Safety analysis of usage control authorization models

TLDR

The usage control (UCON) model extends traditional access control by allowing attribute changes as side‑effects of access, but its safety properties have remained unexplored despite prior work on its expressive power. This study establishes two core safety results for the UCONA sub‑model, which considers only authorizations. We prove that UCONA’s safety problem is undecidable in general, yet becomes decidable when attribute values are finite and attribute creation is acyclic, and the decidable variant still supports expressive applications such as RBAC and DRM with consumable rights.

Abstract

The usage control (UCON) model was introduced as a unified approach to capture a number of extensions for traditional access control models. While the policy specification flexibility and expressive power of this model have been studied in previous work, as a related and fundamental problem, the safety analysis of UCON has not been explored. This paper presents two fundamental safety results for UCONA, a sub-model of UCON only considering authorizations. In UCONA, an access control decision is based on the subject and/or the object attributes, which can be changed as the side-effects of using the access right, resulting in possible changes to future access control decisions. Hence the safety question in UCONA is all the more pressing since every access can potentially enable additional permissions due to the mutability of attributes in UCON. In this paper, first we show that the safety problem is in general undecidable. Then, we show that a restricted form of UCONA with finite attribute value domains and acyclic attribute creation relation has a decidable safety property. The decidable model maintains good expressive power as shown by specifying an RBAC system with a specific user-role assignment scheme and a DRM application with consumable rights.

References

Page 1

	Year	Citations
Role-based access control models Ravi Sandhu, Edward J. Coyne, H.L. Feinstein, Computer EngineeringInformation SecuritySoftware EngineeringHardware SecurityLogical Access Control	1996	5.8K
Introduction to the Theory of Computation Michael Sipser ACM SIGACT News Account SaveEngineeringData ScienceAutomated ReasoningComputational Model Theory	1996	2.8K
Proposed NIST standard for role-based access control David F. Ferraiolo, Ravi Sandhu, Serban I. Gavrila, ACM Transactions on Information and System Security EngineeringInformation SecuritySoftware EngineeringAuthentication Access ControlLogical Access Control	2001	2.5K
A lattice model of secure information flow Dorothy E. Denning Communications of the ACM EngineeringInformation SecuritySoftware AnalysisFormal VerificationLattice Structure	1976	1.9K
Protection in operating systems Michael A. Harrison, Walter L. Ruzzo, Jeffrey D. Ullman Communications of the ACM EngineeringInformation SecurityVerificationSoftware AnalysisFormal Verification	1976	1K
The UCON<sub>ABC</sub>usage control model Jae-Hong Park, Ravi Sandhu ACM Transactions on Information and System Security	2004	935
The ARBAC97 model for role-based administration of roles Ravi Sandhu, Venkata Bhamidipati, Qamar Munawer ACM Transactions on Information and System Security Rbac AdministrationAuthentication AuthorizationEngineeringInformation SecuritySoftware Engineering	1999	601
Secure Computer Systems: Mathematical Foundations and Model David E. Bell Medical Entomology and Zoology Security ModellingEngineeringSecure Computer SystemsInformation SecuritySecurity	1973	487
The typed access matrix model Ravi Sandhu EngineeringComputational ComplexityStrong TypingMatrix TheoryFormal Verification	2003	241
A Linear Time Algorithm for Deciding Subject Security R.J. Lipton, Lawrence Snyder Journal of the ACM	1977	198

Page 1