The Creation Of Access Control Systems

02 Nov 2017

Abstract

The recent advances in mobile computing and other technologies involved in remote access to resources have prompted an urgent need for the creation of Access Control systems that take into consideration the location of the user and the time of access. In order to be adaptable to the requirements of such applications and technologies, with both spatial and temporal constraints, researchers have proposed several Spatio-Temporal Access Control models. These models are very large and complex and have numerous features that interact in subtle ways. As a consequence, it is possible that the interaction between the STRBAC features results in inconsistency. Such an inconsistency may be caused by a wrong specification, resulting in an incorrect implementation of the system, or it may be inherent to the system. In both cases, it is crucial that these issues are resolved prior to the development of the system. Therefore, the need arises to analyse the specification of such systems prior to implementing them.

This thesis first utilises two automated methods, Alloy and Timed Automata, to analyse access control specifications in the context of Spatio-Temporal Role Based Access Control (STRBAC). More specifically, it employs Model Driven Architecture (MDA) technology to achieve an automated transformation of the STRBAC model to Alloy, and of the STRBAC model to Timed Automata and Timed Computation Tree Logic (TCTL). This is accomplished by providing formal algebraic notations of the STRBAC model to specify its components, and by defining one set of transformation rules to map STRBAC features to Alloy features and another set to map STRBAC features to Timed Automata and TCTL features. Details of our implementation of the model transformation in the SiTra transformation engine and a number of case studies are also presented.

The second part of the thesis presents a comparative study between Alloy and Timed Automata from the capability and performance points of view. In the last part of the thesis we present an extension of the STRBAC model to consider the physical aspect of Access Control systems. This is described with the help of a case study.

CHAPTER 1

INTRODUCTION

Introduction

Information is a valuable asset for most businesses. In today's highly competitive business environment, information assets need to be protected from unauthorised access. The disclosure of highly sensitive information about a company's customers, strategic plans or products to a competitor could not only lead to huge financial loss, loss of reputation and legal liability, but also gives the competitor the opportunity to leapfrog the company [2]. The competitor does not need to incur the financial burden or the time involved in research and development. They also have the opportunity to evolve counter-strategies to a company's plans before the company even implements them. Such disclosure of critical information is almost impossible to recover from [2]. Therefore, organisations have evolved various procedures and systems aimed at protecting information assets from both internal and external threats [1]. These procedures and systems are often known collectively as information security. The main goal of information security is to ensure the Confidentiality, Integrity, Availability and Assurance of information assets [61].

Confidentiality: Ensures that unauthorised users cannot access information resources. There are several approaches that can be used to achieve this, such as cryptography and access control.

Integrity: Ensures the information is available to authorised users.

Availability: The ability of authorised users to access information resources when they need or request them. It is concerned with the prevention of denial of service attacks.

Assurance: Security assurance is the degree of confidence in the security of the system with respect to predefined security goals.

To summarise, one can say that the objective of information security is to deny access to information resources to unauthorised users whilst making them available to authorised users. This should be done in a manner that does not adversely affect the business of the organisation [2]. The availability of information resources is one area in which organisations have invested heavily. One of the technologies that organisations have used to achieve this is Access Control systems.

Access Control is one of the key stages in computer security, as it provides a means to control which entities in an information system have access to which resources and what the nature of such access is [4, 5]. By making information resources available only to authorised users, the mechanism ensures that information is always available to those permitted to access it. Many models have been developed to construct and manage access control systems that organisations can deploy to meet their information security needs, such as Mandatory Access Control (MAC) [7], Discretionary Access Control (DAC) [8, 9] and Role Based Access Control (RBAC) [3, 5, 10, 11].

Among these models, the Role Based Access Control (RBAC) model is receiving increasing attention as a generalised approach to access control [3, 5, 10, 11]. A study carried out by NIST [3] shows that in many organisations the access control decision is based on a user's role and responsibilities within the organisation, making the Role Based Access Control approach a natural fit for expressing security requirements. In [60], Clark et al. demonstrate that the traditional MAC and DAC models do not sufficiently address the various security requirements of many organisations. The RBAC model can significantly simplify security administration. For instance, if a person moves to a new job in the organisation, he/she need only be assigned to the new role and removed from the earlier role, whereas in the absence of an RBAC model each of his/her old privileges must be revoked and each new privilege granted individually. In the RBAC model, roles can be structured into hierarchies to capture organisational functional hierarchies. A role hierarchy means that a senior role in an organisation inherits the permissions of the junior role. A role hierarchy can considerably decrease the number of explicit permission assignments to a role and therefore significantly reduce the administration overhead. Another important feature of the RBAC model is that it allows a variety of Separation of Duty constraints to be expressed, which is beneficial in many applications. Separation of Duty constraints help to reduce the risk of allowing a person to hold conflicting roles, or of a role being assigned conflicting permissions. Moreover, the RBAC model is policy-neutral [3, 11]. More specifically, by appropriately configuring a role-based system, one can support various policies, including both MAC and DAC policies [5]. Such flexibility of the RBAC model is very important, as it can be adapted to support the access control requirements of enterprise-wide security administration and enforcement.

With the growth of wireless networks, mobile devices and other technologies involved in remote access to resources, we are moving towards an era in which contextual information such as spatial and temporal information will be essential for access control [12, 20, 24, 63]. For instance, a part-time PhD student in a university may be authorised to access the university electronic library only from the university campus and only during a specific period of time (e.g. January, February and March) every year. If the part-time PhD student is represented by a role, enforcing such a rule requires that the part-time PhD student assume the role only in that time interval and only at the university campus. The part-time PhD student role may be further restricted to pre-specified days and hours within the active period. Traditional access control models such as RBAC cannot provide such spatio-temporal access control; they need to be augmented before they are capable of providing spatio-temporal access control.

In order to support spatio-temporal access control, Ray and Toahchoodee [12, 13] and other researchers [65, 66, 67] have proposed several Spatio-Temporal RBAC models, which are extensions of standard RBAC. The Spatio-Temporal Role Based Access Control (STRBAC) model [12] is an example of these models. STRBAC enhances the traditional RBAC model by attaching time and location conditions to the RBAC entities, relationships and constraints. In this model, roles are assigned to users subject to time and location constraints, and permissions are likewise assigned to roles subject to time and location constraints. In addition, the role hierarchy, the Separation of Duty constraints and the cardinality constraints are all time and location dependent. Augmenting the traditional RBAC model with both time and location information increases the complexity of Access Control models even further. As a consequence, this increases the possibility of contradictory statements in the Access Control specification. Such statements are commonly known as inconsistencies. An inconsistency can be caused by an error in the specification, resulting in an incorrect implementation of the system. On the other hand, it could be the case that the stakeholders of the system are imposing conflicting demands. In both cases, it is crucial that these conflicts are resolved prior to the development of the system. Therefore, the need arises to analyse the specification of such systems prior to implementing them. However, due to the complexity and size of modern systems, the discovery of such inconsistencies is a formidable task and cannot be carried out manually.

Another important issue with STRBAC is that an STRBAC specification may itself be consistent, yet a minor change to it, such as choosing an unsuitable allocation of users to roles, can make it inconsistent. We refer to this as semi-consistency in the specification [16]. A semi-consistency is a special case in which the inconsistency can be avoided if the assignment of users to roles is controlled. If we can identify such scenarios, then we can take pre-emptive action by adding constraints that prevent such changes to the specification. These scenarios could pose dangerous security issues that could even cause the downfall of the organisation. It is therefore essential to analyse STRBAC models to identify the semi-consistencies in their specifications.
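To make the time- and location-dependent assignments and the notion of semi-consistency concrete, the following is an added example written for this page; it is not code from the thesis or from its AC2Alloy/AC2Uppaal tools. The roles, permissions, months and locations are constructed sample data, and the brute-force search over role pairs stands in for the SAT-based or model-checking analysis the thesis automates.

```python
# Added example (not from the thesis): a minimal STRBAC policy evaluator with
# time- and location-dependent role enabling and role-permission assignment,
# plus a search for "semi-consistencies": user-role allocations that would let
# a spatio-temporal Separation-of-Duty (SoD) constraint be violated.
# All role, permission, month and location names are constructed sample data.
from itertools import combinations

MONTHS = range(1, 13)
LOCATIONS = {"campus", "home"}

# role -> set of (month, location) points at which the role may be activated
ROLE_ENABLED = {
    "part_time_phd": {(m, "campus") for m in (1, 2, 3)},
    "librarian":     {(m, "campus") for m in MONTHS},
    "auditor":       {(m, loc) for m in MONTHS for loc in LOCATIONS},
}
# role -> permission -> set of (month, location) points at which it is granted
ROLE_PERMS = {
    "part_time_phd": {"read_elibrary": {(m, "campus") for m in (1, 2, 3)}},
    "librarian":     {"read_elibrary":  {(m, "campus") for m in MONTHS},
                      "edit_catalogue": {(m, "campus") for m in MONTHS}},
    "auditor":       {"read_elibrary": {(m, loc) for m in MONTHS for loc in LOCATIONS}},
}
# spatio-temporal SoD: these roles must never both be active at the listed points
SOD = [({"librarian", "auditor"}, {(m, "campus") for m in MONTHS})]

def active_roles(user_roles, month, loc):
    """Roles the user can activate at (month, loc): assigned AND enabled there."""
    return {r for r in user_roles if (month, loc) in ROLE_ENABLED[r]}

def can_access(user_roles, perm, month, loc):
    """True if some role active at (month, loc) carries perm at that same point."""
    return any((month, loc) in ROLE_PERMS[r].get(perm, set())
               for r in active_roles(user_roles, month, loc))

def sod_violations(user_roles):
    """(roles, point) pairs where this user could hold both conflicting roles at once."""
    out = []
    for roles, points in SOD:
        if roles <= set(user_roles):
            for p in sorted(points):
                if roles <= active_roles(user_roles, *p):
                    out.append((tuple(sorted(roles)), p))
    return out

def semi_consistencies():
    """Role pairs that are each fine alone but unsafe to allocate to a single user."""
    return sorted(pair for pair in combinations(sorted(ROLE_ENABLED), 2)
                  if sod_violations(pair))
```

A policy with no user holding both `librarian` and `auditor` is consistent; `semi_consistencies()` reports that allocating both to one user would be the "minor change" that breaks it, which is the scenario a pre-emptive constraint should rule out.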

Currently Alloy [20, 21, 22] and Timed Automata [23, 24] are widely used for modelling and analysing Access Control specifications. This is because both are supported by automatic model checkers capable of checking a sufficient number of constraints to detect erroneous designs. For example, Alloy is supported by a tool called the Alloy Analyser. The Analyser is an automated constraint solver that transforms Alloy code into Boolean expressions and performs the analysis with its embedded SAT solvers. Timed Automata, on the other hand, are supported by the model checker Uppaal [25]. Uppaal allows the verification of properties expressed in the Uppaal Requirement Specification Language. This language is a subset of Timed Computation Tree Logic (TCTL), in which the primitive expressions are location names, variables and clocks from the modelled system.

The main thesis of this research is to use both methods, Alloy and Timed Automata, to specify and analyse Access Control specifications in the context of Spatio-Temporal Role Based Access Control, and then to conduct a comparative study between the two methods from a capability and performance point of view. The comparison is based on a case study of a SECURE Bank system taken from [29].

Typically, the transformation between Access Control specifications and formal methods such as Alloy or Timed Automata has been done manually. This process, however, is prone to human error and time consuming. There is also a problem of scale: as systems grow in size, manual generation of formal models becomes extremely difficult, if not infeasible. It is therefore useful to have an automated tool that extracts a formal model from the system specification for formal analysis. The Object Management Group's Model Driven Architecture (MDA) methodology makes it possible to generate one model from another [26]. Therefore, in this thesis we propose two MDA transformations to automate the transformation of STRBAC specifications into Alloy and into Timed Automata for the purpose of analysis. More precisely, the first approach, AC2Alloy [27], automates the transformation of STRBAC specifications into Alloy, thus allowing powerful analysis to be carried out via the Alloy Analyser, whereas the second, AC2Uppaal [28], transforms STRBAC specifications into Timed Automata and TCTL [88] statements; the produced Timed Automata network and TCTL statements are then modelled and verified using the model checker Uppaal. The proposed approaches are used to identify inconsistencies and semi-consistencies in the specification that might be caused by the interaction between STRBAC features. They can be used in the early phases of Access Control system development to ensure the consistency of the specifications. We have evaluated our approaches using a case study of a SECURE Bank system taken from [29].

Although the STRBAC model is very useful for providing a high-level description of Access Control, especially in Cyber Access Control (CAC) systems where time and location information are required to grant or deny access to resources, it does not provide a complete solution for all access control issues. This is because we have found that the existing Access Control models, including the STRBAC model, are not adequate to represent the physical aspect of Access Control systems. One of the serious limitations of the existing Access Control models that we came across when trying to model a Physical Access Control (PAC) mechanism used by British Telecom (BT) is the representation of locations. The current models deal with logical location, which may not be suitable for Physical Access Control specifications. For instance, this thesis will argue that logical location and physical location are different, in particular when dealing with hierarchy. Therefore, extending the current models to overcome such limitations is very important, because such an extension will assist system designers in creating correct Access Control specifications that support the physical aspect of Access Control. As a result, this thesis proposes a new extension of Spatio-Temporal Role Based Access Control for Physical Systems [30] to overcome such limitations. This involves introducing a graph capturing physical access to geographical locations and buildings. The approach is described with the help of a case study provided by our industrial partner British Telecom (BT). An overview of the proposed approach is presented in the next section.
