journal homepage: www.elsevier.com/locate/cose
School of Mathematics-Physical & Information Engineering, Zhejiang Normal University, Jinhua, Zhejiang, China
School of Information Sciences, University of Pittsburgh, Pittsburgh, PA, USA
Abstract

The User Authorization Query (UAQ) problem for RBAC is to determine whether there exists by a user. It is a key issue related to efficiently handling users' access requests. Previous definitions of the UAQ problem have considered only the optimization objective for the number of permissions, whereas the optimization objective for the number of roles, which is equally important, has been largely ignored. Moreover, little attention has been given to the computational complexity of the UAQ problem that considers the optimization objectives for both the number of permissions and the number of roles. In this paper, we propose a more problem by dividing it into three subcases: exact match, safe match and available match, and show that many instances in each subcase with additional constraints are intractable. We also propose an approach for solving the intractable cases of the UAQ problem; the proposed approach incorporates static pruning, preprocessing and a depth-first-search-based algorithm to significantly reduce the running time.

Keywords: Access control; RBAC; Computational complexity; Role-cardinality constraint; Permission-cardinality constraint.

2014 Elsevier Ltd. All rights reserved.
Computers & Security 48 (2015) 116-130
http://dx.doi.org/10.1016/j.cose.2014.10.003

1. Introduction
2. The User Authorization Query problem in RBAC
An RBAC state determines the set of roles to which a user is assigned and the set of permissions for which a user is authorized (ANSI, 2004). We define an RBAC state as follows, based on (ANSI, 2004):

Definition 1. An RBAC state is a 6-tuple (U, R, P, UA, PA, RH), where

U, R, P denote the set of all users, the set of all roles and the set of all permissions, respectively.
$UA \subseteq U \times R$, a user-role assignment relation.
$PA \subseteq P \times R$, a permission-role assignment relation.
$RH \subseteq R \times R$, a partial order on R called the inheritance relation, written as $\succeq$, where $r_1 \succeq r_2 \Rightarrow Perm(r_2) \subseteq Perm(r_1)$.
$Perm(r): R \to 2^P$, the mapping of role r onto a set of permissions in the presence of a role hierarchy; formally, $Perm(r) = \{p \in P \mid r \succeq r', (p, r') \in PA\}$.
$Perm(S): R \to 2^P$, the mapping of a role set S onto a set of permissions; formally, $Perm(S) = \bigcup_{r \in S} Perm(r)$.
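The state of Definition 1 as executable Python, added here as an example and not code from the paper: Perm(r) is evaluated through the reflexive-transitive closure of RH, Perm(S) is the union over a role set, and the inheritance property $r_1 \succeq r_2 \Rightarrow Perm(r_2) \subseteq Perm(r_1)$ is checked over every dominated pair. The users, roles, permissions and assignments are constructed for the example.

```python
# Added example (not code from the paper): an RBAC state as in Definition 1,
# with Perm(r) evaluated through the role hierarchy and Perm(S) for a role set.
from itertools import product


def sample_state():
    """Constructed sample state (U, R, P, UA, PA, RH); the names are made up."""
    U = {"alice", "bob"}
    R = {"employee", "engineer", "lead"}
    P = {"read_wiki", "commit", "merge", "deploy"}
    UA = {("alice", "lead"), ("bob", "engineer")}
    PA = {("read_wiki", "employee"), ("commit", "engineer"),
          ("merge", "lead"), ("deploy", "lead")}
    # RH holds (senior, junior) pairs: lead inherits engineer, engineer inherits employee.
    RH = {("engineer", "employee"), ("lead", "engineer")}
    return U, R, P, UA, PA, RH


def dominance(RH, R):
    """Reflexive-transitive closure of RH: the set of pairs (r1, r2) with r1 >= r2."""
    closure = {(r, r) for r in R} | set(RH)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(closure), repeat=2):
            if b == c and (a, d) not in closure:
                closure.add((a, d))
                changed = True
    return closure


def perm_role(r, state):
    """Perm(r) = {p in P | r >= r', (p, r') in PA}: permissions r holds directly or inherits."""
    _, R, _, _, PA, RH = state
    ge = dominance(RH, R)
    return {p for (p, r2) in PA if (r, r2) in ge}


def perm_set(S, state):
    """Perm(S) = union of Perm(r) over r in S."""
    return set().union(*(perm_role(r, state) for r in S)) if S else set()


def user_permissions(u, state):
    """Permissions a user is authorized for: Perm of the roles assigned to u in UA."""
    _, _, _, UA, _, _ = state
    return perm_set({r for (u2, r) in UA if u2 == u}, state)


def hierarchy_is_monotone(state):
    """Check r1 >= r2 => Perm(r2) is a subset of Perm(r1) for every dominated pair."""
    _, R, _, _, _, RH = state
    return all(perm_role(r2, state) <= perm_role(r1, state)
               for (r1, r2) in dominance(RH, R))


if __name__ == "__main__":
    st = sample_state()
    for role in sorted(st[1]):
        print(role, sorted(perm_role(role, st)))
    print("bob:", sorted(user_permissions("bob", st)))
```

With this state, the senior role "lead" ends up with all four permissions although PA assigns it only "merge" and "deploy"; that is exactly the effect of the hierarchy that every UAQ subcase below has to reason about.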
3. The complexity of the User Authorization Query problem
In this section, we present the computational complexity analysis of various cases of the Constrained-UAQ problem. Firstly, we present the complexity analysis of the exact match UAQ problem and its subcases with constraints.

Theorem 1. The computational complexities of the different constrained subcases of the exact match UAQ problem are as shown in Table 1.

In Table 1, we show the computational complexity of the exact match UAQ problem in combination with the role-cardinality and the irreducibility constraints. The proof of Theorem 1 is in Appendix A; it consists of three parts. First, we show that UAQ_exact(rc:k), UAQ_exact(rc:, irr) and UAQ_exact(rc:) are NP-hard by proving Lemmas 1, 2 and 3. Second, we show that UAQ_exact(rc:k, irr) is in NP by proving Lemma 4. Finally, we show that UAQ_exact(irr) and UAQ_exact(rc:) are in P by proving Lemmas 5 and 6. The other results in Table 1 follow from the proved cases.

Secondly, we present the complexity analysis of the safe match UAQ problem and its subcases. Note that the complexity of UAQ_safe(irr, pc:Op) is determined by UAQ_safe(irr) and UAQ_safe(pc:Op). In other words, the irreducibility constraint and the permission-cardinality constraint do not affect each other. Hence, we only combine the role-cardinality constraint with the irreducibility constraint or the permission-cardinality constraint, as shown in Table 2.

Theorem 2. The computational complexities of the different constrained subcases of the safe match UAQ problem are as shown in Table 2.

The proof of Theorem 2 is in Appendix B; it is done in four parts. First, we show that UAQ_safe(pc:t), UAQ_safe(rc:k, irr), UAQ_safe(rc:, pc:0), UAQ_safe(rc:, irr) and UAQ_safe(rc:, pc:0) are NP-hard by proving Lemmas 7, 8, 9, 10 and 11. Second, we show that UAQ_safe(pc:t), UAQ_safe(rc:k, irr) and
Table 1 (the computational complexity of the exact match UAQ problem in combination with the role-cardinality and irreducibility constraints; the cell layout did not survive extraction). Column groups: None, Irreducibility. Row groups: None, Role-cardinality (Or k, Or, Or). Recovered cell values: NP-complete, P, NP-hard, NP-hard.
Table 2 - Computational complexities of different subcases of the safe match UAQ problem (cell layout lost in extraction). Column groups (Safe Match): None, Irreducibility, Permission-cardinality (Op t, Op 0). Row group None: recovered cell values P, NP-complete, P.
UAQ_available(rc:, irr) and UAQ_available(rc:) are NP-hard. Secondly, we show that UAQ_available(pc:t) and UAQ_available(rc:k) are in NP. Thirdly, we show that UAQ_available(rc:k, pc:t) is in $NP^{NP}$. Finally, we show that UAQ_available(irr) and UAQ_available(rc:) are in P. The other results in Table 3 follow from the proved cases.
4. An approach for the User Authorization Query problem
The fact that UAQ is intractable, as shown in Section 3, means that there exist difficult problem instances that take exponential time in the worst case. However, many instances encountered in practice may still be efficiently solvable. For example, UAQ_available(pc:0) is NP-hard, as shown by Lemma 19. Wickramaarachchi et al. (Wickramaarachchi et al., 2009) provided a general definition of UAQ, which includes the intractable subcase UAQ_available(pc:0). We now revisit the definition of the UAQ problem used in (Wickramaarachchi et al., 2009).

Definition 4. Given R, P, and the requested permission information $(P_l, P_u, obj)$, where $P_l, P_u \subseteq P$ and $obj \in \{max, min\}$, find a role set $S \subseteq R$ such that the following conditions hold:
$P_l \subseteq Perm(S) \subseteq P_u$ and $|Perm(S)|$ is maximized if $obj = max$ (denoted as the max-UAQ problem).
Table 2, continued (cell layout lost in extraction). Row group Role-cardinality (Or k, Or, Or): recovered cell values P, NP-complete, $NP^{NP}$, NP-complete, P, NP-hard, P, NP-hard.
Table 3 - Computational complexities of different subcases of the available match UAQ problem (cell layout lost in extraction). Column groups (Available Match): None, Irreducibility, Permission-cardinality (Op t, Op 0). Row groups: None, Role-cardinality (Or k, Or, Or). Recovered cell values: NP-complete, NP-hard, NP-complete, NP-hard, $NP^{NP}$, P, NP-hard, NP-hard.
4.1.

4.2. A comparison of our approach to Wickramaarachchi's
We have implemented the approach described in Section 4.1,
and performed several experiments using randomly generated instances. We make a comparison of our DFS algorithm
with the Backtracking-Based Search (BBS) algorithm proposed
by Wickramaarachchi et al. (Wickramaarachchi et al., 2009).
Our goals are to understand the effectiveness of the static
pruning and the preprocessing techniques, and to understand
how well our DFS algorithm scales with different parameters.
The implementation of our algorithm was written in C. All
the experiments have been carried out on a standard desktop
PC with a Pentium(R) Dual-Core CPU E5700 running at 3.0 GHz,
4.2.1.

Description of the symbols used in the experiments (only the symbol Preq survived extraction):
Preq: set of all permissions requested by the user.
Set of roles which can be activated by the user.
Set of extra permissions beyond Preq.
Set of permissions that have not been covered by the selected roles.
Set of roles which can satisfy UAQ_available(pc:0).
Set of roles which can satisfy UAQ_available.
Set of roles which cover no extra permissions beyond Preq in UAQ_available.

Parameter values of the randomly generated instances (parameter names lost in extraction): 1, 1, 1, 1, 1, 5, [2, 10], 2, 10, 2, [0.5, 4.5], 1, 1, 1, 0.5.
4.2.2. Effectiveness of preprocessing

Fig. 2 - Effectiveness of the static pruning for different ratios of requested permissions to permissions and different ratios of permissions to roles.

4.2.3.

Fig. 3 - Effectiveness of preprocessing for different ratios of requested permissions to permissions and different ratios of permissions to roles.

Fig. 4 - Running time for the Depth-First Search (DFS) algorithm and the Backtracking-Based Search (BBS) algorithm.
the effect of the static pruning process will decrease as the ratio of permissions to roles increases. We point out also that the DFS algorithm is more effective than the BBS algorithm even though the ratio of permissions to roles is large. For example, for Preq = 25 in Fig. 4(d), the DFS algorithm takes only 14.4673 s, but the BBS algorithm takes 48.1962 s. Consequently, even though the number of permissions in a large-scale RBAC system may be huge, the DFS algorithm with static pruning and preprocessing will be able to handle many queries if the number of requested permissions is not too large.
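A depth-first search with static pruning for an available match, added here as an example; it is not the paper's C implementation, whose details (Section 4.1) are not reproduced on this page. The example searches for a role set S with Preq ⊆ Perm(S), minimizes the number of extra permissions |Perm(S) \ Preq| and rejects any S with more than t extras; that reading of the permission-cardinality constraint, the two pruning rules (roles sharing nothing with Preq, roles whose own extras already exceed t) and the sample instance are assumptions of this example.

```python
# Added example (not the paper's C implementation): depth-first search with
# static pruning for an available match, i.e. a role set S with Preq ⊆ Perm(S).
# The search minimizes the number of extra permissions |Perm(S) \ Preq| and
# rejects any S with more than t extras; that reading of the permission-
# cardinality constraint and the pruning rules are assumptions of this example.

# Constructed sample instance (not from the paper).
SAMPLE_PREQ = {"p1", "p2", "p3", "p4"}
SAMPLE_PERM = {
    "r1": {"p1", "p2"},
    "r2": {"p2", "p3", "x1"},
    "r3": {"p3", "x1", "x2"},
    "r4": {"p4", "x3"},
    "r5": {"x9"},                                            # shares nothing with Preq
    "r6": {"p1", "p2", "p3", "p4", "x1", "x2", "x3", "x4"},  # covers Preq but 4 extras
}


def static_prune(preq, perm, t):
    """Static pruning: drop roles that contribute no requested permission and roles whose
    own extra permissions already exceed the budget t; neither can appear in a solution."""
    return {r: ps for r, ps in perm.items() if ps & preq and len(ps - preq) <= t}


def dfs_available(preq, perm, t):
    """Branch-and-bound DFS over the pruned roles. Returns (S, extras) for the solution with
    the fewest extra permissions, or (None, None) if no role set stays within t extras."""
    pruned = static_prune(preq, perm, t)
    roles = sorted(pruned)
    best = {"S": None, "extra": t + 1}      # any solution must beat t + 1

    def rec(i, chosen, covered, extra):
        if extra >= best["extra"]:           # bound: cannot improve on the best solution
            return
        if preq <= covered:                  # Preq is available through the chosen roles
            best["S"], best["extra"] = set(chosen), extra
            return
        if i == len(roles):
            return
        # The roles not yet considered must still be able to cover what is missing.
        reachable = set().union(*(pruned[r] for r in roles[i:]))
        if not (preq - covered) <= reachable:
            return
        r = roles[i]
        with_r = covered | pruned[r]
        rec(i + 1, chosen | {r}, with_r, len(with_r - preq))   # branch: take r
        rec(i + 1, chosen, covered, extra)                      # branch: skip r

    rec(0, set(), set(), 0)
    return best["S"], (best["extra"] if best["S"] is not None else None)


if __name__ == "__main__":
    print(dfs_available(SAMPLE_PREQ, SAMPLE_PERM, 2))   # ({'r1', 'r2', 'r4'}, 2)
    print(dfs_available(SAMPLE_PREQ, SAMPLE_PERM, 1))   # (None, None)
```

On the sample instance the pruning removes r5 (no requested permission) and r6 (four extras) before the search starts, and the bound on extras cuts the branch through r3 as soon as it is no better than the solution already found; with t = 1 the search correctly reports that no role set can provide all of Preq within the budget.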
4.3.
Table 6 - Key differences among the static pruning, preprocessing and DFS algorithm for various UAQ problem subcases with permission-cardinality constraints. Columns: Op; Static pruning; Preprocessing; DFS algorithm. The row-to-cell layout did not survive extraction, so the recovered cells are listed by column:
Op: t; 0.
Static pruning: unavailable; $\forall r \in R : Perm(r) \; P_{req} \Rightarrow R \leftarrow R \setminus \{r\}$ (twice); $\forall r \in R : Perm(r) \not\subseteq P_{req} \Rightarrow R \leftarrow R \setminus \{r\}$ (twice).
Preprocessing: $\forall r \in R : Perm(r) \subseteq P_{rem} \Rightarrow P_{req} \leftarrow P_{req} \setminus Perm(r)$ (twice); unavailable.
DFS algorithm: $|Perm(R_{sat})|$ is maximized; $|Perm(R_{sat})| \; P_{req} \; t$ (twice); $|Perm(R_{sat})|$ is minimized.

5. Related work
approaches have paid more attention to designing approximate or exhaustive algorithms for the UAQ problem than to analyzing its computational complexity. The concept of UAQ was first proposed by Du et al. (Du and Joshi, 2006), who call it the inter-domain role mapping (IDRM) problem. The definition of the IDRM problem by Du et al. is basic and incomplete, for at least two reasons: first, there may not be a unique minimal set of roles that is the better choice; a more important issue is that there may not be an $R_{sat} \subseteq R$ such that $Perm(R_{sat}) = P_{req}$. Chen et al. (Chen and Crampton, 2007) redefine the IDRM problem. In their definition, two aspects of the IDRM problem are ensured: all requested permissions should be available, and the principle of least privilege should be observed. Later on, they introduce the minimal cover problem, a generalization of the well-known set cover problem, and use it to determine the complexity of the IDRM problem (Chen and Crampton, 2009). However, the IDRM problem defined by Chen et al. is only a subcase of UAQ; it is equal to UAQ_available(pc:0), because they only consider the optimization of the number of permissions. In our definition of UAQ, the permission-cardinality constraint is denoted pc(S, d), where $S \subseteq R$ and $d \in \{t, t, 0, 0\}$; they only take the 0 form of d into consideration, and they also do not consider the optimization of roles. Zhang et al. (Zhang and Joshi, 2008) generalize the UAQ problem by dividing it into three subcases: one where an exactly matched role set exists; when this is impossible, availability or least privilege concerns are used for the other two cases. Obviously, they only consider the optimization of the number of roles for the
Table 7 - A summary of existing approaches related to the subcases of the UAQ problem. "-" denotes that the work presents a heuristic solution to address the indicated subcase of the UAQ problem; "+" denotes that the work reports the computational complexity of the indicated subcase; DMER (Dynamic Mutually Exclusive Role), DSoD (Dynamic Separation-of-Duty) and the other constraints indicated show that the proposed approach considers them in the policy.
Columns: Existing works; UAQ_exact(rc:); UAQ_safe(pc:0); UAQ_available(pc:0).
Recovered entries (the row labels naming each work did not survive extraction):
++ (irreducibility constraint)
- (DMER and cardinality constraints)
- (DMER and cardinality constraints)
- (multiple sessions and histories constraints)
- (role-cardinality constraints)
- (DSoD constraints)
6.
Acknowledgments
This work is supported by National Natural Science Foundation of China under Grant 61402418, 61170108, MOE (Ministry
of Education in China) Project of Humanity and Social Science
under Grant 12YJCZH142, Zhejiang Provincial Natural Science
Foundation of China under Grant LQ12F02005, LY13F020017,
LQ13F020007, Opening Fund of Key Discipline of Computer
Software and Theory of Zhejiang Province at ZJNU under
Grant ZSDZZZZXK23.
Turing reduction from UAQ_exact(rc:k) to UAQ_exact(rc:k, irr). Suppose there exists an oracle for UAQ_exact(rc:k); we query the oracle to obtain a solution S for UAQ_exact(rc:k). We can compute an irreducible set $S'$ of S as a solution to UAQ_exact(rc:k, irr) as follows. For each role $r \in S$, remove r from S if $Perm(S \setminus \{r\}) = Perm(S)$. Hence, UAQ_exact(rc:k, irr) is NP-hard, and therefore UAQ_exact(rc:, irr) is also NP-hard.
Lemma 3. UAQ_exact(rc:) is NP-hard.

Proof. We show UAQ_exact(rc:) is NP-hard by reducing the NP-hard set cover optimization problem (Chen and Crampton, 2009) to it. In the set cover optimization problem, the inputs are a finite set S and a family $F = \{S_1, \dots, S_l\}$ of subsets of S. The goal is to find the smallest sub-family of F whose union is S. The reduction is as follows. Given F and S, we construct a role set R and a requested permission set $P_{req}$ by setting $R = F$ and $P_{req} = S$. Clearly, a solution $R_{sat}$ to the set cover optimization problem provides a solution to UAQ_exact(rc:).
Lemma 4. UAQ_exact(rc:k, irr) is in NP.

Proof. UAQ_exact(rc:k, irr) is in NP because, if one correctly guesses a subset $R_{sat}$ of R as a solution to UAQ_exact(rc:k, irr), verifying whether $R_{sat}$ is an exact match of $P_{req}$ with $|R_{sat}|$ k can be done in polynomial time. There exists an efficient algorithm for checking whether $R_{sat}$ is an irreducible set, as follows. For each role $r \in R_{sat}$, remove r from $R_{sat}$ if $Perm(R_{sat} \setminus \{r\}) = Perm(R_{sat})$. If no role can be removed from $R_{sat}$ without changing $Perm(R_{sat})$, then $R_{sat}$ is an irreducible set. This can be done in polynomial time with time complexity $O(|R_{sat}|)$, where $|R_{sat}|$ is the number of roles in $R_{sat}$.
Lemma 5. UAQ_exact(irr) is in P.

Proof. Firstly, an answer to UAQ_exact can be computed as follows. Given R, P and $P_{req} \subseteq P$, for each $r \in R$ with $Perm(r) \subseteq P_{req}$, add r to $R_{sat}$ so that $R_{sat} = R_{sat} \cup \{r\}$, and then determine whether $Perm(R_{sat}) = P_{req}$. This can be done in polynomial time with time complexity $O(N_R)$, where $N_R$ is the number of roles in R. Hence, UAQ_exact is in P.

Secondly, we show that there exists a polynomial time Turing reduction from UAQ_exact(irr) to UAQ_exact. Let $R_{sat}$ be a solution to UAQ_exact; for each role $r \in R_{sat}$, remove r from $R_{sat}$ if $Perm(R_{sat} \setminus \{r\}) = Perm(R_{sat})$. This can be done in polynomial time with time complexity O(N), where N is the number of roles in $R_{sat}$. Hence, UAQ_exact(irr) is also in P.
Lemma 6. UAQ_exact(rc:) is in P.

Proof. Given R, P and $P_{req} \subseteq P$, we first give an algorithm to compute a solution $R_{sat}$ to UAQ_exact(rc:) as follows. We first assume that $R_{sat} = \emptyset$; for each $r \in R$ with $Perm(r) \subseteq P_{req}$, let $R_{sat} = R_{sat} \cup \{r\}$, and finally determine whether $Perm(R_{sat}) = P_{req}$. This can be done in polynomial time with time complexity O(N), where N is the number of roles in R. We then show that for any other exact match $R'_{sat}$ of $P_{req}$, $|R'_{sat}| \le |R_{sat}|$. Suppose, for the sake of contradiction, that $|R_{sat}| < |R'_{sat}|$. Then there must exist a role $r \in R'_{sat}$, $r \notin R_{sat}$, thus $Perm(r) \not\subseteq P_{req}$, otherwise $r \in R_{sat}$. This contradicts the assumption that $R'_{sat}$ is an exact match of $P_{req}$; hence $|R'_{sat}| \le |R_{sat}|$. Therefore, UAQ_exact(rc:) is in P.
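The algorithms in the proofs of Lemmas 4, 5 and 6 as an added Python example (not code from the paper): Perm(r) is given as a precomputed table, the largest exact match is built by collecting every role whose permissions lie inside Preq and checking that their union equals Preq, an irreducible solution is obtained by dropping roles whose removal leaves Perm(Rsat) unchanged, and a guessed certificate is verified as in Lemma 4. The sample role table and the reading of the role-cardinality constraint as $|R_{sat}| \le k$ are assumptions of this example.

```python
# Added example (not code from the paper): exact match UAQ on a precomputed
# Perm(r) table, following the steps of Lemmas 4, 5 and 6 in the appendix.

# Constructed sample Perm(r) table (not from the paper).
SAMPLE_PERM = {
    "r1": {"p1", "p2"},
    "r2": {"p2", "p3"},
    "r3": {"p1", "p2", "p3"},
    "r4": {"p3", "p4"},
    "r5": {"p5"},
}


def perm_of(roles, perm):
    """Perm(S): union of Perm(r) over the role set S."""
    return set().union(*(perm[r] for r in roles)) if roles else set()


def exact_match_max(preq, perm):
    """Lemmas 5/6: collect every role with Perm(r) ⊆ Preq. The result is an exact match
    (and the largest one) iff Perm(Rsat) = Preq; returns None when no exact match exists."""
    rsat = {r for r, ps in perm.items() if ps <= preq}
    return rsat if perm_of(rsat, perm) == preq else None


def is_irreducible(rsat, perm):
    """Lemma 4: Rsat is irreducible if removing any single role changes Perm(Rsat)."""
    target = perm_of(rsat, perm)
    return all(perm_of(set(rsat) - {r}, perm) != target for r in rsat)


def make_irreducible(rsat, perm):
    """Lemma 5: drop r whenever Perm(Rsat \\ {r}) = Perm(Rsat). The removal order decides
    which irreducible subset survives, so roles are visited in sorted order for determinism."""
    rsat = set(rsat)
    target = perm_of(rsat, perm)
    for r in sorted(rsat):
        if perm_of(rsat - {r}, perm) == target:
            rsat.remove(r)
    return rsat


def verify_certificate(rsat, preq, perm, k):
    """Lemma 4 verifier: exact match of Preq, role-cardinality bound (read here as
    |Rsat| <= k, an assumption of this example) and irreducibility, all in polynomial time."""
    return (perm_of(rsat, perm) == preq
            and len(rsat) <= k
            and is_irreducible(rsat, perm))


if __name__ == "__main__":
    preq = {"p1", "p2", "p3"}
    big = exact_match_max(preq, SAMPLE_PERM)
    print("largest exact match:", sorted(big))
    print("an irreducible exact match:", sorted(make_irreducible(big, SAMPLE_PERM)))
    print("certificate {r1, r2} with k = 2 valid:",
          verify_certificate({"r1", "r2"}, preq, SAMPLE_PERM, 2))
```

Note that the reduction in make_irreducible yields an irreducible exact match but not necessarily a smallest one: on the sample table both {r3} and {r1, r2} are irreducible exact matches of {p1, p2, p3}, which is why the minimum-cardinality subcase remains hard (Lemma 3) while the maximum-cardinality and irreducibility subcases are in P (Lemmas 5 and 6).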
$\sum_{r_i \in R_{sat}} |perm(r_i)| = \sum_{r_i \in R_{sat}} a_i$; $\sum_{a_j \in A \mid j\,i,\ r_i \in R_{sat}} a_j = M$. Hence, the answer to the subset sum problem is yes. For the if part, suppose there exists a subset $A' \subseteq A$ where $\sum_{a_i \in A'} a_i = M$; we can find a role set $R' \subseteq R$ where $\sum_{r_i \in R'} |perm(r_i)| = M0$, $|perm(r_i)| \; P_{req} \; t$; thus, $R'$ is a the instance $(P^*_{req}, R^*, t^*)$ of UAQ_safe(pc:t)
References

ANSI. American national standard for information technology - role based access control. 2004. ANSI INCITS 359-2004.
Armando A, Ranise S, Turkmen F, Crispo B. Efficient run-time solving of RBAC user authorization queries: pushing the envelope. In: Proc. ACM Conference on Data and Application Security and Privacy, San Antonio, Texas, USA; 2012. p. 241-8.
Arora S, Barak B. Computational complexity: a modern approach. Cambridge University Press; 2009.
Chen L, Crampton J. Inter-domain role mapping and least privilege. In: Proc. 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France; 2007. p. 157-62.
Chen L, Crampton J. Set cover problems in role-based access control. In: Proc. 14th European Symposium on Research in Computer Security, Saint Malo, France; 2009. p. 689-704.
Crampton J, Huth M. An authorization framework resilient to policy evaluation failures. In: Proc. 15th European Symposium on Research in Computer Security, Athens, Greece; 2010. p. 472-87.
Du S, Joshi JBD. Supporting authorization query and inter-domain role mapping in presence of hybrid role hierarchy. In: Proc. 11th ACM Symposium on Access Control Models and Technologies, Lake Tahoe, California, USA; 2006. p. 228-36.
Garey MR, Johnson DJ. Computers and intractability: a guide to the theory of NP-completeness. San Francisco, CA: Freeman; 1979.
Hu J, Zhang Y, Li R, Lu Z. Role updating for assignments. In: Proc. 15th ACM Symposium on Access Control Models and Technologies, Pittsburgh, Pennsylvania, USA; 2010. p. 89-98.
Hu J, Zhang Y, Li R. Towards automatic update of access control policy. In: Proc. 24th USENIX Large Installation System Administration Conference, San Jose, CA, USA; 2010. p. 59-74.
Joshi JBD, Bertino E, Ghafoor A, Zhang Y. Formal foundations for hybrid hierarchies in GTRBAC. ACM Trans Inform Syst Secur 2008;10(4):1-39.
Le X, Doll T, Barbosu M, Luque A, Wang D. An enhancement of the role-based access control model to facilitate information access management in context of team collaboration and workflow. J Biomed Inform 2012;45(6):1084-107.
Li N, Tripunitara M, Bizri Z. On mutually exclusive roles and separation-of-duty. ACM Trans Inform Syst Secur 2007;10(2):1-36.
Li R, Lu J, Lu Z, Ma X. Consistency checking of safety and availability in access control. IEICE Trans Inform Syst 2010;E93-D(3):491-502.
Lu J, Han J, Chen W, Hu J. Safety and availability checking for user authorization queries in RBAC. Int J Comput Intell Syst 2012;5(5):860-7.