and |R′| are minimized

• We compute RQ = {r ∈ R : Auth(r) ∩ Q = ∅}
• We map the IDRM problem to the weighted set cover problem

– Q is contained in the union of Auth(r), r ∈ RQ – We select a subset of RQ minimizing the choices from r ∈ RQ where Auth(r) contains a permission that is not in Q

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · An availability approach to IDRM

The weight function

• We define the weight function w : RQ → R+, where

w(r) = |Auth(r)| · |Auth(r) \ Q| + 1 |Q| – If Auth(r) ⊆ Q, then |Auth(r) \ Q = ∅| and w(r) = 1/|Q| – In contrast, roles that “step outside” Q have a much greater weight

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · An availability approach to IDRM

The algorithm

• Given a set of permissions Q, a collection of subsets

{Auth(r) : r ∈ RQ}, and a weight function w : RQ → R+, find R′

Q ⊆ RQ such that

• r∈R′

Q

Auth(r) ⊇ Q and

• r∈R′

Q

w(r) is minimized

• We modify the greedy algorithm to compute an approximate

solution for the IDRM problem – Let Ai−1 ⊆ Q denote the set of elements remain uncovered – At the ith iteration, we choose r such that Ai−1 ∩ Auth(r) = ∅ and γ(r) =

w(r) |Ai−1∩Auth(r)| is minimized

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · An availability approach to IDRM

An example

• Given

Q = {p2, p3, p4}, then RQ = {r1, r2, r3, r4}, w(r1) = 31

3 ,

w(r2) = w(r3) = 1

3, w(r4) = 10 3

• The first iteration of the greedy al-

gorithm selects r3 since γ(r3) = 1

6,

and then selects r4, at which point the algorithm terminates

• The solution {r3, r4} is an optimal

solution for the IDRM problem (at least with respect to availability)

• The algorithm does not necessarily

compute an optimal solution (see proceedings) t

r1

tr2 tr3 tr4 t

p1

t

p2

t

p3

t

p4

t

p5

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · A safety approach to IDRM

Basic idea

• Recall that we want to ensure that Auth(R′) ⊆ Q, |Auth(R′)| is

maximized, and |R′| is a minimized

• Given Q ∈ P, we compute RQ = {r ∈ R : Auth(r) ⊆ Q}
• Given RQ, Q′ = Auth(RQ) ⊆ Q and {Auth(r) : r ∈ RQ}, find

R′

Q ⊆ RQ such that

• r∈R′

Q

Auth(r) = Q′ and |R′

Q|

is minimized

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · A safety approach to IDRM

Solution

• We simply map the standard set covering optimization problem

to the IDRM problem (defined in terms of safety)

• The greedy algorithm is applied to compute R′

Q, and the weight

w(r) is 1 for all r

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · A safety approach to IDRM

An example

• Given Q = {p2, p3, p4}, then RQ =

{r2, r3} and Q′ = {p2, p3}

• The first iteration of the greedy al-

gorithm selects r3 since γ(r3) = 1

2,

at which point the algorithm ter- minates – Auth(r3) = {p2, p3} ⊆ Q – The solution {r3} is an optimal solution for the IDRM problem (in terms of safety) t

r1

tr2 tr3 tr4 t

p1

t

p2

t

p3

t

p4

t

p5

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · Conclusion and future work

Conclusion and future work

• We examined the IDRM problem from two different perspectives

– Availability and least privilege – Safety – The greedy algorithm for the weighted set cover problem computes an approximate solution to the IDRM problem but might not return an optimal solution for availability

• We also examine these problem in the context of ERBAC07,

TRBAC07 and ETRBAC07 (see proceedings)

• We would like to see if there are other heuristics for the

availability problem and to compare these alternatives with the weighted set cover greedy algorithm

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton

IDRM and Least Privilege · Questions

Questions

12th ACM Symposium on Access Control Models and Technologies Liang Chen · Jason Crampton