On the suitability of dissemination-centric access control systems for group-centric sharing

2016 IEEE Symposium on Security and Privacy (SP)

Shull

Myers

et al. 2016

Self Cite

The ability to enforce robust and dynamic access controls on cloud-hosted data while simultaneously ensuring confidentiality with respect to the cloud itself is a clear goal for many users and organizations. To this end, there has been much cryptographic research proposing the use of (hierarchical) identity-based encryption, attribute-based encryption, predicate encryption, functional encryption, and related technologies to perform robust and private access control on untrusted cloud providers. However, the vast majority of this work studies static models in which the access control policies being enforced do not change over time. This is contrary to the needs of most practical applications, which leverage dynamic data and/or policies.In this paper, we show that the cryptographic enforcement of dynamic access controls on untrusted platforms incurs computational costs that are likely prohibitive in practice. Specifically, we develop lightweight constructions for enforcing role-based access controls (i.e., RBAC0) over cloud-hosted files using identitybased and traditional public-key cryptography. This is done under a threat model as close as possible to the one assumed in the cryptographic literature. We prove the correctness of these constructions, and leverage real-world RBAC datasets and recent techniques developed by the access control community to experimentally analyze, via simulation, their associated computational costs. This analysis shows that supporting revocation, file updates, and other state change functionality is likely to incur prohibitive overheads in even minimally-dynamic, realistic scenarios. We identify a number of bottlenecks in such systems, and fruitful areas for future work that will lead to more natural and efficient constructions for the cryptographic enforcement of dynamic access controls. Our findings naturally extend to the use of more expressive cryptographic primitives (e.g., HIBE or ABE) and richer access control models (e.g., RBAC1 or ABAC).• Registration. Each user, u, of the system must carry out an initial registration process with the administrator. The result SU

Section: Sumentioning

confidence: 91%

On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud

2016 IEEE Symposium on Security and Privacy (SP)

Shull

Myers

et al. 2016

Self Cite

“…A related property is weak authorization preservation, defined in [15] (as weak AC-preservation). This property is a weakened version of authorization preservation: its intentions are similar, but the weak form can be used even when S and T do not support the exact same requests (i.e., simulating a system with requests of the form, "Does user u have access to permission p?"…”

Section: Dimension Qp: Query Preservationmentioning

confidence: 99%

“…Prior work has noted that practically evaluating an access control system must take into account the application in which the system is to be used, as well as additional cost metrics (e.g., computation, ease of use). This analysis problem has been identified as a system's suitability to a particular application [15], [16]. Suitability analysis formalizes an application's access control requirements (a workload), and uses expressiveness to prove that an access control system can satisfy those requirements.…”

Section: A Motivating Examplesmentioning

confidence: 99%

“…Further properties enforced above this baseline include using the identity query mapping for authorization requests (to ensure that T 's authorization questions are the queries being used to simulate S's authorization requests), forbidding string manipulations (to prohibit the state mapping from using arbitrary encodings to store information in the contents of strings such as user names), and restricting the command mapping from mapping nonadministrative commands in S to administrative commands in T . This framework has since been used to evaluate the suitability of certain general-purpose access control systems for various unique, application-specific requirements [15], [16].…”

Section: B Prior Workmentioning

confidence: 99%

“…Unfortunately, there are several indications that research on expressiveness analysis is being held back by the inability to reconcile the vastly different notions of expressiveness simulations and the disconnect between the properties preserved by a simulation and those that are important to a practical deployment. Several works have demonstrated scenarios in which static notions of expressiveness indicate two systems are equally capable of satisfying a set of operational requirements, but in practice they are better-suited to very different deployment scenarios [15], [20]. Bourdier et al point out the existence of several competing techniques for expressiveness analysis, none of which consider the deployment.…”

Section: Usage and Implicationsmentioning

confidence: 99%

See 2 more Smart Citations

Decomposing, Comparing, and Synthesizing Access Control Expressiveness Simulations

2015 IEEE 28th Computer Security Foundations Symposium

Lee

2015

Self Cite

Access control is fundamental to computer security, and has thus been the subject of extensive formal study. In particular, relative expressiveness analysis techniques have used formal mappings called simulations to explore whether one access control system is capable of emulating another, thereby comparing the expressive power of these systems. Unfortunately, the notions of expressiveness simulation that have been explored vary widely, which makes it difficult to compare results in the literature, and even leads to apparent contradictions between results. Furthermore, some notions of expressiveness simulation make use of non-determinism, and thus cannot be used to define mappings between access control systems that are useful in practical scenarios. In this work, we define the minimum set of properties for an implementable access control simulation; i.e., a deterministic "recipe" for using one system in place of another. We then define a wide range of properties spread across several dimensions that can be enforced on top of this minimum definition. These properties define a taxonomy that can be used to separate and compare existing notions of access control simulation, many of which were previously incomparable. We position existing notions of simulation within our properties lattice by formally proving each simulation's equivalence to a corresponding set of properties. Lastly, we take steps towards bridging the gap between theory and practice by exploring the systems implications of points within our properties lattice. This shows that relative expressive analysis is more than just a theoretical tool, and can also guide the choice of the most suitable access control system for a specific application or scenario. arXiv:1504.07948v2 [cs.CR] 1 May 2015 CDM s S).Theorem 30 CDMs= {SCa, QPa, CDi, CS1, R→}; that is, the CDM strong simulation decomposes to authorization correspondence, authorization preservation, independent command mapping, lock-step, and forward reachability. Proof: By Lemma 28, if T sim CDM s S, then S ≤ P T . By Lemma 29, if S ≤ P T , then T sim CDM s S. Thus, S ≤ P T if and only if T sim CDM s S, and thus the CDM strong simulation decomposes to {SCa, QPa, CDi, CS1, R→}.

On the suitability of dissemination-centric access control systems for group-centric sharing

Proceedings of the 4th ACM Conference on Data and Application Security and Privacy

Qiao

Lee

2014

The Group-centric Secure Information Sharing (g-SIS) family of models has been proposed for modeling environments in which group dynamics dictate information-sharing policies and practices. This is in contrast to traditional, dissemination-centric sharing models, which focus on attaching policies to resources that limit their flow from producer to consumer. The creators of g-SIS speculate that it may not be strictly more expressive than dissemination-centric models, but that it nevertheless has pragmatic efficiency advantages in group-centric scenarios [12]. In this paper, we formally and systematically test these characteristics of an access control system's suitability for a scenario-expressiveness and costto evaluate the capabilities of dissemination-centric systems within group-centric workloads. We show that several common dissemination-centric systems lack the expressiveness to meet all security guarantees while implementing the wide range of behavior that is characteristic of the g-SIS models, except via impractical, convoluted encodings. Further, even more efficient implementations (admissible under relaxed security requirements) suffer from high storage and computational overheads. These observations support the practical and theoretical significance of the g-SIS models, and provide insight into techniques for evaluating and comparing access control systems in terms of both expressiveness and cost.