Policy Management Using Access Control Spaces

Trent Ray Jaeger, Xiaolan Zhang, Antony Edwards

Research output: Contribution to journal › Article

54 Citations (Scopus)

Abstract

We present the concept of an access control space and investigate how it may be useful in managing access control policies. An access control space represents the permission assignment state of a subject or role. For example, the set of permissions explicitly assigned to a role defines its specified subspace, and the set of constraints precluding assignment to that role defines its prohibited subspace. In analyzing these subspaces, we identify two problems: (1) often a significant portion of an access control space has unknown assignment semantics, which indicates that the policy is underspecified; and (2) often high-level assignments and constraints that are easily understood result in conflicts, where resolution often leads to significantly more complex specifications. We have developed a prototype system, called Gokyo, that computes access control spaces. Gokyo identifies the unknown subspace to assist system administrators in developing more complete policy specifications. Also, Gokyo identifies conflicting subspaces and enables system administrators to resolve conflicts in a variety of ways in order to preserve the simplicity of constraint specification. We demonstrate Gokyo by analyzing a Web server policy example and examine its utility by applying it to the SELinux example policy. Even for the extensive SELinux example policy, we find that only eight additional expressions are necessary to resolve Apache administrator policy conflicts.

Original language: English (US)
Pages (from-to): 327-364
Number of pages: 38
Journal: ACM Transactions on Information and System Security
Volume: 6
Issue number: 3
DOIs: 10.1145/937527.937528
State: Published - Aug 1 2003

Fingerprint

Access control
Specifications
State assignment
Servers
Semantics

All Science Journal Classification (ASJC) codes

  • Computer Science(all)
  • Safety, Risk, Reliability and Quality

Cite this

Jaeger, Trent Ray ; Zhang, Xiaolan ; Edwards, Antony. / Policy Management Using Access Control Spaces. In: ACM Transactions on Information and System Security. 2003 ; Vol. 6, No. 3. pp. 327-364.
@article{08d364279e15423f9d45cc64c395eca5,
title = "Policy Management Using Access Control Spaces",
abstract = "We present the concept of an access control space and investigate how it may be useful in managing access control policies. An access control space represents the permission assignment state of a subject or role. For example, the set of permissions explicitly assigned to a role defines its specified subspace, and the set of constraints precluding assignment to that role defines its prohibited subspace. In analyzing these subspaces, we identify two problems: (1) often a significant portion of an access control space has unknown assignment semantics, which indicates that the policy is underspecified; and (2) often high-level assignments and constraints that are easily understood result in conflicts, where resolution often leads to significantly more complex specifications. We have developed a prototype system, called Gokyo, that computes access control spaces. Gokyo identifies the unknown subspace to assist system administrators in developing more complete policy specifications. Also, Gokyo identifies conflicting subspaces and enables system administrators to resolve conflicts in a variety of ways in order to preserve the simplicity of constraint specification. We demonstrate Gokyo by analyzing a Web server policy example and examine its utility by applying it to the SELinux example policy. Even for the extensive SELinux example policy, we find that only eight additional expressions are necessary to resolve Apache administrator policy conflicts.",
author = "Jaeger, {Trent Ray} and Xiaolan Zhang and Antony Edwards",
year = "2003",
month = "8",
day = "1",
doi = "10.1145/937527.937528",
language = "English (US)",
volume = "6",
pages = "327--364",
journal = "ACM Transactions on Information and System Security",
issn = "1094-9224",
publisher = "Association for Computing Machinery (ACM)",
number = "3",

}
