Using Alloy to analyse a spatio-temporal access control model supporting delegation

M. Toahchoodee, I. Ray
2009 IET Information Security  
Pervasive computing applications use the knowledge of the environment to provide better services and functionality to the end user. Access control for such applications needs to use contextual information. Towards this end, we proposed an access control model based on RBAC that uses the environmental contexts time and location to determine whether a user can get access to some resource. The model also supports delegation, which is important for dynamic applications where a user is unavailable and permissions may have to be transferred temporarily to another user/role in order to complete a specific task. Such a model typically has numerous features to support the requirements of various applications. The features may interact in subtle ways to produce conflicts. Here, we propose an automated approach using Alloy for detecting such conflicts. Alloy is supported by a software infrastructure that allows automated analysis of models and has been used to verify industrial applications. The results obtained from the analysis will enable the users of the model to make informed decisions.

This work was supported in part by AFOSR under contract number FA9550-07-1-0042.

a room and it to be disabled when he leaves the room. Pervasive computing applications are dynamic in nature and the set of users and resources is not known in advance. It is possible that a user/role for doing a specific task is temporarily unavailable and another user/role must be granted access during this time to complete it. This necessitates that the model be able to support delegation. Moreover, different types of delegation need to be supported because of the unpredictability of the application. In an earlier work [24], we proposed a formal access control model for pervasive computing applications. Since RBAC is policy-neutral, simplifies access management, and is widely used by commercial applications, we based our work on it. We extended RBAC to incorporate environmental contexts, such as time and location. We also described the different types of delegation that are supported by our model. Some of these are constrained by temporal and spatial conditions. We also showed how spatio-temporal information is used for making access decisions. The various features supported by the model were specified using logical constraints. These features often interact in subtle ways, resulting in inconsistencies and conflicts.
Consequently, it is important to analyze and understand these interactions before such models can be widely deployed. Manual analysis is tedious and error-prone. Analyzers based on theorem proving are hard to use, require expertise, and need manual intervention. Model checkers are automated but are limited by the size of the system they can verify. In this paper, we advocate the use of Alloy [14], which supports automated analysis, for checking access control models. Alloy is a modeling language capable of expressing complex structural constraints and behavior. Moreover, it has been successfully used in the modeling and analysis of real-world systems [11, 30]. Alloy is supported by an automated constraint solver called the Alloy Analyzer, which searches instances of the model to check for satisfaction of system properties. The model is automatically translated into a Boolean expression, which is analyzed by SAT solvers embedded within the Alloy Analyzer. A user-specified scope on the model elements bounds the domain, making it possible to create finite Boolean formulas that can be evaluated by the SAT solver. When a property does not hold, a counterexample is produced that demonstrates how it has been violated. This paper illustrates how the spatio-temporal role-based access control model supporting delegation can be specified and analyzed using Alloy. The analysis demonstrates the features of the model that may conflict with each other.

The rest of the paper is organized as follows. Section 2 describes the related work. Section 3 shows the relationship of each component of Core RBAC with time and location. Sections 4, 5, 6 and 7 propose the different types of hierarchies, separation of duty constraints, and delegation that we can have in our model. Section 8 discusses how the model can be analyzed using Alloy. Section 9 concludes the paper with some pointers to future directions.
Related Work

Location-based access control has been addressed in other works not pertaining to RBAC [12, 18, 20]. Atluri and Chun [2, 3] proposed the Geospatial Data Authorization Model (GSAM), which is an authorization model for geospatial information. The requester can get access to geospatial information provided his credentials and time of access match the credential and temporal expressions defined in the authorization policy. Ardagna et al. [1] present the Location-

t y, that is, senior role x has a time-restricted permission-inheritance relation over junior role y, then x inherits y's permissions together with the temporal constraints associated with the permission. The counterexample shows one violation instance: instantiating rdtr, rdte, p, q, d, and l in the r2rUPD and W SSoD PRA predicates with Role0, Role1, Permission0, Permission1, d and l respectively, we get the violation. We checked the assertion on an HP-xw4400-Core2Duo-SATA with two Core2Duo 1.86 GHz CPUs and 2 GB of memory running 64-bit Linux. We used Alloy Analyzer version 4.1.2. The time taken to check this assertion was 20,572 ms. We created assertions and tested for other sources of conflicts. Our analysis revealed various types of conflicts. Examples include conflicts of the permission-inheritance hierarchy with SSoD constraints, the activation hierarchy with DSoD constraints, role delegation with DSoD constraints, and permission delegation with SSoD permission-role assignments.

Conclusion and Future Work

Traditional access control models which do not take into account environmental factors before making access decisions may not be suitable for pervasive computing applications. Towards this end, researchers have proposed spatio-temporal role-based access control models. However, such models have numerous features restricted by spatio-temporal constraints that may interact, producing conflicts and inconsistencies. We have shown how such a spatio-temporal model
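The first conflict listed above, permission inheritance against an SSoD constraint on permission-role assignment, reduced to a minimal Alloy model. This is an added illustration, not the paper's specification: the signature and field names (Role, Permission, junior, assigned, SSoD, conflicts) are assumed, and the paper's temporal and spatial restrictions on the inheritance relation are omitted.

```alloy
-- Added illustration (not the paper's model): a permission-inheritance hierarchy
-- versus a static separation-of-duty (SSoD) constraint stated over direct
-- permission-role assignment. All names below are assumed for this example.
sig Permission {}

sig Role {
  assigned : set Permission,   -- permissions directly assigned to this role
  junior   : set Role          -- roles whose permissions this role inherits
}

-- The hierarchy is acyclic: no role is (transitively) its own junior.
fact Acyclic { no r : Role | r in r.^junior }

-- Effective permission set of a role: its own plus those of every junior,
-- transitively (reflexive transitive closure of junior).
fun holds [r : Role] : set Permission { (r.*junior).assigned }

-- SSoD: a symmetric, irreflexive relation of mutually exclusive permissions.
one sig SSoD { conflicts : Permission -> Permission }
fact ConflictsWellFormed {
  SSoD.conflicts = ~(SSoD.conflicts)
  no (iden & SSoD.conflicts)
}

-- The SSoD rule as written over DIRECT assignment only (the weak form).
fact SSoDOnDirectAssignment {
  no r : Role, p : r.assigned | some (p.(SSoD.conflicts) & r.assigned)
}

-- Claim to check: inheritance never lets one role hold two conflicting
-- permissions at once.
assert InheritanceRespectsSSoD {
  no r : Role, p : holds[r] | some (p.(SSoD.conflicts) & holds[r])
}

-- The Analyzer refutes this within a small scope, e.g. Role0 directly assigned
-- Permission0, its junior Role1 assigned Permission1, and the two permissions
-- in conflict: every direct assignment is legal, yet holds[Role0] has both.
check InheritanceRespectsSSoD for 3
```

Restating the SSoD fact over holds[r] instead of r.assigned makes the check pass, which is the kind of modelling decision the analysis is meant to inform.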
doi:10.1049/iet-ifs.2008.0074