Recently, attribute-based access control (ABAC) has emerged as a convenient paradigm for specifying, enforcing and maintaining rich and flexible authorization policies, leveraging attributes originated from multiple sources, e.g., operative systems, software modules, remote services, etc. However, attackers may try to bypass ABAC policies by compromising such sources to forge the attributes they provide, e.g., by deliberately manipulating the data contained within those attributes at will, in an effort to gain unintended access to sensitive resources as a result. In such a context, performing a proper risk assessment of ABAC policies, taking into account their enlisted attributes as well as their corresponding sources, becomes highly convenient to overcome zero-day security incidents or vulnerabilities, before they can be later exploited by attackers. With this in mind, we introduce RiskPol, an automated risk assessment framework for ABAC policies based on dynamically combining previously-assigned trust scores for each attribute source, such that overall scores at the policy level can be later obtained and used as a reference for performing a risk assessment on each policy. In this paper, we detail the general intuition behind our approach, its current status, as well as our plans for future work.

Original languageEnglish (US)
Title of host publicationABAC 2018 - Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control, Co-located with CODASPY 2018
PublisherAssociation for Computing Machinery, Inc
Number of pages7
ISBN (Electronic)9781450356336
StatePublished - Mar 14 2018
Event3rd ACM Workshop on Attribute-Based Access Control, ABAC 2018 - Tempe, United States
Duration: Mar 21 2018 → …


Other3rd ACM Workshop on Attribute-Based Access Control, ABAC 2018
CountryUnited States
Period3/21/18 → …


  • Attribute-based Access Control
  • Policy Bypassing
  • Risk Management, Attribute Forgery

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Software

Fingerprint Dive into the research topics of 'Riskpol: A risk assessment framework for preventing attribute-forgery attacks to ABAC policies'. Together they form a unique fingerprint.

Cite this