The Community for Technology Leaders
Green Image
ABSTRACT
Specifying and managing access control policies is a challenging problem. We propose to develop formal verification techniques for access control policies to improve the current state of the art of policy specification and management. In this paper, we formalize classes of security analysis problems in the context of Role-Based Access Control. We show that in general these problems are PSPACE-complete. We also study the factors that contribute to the computational complexity by considering a lattice of various subcases of the problem with different restrictions. We show that several subcases remain PSPACE-complete, several further restricted subcases are NP-complete, and identify two subcases that are solvable in polynomial time. We also discuss our experiences and findings from experimentations that use existing formal method tools, such as model checking and logic programming, for addressing these problems.
INDEX TERMS
Access controls, Security and Protection, Complexity of proof procedures
CITATION
William Winsborough, Somesh Jha, Ninghui Li, Qihua Wang, Mahesh Tripunitara, "Towards Formal Verification of Role-Based Access Control Policies", IEEE Transactions on Dependable and Secure Computing, vol. 5, no. , pp. 242-255, October-December 2008, doi:10.1109/TDSC.2007.70225
108 ms
(Ver )