Attribute-based access control models and implementation in cloud infrastructure as a service

Recently, there has been considerable interest in attribute-based access control (ABAC) to overcome the limitations of the classical access control models (i.e, discretionary-DAC, mandatory-MAC and role based-RBAC) while unifying their advantages. The general idea of ABAC is to determine access control based on the attributes of involved entities. Example user attributes are department, clearance and role and example object attributes are size, createTime and owner. Authorization results are computed based on subject and object attributes and authorization policies. As attributes can be engineered to reflect appropriately detailed information about users, subjects and objects, ABAC ensures great flexibility in expressing fine-grained policies which are increasingly required by applications.;There has been considerable prior work for ABAC in various aspects such as formal models, enforcement models, implementation standards, policy composition languages and so on. However, there is no consensus on precisely what is meant by ABAC or the required features of ABAC. There is no widely accepted formal ABAC model as there are for DAC, MAC and RBAC. Questions such as what are the core components and configuration points of ABAC, and how are attributes assigned and modified remain to be fully investigated.;In this dissertation, we conduct a systematic study of ABAC models. Based on the sizable related work on ABAC and on existing classical access control models, we design models that cover operational and administrative ABAC. More specifically, the contributions are summarized into two parts. In the formal model part, we first define the ABACalpha model that has "just sufficient" features to be "easily and naturally" configured to do DAC, MAC and RBAC. We understand DAC to mean owner-controlled access control lists, MAC to mean lattice-based access control with tranquility and RBAC to mean flat and hierarchical RBAC. We design basic components, configuration points and configuration languages for this model and give ABACalpha configurations for DAC, MAC and RBAC. To further extend the expressive power, we develop ABACbeta model based on ABACalpha . The basic motivation is to cover advanced features of the standard RBAC model as well as RBAC extensions. We show that without additional configuration points, ABACbeta is able to unify numerous well-documented extended features for RBAC. We conjecture that ABAC can serve as the most general ABAC beta model excluding attribute mutability as defined in usage control models. Secondly, based on the operational model, we design an administrative model called generalized user-role assignment model (GURA) to manage user attributes using administrative roles. We carry out comprehensive complexity analysis for the user-attribute reachability problem in GURA.;In the proof of concept part, we demonstrate the advantage of ABAC by applying it as an access control model in Infrastructure as a Service (IaaS) cloud, building upon the theoretical models enumerated above. We show the flexibility of our ABAC model by comparing it with existing IaaS models, which are primarily role-based. We design operational and administrative models for cloud IaaS. We define different enforcement models and implement them on a widely deployed open-source cloud platform OpenStack. Performance evaluation is provided to reflect the cost incurred by enforcing ABAC.