TWC: Medium: Collaborative: Foundations of Application-Sensitive Access Control Evaluation

TWC：媒介：协作：应用程序敏感的访问控制评估的基础

• 批准号: 1228668
• 负责人: Von Welch
• 金额: $ 20.18万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2012
• 资助国家: 美国
• 起止时间: 2012-09-01 至 2016-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1228668&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; Foundations; Application

Access control schemes are traditionally compared in terms of raw expressive power (i.e., the policies they can encode and how those policies can be changed); however, such comparisons ignore the needs of the application within which a scheme will be deployed. For some applications, the most expressive scheme may be overly complex and not necessarily the best fit. To this end, this project investigates the suitability analysis problem: Given a system's access control workload, a set of candidate access control schemes, and a set of application-specific cost metrics, which scheme best meets the needs of the system?The goal is to create a suitability-analysis framework that is sufficiently rigorous to be useful to researchers and theoreticians, while remaining accessible to security practitioners. Such a framework will help formalize an access control scheme's application-specific strengths and limitations, enable researchers to precisely describe the scenarios for which a scheme is best suited, allow assessment of the novelty and utility of proposed schemes, and help analysts diagnose shortcomings in existing systems. In particular, the project will develop (1) an application-specific, workload-based framework for analyzing the suitability of access control schemes that is sufficiently rich to compare logical, extensional, and hybrid schemes in both sequential and concurrent systems; (2) a cost analysis component that quantifies a scheme's suitability using custom metrics; and (3) tools that automate a range of suitability analysis tasks. A real-world security workload, PKI-based authentication and authorization on the web, will be used to evaluate the results.

传统上，访问控制方案是根据原始表达能力（即，它们可以编码的政策以及如何更改这些政策）进行比较；但是，这种比较忽略了将部署计划的应用程序的需求。 对于某些应用，最表现力的方案可能过于复杂，而不一定是最合适的。为此，该项目调查了适合性分析问题：鉴于系统的访问控制工作量，一组候选访问控制计划以及一组特定应用的成本指标，哪些方案最能满足系统的需求？目标是创建一个适用性 - 分析框架，该框架对研究人员和理论家的适用性访问权限很严格，以便对可靠的练习访问。这样的框架将有助于正式化访问控制计划的特定应用程序的优势和局限性，使研究人员能够精确地描述最适合计划的方案，允许评估拟议方案的新颖性和实用性，并帮助分析师诊断现有系统中的短缺。 特别是，该项目将开发（1）一个基于应用程序的，基于工作负载的框架，用于分析访问控制方案的适用性，该方案足够丰富，可以比较顺序和并发系统中的逻辑，扩展和混合方案； （2）使用自定义指标量化计划的适用性的成本分析组件； （3）自动化一系列适用性分析任务的工具。 现实世界中的安全工作负载，基于PKI的身份验证和网络授权将用于评估结果。