CERIAS Security: Attribute-Based Access Control

Speaker: William Winsborough · George Mason University 

Basing authorization on attributes of the resource requester provides flexibility and scalability that is essential in the context of large distributed systems. Logic programming provides an convenient, expressive, and well-understood framework in which to work with authorization policy. 

This talk will summarize an attribute-based authorization framework built on logic programming: RT, a family of Role-based Trust-management languages. It will then discuss efficient and effective evaluation of RT policies that are stored in a distributed manner. After discussing these basics, the talk will consider the problem of assessing authorization policies with respect to the vulnerability of resource owners to a variety of security risks to which they are exposed by delegations to other principals, risks such as undesired authorizations and unavailability of critical resources. 

We will consider several such properties of RT policies, many of which we will see can be decided efficiently. For other properties, we will see that the complexity depends on the subset of RT in which the policy is expressed. This part of the talk will conclude by discussing some prospects for continued research in this area. Finally, the talk will visit the problem of using attribute credentials to obtain access when the credentials and their contents may themselves be private. Trust negotiation, a simple approach to this problem, will be introduced, as well as an intuitive and useful security property formalizing the protection of private credentials. This research was funded by DARPA and the NSF. 

 For more information go to the Cerias website (http://bit.ly/dsFCBF)