TY - GEN
T1 - RiskPol
T2 - 3rd ACM Workshop on Attribute-Based Access Control, ABAC 2018
AU - Rubio-Medrano, Carlos E.
AU - Zhao, Ziming
AU - Ahn, Gail-Joon
N1 - Funding Information:
This work was partially supported by a grant from the National Science Foundation (NSF-IIS-1527268) and by a grant from the Center for Cybersecurity and Digital Forensics at Arizona State University.
Publisher Copyright:
© 2018 Association for Computing Machinery.
PY - 2018/3/14
Y1 - 2018/3/14
N2 - Recently, attribute-based access control (ABAC) has emerged as a convenient paradigm for specifying, enforcing and maintaining rich and flexible authorization policies, leveraging attributes originated from multiple sources, e.g., operative systems, software modules, remote services, etc. However, attackers may try to bypass ABAC policies by compromising such sources to forge the attributes they provide, e.g., by deliberately manipulating the data contained within those attributes at will, in an effort to gain unintended access to sensitive resources as a result. In such a context, performing a proper risk assessment of ABAC policies, taking into account their enlisted attributes as well as their corresponding sources, becomes highly convenient to overcome zero-day security incidents or vulnerabilities, before they can be later exploited by attackers. With this in mind, we introduce RiskPol, an automated risk assessment framework for ABAC policies based on dynamically combining previously-assigned trust scores for each attribute source, such that overall scores at the policy level can be later obtained and used as a reference for performing a risk assessment on each policy. In this paper, we detail the general intuition behind our approach, its current status, as well as our plans for future work.
KW - Attribute-based Access Control
KW - Policy Bypassing
KW - Risk Management
KW - Attribute Forgery
UR - http://www.scopus.com/inward/record.url?scp=85052017008&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85052017008&partnerID=8YFLogxK
U2 - 10.1145/3180457.3180462
DO - 10.1145/3180457.3180462
M3 - Conference contribution
AN - SCOPUS:85052017008
T3 - ABAC 2018 - Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control, Co-located with CODASPY 2018
SP - 54
EP - 60
BT - ABAC 2018 - Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control, Co-located with CODASPY 2018
PB - Association for Computing Machinery, Inc
Y2 - 21 March 2018
ER -