Abstract

Recently, attribute-based access control (ABAC) has emerged as a convenient paradigm for specifying, enforcing and maintaining rich and flexible authorization policies, leveraging attributes that originate from multiple sources, e.g., operating systems, software modules, remote services, etc. However, attackers may try to bypass ABAC policies by compromising such sources to forge the attributes they provide, e.g., by deliberately manipulating the data contained within those attributes, in an effort to gain unintended access to sensitive resources. In such a context, performing a proper risk assessment of ABAC policies, taking into account the attributes they list as well as the corresponding sources, becomes highly convenient to overcome zero-day security incidents or vulnerabilities before they can be exploited by attackers. With this in mind, we introduce RiskPol, an automated risk assessment framework for ABAC policies based on dynamically combining previously assigned trust scores for each attribute source, such that overall scores at the policy level can be obtained and used as a reference for performing a risk assessment on each policy. In this paper, we detail the general intuition behind our approach, its current status, and our plans for future work.

Original language: English (US)
Title of host publication: ABAC 2018 - Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control, Co-located with CODASPY 2018
Publisher: Association for Computing Machinery, Inc
Pages: 54-60
Number of pages: 7
Volume: 2018-January
ISBN (Electronic): 9781450356336
DOIs: https://doi.org/10.1145/3180457.3180462
State: Published - Mar 14 2018
Event: 3rd ACM Workshop on Attribute-Based Access Control, ABAC 2018 - Tempe, United States
Duration: Mar 21 2018 → …

Other

Other: 3rd ACM Workshop on Attribute-Based Access Control, ABAC 2018
Country: United States
City: Tempe
Period: 3/21/18 → …

Fingerprint

Access control
Risk assessment

Keywords

  • Attribute-based Access Control
  • Policy Bypassing
  • Risk Management, Attribute Forgery

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Software

Cite this

Rubio-Medrano, C. E., Zhao, Z., & Ahn, G-J. (2018). Riskpol: A risk assessment framework for preventing attribute-forgery attacks to ABAC policies. In ABAC 2018 - Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control, Co-located with CODASPY 2018 (Vol. 2018-January, pp. 54-60). Association for Computing Machinery, Inc. https://doi.org/10.1145/3180457.3180462

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

@inproceedings{f57f56e9b9034469accb0e44104e2c05,
title = "Riskpol: A risk assessment framework for preventing attribute-forgery attacks to ABAC policies",
keywords = "Attribute-based Access Control, Policy Bypassing, Risk Management, Attribute Forgery",
author = "Rubio-Medrano, {Carlos E.} and Ziming Zhao and Gail-Joon Ahn",
year = "2018",
month = "3",
day = "14",
doi = "10.1145/3180457.3180462",
language = "English (US)",
volume = "2018-January",
pages = "54--60",
booktitle = "ABAC 2018 - Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control, Co-located with CODASPY 2018",
publisher = "Association for Computing Machinery, Inc",

}

TY - GEN

T1 - Riskpol

T2 - A risk assessment framework for preventing attribute-forgery attacks to ABAC policies

AU - Rubio-Medrano, Carlos E.

AU - Zhao, Ziming

AU - Ahn, Gail-Joon

PY - 2018/3/14

Y1 - 2018/3/14

KW - Attribute-based Access Control

KW - Policy Bypassing

KW - Risk Management, Attribute Forgery

UR - http://www.scopus.com/inward/record.url?scp=85052017008&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85052017008&partnerID=8YFLogxK

U2 - 10.1145/3180457.3180462

DO - 10.1145/3180457.3180462

M3 - Conference contribution

VL - 2018-January

SP - 54

EP - 60

BT - ABAC 2018 - Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control, Co-located with CODASPY 2018

PB - Association for Computing Machinery, Inc

ER -