Award Abstract # 1421893
TWC: Small: Towards Trustworthy Access Control Policies

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: THE RESEARCH FOUNDATION FOR THE STATE UNIVERSITY OF NEW YORK
Initial Amendment Date: August 1, 2014
Latest Amendment Date: May 2, 2019
Award Number: 1421893
Award Instrument: Standard Grant
Program Manager: Jeremy Epstein
CNS Division Of Computer and Network Systems
CSE Directorate for Computer and Information Science and Engineering
Start Date: August 1, 2014
End Date: June 30, 2020 (Estimated)
Total Intended Award Amount: $341,410.00
Total Awarded Amount to Date: $341,410.00
Funds Obligated to Date: FY 2014 = $341,410.00
History of Investigator:
  • Scott Stoller (Principal Investigator)
    stoller@cs.stonybrook.edu
Recipient Sponsored Research Office: SUNY at Stony Brook
W5510 FRANKS MELVILLE MEMORIAL LIBRARY
STONY BROOK
NY  US  11794-0001
(631)632-9949
Sponsor Congressional District: 01
Primary Place of Performance: SUNY at Stony Brook
Computer Science Dept.
Stony Brook
NY  US  11794-4400
Primary Place of Performance Congressional District: 01
Unique Entity Identifier (UEI): M746VC6XMNH9
Parent UEI: M746VC6XMNH9
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source: 01001415DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7434, 7923
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Getting access control policies right is challenging, especially in large organizations. This project is developing techniques and tools to support efficient and trustworthy administration of Attribute-Based Access Control (ABAC) policies. ABAC is a flexible, high-level, and increasingly popular security policy framework.

ABAC promises long-term cost savings through reduced administrative effort, but manual development of an initial ABAC policy can be expensive. This project is developing policy mining algorithms that promise to drastically reduce the cost of migrating from legacy access control frameworks to ABAC. These algorithms generate candidate ABAC policies from existing lower-level policies, if available, or operation logs, together with data about attributes of users and resources.

An administrative policy specifies how each user may change the access control policy. Fully understanding the implications of administrative policies in enterprise systems can be difficult, because of the size and complexity of the policies, and because sequences of changes by different users may interact in unexpected ways. This project is developing policy analysis algorithms that support validation of administrative policies, by answering questions such as whether, how, and under what conditions specified administrators can together change the policy in order to grant specified permissions to specified users.

Powerful development environments for creating and validating access control policies, incorporating algorithms like the ones being developed in this project, have the potential to significantly increase the trustworthiness of IT systems, by helping security administrators efficiently and reliably develop correct policies.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

(Showing: 1 - 10 of 29)
Bui, Thang and Stoller, Scott D. "A Decision Tree Learning Approach for Mining Relationship-Based Access Control Policies" Proceedings of the 25th ACM Symposium on Access Control Models and Technologies (SACMAT 2020), 2020 https://doi.org/10.1145/3381991.3395619
Christopher Kane, Bo Lin, Saksham Chand, Scott D. Stoller, Yanhong A. Liu "High-level Cryptographic Abstractions" ACM SIGSAC 14th Workshop on Programming Languages and Analysis for Security (PLAS '19), 2019 https://doi.org/10.1145/3338504.3357343
Dung Phan, Junxing Yang, Denise Ratasich, Radu Grosu, Scott A. Smolka, and Scott D. Stoller "Collision Avoidance for Mobile Robots with Limited Sensing and Limited Information about Moving Obstacles" Formal Methods in System Design, 2017
Dung Phan, Junxing Yang, Denise Ratasich, Radu Grosu, Scott Smolka, and Scott D. Stoller "Collision Avoidance for Mobile Robots with Limited Sensing and Limited Information about the Environment" Proceedings of the Fifteenth International Conference on Runtime Verification (RV 2015), 2015, p.201 https://doi.org/10.1007/978-3-319-23820-3_13
Dung Phan, Junxing Yang, Radu Grosu, Scott A. Smolka, and Scott D. Stoller "A Component-Based Simplex Architecture for High-Assurance Cyber-Physical Systems" Proceedings of the 17th International Conference on Application of Concurrency to System Design (ACSD 2017), 2017
Dung Phan, Nicola Paoletti, Radu Grosu, Scott A. Smolka and Scott D. Stoller "Neural State Classification for Hybrid Systems" 16th International Symposium on Automated Technology for Verification and Analysis (ATVA 2018), 2018
Junxing Yang, Md. Ariful Islam, Abhishek Murthy, Scott A. Smolka, and Scott D. Stoller "A Simplex Architecture for Hybrid Systems using Barrier Certificates" Proceedings of the International Conference on Computer Safety, Reliability, and Security (SAFECOMP), 2017
Liu, Yanhong A and Stoller, Scott D "Founded semantics and constraint semantics of logic rules" Journal of Logic and Computation, v.30, 2020 https://doi.org/10.1093/logcom/exaa056
Liu, Yanhong A and Stoller, Scott D "Knowledge of uncertain worlds: programming with logical constraints" Journal of Logic and Computation, v.31, 2020 https://doi.org/10.1093/logcom/exaa077
Liu, Yanhong A. and Stoller, Scott D. "Assurance of Distributed Algorithms and Systems: Runtime Checking of Safety and Liveness" Proceedings of the 20th International Conference on Runtime Verification (RV 2020), 2020 https://doi.org/10.1007/978-3-030-60508-7_3
Liu, Yanhong A. and Stoller, Scott D. "Knowledge of Uncertain Worlds: Programming with Logical Constraints: An Overview." Proceedings 36th International Conference on Logic Programming (ICLP 2020) (Technical Communications), v.325, 2020 https://doi.org/10.1007/978-3-030-36755-8_8

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Access control is a cornerstone of computer security.  Access control policies are critical to the security of many IT systems.  However, getting the policies right is challenging, especially in large organizations, because the policies are large and complex, the policies are managed by multiple users, and in many cases the policies are expressed in cumbersome low-level legacy approaches to access control.  This project developed techniques and tools that significantly reduce the cost of migrating from legacy access control methods to modern high-level access control frameworks, notably Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC), an extension of ABAC.  Policies in these high-level frameworks are more succinct, easier to validate, and easier to maintain.   Specifically, this project developed novel algorithms that automatically generate candidate high-level access control policies, by learning them from low-level access control policies or operation logs, together with information about attributes of and relationships between entities.  These new algorithms are the heart of the intellectual merit of this project.

The broader impacts of this project include advanced training of numerous students in computer security, and the dissemination via publications and software releases of these novel policy learning algorithms.  Several IT companies (CA Technologies, Core Security, IBM, Oracle, NEXIS, Novell, SailPoint, etc.) sell computer security management products that learn role-based policies.  ABAC and ReBAC are the next generation of access control after roles.  In government, the Federal Chief Information Officer Council called out ABAC as a recommended access control model because it allows "an unprecedented amount of flexibility and security while promoting information sharing between diverse and often disparate organizations".  In industry, more and more products support ABAC.  As more and more organizations decide to adopt ABAC or ReBAC, policy learning techniques like those developed in this project are likely to appear in commercial products and significantly reduce the cost of migration to these frameworks.  In turn, adoption of these frameworks will significantly improve access control policy management and thereby improve the security of the organizations' information resources.


Last Modified: 07/05/2020
Modified by: Scott D Stoller
