
Extended Usage Control Models And Testing For Access Control Policies

Posted on: 2016-06-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Patricia Ghann
GTID: 1318330512986196
Subject: Computer application technology

Abstract/Summary:
Access control mechanisms and policies are implemented in most organizations to protect information and digital resources from unauthorized users. To achieve the objectives of access control systems, access control policies are used to specify the allowed activities of legitimate users in an access control system. Three main access control policies have been used from the 1960s to the 1990s to help address the challenges of protecting digital resources or information from unauthorized users: Discretionary Access Control (DAC), Mandatory Access Control and Role-Based Access Control (RBAC), widely known as the traditional access control policies. Observation indicates that these policies control access in closed systems or environments using static binary authorization.

The advancement in computing systems brings with it new security requirements. As a result, new security mechanisms are a necessity. Traditional access control policies are inadequate in today's heterogeneous, distributed and network-connected environment, where resources can be easily accessed, shared and also stored in various technological devices. Additionally, traditional access control policies do not exert any form of control on resources once access is permitted.

To address access control challenges in the modern computing environment, usage control (UCON) has been introduced as a unified approach to capture a number of extensions for access control models. Unlike traditional access control, UCON provides richer, finer and persistent controls on information or digital resources. It also encompasses emerging applications such as trust management and digital rights management in a unified framework. Furthermore, the decision in UCON is determined not only by authorization but also by obligation and condition. Additionally, the UCON model introduces attribute mutability and decision continuity as two distinct concepts, making it a unique and, at the same time, complex model.

Nevertheless, a weakness of UCON is that its components are predefined and static. Secondly, the original UCON model considered a single usage process without focusing on concurrent usage processes or sessions. Thirdly, the model fails to specify how post-obligations pertaining to resource usage and management could be enforced. For instance, the model does not specify what mechanisms could be used to enforce post-obligations concerning purchased and free resources, and how this can help manage resources. This dissertation therefore proposes several models based on the usage control model to improve upon UCON in these areas.

To ensure that authorized users are permitted access to resources, access control policies, specified in a language such as XACML, are used to state the allowed activities of users. The correct specification of access control policies is, however, very critical and also a complex task. Consequently, several testing mechanisms and tools have been proposed. However, most of these testing mechanisms and tools do not consider the relationship that exists between the various elements in a policy, based on the context schema of the policy language, and how a change in any of these elements might influence the other elements in the policy. To ensure the correct specification of access control policies, this dissertation also proposes an algorithm known as the "change rule and swap rule", based on the XACML Context Schema, for testing access control policies.

To introduce dynamism and enhance the expressiveness of the UCON model, we propose a model for the creation and destruction of some of UCON's components. We extend the previous work of Zhang et al., a formal model for component creation using the Temporal Logic of Actions (TLA). We introduce two additional rights in this regard: RightToCreate and RightToDestroy. The introduction of these additional rights is due to the fact that not every user can be permitted to create or destroy components. These additional rights can be used only when one already has the right to use the UCON system. Thus only authorized subjects having these additional rights would be permitted to create or destroy components and their attributes in the UCON system when appropriate. For instance, the system administrator can delegate these rights to service, content and resource providers to enable them to create and destroy resources appropriately. The significance of this is that it allows the delegation of rights to users such as resource and service providers, enabling the dynamic creation or destruction of components together with their attributes. Additionally, it enables resource providers to specify the policies that pertain to their resources and align these policies with those of the UCON system.

To address the issue of post-obligation fulfillment, for example a policy that states that a document must be deleted within 10 days, we propose the redeem reputation mechanism (RRM) to help monitor the fulfillment of obligations by users or subjects and enable future usage of the UCON system. For instance, with a policy that specifies the deletion of a downloaded paper from a subject's PC within 10 days, the RRM allows the resource provider to deploy a 14-digit alphanumeric code. Half of this code is embedded into the resource, which is then released to the subject. When the stipulated time is due, the subject is prompted by a message to delete the downloaded document from his or her PC. If the subject complies with the policy, the 7-digit code embedded in the downloaded document is revealed to him or her. This code is used as a ticket to redeem his or her reputation and to allow subsequent usage of the UCON system. Thus the objective of RRM is to ensure that resource usage is persistently controlled and managed effectively outside the UCON system to promote security.

Concurrency enforcement in UCON, especially in distributed and collaborative systems, is very complex. This is a result of the attribute updates and decision evaluations that can occur in two main phases of the usage process in the UCON system: the pre and on phases. Concurrency must be controlled to ensure the consistency and integrity of resources in these phases. The use of two-phase locking, as in traditional systems, would not be very efficient or effective in the case of the UCON system. To address this issue, we propose a concurrency model that implements three types of controllers: the Policy Dependent Detector (PDD), the Pre-Controller (pc) and the On-Controller (oc). These controllers are introduced to enable efficient enforcement of concurrent updates without conflicts or delays, by ensuring that the usage decision point or policy decision point (UDP/PDP) produces just-in-time attribute values during concurrent usage sessions while preserving integrity. The PDD is responsible for detecting dependencies among processes or policies and then synchronizing only those policies, instead of synchronizing all processes or policies. The pre-controller and on-controller are responsible for the pre-update and on-update functions respectively, thus reducing the workload on the UDP/PDP. The proposed concurrency model is compared with using the UDP/PDP engine of XACML and with the UCON concurrency model by Janicke et al. (2008), and is found to have the best performance.

To test and ensure the correct specification of access control policies, an algorithm is proposed in this dissertation based on the XACML Context Schema for a policy and a request. The proposed algorithm, known as the Change Rule and Swap Rule Algorithm (CRSR), is used for generating mutant policies based on the XACML Context Schema. The algorithm focuses on the rule and target of a policy set or policy and represents a policy as a vector of bits. A Boolean value of 1 represents the applicability of a policy to a request and a Boolean value of 0 represents its non-applicability. A correct policy is assumed to evaluate to 1, indicating that all the elements, attribute IDs and their values are correct. First we identify and extract the rule(s) and target(s) from a policy and generate mutant policies by applying the proposed algorithm. We evaluate the rule(s) and target(s) first, on the assumption that a policy set specifies which policies may be applicable to a request, while a policy specifies the rules that are required for the policy to be applicable to a request. Mutants generated from the XACML Context Schema for policies using the proposed algorithm are compared with mutants generated by mutation testing in which specific mutant operators are applied. The significance of the proposed algorithm is that it can be used to generate mutant policies and requests simultaneously. Additionally, it ensures complete coverage of policies, rules and conditions. Consequently, in an experiment conducted, the fault detection capability of the proposed algorithm is higher compared to using mutant operators and other testing techniques.

Finally, to ensure security and also prevent the redistribution of purchased resources, the package concept of enforcing usage control on a remote client is proposed. This model classifies resources into three types, and the need or purpose of access also into three. Specifically, we classify resources as sensitive, non-sensitive and intellectual resources. We also classify the purpose of access as access to purchase, access for temporary use and access to modify. Based on these classifications, resources are packaged (by type of resource and type of access) with the necessary obligations and the fingerprint of the subject by the resource provider before being presented to the subject. Additionally, a logic bomb is embedded into the requested resource to help enforce required obligations or policies, such as the non-redistribution of resources after purchase. The use of the fingerprint ensures that there is a geographical limitation to resource redistribution. The logic bomb mechanism helps to complement the enforcement of obligations that pertain to a resource. This helps to limit the redistribution of purchased resources while increasing the revenue generation of resource or service providers.
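The abstract describes the UCON decision as the conjunction of authorization, obligation and condition, re-evaluated continuously while attributes mutate during usage. The following is an added illustration written for this page, not code from the dissertation: a toy usage session in which a pre-decision is taken from the three factors, and every subsequent "tick" applies an on-update (a credit attribute is consumed) and re-evaluates the decision, revoking the ongoing usage when it no longer holds. The subject, resource and environment attributes, the business-hours condition and the one-credit-per-tick charge are constructed assumptions.

```python
"""Toy UCON-style usage session with decision continuity and attribute mutability.

Added example, not the dissertation's model. Subject.credit, accepted_terms, the
08:00-18:00 condition and the per-tick charge are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Subject:
    name: str
    role: str
    credit: int                   # mutable attribute, consumed while usage is ongoing
    accepted_terms: bool = False  # pre-obligation: the licence must be accepted first


@dataclass
class Resource:
    name: str
    allowed_roles: set
    cost_per_tick: int


@dataclass
class Environment:
    hour: int                     # condition input: environment state, not a subject attribute


def authorize(s: Subject, r: Resource) -> bool:
    """Authorization (pre and on): decided from subject and object attributes."""
    return s.role in r.allowed_roles and s.credit >= r.cost_per_tick


def obligation_met(s: Subject) -> bool:
    """Pre-obligation: the subject must have performed the required action."""
    return s.accepted_terms


def condition_holds(env: Environment) -> bool:
    """Condition (pre and on): constructed rule, usage allowed 08:00-18:00 only."""
    return 8 <= env.hour < 18


class UsageSession:
    """Decision continuity: the decision is re-taken on every tick of usage, and an
    on-update mutates the subject's credit attribute while usage is in progress."""

    def __init__(self, s: Subject, r: Resource, env: Environment):
        self.s, self.r, self.env = s, r, env
        self.active = False
        self.log = []             # (phase, decision) pairs, useful for audit

    def try_access(self) -> bool:
        """Pre-decision: authorization AND obligation AND condition."""
        ok = authorize(self.s, self.r) and obligation_met(self.s) and condition_holds(self.env)
        self.active = ok
        self.log.append(("pre", ok))
        return ok

    def tick(self) -> bool:
        """One unit of ongoing usage: on-update first, then the on-decision."""
        if not self.active:
            return False
        self.s.credit -= self.r.cost_per_tick        # on-update: attribute mutability
        still_ok = authorize(self.s, self.r) and condition_holds(self.env)
        if not still_ok:
            self.active = False                       # revoke the ongoing usage
        self.log.append(("on", still_ok))
        return still_ok


def run_demo():
    """Constructed scenario: 3 credits, 1 credit per tick, accessed at 10:00.
    Returns (granted, completed_ticks, remaining_credit, still_active)."""
    s = Subject("alice", "reader", credit=3, accepted_terms=True)
    r = Resource("paper.pdf", {"reader"}, cost_per_tick=1)
    sess = UsageSession(s, r, Environment(hour=10))
    granted = sess.try_access()
    ticks = 0
    while sess.tick():
        ticks += 1
    return granted, ticks, s.credit, sess.active


if __name__ == "__main__":
    print(run_demo())  # (True, 2, 0, False): granted, two ticks, then revoked
```

The point to notice is that the third tick is refused even though the pre-decision was positive: the on-update drove the credit attribute below the cost, and the on-authorization check caught it. A traditional binary authorization would have granted once and never looked again.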
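The abstract models a policy as a vector of bits (1 where an element applies to the request, 0 where it does not), derives mutants by changing one element or swapping two, and claims that requests can be generated alongside the mutants for complete coverage. The code below is an added example written for this page, not the dissertation's CRSR implementation: the policy, the attribute domains, the two mutation operators (replace one element's value; exchange the values of two elements) and the generation of one request per bit pattern are my constructed reading of that description, not the author's exact algorithm. It then scores how many mutants a request set kills, contrasting full bit-pattern coverage with a single request.

```python
"""Bit-vector view of an XACML-style policy, its mutants, and mutation scoring.

Added example, not the dissertation's code. POLICY, DOMAIN and the two mutation
operators are constructed assumptions following the abstract's description.
"""
from itertools import combinations, product

# Policy elements that decide applicability to a request (constructed).
ELEMENTS = ("subject", "resource", "action", "condition")

# Constructed attribute domains, used to build both mutants and requests.
DOMAIN = {
    "subject": ("doctor", "nurse", "patient"),
    "resource": ("record", "bill"),
    "action": ("read", "write"),
    "condition": ("on_duty", "off_duty"),
}

# Constructed policy under test: a doctor may read a record while on duty.
POLICY = {"subject": "doctor", "resource": "record", "action": "read", "condition": "on_duty"}


def bit_vector(policy, request):
    """One bit per element: 1 if that element of the policy applies to the request."""
    return tuple(int(policy[e] == request[e]) for e in ELEMENTS)


def decision(policy, request):
    """The policy applies only when every bit is 1 (all elements and values correct)."""
    return "Permit" if all(bit_vector(policy, request)) else "NotApplicable"


def change_rule_mutants(policy):
    """Change rule: replace one element's value with another value from its domain."""
    for e in ELEMENTS:
        for alt in DOMAIN[e]:
            if alt != policy[e]:
                m = dict(policy)
                m[e] = alt
                yield f"change:{e}={alt}", m


def swap_rule_mutants(policy):
    """Swap rule: exchange the values held by two different elements."""
    for a, b in combinations(ELEMENTS, 2):
        m = dict(policy)
        m[a], m[b] = m[b], m[a]
        if m != policy:
            yield f"swap:{a}<->{b}", m


def all_mutants(policy):
    return list(change_rule_mutants(policy)) + list(swap_rule_mutants(policy))


def requests_for_every_bit_pattern(policy):
    """Generate one request per bit pattern, so each element is exercised both as
    applicable (1) and non-applicable (0): 2 ** len(ELEMENTS) requests in total."""
    requests = []
    for pattern in product((1, 0), repeat=len(ELEMENTS)):
        req = {}
        for bit, e in zip(pattern, ELEMENTS):
            # bit 1: reuse the policy's value; bit 0: first differing domain value
            req[e] = policy[e] if bit else next(v for v in DOMAIN[e] if v != policy[e])
        requests.append(req)
    return requests


def is_killed(policy, mutant, requests):
    """A mutant is killed when some request makes it decide differently from the original."""
    return any(decision(policy, r) != decision(mutant, r) for r in requests)


def mutation_score(policy, requests):
    """Return (killed, total) over all change-rule and swap-rule mutants."""
    mutants = all_mutants(policy)
    killed = sum(is_killed(policy, m, requests) for _, m in mutants)
    return killed, len(mutants)


if __name__ == "__main__":
    full = requests_for_every_bit_pattern(POLICY)
    weak = [{"subject": "nurse", "resource": "record", "action": "read", "condition": "on_duty"}]
    print("all bit patterns:", mutation_score(POLICY, full))  # (11, 11)
    print("single request:  ", mutation_score(POLICY, weak))  # (1, 11)
```

With the constructed domains there are 5 change-rule and 6 swap-rule mutants. The 16 requests covering every bit pattern kill all 11, while a single request that only exercises the subject element kills just the one mutant that happens to match it; the remaining ten survive undetected, which is the coverage gap the bit-vector construction is meant to close.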
Keywords/Search Tags: Access Control, Bit Policy, Components Creation, Concurrency Model, Fingerprint Authorization, Logic Bomb, Mutation Testing, Mutant Policy, Mutant Operators, Obligation Fulfillment, Policy Testing, Usage Control, XACML Context Schema