Revogação com Downgrade
Resumo
Este artigo apresenta um modelo flexível de autorização que permite controlar de forma precisa a formação de cadeias de delegações, tanto através da limitação no comprimento tais cadeias, como atráves da definição de condições para aceitação de novas delegações. Direcionado a este modelo, é proposto um algoritmo eficiente de revogação com downgrade, que mantém os sujeitos com o maior conjunto possível de direitos, considerando-se as cadeias de suporte alternativas restantes após a revogação de delegações. É apresentado um algoritmo para aceitação, que verifica se há ao menos uma cadeia de suporte válida para cada nova delegação.Referências
A.K. Jones, R. L. and Snyder., L. (1976). A linear time algorithm for deciding security. In Proc. 17th Anual Symposium on Foundations of Computer Science, pages 33–41.
Astrahan, M. M. (1976). System R: A relational approach to database management. ACM Trans. Database Syst., 1(2):97–137.
Barka, E. and Sandhu., R. (2000). A role-based delegation model and some extensions. In 23rd National Information Systems Security Conference, Baltimore, MD, October 2000.
Bertino, E., Samarati, P., and Jajodia, S. (1997). An extended authorization model for relational databases. Knowledge and Data Engineering, 9(1):85–101.
Bondy, J. A. and Murty, U. S. R. (1976). Graph Theory with Applications. American Elsevier.
Griffiths, P. P. and Wade, B. W. (1976). An authorization mechanism for a relational data base system (abstract). In Rothnie, J. B., editor, SIGMOD Conference, page 51. ACM.
Ruan, C. and Varadharajan, V. (2004). A weighted graph approach to authorization delegation and conflict resolution. In Wang, H., Pieprzyk, J., and Varadharajan, V., editors, ACISP, volume 3108 of Lecture Notes in Computer Science, pages 402–413. Springer.
Samarati, P. and di Vimercati, S. D. C. (2001). Access control: Policies, models, and mechanisms. In Focardi, R. and Gorrieri, R., editors, Foundations of Security Analysis and Design, LNCS 2171. Springer-Verlag.
U. Bussolati, M. F. and Martella., G. (1993). A conceptual framework for security system: the action-entity model. In Proc. 9th IFIP World Conference, pages 127–132.
Wainer, J., Barthelmess, P., and Kumar, A. (2003). W-RBAC - A workflow security model incorporating controlled overriding of constraints. Int. J. Cooperative Inf. Syst., 12(4):455–485.
Wainer, J., Kumar, A., and Barthelmess, P. (2005). DW-RBAC: A formal security model of delegation and revocation in workflow systems. Information Systems, To be published.
Woo, T. Y. C. and Lam, S. S. (1993). Authorizations in distributed systems: A new approach. Journal of Computer Security, 2(2-3):107–136.
Yao,W., Moody, K., and Bacon, J. (2001). A model of oasis role-based access control and its support for active security. In SACMAT, pages 171–181.
Zhang, L., Ahn, G.-J., and tseng Chu, B. (2003a). A rule-based framework for role-based delegation and revocation. ACM Trans. Inf. Syst. Secur., 6(3):404–441.
Zhang, X., Oh, S., and Sandhu., R. (2003b). Pbdm: A flexible delegation model in rbac. In Proceedings of the 8th ACM Symposium on Access Control Models and Technologies.
Astrahan, M. M. (1976). System R: A relational approach to database management. ACM Trans. Database Syst., 1(2):97–137.
Barka, E. and Sandhu., R. (2000). A role-based delegation model and some extensions. In 23rd National Information Systems Security Conference, Baltimore, MD, October 2000.
Bertino, E., Samarati, P., and Jajodia, S. (1997). An extended authorization model for relational databases. Knowledge and Data Engineering, 9(1):85–101.
Bondy, J. A. and Murty, U. S. R. (1976). Graph Theory with Applications. American Elsevier.
Griffiths, P. P. and Wade, B. W. (1976). An authorization mechanism for a relational data base system (abstract). In Rothnie, J. B., editor, SIGMOD Conference, page 51. ACM.
Ruan, C. and Varadharajan, V. (2004). A weighted graph approach to authorization delegation and conflict resolution. In Wang, H., Pieprzyk, J., and Varadharajan, V., editors, ACISP, volume 3108 of Lecture Notes in Computer Science, pages 402–413. Springer.
Samarati, P. and di Vimercati, S. D. C. (2001). Access control: Policies, models, and mechanisms. In Focardi, R. and Gorrieri, R., editors, Foundations of Security Analysis and Design, LNCS 2171. Springer-Verlag.
U. Bussolati, M. F. and Martella., G. (1993). A conceptual framework for security system: the action-entity model. In Proc. 9th IFIP World Conference, pages 127–132.
Wainer, J., Barthelmess, P., and Kumar, A. (2003). W-RBAC - A workflow security model incorporating controlled overriding of constraints. Int. J. Cooperative Inf. Syst., 12(4):455–485.
Wainer, J., Kumar, A., and Barthelmess, P. (2005). DW-RBAC: A formal security model of delegation and revocation in workflow systems. Information Systems, To be published.
Woo, T. Y. C. and Lam, S. S. (1993). Authorizations in distributed systems: A new approach. Journal of Computer Security, 2(2-3):107–136.
Yao,W., Moody, K., and Bacon, J. (2001). A model of oasis role-based access control and its support for active security. In SACMAT, pages 171–181.
Zhang, L., Ahn, G.-J., and tseng Chu, B. (2003a). A rule-based framework for role-based delegation and revocation. ACM Trans. Inf. Syst. Secur., 6(3):404–441.
Zhang, X., Oh, S., and Sandhu., R. (2003b). Pbdm: A flexible delegation model in rbac. In Proceedings of the 8th ACM Symposium on Access Control Models and Technologies.
Publicado
28/08/2006
Como Citar
NEGRELLO, Fábio; WAINER, Jacques.
Revogação com Downgrade. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 6. , 2006, Santos.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2006
.
p. 208-221.
DOI: https://doi.org/10.5753/sbseg.2006.20950.
