
Expressive Power, Safety and Cloud Implementation of Attribute and Relationship Based Access Control Models


Abstract

For the last few years Attribute Based Access Control (ABAC) has been emerging as the next dominant form of access control. According to a 2014 NIST special publication, "ABAC enables more precise access control model as it can consider numerous attributes in authorization decision." ABAC can unify the advantages of the traditional discretionary, mandatory and role-based access control models by using appropriate attributes, while going beyond the capabilities of these. ABAC has become recognized as a model expressive enough to define finer-grained and flexible authorization policies suitable for modern application domains such as cloud computing and the Internet of Things. Meanwhile, in recent years, various online social network (OSN) applications such as Facebook, Twitter and LinkedIn have become widely used. In OSNs, authorization for a user's access to specific content is typically based on the interpersonal relationships between the accessing user and the content owner, an approach known as Relationship Based Access Control (ReBAC). Recently ReBAC has been expanded to cover systems beyond OSNs. Efforts to combine ReBAC and ABAC have also been published.

This dissertation makes fundamental contributions to our understanding of ABAC and ReBAC from three perspectives.

First, it clarifies and resolves conflicting claims in the literature regarding the expressive power of ABAC and ReBAC. It has been argued, on one hand, that attributes can encode relationships, so ABAC subsumes ReBAC. On the other hand, it has been claimed that the multilevel or composed relations of ReBAC (such as friend of friend) bring fundamentally new capabilities. This dissertation develops separate classifications of ABAC and ReBAC models with respect to salient structural and dynamic properties. It shows the equivalence, dominance or non-comparability of the expressive power of various model classes in these classifications. The results of this analysis show that ABAC and ReBAC, when defined with sufficient generality, are equivalent in expressive power. For less general forms of ABAC and ReBAC the relative expressive power depends strongly on the details of the respective models.

Second, this dissertation analyzes the safety and expressive power of an existing ABAC model, viz. ABACalpha. ABACalpha is designed with just sufficient capabilities to configure commonly used forms of discretionary, mandatory and role-based access control. In particular, ABACalpha restricts attribute values to be from finite fixed domains. The safety analysis of ABACalpha is shown to be decidable by providing a reduction from ABACalpha to the safety-decidable UCON(finite)/(preA) with finite attribute domain, which is a structurally different ABAC model with finite fixed domains. Two enhanced versions of ABACalpha are defined. One of these is shown to be equivalent in expressive power to UCON(finite)/(preA) with finite attribute domain. The other is shown to have undecidable safety and thus expressive power beyond UCON(finite)/(preA) with finite attribute domain. The question of whether ABACalpha is strictly less expressive than UCON(finite)/(preA) with finite attribute domain, or equivalent to it, is left open.

Finally, the dissertation introduces a novel form of ReBAC model (OOReBAC), which uses object-to-object relationships, independent of users, to control access to resources. A proof-of-concept implementation of OOReBAC for multicloud resource sharing using the open source OpenStack cloud platform, and specifically its Swift object storage service, is provided.
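The expressive-power debate summarized in the first contribution (can attributes encode relationships, and do composed relations like friend of friend add anything?) is easier to see with a concrete policy evaluated three ways. The following is an added illustration written for this page, not code or a formalization from the dissertation: a constructed "friend" graph, a ReBAC-style check that walks relationship paths, an ABAC encoding that dereferences the set-valued `friends` attribute of other users, and an ABAC encoding over a single precomputed attribute. The graph, the object `photo1` and the two-hop limit are assumptions for the example.

```python
from collections import deque

# Constructed sample data for this example (not from the dissertation):
# an undirected "friend" relation stored as adjacency sets, and one object
# whose only attribute is its owner.
FRIENDS = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob", "dave"},
    "dave": {"carol"},
    "eve": set(),
}
OBJECTS = {"photo1": {"owner": "alice"}}


def hop_distance(graph, src, dst):
    """Shortest number of 'friend' hops from src to dst via breadth-first
    search, or None if dst is unreachable from src."""
    if src == dst:
        return 0
    seen = {src}
    queue = deque([(src, 0)])
    while queue:
        node, d = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt == dst:
                return d + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
    return None


def rebac_authorize(graph, user, obj, max_hops=2):
    """ReBAC-style policy: the owner, or anyone within max_hops friend hops
    of the owner, may read. max_hops=2 means 'friend or friend of friend'."""
    owner = OBJECTS[obj]["owner"]
    dist = hop_distance(graph, owner, user)
    return dist is not None and dist <= max_hops


def attrs(graph, user):
    """ABAC view of a user: the relation becomes a set-valued 'friends'
    attribute whose values name other users."""
    return {"id": user, "friends": graph.get(user, set())}


def abac_authorize_deref(graph, user, obj):
    """ABAC policy that expresses friend-of-friend by dereferencing the
    attributes of the users named in the owner's 'friends' attribute."""
    owner = OBJECTS[obj]["owner"]
    o = attrs(graph, owner)
    if user == owner or user in o["friends"]:
        return True
    # exists f in owner.friends such that user in f.friends
    return any(user in attrs(graph, f)["friends"] for f in o["friends"])


def materialize(graph, max_hops):
    """Precompute, per user, the set of users within max_hops as one
    attribute. It is only valid for the graph it was computed from."""
    within = {}
    for u in graph:
        within[u] = set()
        for v in graph:
            d = hop_distance(graph, u, v)
            if v != u and d is not None and d <= max_hops:
                within[u].add(v)
    return within


def abac_authorize_materialized(user, obj, within):
    """ABAC policy that compares the requester's id against one attribute of
    the owner only, with no dereferencing of other entities."""
    owner = OBJECTS[obj]["owner"]
    return user == owner or user in within[owner]


def compare_models(graph=FRIENDS):
    """Evaluate every user against photo1 under the three formulations."""
    within2 = materialize(graph, 2)
    return {
        u: (
            rebac_authorize(graph, u, "photo1"),
            abac_authorize_deref(graph, u, "photo1"),
            abac_authorize_materialized(u, "photo1", within2),
        )
        for u in graph
    }


def staleness_demo():
    """Add a friendship after materializing: path-walking and dereferencing
    policies see it at once, the precomputed attribute does not until
    recomputed. Returns the four decisions for eve reading photo1."""
    graph = {u: set(s) for u, s in FRIENDS.items()}
    within2 = materialize(graph, 2)
    graph["alice"].add("eve")
    graph["eve"].add("alice")
    return (
        rebac_authorize(graph, "eve", "photo1"),
        abac_authorize_deref(graph, "eve", "photo1"),
        abac_authorize_materialized("eve", "photo1", within2),
        abac_authorize_materialized("eve", "photo1", materialize(graph, 2)),
    )
```

On the static graph all three formulations agree, which is the sense in which attributes can encode relationships. The difference the dissertation's structural and dynamic classifications are about shows up in how the encoding is reached: the dereferencing policy needs a language that can follow attribute values to other entities' attributes, and the single-attribute version needs the composed relation to be precomputed and kept in step with every change to the graph.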

Bibliographic record

  • Author: Ahmed, Tahmina
  • Author's institution: The University of Texas at San Antonio
  • Degree-granting institution: The University of Texas at San Antonio
  • Subjects: Computer science; Information technology
  • Degree: Ph.D.
  • Year: 2017
  • Pages: 137
  • Original format: PDF
  • Language: English
