TWC: Medium: Collaborative: Foundations of Application-Sensitive Access Control Evaluation

TWC：媒介：协作：应用程序敏感的访问控制评估的基础

• 批准号: 1228947
• 负责人: Lenore Zuck
• 金额: $ 65.33万
• 依托单位: University of Illinois at Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2012
• 资助国家: 美国
• 起止时间: 2012-09-01 至 2016-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1228947&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; Foundations; Application

Access control schemes are traditionally compared in terms of raw expressive power (i.e., the policies they can encode and how those policies can be changed); however, such comparisons ignore the needs of the application within which a scheme will be deployed. For some applications, the most expressive scheme may be overly complex and not necessarily the best fit. To this end, this project investigates the suitability analysis problem: Given a system's access control workload, a set of candidate access control schemes, and a set of application-specific cost metrics, which scheme best meets the needs of the system?The goal is to create a suitability-analysis framework that is sufficiently rigorous to be useful to researchers and theoreticians, while remaining accessible to security practitioners. Such a framework will help formalize an access control scheme's application-specific strengths and limitations, enable researchers to precisely describe the scenarios for which a scheme is best suited, allow assessment of the novelty and utility of proposed schemes, and help analysts diagnose shortcomings in existing systems. In particular, the project will develop (1) an application-specific, workload-based framework for analyzing the suitability of access control schemes that is sufficiently rich to compare logical, extensional, and hybrid schemes in both sequential and concurrent systems; (2) a cost analysis component that quantifies a scheme's suitability using custom metrics; and (3) tools that automate a range of suitability analysis tasks. A real-world security workload, PKI-based authentication and authorization on the web, will be used to evaluate the results.

访问控制方案传统上是根据原始表达能力（即，它们可以编码的策略以及这些策略可以如何改变）;然而，这样的比较忽略了将在其中部署方案的应用的需要。 对于某些应用程序，最具表现力的方案可能过于复杂，不一定是最适合的。为此，该项目研究的适用性分析问题：给定系统的访问控制工作量，一组候选的访问控制方案，和一组特定于应用程序的成本指标，该方案最能满足系统的需求？我们的目标是创建一个足够严格的适用性分析框架，对研究人员和理论家有用，同时保持安全从业人员的可访问性。这样一个框架将有助于正式的访问控制方案的应用程序特定的优势和局限性，使研究人员能够精确地描述方案最适合的场景，允许评估的新奇和实用性的建议计划，并帮助分析师诊断现有系统的缺点。 特别是，该项目将开发（1）一个特定于应用程序的，基于工作量的框架，用于分析访问控制方案的适用性，该框架足够丰富，可以在顺序和并发系统中比较逻辑，扩展和混合方案;（2）一个成本分析组件，使用自定义指标量化方案的适用性;以及（3）自动执行一系列适用性分析任务的工具。 一个真实世界的安全工作量，基于公钥基础设施的身份验证和授权的网络上，将被用来评估结果。