DOI

Attribute Based Access Control (ABAC) is becoming the reference model for the specification and evaluation of access control policies. In ABAC policies and access requests are defined in terms of pairs attribute names/values. The applicability of an ABAC policy to a request is determined by matching the attributes in the request with the attributes in the policy. Some languages supporting ABAC, such as PTaCL or XACML 3.0, take into account the possibility that some attributes values might not be correctly retrieved when the request is evaluated, and use complex decisions, usually describing all possible evaluation outcomes, to account for missing attributes. In this paper, we argue that the problem of missing attributes in ABAC can be seen as a non-deterministic attribute retrieval process, and we show that the current evaluation mechanism in PTaCL or XACML can return a complex decision that does not necessarily match with the actual possible outcomes. This, however, is problematic for the enforcing mechanism, which needs to resolve the complex decision into a conclusive one. We propose a new evaluation mechanism, explicitly based on non-deterministic attribute retrieval for a given request. We extend this mechanism to probabilistic attribute retrieval and implement a probabilistic policy evaluation mechanism for PTaCL in PRISM, a probabilistic model-checker.

Original languageEnglish
Title of host publicationSACMAT 2015 - Proceedings of the 20th ACM Symposium on Access Control Models and Technologies
PublisherAssociation for Computing Machinery (ACM)
Pages99-109
Number of pages11
Volume2015-June
ISBN (Electronic)9781450335560
DOIs
StatePublished - 1 Jun 2015
Event20th ACM Symposium on Access Control Models and Technologies, SACMAT 2015 - Vienna, Austria

Conference

Conference20th ACM Symposium on Access Control Models and Technologies, SACMAT 2015
CountryAustria
CityVienna
Period1/06/153/06/15

    Research areas

  • Missing attribute, Policy evaluation, Probabilistic model-checking, PTaCL

ID: 32864324