Role-Based Access Control Consistency Validation

Marco Pistoia
IBM T.J. Watson Research Center

Friday, May 19, 11:00AM
Burchard 124
Computer Science Department
Stevens Institute of Technology

Abstract


Modern enterprise systems support Role-Based Access Control (RBAC). Although RBAC allows restricting access to privileged operations, a deployer may actually intend to restrict access to privileged data. In this talk, we present a theoretical foundation for correlating an operation-based RBAC policy with a data-based RBAC policy. Relying on a location-consistency property, we show how to infer whether an operation-based RBAC policy is equivalent to any data-based RBAC policy. Furthermore, this talk also introduces a novel theoretical foundation to describe the flow of authorization information in an RBAC system. The analysis can (1) identify the roles required by users to execute an enterprise application on an RBAC system, (2) detect potential inconsistencies caused by principal delegation policies, which are used to override a user's role assignment, and (3) report whether the roles assigned to a user by a given policy are redundant, which would constitute a violation of the Principle of Least Privilege, or insufficient, which would make the application unstable. We have built two static analysis tools for Java Platform, Enterprise Edition (Java EE) called Static Analysis for Validation of Enterprise Security (SAVES) and Enterprise Security Policy Evaluator (ESPE). Relying on interprocedural pointer analysis and dataflow analysis, these tools analyze Java EE bytecode to determine if the associated RBAC policy is location consistent, insufficient, or redundant, and report potential security flaws.
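
The following toy model, added here to illustrate the abstract and not taken from SAVES or ESPE, encodes an operation-based RBAC policy together with the data locations each operation touches (what the tools derive from bytecode), checks the location-consistency property, derives the equivalent data-based policy when one exists, and flags redundant or insufficient role assignments for a user. Operation, role and location names are constructed for the example.

```python
from itertools import combinations

# Constructed operation-based policy: operation -> roles authorized to invoke it.
OP_POLICY = {
    "viewBalance":  {"Teller", "Manager"},
    "postDeposit":  {"Teller", "Manager"},
    "approveLoan":  {"Manager"},
    "auditAccount": {"Auditor"},
}

# Constructed access model: operation -> data locations it reads or writes
# (the kind of fact a pointer/dataflow analysis would compute from bytecode).
ACCESSES = {
    "viewBalance":  {"Account.balance"},
    "postDeposit":  {"Account.balance", "Ledger.entries"},
    "approveLoan":  {"Loan.status"},
    "auditAccount": {"Account.balance", "Ledger.entries"},
}

def location_conflicts(op_policy, accesses):
    """Map each location reached by operations with different role sets to the
    conflicting operation pairs. An empty result means the policy is location
    consistent, i.e. it is equivalent to some data-based policy."""
    by_loc = {}
    for op, locs in accesses.items():
        for loc in locs:
            by_loc.setdefault(loc, []).append(op)
    conflicts = {}
    for loc, ops in by_loc.items():
        for a, b in combinations(sorted(ops), 2):
            if op_policy[a] != op_policy[b]:
                conflicts.setdefault(loc, set()).add((a, b))
    return conflicts

def derive_data_policy(op_policy, accesses):
    """Data-based policy (location -> roles); only defined when location consistent."""
    if location_conflicts(op_policy, accesses):
        raise ValueError("operation-based policy is not location consistent")
    return {loc: set(op_policy[op]) for op, locs in accesses.items() for loc in locs}

def check_user(assigned, ops_invoked, op_policy):
    """Compare a user's assigned roles with the roles required along the
    operations the user's code path invokes. Redundant roles violate least
    privilege; insufficient operations fail at run time with an authorization error."""
    required = set().union(*(op_policy[op] for op in ops_invoked))
    redundant = assigned - required
    insufficient = [op for op in ops_invoked if not (assigned & op_policy[op])]
    return redundant, insufficient
```

In the constructed policy, Auditors reach `Account.balance` through `auditAccount` while Tellers reach it through `viewBalance`, so no single data-based rule on that location reproduces the operation-based policy; the check reports exactly those conflicts.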

This is joint work with Stephen J. Fink and Paolina Centonze (IBM Research) and Robert J. Flynn (Polytechnic University).